Cyber Security and Business Aviation

Transcription

1 Cyber Security and Business Aviation What flight departments need to know about the biggest threat facing business aircraft today. October 2017

2 Cyber Security and Business Aviation What flight departments need to know about the biggest threat facing business aircraft today. For being what IBM CEO Ginni Rometty calls the greatest threat to every company in the world 1, it s surprising how little thought many of us give to cyber security in our day-to-day actions. Instead, we tend to brush it off as a problem for multinationals or something for the IT department to worry about. Yet this is a clear and dangerous misconception, as cyber security is not only a part of every IT discussion but every business discussion. Not convinced? Perhaps these statistics will scare you straight: 73% of company security experts expect to experience a major security breach within a year.2 Despite the money and resources spent on cyber security, 87% of company security experts believe their security controls are failing to protect their business.3 65% of security professionals identified phishing and social engineering as the biggest security threats to their organization.4 All it takes is one person clicking a fake to give a hacker direct access to all the data on their device and a direct path to your network. Yet, even though everybody claims to be aware of this risk, 78% of us click on the links anyway.5 The greatest threat to every company in the world Ginni Rometty IBM CEO 97% of applications tested by Trustwave had one or more security vulnerabilities.6 70% of business respondents think that employees are the biggest risk to the business.7 The Straight Talk You Need If you manage or maintain aircraft at a business aviation flight department, consider this primer a must-read. In an interesting and non-technical manner, Satcom Direct s cyber security experts provide the straight talk on cyber security, including what the threats are, how the bad guys do it, and what you can do to protect yourself. Satcom Direct strongly recommends discussing your cyber security strategy with your data provider. By reading this primer, you ll have the information and confidence you need to ask the right questions and take a proactive role in protecting your flight department. 2

3 Don t Think You re a Target? Just Ask Target. 8 Like many companies, Target is equipped with state-of-the-art security technology. Yet in 2014, hackers stole 70 million credit cards. So how did this happen? Most likely, it all started with a simple Google search, where hackers found Target s vendor list. Instead of trying to get through Target s complex security system, the hackers instead backed their way in by compromising an unsuspecting third-party refrigeration contractor. Via a phishing , an employee of the vendor inadvertently allowed a virus to be installed on their computers. As the vendor wasn t using an appropriate anti-malware software, all the hackers had to do was wait until the malware offered them the golden ticket: the vendor s login credentials. With credentials in hand, it was a hop, skip and jump to the credit card information. The lesson learned? Even with the most high-tech security system in place, your entire network remains vulnerable to the vendors who lack proper data security measures. Man vs. Machine What this makes abundantly clear is that your company s data security is vulnerable on two fronts. First is the technology front. Even with the most secure devices or the latest security software, it s always a matter of trying to stay one step ahead of the hackers. If the leading security experts working at the world s most security-conscious companies are kept up at night worrying about the vulnerability of their security controls you should be too. The second front in the battle for cyber security is human error. Even if your IT department is doing everything right to protect the company from an attack, more often than not a breach happens because of a simple mistake by an employee or a vendor. What this means is that in cyber security, you don t have the luxury of choosing one or the other. What you need is a strategy that simultaneously addresses both the technical and the human factors. Altitude Doesn t Make You Safe Unfortunately, being in a business aircraft doesn t exempt you from a cyber threat. One of the most common myths in the industry is that once the aircraft s Wi-Fi signal is out of the range of those on the ramp, it is safe from an attack. Nothing could be farther from the truth. Regardless of whether you are on the ground or in the air, if you can see the internet, then the internet and the hackers are most definitely able to see you. In other words, altitude doesn t make you safe. 3

