Recently, the Korean Register of Shipping stated that 'social engineering' means to secure access rights to systems, data, and buildings by exploiting human psychology instead of a technical hacking technique to steal into the system.

AXIS' Cyber Risk Advisor, Simon West, stated that social engineering could be either a single-stage attack of a multiple-staged attack.

A multiple-staged attack consists of various levels of manipulation so that attackers accomplish their goals. The attack may be carried out by interpersonal or non-interpersonal means, the latter of which can entail the gathering of information through Open Source Intelligence (OSINT).

How does social engineering affect someones life?

An attacker is able to find many detailed information about the individual that they will attack, by surfing web browsers, social media, or other digital sites that record addresses and business information.

Attackers secure information either from electronic or non-electronic means.

  1. Non-electronic means: there is typically a physical element to the ploy, for example, attackers looking over victims’ shoulders to copy passwords or PIN numbers, attackers impersonating victims or reverse social engineering, when attackers create problems and convince victims they can solve them
  2. Electronic means: involve an interaction between two people via email, telephone, or some other device that allows the attacker to target the unsuspecting victim.

Most of the times, an attackers conducts reconnaissance, weaponisation and delivery, to easily attack its victim. Regarding social engineering the attracker decides what tools to use to proceed to the attack. The option of the tools is based on the information the attacker has gathered for the victim, during the reconnaissance phase.

The information can be gathered by:

  1. Phishing (random email), spear phishing (targeted email), vishing (voice call) and smishing (SMS Text). - In May, LogRhythm Labs provided ten tips to detect a phishing email. -
  2. Spoofing (Captain, crew, management agencies and third party suppliers)
  3. Pretexting (creating a fictional situation)
  4. Baiting (to lure someone)
  5. Posing as someone of influence
  6. Tailgating and shoulder surfing
  7. Direct or remote implantation of malware
  8. The use of covert technical devices (recording audio and imagery)
  9. Physical theft of information

In March 2019, during the 2019 SMART4SEA Conference, Cynthia Hudson, CEO, HudsonAnalytix, provided a discussion on Cyber Incident Response to share insight on immediate need to establish the method to respond to a Cyber Incident.

Ms Hudson highlighted

Train: Incorporate cyber risks into tabletop exercises. We had an awareness training. Is that all you need? No. Awareness training is great, but it is a starting point.

Concluding, Mr West noted that training is of a great importance when it comes to dealing with cyber threats and attacks. The ability to create a strong security culture onboard a vessel makes a vast difference in reducing your attack surface. This takes time, nevertheless with a strong internal security education strategy, it can be developed and used to the advantage of the business.