Cybersecurity training for Boards of Directors in the maritime industry



Overview

The Board and the CEO of legal entities in the maritime sector must have the knowledge and skills necessary to assess cybersecurity risks, challenge security plans, discuss activities, formulate opinions, and evaluate policies and solutions that protect the assets of their organization. The failure to maintain adequate risk oversight can expose companies, officers, and directors to liability.

Directors have a significant role in overseeing the risk management of their entities. The failure to exercise appropriate oversight constitutes a breach of the duty of loyalty. A decision about cybersecurity that is negligent constitutes a breach of the duty of care.

The Board and the CEO must also assess whether and how to disclose a cyberattack internally and externally. After a successful cyberattack, entities in the maritime sector must provide evidence that they have an adequate and tested cybersecurity program in place that meets international standards, and that they had the knowledge, policies and procedures to prevent and detect a security breach.

We provide short, comprehensive briefings on key issues the board needs to be informed about in order to exercise professional judgment and adequate risk oversight.


Our Briefings for the Board:

We offer custom briefings for the Board of Directors and executive management, tailored to the specific needs of each legal entity. Our briefings can be short and comprehensive (60 minutes), or longer, depending on the needs, the content of the program and the case studies.

Alternatively, you may choose one of our existing briefings:


A. Cybersecurity briefings specific to the maritime sector.

A1. Understanding the cybersecurity challenges in the maritime sector, for the Board of Directors and executive management.

A2. The NIS 2 Directive as it applies in the maritime sector, for the Board of Directors and executive management of EU legal entities.

A3. The NIS 2 Directive as it applies in the maritime sector, for the Board of Directors and executive management of non-EU legal entities.


B. Cybersecurity briefings for Board development.

B1. An effective cybersecurity culture and the Board of Directors.

B2. Social engineering and the Board of Directors.

B3. Social engineering: the targeting and victimization of key people through weaponized psychology.

B4. State-sponsored but independent hacking groups. The long arm of countries that exploit legal pluralism and make the law a strategic instrument.

B5. Deception, disinformation, misinformation, propaganda, and the role of the Board.

B6. Cyber espionage, intellectual property theft, and the role of the Board.

B7. Steganography in business intelligence and intellectual property theft, and the role of the Board.

B8. Cyber Proxies and the role of the Board.


You can find all information below.


Delivery format of the training program

a. In-House Instructor-Led Training program - designed and tailored for persons working for a specific company or organization (Board members, executive management, risk managers, employees etc.). In all In-House Instructor-Led Training programs, an instructor from Cyber Risk GmbH who is approved by the Client travels to the location chosen by the Client and leads the class according to the needs of the Client and the Contract.

b. Online Live Training program - synchronous (real time, not pre-recorded) training program that takes place in a live virtual meeting room using platforms like Zoom, Webex, Microsoft Teams etc. In all Online Live Training programs, instructors from Cyber Risk GmbH who are approved by the Client tailor the method of delivery (interactive, non-interactive, etc.) to the needs of the Client, lead the virtual class, and answer questions according to the needs of the Client and the Contract.

c. Video-Recorded Training program - professional, pre-recorded training program. Instructors from Cyber Risk GmbH who are approved by the Client tailor the training content according to the needs of the Client and the Contract, and record the training content in a professional studio. The training material (including any subsequent updates) is licensed by Cyber Risk GmbH to the Client for training purposes. Clients can incorporate the recorded videos into their internal learning system. Video-Recorded Training programs include Orientation Video Training and Compliance Video Training programs.



A1. Understanding the cybersecurity challenges in the maritime sector, for the Board of Directors and executive management.

Modules of the tailor-made training

Introduction.

- An overview of some of the attacks described below that are suitable for the objectives of the training. At the end of the presentation we will cover one or more of these attacks in depth.

- May 2022, an attack that targeted the Port of London Authority forced its website offline.