4 Like it or Not, Your Aircraft is Under Attack Your CEO receives an message from what appears to be a known associate. Being fairly tech savvy, before opening the or clicking on any links, the CEO takes a closer look at the address. Seeing that the name is spelled correctly and the company name follows he decides to open it. Still hesitant, he double checks to make sure the signature and the company logo are correct after all, you can never be too careful these days. Judging that everything adds up, the CEO clicks the link and fills in the requested information before sending it off to an anxiously waiting cybercriminal. Quick Tips from Satcom Direct As if the general threat of a breach isn t bad enough, even more worrying for business aviation is that attackers no longer cast a wide net in hopes of catching something random. Instead, hackers now go out of their way to target VIPs. And what better place to reel in a VIP than in the cabin of a business aircraft? What can you do to better defend your aircraft? Here we take a look at how some of the most common cyber threats facing business aviation happen and offer some quick tips for mitigating these risks. Scenario 1: The Phishing Threat Messages that ask for sensitive information or that need information urgently should always raise a red flag. Before clicking, hover your curser over a link to see what the URL is. If the website is unfamiliar, don t click, just delete. Always confirm that an is legitimate before opening an attachment. This could be as simple as calling or ing the sender to let them know you received an unexpected document and want to confirm it was from them before opening. Scenario 2: The Spy Who Stole the Secrets Threat Awesome Company is negotiating a merger with Better Company. Hector, a hacker who works for The Questionable Company, a major competitor of Awesome Company, gets wind of the deal. Hector starts by hacking into the computers at Blue Skies Charter and steals a flight manifest showing when Awesome Company s CEO is traveling to the city that Better Company is located. Combining this information with data on the aircraft, Hector uses a hacking site to pinpoint its departure and arrival time. With this information in hand, The Questionable Company can now either buy stock in Better Company to cash in on 4

5 the upcoming merger or make a well-timed competing bid to disrupt the deal altogether. By creating procedures that limit access, eliminate out-of-date addresses and establish a protocol for transmitting sensitive information, many of the doors used by hackers can be wholly or at least partially closed. Scenario 3: The Threat of the Evil Twin Scenario 4: The Let s Do Business Threat A couple of days before welcoming passengers on board the company aircraft for a business trip to Brussels, flight planner Joe starts receiving s from Belgian catering companies promoting their services. How do they know we re going to Brussels?, he thinks. Simple, flight plan data for European flights is available on a subscription basis from NMOC and FBOs, meaning catering companies and other service-oriented businesses can use it to find customers. It also means hackers, posing as caterers, can use it to find potential targets. It starts with educating both crew and passengers about the threats and advising them that a company s exposure to hacking or corporate espionage could be elevated when traveling. Scenario 5: The Bad Thumb Drive Threat While killing time in the FBO lounge, Jane, a member of the flight crew, connects to a free, no-password-required Wi-Fi network. Like most of us, she s just so happy she doesn t have to go track down a password that she doesn t think twice before connecting. Little does Jane know that the network she just connected to isn t the FBO s actual network, which is password protected, but instead what is called an evil twin an unsecured network with a name similar to the legit connection. At the other end of her unsecure connection is a savvy hacker busy browsing her files and downloading company documents all while Jane is busy preparing for her upcoming flight. Always use a secure, password-protected connection. During an MRO conference, Chris, your head of maintenance, picks up the usual SWAG: bags, pens, notepads and a handful of USB drives. Back at the shop and needing to save a file, Chris reaches into the desk drawer and grabs one of those drives, plugs it in and starts to download. What Chris doesn t know is that by plugging the thumb drive into his computer, he just transferred a virus to the aircraft databases that is well on its way to wreaking havoc on the aircraft. It s not unheard of for hackers to scatter infected USB drives in company parking lots, around a trade show, or wherever they are likely to be picked up by an unsuspecting employee. To protect yourself, implement maintenance protocols that prohibit the use of unauthorized USB drives. 5

