Skip to content Skip to footer

Who we are

Our website address is: https://shipip.com.

What personal data we collect and why we collect it

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select "Remember Me", your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

Who we share your data with

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

Your contact information

Additional information

How we protect your data

What data breach procedures we have in place

What third parties we receive data from

What automated decision making and/or profiling we do with user data

Industry regulatory disclosure requirements

MARITIME CYBER SECURITY

Phishing penetration test measures crew vigilance

February 2, 2021

 

GTMaritime is now offering a penetration testing service free of charge which allows customers to evaluate the ability of their personnel to identify phishing attacks

Hackers are constantly trying to come up with new ruses to outwit software-based protections. For this reason, crew cannot afford to become complacent in the belief that, with a technological safety net in place, everything reaching their inbox is trustworthy and can be taken at face value.

On the contrary, they must remain vigilant: the few malicious messages that do arrive will more likely resemble an authentic request or employ advanced social-engineering techniques, which make them harder to recognise.

Quality ship operators understand this and take a holistic approach to cyber defence. To supplement the work done by technological tools such as GTMailPlus by GTMaritime, they routinely remind staff to stay alert and offer training on what to look out for.

However, it can be difficult to gauge exactly how well these measures are working or to identify areas that would benefit from improvement. In the same way that cyber criminals are constantly refining their techniques, ship operators too must continually adapt.

Last autumn GTMaritime started offering a penetration testing service free of charge to its shipping company customers. The service involves sending a selection of crafted spoof phishing messages to crew to test for alertness and for response. These realistic but ultimately harmless simulated attacks offer an effective way of gathering quantitative evidence on the alertness of the frontline staff most exposed to hoax emails.

By revealing weaknesses in training provision, the free service allows customers to pinpoint where educational resources can be enhanced or redirected, knowledge gaps plugged and awareness raised.

Test results revealed weaknesses

We recently completed a two-round penetration test for an established shipping company. For the initial test the vessel operator sent to sixteen of its captains a spoof message appearing to come from a Port Authority requesting basic identifying information about the vessel and its owner.

Half correctly identified the message as a phishing attempt and ignored it, but half supplied the information asked for. Of the latter group, in no case was the message escalated to management for advice on how to proceed.

The 50-50 split certainly raised pulses at company headquarters, as the spoof email was written in poor English and emanated from a mysteriously unnamed port authority – both common traits that should ring alarm bells. To determine if the same result would be found if more detailed information was requested a second test was employed.

This time the message that supposedly came from a port authority had a personalised subject line that mentioned the target vessel’s name and IMO number. There is mounting evidence of cyber criminals including references to familiar people or organisations, adding a veneer of authenticity that encourages the targeted recipient to lower their guard. The rogue message then asked for a host of sensitive particulars and security details, which if passed on to pirates could jeopardise the safety of vessel and crew.

The response showed a marked improvement over the first test. Eight recipients immediately detected something was amiss and ignored the request. Encouragingly, three were suspicious enough to seek guidance from head office. Although head office personnel were kept in the dark about the test, they reacted correctly, advising vessels not to send any data and also alerted the IT department.

Even so, five vessels still obligingly followed the instructions in the message without properly considering either the safety or commercial ramifications of sensitive information falling into the wrong hands.

Path to enhanced education and procedures

Following the penetration tests GTMaritime supplied the vessel operator with educational materials for both staff and IT personnel. The operator took an enlightened view to the results, seeing them as an opportunity to learn rather than apportion blame. It later shared the full findings in a company-wide security bulletin in the hope that using real data rather than hypothetical scenarios to present the dangers would drive home the need for vigilance.

SHIP IP LTD – Remote internal/external Vulnerability & Penetration Testing

TRUST OUR NETWORK – WE GUARANTEE BEST PRICES!

READ MORE

https://shipip.com/new/maritime-vulnerability-and-penetration-testing/

 

Tags:
0Likes
About Author

You May Also Like

MARITIME CYBER SECURITY

Port Technology International hosted IAPH cyber experts

June 27, 2022
MARITIME CYBER SECURITY, Maritime Safety News

Maritime union joins Sea Machines’ 1,000 NM autonomous voyage

October 19, 2021