- October 2021, an attempt to hack over 250 Office 365 accounts, with a focus on Persian Gulf ports of entry or maritime transportation companies with a presence in the Middle East.

- October 2020, the UN shipping agency, the International Maritime Organization (IMO), reported that its website and networks had been disrupted by a sophisticated cyber attack.

- March 2013, hackers targeted civilian and military maritime operations within the South China Sea, companies involved in maritime satellite systems, aerospace companies and defense contractors.

- June 2021, the United States Naval Institute (USNI) claimed that the tracking data of two NATO ships, the U.K. Royal Navy’s HMS Defender and the Royal Netherlands Navy’s HNLMS Evertsen, was falsified off the coast of a Russian-controlled naval base in the Black Sea. The faked data positioned the two warships at the entrance of a major Russian naval base.

- September 2020, French shipping company CMA CGM SA saw two of its subsidiaries in Asia hit by a ransomware attack that caused significant disruptions to IT networks, though it did not affect the movement of cargo.

- December 2018, U.S. Navy officials reported that hackers had repeatedly stolen information from Navy contractors, including ship maintenance data and missile plans.

- June 2017, the NotPetya ransomware attack shut down the port terminals of Danish shipping giant Maersk for two days, causing an estimated $300 million in associated costs.

- August 2016, designs and data regarding India’s Scorpene submarines were leaked from the French shipbuilder DCNS.

- June 2015, the Chinese company Qihoo360 reported discovering “OceanLotus,” an espionage program operating since 2012 to target marine agencies, research institutions and shipping companies.

- February 2022, multiple oil terminals in some of Europe’s biggest ports across Belgium and Germany fell victim to a cyberattack, rendering them unable to process incoming barges. A ransomware strain associated with a Russian-speaking hacking group was used to disrupt the ability of energy companies to process payments.


Understanding the guidelines on cyber security onboard ships, produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, IUMI, OCIMF and WORLD SHIPPING COUNCIL.

- Understanding the challenges,

- Threats and vulnerabilities,

- Ship to shore interface,

- Risk exposure,

- Risk assessment made by the company and by third-parties,

- Protection and detection measures,

- Defence in depth and in breadth,

- Procedural protection measures,

- Responding to and recovering from cyber security incidents,

- Losses arising from a cyber incident,

- Best practices, what to remember at all times.


Who is the “attacker”?

- Countries, competitors, criminal organizations, small groups, individuals, employees, insiders, service providers.

- Cyber Pirates.

- Hacktivists and the maritime industry.

- Professional criminals and information warriors.

- Cyber-attacks against passengers, baggage, cargo, catering, systems, staff, and all persons having authorized access to systems and data.


How do the adversaries plan and execute the attack?

- Step 1 – Collecting information about persons and systems.

- Step 2 – Identifying possible targets and victims.

- Step 3 – Evaluation, recruitment, and testing.

- Step 4 – Privilege escalation.

- Step 5 – Identifying important clients and VIPs.

- Step 6 – Critical infrastructure.


Employees and their weaknesses and vulnerabilities.

- Employee collusion with external parties.

- Blackmailing employees: The art and the science.

- Romance fraudsters and webcam blackmail: What is the risk for the maritime industry?


What must be protected?

- Best practices for all employees that provide services and have authorized access to systems and data.

- What to do, what to avoid.

- From client satisfaction vs. cyber security, to client satisfaction as the result of cyber security.


Malware.

- Trojan Horses and free programs, games, and utilities.

- Ransomware.


Social Engineering.

- Reverse Social Engineering.

- Common social engineering techniques:

- 1. Pretexting.

- 2. Baiting.

- 3. Something for something.

- 4. Tailgating.


Phishing attacks.

- Spear-phishing.

- Clone phishing.

- Whaling – phishing for executives.

- Smishing and Vishing Attacks.


Case studies.

We will discuss the mistakes and the consequences in one or more of the following case studies:

- May 2022, attack that targeted the Port of London Authority.

