USCG released its annual Cyber Trends and Insights in the Marine Environment (ME) report. The report aims to give ME partners relevant information about best practices for securing their critical systems, based on USCG findings.
Since December 2020, Coast Guard Cyber Command (CGCYBER) has vastly grown its presence and increased its operational tempo to protect cyber systems underpinning the ME.
The observations and findings in this report provide Coast Guard units and their port partners with relevant information to identify and address cyber risks. Coast Guard Cyber Protection Teams (CPTs) and the Maritime Cyber Readiness Branch (MCRB) developed these findings through technical engagements throughout 2022 with ME partners.
Findings
Marine Transportation System (MTS) partners Fully or Partially Mitigated 93% of all findings within six months of receiving a CPT Assess mission, an 11% increase from 2021. Other than a slight decrease in Partially Mitigated findings, believed to result from the increase in Fully Mitigated findings, all remediation metrics improved from 2021 to 2022. These metrics support the conclusion that organizations in the ME can take quick and effective action to reduce their attack surface, particularly when they understand the business impacts associated with the risks.
Phishing for Information
Phishing for Information is a sub-technique of the Phishing technique. The MITRE Corporation categorizes Phishing for Information as a reconnaissance technique rather than an initial access technique.
Valid Accounts
The most common initial access technique used during Assess missions was Valid Accounts. Account credentials were often gathered from publicly available sources or through related techniques such as Phishing for Information, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, or Steal or Forge Kerberos Tickets: Kerberoasting. Coast Guard CPTs then gained initial access to the target networks using the gathered account information.
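The Kerberoasting path above succeeds against user accounts that carry a Service Principal Name and have a weak or stale password. This added audit (example code, not from the USCG report) lists such accounts so they can be moved to group Managed Service Accounts or given long random passwords with AES enabled; the 365-day age threshold is an assumption for illustration.

```powershell
# Added example (not from the USCG report): find enabled domain user accounts that carry an
# SPN and so can be targeted by Kerberoasting; flag RC4-only encryption and stale passwords.
# Requires the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags (Microsoft-documented values)
$RC4 = 0x4
$AES = 0x8 -bor 0x10          # AES128 and AES256

$maxPasswordAgeDays = 365     # assumed threshold for this example

# Enabled user objects with at least one SPN, excluding krbtgt
$ldap = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
        '(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$spnUsers = Get-ADUser -LDAPFilter $ldap `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount

foreach ($u in $spnUsers) {
    $enc = [int]($u.'msDS-SupportedEncryptionTypes')
    # 0/unset means the DC falls back to RC4 when issuing the service ticket
    $rc4Only = ($enc -eq 0) -or ((($enc -band $RC4) -ne 0) -and (($enc -band $AES) -eq 0))
    $ageDays = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        SPNs            = ($u.ServicePrincipalName -join ';')
        RC4Only         = $rc4Only
        PasswordAgeDays = $ageDays
        Privileged      = ($u.AdminCount -eq 1)
        Action          = if ($rc4Only -or $ageDays -gt $maxPasswordAgeDays) {
                              'Rotate to long random password or migrate to gMSA; enable AES'
                          } else { 'OK' }
    }
}
```

Accounts flagged both Privileged and RC4Only are the first to remediate, since a cracked ticket for them yields administrative access directly.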
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
LLMNR/NBT-NS Poisoning and SMB Relay attacks leverage antiquated features used for host identification to harvest credentials from within a network.
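The three host settings that defeat this technique are disabling LLMNR, disabling NetBIOS over TCP/IP, and requiring SMB signing. This added script (example code, not from the USCG report) audits all three on a Windows host and, with -Enforce, applies them; in a domain the same values would normally be delivered by Group Policy.

```powershell
# Added example (not from the USCG report): audit and optionally remediate the settings that
# defeat LLMNR/NBT-NS poisoning and SMB relay on one Windows host. Run from an elevated shell.
param([switch]$Enforce)

function Set-Dword($Path, $Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. LLMNR: EnableMulticast = 0 turns off multicast name resolution
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
Write-Host ("LLMNR disabled: {0}" -f ($llmnr -eq 0))
if ($Enforce -and $llmnr -ne 0) { Set-Dword $llmnrKey 'EnableMulticast' 0 }

# 2. NetBIOS over TCP/IP: NetbiosOptions = 2 disables NBT-NS on each interface
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $ifRoot | ForEach-Object {
    $opt = (Get-ItemProperty $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    Write-Host ("NBT-NS disabled on {0}: {1}" -f $_.PSChildName, ($opt -eq 2))
    if ($Enforce -and $opt -ne 2) { Set-Dword $_.PSPath 'NetbiosOptions' 2 }
}

# 3. SMB signing: required on both server and client so a relayed session is rejected
$srv = (Get-SmbServerConfiguration).RequireSecuritySignature
$cli = (Get-SmbClientConfiguration).RequireSecuritySignature
Write-Host ("SMB signing required (server/client): {0}/{1}" -f $srv, $cli)
if ($Enforce -and -not ($srv -and $cli)) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}
```

Disabling NetBIOS can break legacy applications that still browse by NetBIOS name, so audit first and test the -Enforce change on a pilot group before rolling it out fleet-wide.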
Mitigation Recommendations
#1 Password Policies
A password policy is a set of rules and guidelines that dictate how users should create and manage their passwords for a given system or organization. Password policies are put in place to ensure the security and integrity of systems and the data they contain. Despite widespread frustration with the use of passwords from both a usability and security standpoint, they remain a very widely used form of authentication.
#2 Multi-Factor Authentication
MFA is a security method in which a user is required to provide multiple forms of identification to access a system or account. MFA typically involves at least two of the following three authentication factors:
- Something the user knows, such as a password or a PIN.
- Something the user has, such as a security token or a smartphone.
- Something the user is, such as a fingerprint or facial recognition.
#3 Filter Network Traffic
Filtering network traffic is an important aspect of network security and management, and provides the following benefits:
- Protects the network and authorized users from malicious traffic.
- Improves network performance, security, and monitoring.
- Provides the ability to enforce compliance requirements.
#4 Privileged Account Management
Privileged account management is the process of creating, managing, and monitoring privileged accounts in a computer system or network. A privileged account is one that has more access and permissions than regular user accounts; examples include administrator accounts, root accounts, and service accounts. Privileged account management is a critical element of security and compliance: it helps protect sensitive data and resources, meet regulatory requirements, and improve efficiency by limiting unnecessary access and permissions.
The main goal of privileged account management is to reduce the risk of security breaches and other malicious actions by controlling access to sensitive data and resources.
#5 Update Software
- Perform regular software updates to mitigate exploitation risk.
- Ensure operating systems and browsers are using the most current version.
- Update password managers regularly by employing patch management for internal enterprise endpoints and servers.
- Keep system images and software updated and migrate to SNMPv3.
- Update all browsers and plugins and use modern browsers with security features turned on.
- Update software regularly by employing patch management for externally exposed applications and internal enterprise endpoints and servers.
- Patch the Basic Input/Output System (BIOS) and other firmware as necessary to prevent successful use of known vulnerabilities.
- Update software regularly to include patches that fix Dynamic Link Library (DLL) sideloading vulnerabilities.
#6 User Training
User training is a vital mitigation factor because it helps to educate users about the risks and threats. User training minimizes the likelihood of human error and enables compliance with regulatory requirements. By providing training on topics such as safe browsing, email security, and password management, users are better equipped to identify and mitigate potential security risks.
#7 User Account Management
User account management is, in the words of MITRE ATT&CK, managing “the creation, use, and permissions associated to user accounts”. It should follow the principles of least privilege and separation of duties.
#8 Account Use Policies
Account Use Policies, again following MITRE ATT&CK, refers to configuring “features related to account use like login attempt lockouts, specific login times, etc.”
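Recommendations #1 (Password Policies) and #8 (Account Use Policies) are both expressed in Active Directory as the domain password and lockout policy. This added audit (example code, not from the USCG report) compares the default domain policy and any fine-grained policies against a baseline; the threshold values in $Baseline are assumptions for illustration and should be replaced with the organization's own.

```powershell
# Added example (not from the USCG report): check domain password and lockout settings against
# an assumed baseline. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Assumed baseline for this example; tune to your own policy
$Baseline = @{
    MinPasswordLength         = 14
    LockoutThreshold          = 10    # failed attempts before lockout; 0 means never locks
    LockoutDurationMinutes    = 15
    LockoutObservationMinutes = 15
    PasswordHistoryCount      = 24
}

function Test-PasswordPolicy($Policy, $Name) {
    # Each check: the setting, its current value, and whether it meets the baseline
    $checks = @(
        @{ Setting = 'MinPasswordLength';    Actual = $Policy.MinPasswordLength
           Pass = $Policy.MinPasswordLength -ge $Baseline.MinPasswordLength }
        @{ Setting = 'LockoutThreshold';     Actual = $Policy.LockoutThreshold
           Pass = ($Policy.LockoutThreshold -gt 0) -and ($Policy.LockoutThreshold -le $Baseline.LockoutThreshold) }
        @{ Setting = 'LockoutDuration';      Actual = $Policy.LockoutDuration
           Pass = $Policy.LockoutDuration.TotalMinutes -ge $Baseline.LockoutDurationMinutes }
        @{ Setting = 'LockoutObservationWindow'; Actual = $Policy.LockoutObservationWindow
           Pass = $Policy.LockoutObservationWindow.TotalMinutes -ge $Baseline.LockoutObservationMinutes }
        @{ Setting = 'PasswordHistoryCount'; Actual = $Policy.PasswordHistoryCount
           Pass = $Policy.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount }
        @{ Setting = 'ReversibleEncryptionEnabled'; Actual = $Policy.ReversibleEncryptionEnabled
           Pass = -not $Policy.ReversibleEncryptionEnabled }   # must always be off
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Policy  = $Name
            Setting = $c.Setting
            Actual  = $c.Actual
            Result  = if ($c.Pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

# The default domain policy, plus any fine-grained policies that override it for specific groups
Test-PasswordPolicy (Get-ADDefaultDomainPasswordPolicy) 'Default Domain Policy'
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object { Test-PasswordPolicy $_ $_.Name }
```

A LockoutThreshold of 0 is the common FAIL in this audit: it means unlimited password guesses against every account, which is exactly the condition that lets a harvested username list be turned into Valid Accounts.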