Australia’s Corporate Reputation Index is a measure of consumer trust in the country’s top brands. Back in 2012 the national postal operator, Australia Post (AusPost), ranked number two on the index. By 2015 it had slipped to sixth place and by 2016 was all the way down to 19th.
Over that same period AusPost had been fighting an ongoing cybersecurity battle to stop its brand being used by hackers for nefarious purposes. “AusPost noticed our brand being used in late 2013 and early 2014 in very small numbers, which we were able to manage through take-downs of fraudulent sites,” says Kristin Lyons, chief information security officer at AusPost. But that action provided only a temporary reprieve and the problem has since become much worse, including “many aggressive campaigns, a steep increase in their numbers and many changes of tack”, adds Lyons.
The hackers’ main method of attack has been ransomware – malicious software that locks computer files and demands payment for their release. Typically the ransomware is hidden inside an attached “shipping confirmation” document in an email purporting to come from AusPost. The hackers have tried to entice tens of thousands of online users into downloading the malware using data gleaned from the target’s social media profiles to give the emails an air of authenticity.
According to the Australian Competition and Consumer Commission, these email scams cost consumers more than A$80,000 (US$61,580) in 2015. It is unclear what the reputational cost has been and whether falling consumer confidence in the company is linked to this proliferation in scams. But Lyons says that it was AusPost’s status as “one of Australia’s most trusted brands” that made it a desirable target in the first place. “People are familiar with our emails and will at times be expecting them, which could make them more susceptible to opening a fake email,” she adds.
The US Postal Service (USPS) has frequently found its brand being used in these targeted email attacks, known as spear phishing. “For several years our customers were commonly the target of these sorts of cyber attacks,” comments Greg Crabb, acting chief information security officer and digital solutions vice president at the USPS.
To tackle the problem, the USPS has introduced two sets of email authentication protocols that have “reduced the amount of spam purporting to be from the USPS to near zero”, Crabb explains.
The protocols – known as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) – allow email service providers such as Google and Yahoo to distinguish genuine USPS correspondence from phishing attacks. SPF lets a domain publish which mail servers may send on its behalf, and DKIM lets the sending domain cryptographically sign each message so that forged or altered mail can be detected. Crabb adds, “That has helped develop and preserve our email brand in a very measurable way.”
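As an added illustration of the SPF half of that check (not code from the article or from the USPS), the following Python sketch evaluates a sending IP against a constructed SPF TXT record, handling the ip4, ip6, include and all mechanisms; the domains and addresses are made up, and the DNS lookup is stubbed with a dictionary.

```python
import ipaddress

# Constructed TXT records for hypothetical domains (not real USPS records).
FAKE_TXT = {
    "example-post.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Prefix on each mechanism decides what a match means.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookup=FAKE_TXT.get, depth=0):
    """Return the SPF result for sender_ip claiming to send as @domain.

    Supports ip4, ip6, include and all; other mechanisms (a, mx, redirect,
    exists) are skipped, which is enough to show how a receiver decides.
    """
    record = lookup(domain)
    if record is None:
        return "none"          # domain publishes no SPF policy
    if not record.startswith("v=spf1") or depth > 10:
        return "permerror"     # malformed record or include loop
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]   # catch-all, usually -all or ~all
        if name in ("ip4", "ip6") and arg:
            # Version mismatch (v4 address vs v6 network) simply does not match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include" and arg:
            # include matches only if the referenced domain's policy passes.
            if check_spf(arg, sender_ip, lookup, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"           # record exhausted without an all mechanism
```

A "fail" result from a record ending in -all is what lets a receiving provider reject a message whose From domain was borrowed by a phishing campaign; SPF says nothing about the message body, which is where DKIM's signature comes in.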
Right: Kristin Lyons, chief information security officer at AusPost
Gaps in security
Despite these efforts the USPS was the victim of a major cybersecurity breach in 2014. In this case hackers didn’t confine themselves merely to appropriating the USPS brand, but successfully attacked the post’s own networks via an attack that compromised the personal information of nearly three million customers and stole the social security numbers of 750,000 former and current employees, according to US media reports at the time.
A follow-up report by the USPS’s watchdog, the Office of the Inspector General (OIG), was highly critical of the postal operator, finding that it lacked “a cybersecurity culture”.
One specific shortcoming the report pointed to was outdated software – half of the software systems tested by the OIG were no longer supported by the manufacturer, which meant that any security vulnerabilities could not be patched up. It also noted an understaffed cybersecurity team and negligible staff training – only about 1% of USPS employees had completed security awareness training, compared with an average of about 80% in the private sector.
More worryingly, when the OIG launched fake phishing attacks as part of its audit months after the original breach, it found that a quarter of staff still fell for the emails. “Information security awareness training is critical to ensuring that employees are equipped with the knowledge to identify and report phishing emails,” says Kimberly Benoit, the OIG’s deputy assistant inspector general for technology. “As a result, we recommended that management update training requirements to require all employees with network access to complete annual information security awareness training.”
Start with the basics
Creating a successful cybersecurity apparatus “often means doing the dull things right”, says Rob Pritchard, founder of the Cyber Security Expert, a web-based consultancy. He explains, “It means managing your assets so that you know what software is out of date and where your vulnerabilities are – this is not a trivial task for a large enterprise.”
In response to the OIG’s findings, the USPS initiated a comprehensive training program called Cyber Safe that has provided security awareness training to 200,000 staff and contractors who have computer access within the organization. As part of Cyber Safe, staff performance is continuously monitored through monthly fake phishing attacks.
“Every month we test 10,000 of our staff, and employees’ click rates have reduced dramatically,” says Crabb. “Whenever an employee takes the bait we provide remedial training and retest them afterward.”
As well as these measures, the USPS recently launched a consumer-facing campaign on its website to educate customers about potential cyberattacks.
Australia Post has also tried to promote public awareness about cybersecurity, using its website and social media strands to inform customers about the ransomware scams and provide practical advice to victims. “We believe it is our social obligation to keep our customers informed when these scams happen, so that they can take the required action to protect themselves,” says Lyons.
Left: Greg Crabb, acting chief information security officer and digital solutions vice president, the USPS
Types of attacks
Another key factor in tackling cyberthreats is understanding where they come from. Crabb says that the USPS deals with three main varieties of hackers: socially motivated hackers like members of the hacking collective Anonymous; criminal hackers whose motivation is solely financial; and hackers operating on behalf of a nation state.
“Socially motivated hackers,” he says, “usually favor denial-of-service (DoS) attacks, in which the targeted network is flooded with multiple requests in an attempt to overload the system.” The USPS has controls that protect it from DoS attacks.
“The most sophisticated attacks are usually those launched by nation states,” Crabb continues. “They require that we implement a layered set of controls, assuming that the adversary may be able to completely circumvent certain security controls of our tool providers. You can’t rely on only one or even two sets of tools when you’re dealing with a nation state actor.”
Media reports following the 2014 breach speculated that it may have come from China. The USPS has never confirmed its origin – it is still the subject of an FBI investigation – but Pritchard warns against attributing these large-scale hacks to nation states, contending that the motive is “more often financial”.
He points to the massive hack of US bank JPMorgan Chase in 2014, in which data on more than 80 million customers was stolen. One of the largest data breaches in history, the hack happened to coincide with the escalating conflict in eastern Ukraine between the government and pro-Russian separatists.
“There were lots of rumors at the time that it was Russian reprisals for the West’s involvement in Ukraine,” says Pritchard. “But it turned out to be some people running a pump-and-dump scam – a financial fraud that involves artificially inflating the price of stocks – and they were using the hacked customer details simply as a database.”
Protecting data
In order to protect customer data from attacks like the JPMorgan Chase hack, the USPS has trained staff to encrypt sensitive data, like credit card numbers, and to avoid storing it on hard drives. But a balance has to be struck, according to Crabb, “between privacy and security, and making the systems robust and available”.
He gives the example of the USPS change of address management system. Since 20% of the US population moves each year, the mailing community needs to be able to follow consumers. To facilitate this, the USPS has designed a system that allows sharing of change of address information “in a very privacy-enhanced way”, says Crabb.
“We don’t provide mail service providers with a database of names and addresses. Instead we encrypt that information and require that senders know the recipient’s name before they can get the new address. I consider that change of address system a national treasure.”
Right: Members of the USPS’s CyberSafe initiative passing out materials to attendees at the Cybersecurity Awareness Fair on October 11, 2016
The threat within
As well as the threat posed by hostile actors, posts must also contend with insider threats. To this end, the USPS uses a data-loss prevention tool that stops staff from using thumb drives or other removable media to take sensitive data out of its networks.
Pritchard, however, believes that technological solutions will only get you so far and that “it’s more an issue of personal management. You have to ask yourself: Are you correctly vetting staff and dealing with disgruntled employees so that it doesn’t get to the point where someone walks out of the door with a lot of sensitive data?”
Pritchard is skeptical about the existing insider threat detection software that is meant to pick up on unusual user behavior: “It tends to generate a lot of false positives, so it requires very competent operators to monitor it, who know the system well and can drill through what they’re seeing and pick out the genuine anomalies. In the end it still comes down to having good personnel.”
The full version of this article appears in the January 2017 issue of Postal Technology International.
Article by Paul Willis
December 2, 2016