- October 2021, attempt to hack over 250 Office 365 accounts.

- October 2020, International Maritime Organization (IMO) report.

- March 2013, South China Sea.

- June 2021, United States Naval Institute (USNI) report.

- September 2020, shipping company CMA CGM SA, ransomware attack.

- December 2018, U.S. Navy report.

- June 2017, NotPetya ransomware attack, Danish shipping giant Maersk.

- August 2016, India’s Scorpene submarines.

- June 2015, Qihoo360.

- February 2022, multiple oil terminals in some of Europe’s biggest ports across Belgium and Germany.

- What has happened?

- Why has it happened?

- Which were the consequences?

- How could it be avoided?


Closing remarks and questions.


Target Audience

The program is beneficial to the Board of Directors and the CEO of firms and organizations in the maritime sector.


Duration

1 hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



A2. The NIS 2 Directive as it applies in the maritime sector, for the Board of Directors and executive management of EU legal entities.

Overview

The NIS 2 Directive replaces and repeals the NIS Directive (Directive 2016/1148/EC). NIS 2 will improve cybersecurity risk management and will introduce reporting obligations across sectors such as energy, transport, health and digital infrastructure.

Important obligations: According to Article 20 (Governance), the management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities, oversee their implementation and "can be held liable for infringements."

According to Article 20, Member States shall ensure that the "members of the management bodies of essential and important entities are required to follow training," and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.

According to Article 21 (Cybersecurity risk-management measures), essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

Taking into account the "state-of-the-art" and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.

The measures shall be based on an "all-hazards approach" that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include "at least" the following:

(a) policies on risk analysis and information system security;

(b) incident handling;

(c) business continuity, such as backup management and disaster recovery, and crisis management;

(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

(g) basic cyber hygiene practices and cybersecurity training;

(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;

(i) human resources security, access control policies and asset management;

(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.


Course Synopsis

- Are you sure we must comply with the NIS 2 Directive? Where can we find this information?
- Are we an essential or important entity? Why?

- What is this "high common level of cybersecurity across the EU"?
- The new competent authorities - the Cooperation Group, the cyber crisis management authorities, the single points of contact on cybersecurity, and the Computer Security Incident Response Teams (CSIRTs).
- The European cyber crisis liaison organisation network (EU-CyCLONe) for large-scale cybersecurity incidents and crises.
- The new cybersecurity risk management measures and reporting obligations.
- The new cybersecurity information sharing obligations.

- Cybersecurity risk management measures and reporting obligations.
- Governance.
- The management bodies of essential and important entities must approve the cybersecurity risk-management measures.
- The management bodies of essential and important entities are required to follow training, and Member States must encourage essential and important entities to offer similar training to their employees.
- Cybersecurity risk-management measures.
- Reporting obligations.

- Jurisdiction and territoriality.
- Entities are considered to fall under the jurisdiction of the Member State in which they are established.
- Entities are considered to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken.
- Entities that are not established in the EU but offer services within the EU must designate a representative in the EU.
- The role and the tasks of the representative.

- Cybersecurity information-sharing arrangements.
- General aspects concerning supervision and enforcement.

- What is next: Delegated and Implementing Acts.
- Review.
- Transposition.

- Master plan and list of immediate actions, for firms established in the EU.

- Other new EU directives and regulations that introduce compliance challenges to EU firms: The European Cyber Resilience Act, the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER) etc.

- Closing remarks.


Target Audience

The program is beneficial to the Board of Directors and the CEO of EU legal entities in the maritime sector.


Duration

1 hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



A3. The NIS 2 Directive as it applies in the maritime sector, for the Board of Directors and executive management of non-EU legal entities.

Overview

Under Article 26 of the NIS 2 Directive (Jurisdiction and territoriality), if an entity is not established in the EU but offers services within the EU, it shall designate a representative in the EU. The representative shall be established in one of the Member States where the services are offered. Such an entity shall be considered to fall under the jurisdiction of the Member State where the representative is established. In the absence of a representative, any Member State in which the entity provides services may take legal action against the entity for infringement of this Directive.