6 Scenario 6: The Questionable Airspace Threat Flying over certain countries can increase the risk of hacking. For example, when in some countries airspace, airborne internet traffic is automatically routed to a satellite earth station, meaning someone is likely looking and listening. Use geolocation-based services that send an automatic alert to pilots when entering questionable airspace to remember to terminate the internet connection. The Big Cost of a Data Breach So, how much do these threats cost a company? According to IBM, the estimated average cost of each stolen record is $ That s $ for every stolen bank account, password, social account, file all of which adds up fast. In fact, the global cost of cybercrime is set to increase to $2 trillion by Then there s the cost of resolving an attack. According to Hewlett Packard Enterprise, the mean number of days needed to resolve cyber-attacks is 46, with an average cost of $21,155 per day or a total cost of $973,130 over the 46-day remediation period.11 Not If, But When The unfortunate reality is that it s not a matter of if a breach will occur, but when. As a result, companies are investing heavily in cyber security. According to Forbes, the cyber security market is expected to grow from $75 billion in 2015 to $170 billion by 2020, with companies spending $1 trillion for cyber security in the five years from Even Bank of America has gone on record saying it has an unlimited budget when it comes to combating cybercrime. There s also the issue of backing your security with the necessary talent which is neither readily available nor cheap. According to Stanford s Peninsula Press, more than 209,000 cyber security jobs in the U.S. are unfilled. Furthermore, demand for cyber security professionals is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million. So, how does your company compare? Are you taking the threat of cyber security seriously? Is your back-end security technology up to date? Have you provided your employees with training? Are your vendors utilizing best practices in cyber security? What about adding the additional technological features to help mitigate the effect of human error? When a hacker strikes your aircraft, are you ready? Overwhelmed Yet? Despite all this bad news, there is good news too. When it comes to cyber security, there are several quick fixes you can easily implement today to potentially save you and your company significantly tomorrow. It all starts with a full cyber security assessment. As information governance reduces losses by $1 million annually, there s never been a better time to invest in an assessment of your data controls. And all you have to do is to pick up the phone and call your aviation data provider. Think of your cyber security assessment as an insurance policy. Even if you have the world s best driving record, you still get auto insurance. Why? To protect yourself from all the other poor drivers on the road. Likewise, even if you have the world s most secure network and latest cyber security technology, you need to protect yourself from the vendors, suppliers and employees who don t. A cyber security assessment is your insurance policy to protect you from everybody else. 6

7 Your Comprehensive Cyber Security Strategy Addressing the risks of cyber security in business aviation requires the use of both the latest technology and the right procedures to mitigate against human error and only Satcom Direct offers both. Simply said, nobody in business aviation has invested more in cyber security than Satcom Direct. Satcom Direct is the only provider offering the technology, assessment, training and ongoing support needed to address both the technological and human components of cyber security. SD s cyber security team combines experience and expertise, providing comprehensive solutions to help bolster your flight security practices from cockpit to cabin and beyond. Our comprehensive security service includes: 1. Network Discovery. The SD Cyber Security team will evaluate your state-of-the-network and current security processes, and provide a complimentary consultation to give recommendations on any identified areas of improvement. 2. Security Risk Assessment. SD offers a full onsite risk assessment for flight departments, to help you understand and identify threats to your environment both on-wing and at the hangar. Our security experts come to your location, evaluate your network and current security processes, and make recommendations on how to combat security risks found within a flight department through a suite of practices that adhere to ISO and NIST standards. 3. Risk Mitigation and Threat Monitoring Services. To protect against known cyber security risks, SD offers a variety of enhanced threat analysis and prevention solutions, such as Antivirus, Modern Malware Protection and Threat Intelligence services. Our in-house network security experts stay ahead of evolving security threats and actively monitor network activity to detect and block intrusion attempts in real time. 4. SD Private Network. The SD Private Network (SDPN) is a global communications framework that allows satellite and air-to-ground connectivity providers to connect to the aircraft through our SD Data Center and its multiple points of presence (POPs) worldwide avoiding the public internet and protecting user communications and data. With the SDPN, you can apply all of your current corporate compliance and security to the aircraft network just like any other company location. The SD Private Network offers an unparalleled level of security and reliability. 7

8 Going the Extra Mile: The SD Data Center Satcom Direct is the only data provider in business aviation that operates a wholly-owned data center dedicated to safeguarding your connectivity and communication streams. The SD Data Center is the foundation for all of Satcom Direct s services and the base from which we can help you build a tailored cyber security strategy. Whereas other providers outsource this to third-party data centers, with Satcom Direct your data never leaves the company s 25,000 sq. ft. purpose built facility that meets Tier III standards, complies with major industry requirements, and is designed to withstand a Category 5 hurricane. In other words, your data is safe here. Ready to protect your company from a cyber attack? To request a comprehensive review from the SD Cyber Security team, contact us today at cybersecurity@satcomdirect.com or Satcom Direct, Inc 2017 All Rights Reserved. 8