Course Synopsis

- What is extraterritoriality?
- Extraterritorial application of EU law.
- Risk and compliance management challenges for firms established in non-EU countries.
- Are you sure we must comply with the NIS 2 Directive? Where can we find this information?
- Are we an essential or important entity in the EU? We are not established in the EU, and we are regulated in our country.

- Jurisdiction and territoriality.
- Entities are considered to fall under the jurisdiction of the Member State in which they are established.
- Entities are considered to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken.
- Entities that are not established in the EU but offer services within the EU must designate a representative in the EU.
- The tasks of the representative.

- The "high common level of cybersecurity across the Union".
- The new cybersecurity risk-management measures and reporting obligations.
- The new cybersecurity information sharing obligations.
- The new EU competent authorities and single points of contact.
- The new European cyber crisis liaison organisation network (EU-CyCLONe) for large-scale cybersecurity incidents and crises.
- International cooperation.

- Cybersecurity risk management measures and reporting obligations.
- Governance.
- The management bodies of essential and important entities approve the cybersecurity risk-management measures.
- The management bodies of essential and important entities are required to follow training, and Member States must encourage essential and important entities to offer similar training to their employees.
- Cybersecurity risk-management measures.
- Reporting obligations.

- General aspects concerning supervision and enforcement.
- Supervisory and enforcement measures in relation to essential entities.
- Supervisory and enforcement measures in relation to important entities.
- General conditions for imposing administrative fines on essential and important entities.
- Infringements entailing a personal data breach.
- Penalties.

- What is next - Delegated and Implementing Acts.
- Review.
- Transposition.

- Master plan and list of immediate actions, for firms established in non-EU countries.

- Other new EU directives and regulations that introduce compliance challenges to EU and non-EU firms: The European Cyber Resilience Act, the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER) etc.

- Closing remarks.


Target Audience

The program is beneficial to the Board of Directors and the CEO of non-EU legal entities in the maritime sector.


Duration

1 hour to half day, depending on the needs, the content of the program and the case studies. We always tailor the program to the needs of each client.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B1. An effective cybersecurity culture and the Board of Directors.

Overview

The Board of Directors, as the culture owner, must ensure that the beliefs, the perceptions, the attitudes, the assumptions, and the norms regarding cybersecurity are in line with the mission and the vision of their organization. They must also ensure that information security considerations are an integral part of every employee’s and manager’s job, habits, and conduct.

The majority of data breaches within organisations are the result of human actors. Cybersecurity is not only a technical challenge. As long as managers and employees can provide access to systems and data, cybersecurity depends on them too.

Employees who have access to critical assets of an organization become targets. Those who have access to technology and organizational assets are also responsible for the protection of those assets. Are they fit and proper to handle this responsibility? Do they have the awareness and skills necessary to protect themselves and their organisation?

The economic costs of cyberattacks and breaches are higher than many directors and managers believe. There are direct and indirect costs, which include downtime of services, compromise of confidential information, fines, decreased profits through reputational damage, supervisory scrutiny etc.

We tailor the program to include the organization’s cybersecurity compliance obligations and their implications across all relevant jurisdictions, the specific threat actors the organization faces, and how the organization is most likely to be breached.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B2. Social engineering and the Board of Directors

Overview

Cybersecurity is not only a technical challenge. It is also a behavioral challenge. As long as managers and employees can provide access to systems and data, cybersecurity depends on them too.

Employees who have access to critical assets of an organization become targets. Those who have access to technology and organizational assets are also responsible for the protection of those assets. Are they fit and proper to handle this responsibility? Do they have the awareness and skills necessary to protect themselves and their organisation?

The Board and the CEO are high-value targets, so they are high-risk targets too. For them, standard security awareness programs are not going to suffice. The way they are targeted is anything but standard. They are the recipients of the most sophisticated, tailored attacks, including state-sponsored attacks. These attacks are often well planned, well crafted, and employ advanced psychological techniques able to sway a target towards a desired (compromising) behavior without raising any alarms.

Are the Board members and the CEO equipped with the knowledge necessary to defend the organization and to protect themselves from well-funded, planned, and sophisticated attacks?


Course Synopsis

Board members and the CEO must better understand the social engineering modus operandi. We will cover:


The Social Engineering Kill-chain.

1. Reconnaissance: The research phase used to identify and select targets.

2. Targeting: Who is the most vulnerable person to attack? What is the biggest vulnerability of the target?

3. Pretexting: The attacker’s cover story.

4. Establishing trust with the target.

5. Manipulating, exploiting, and victimizing.

6. Case studies.


Typical Social Engineering Attacks from a Distance.

1. Phishing Emails.

2. Spear Phishing.

3. Vishing.

4. Smishing.

5. Watering Holes.

6. Spoofing.

7. Baiting.

8. Whaling phishing.

9. Emotional triggers that will make you want to respond - but you shouldn’t.

10. Case studies.

11. Defence.


Is your social media content making you a target?

1. Social media is a primary source of information for attackers.

2. How your social media content can be used against you.

3. Cybersecurity hygiene advice for social media.

4. Attacks through social media.

5. Examples.

6. Defense.


In-person attacks and manipulation techniques.

1. USB traps.

2. Emotional elicitation & exploitation.

3. Time pressure.

4. Authority.

5. Likeability.

6. Intimidation.

7. Reciprocity.

8. Impersonation.

9. Pity & Helpfulness.

10. Commitment & Consistency.

11. Reverse Social Engineering.

12. Examples & Case Studies.

13. Defence.


Physical security.

1. Why social engineers will try to enter your establishment.

2. What assets can be stolen or compromised?

3. Gaining unauthorized access to physical spaces.

4. Tailgating and bypassing physical security measures.

5. Locked does NOT mean secure - lockpicking capabilities.

6. Defence.


Identifying a social engineering attack.

1. Identifying manipulation and deceit.

2. Emotional triggers, emotional exploitation & what to do about it.

3. Verifying intentions - subtly.

4. Case studies.

5. Responding to and deterring a social engineering attack.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Christina Lekati, psychologist, social engineering training expert. To learn about her you may visit: https://www.cyber-risk-gmbh.com/About_Christina_Lekati.html



Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B3. Social engineering: the targeting and victimization of key people through weaponized psychology

Overview

Threat actors are not interested in attacking everyone and anyone in an organization. High value individuals are the ones with elevated access to information, assets, and systems. Board members and the C-Suite become by default high-risk targets for cyberattacks.

The most effective and frequent method to attack high value individuals is weaponized psychology. Board members and C-Level executives must learn the answers to the following questions:

- What is the advanced psychological game that threat actors use to compromise their targets?

- How do they find their targets’ vulnerabilities?

- What can we do to avoid being exploited by a determined adversary with a carefully planned attack?

High-value individuals must understand the threat, to protect themselves and their organisation from cyber attacks, industrial espionage, competitors, and other threat actors lurking online and offline.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Christina Lekati, psychologist, social engineering training expert. To learn about her you may visit: https://www.cyber-risk-gmbh.com/About_Christina_Lekati.html



Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B4. State-sponsored but independent hacking groups. The long arm of countries that exploit legal pluralism and make the law a strategic instrument


Overview

According to Article 51 of the U.N. Charter: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.”

But is a cyber-attack comparable to an armed attack?

There is no international consensus on a precise definition of a use of force, in or out of cyberspace. Nations assert different definitions and apply different thresholds for what constitutes a use of force.

For example, if cyber operations cause effects that, if caused by traditional physical means, would be regarded as a use of force under jus ad bellum, then such cyber operations would likely also be regarded as a use of force.

Important weaknesses of international law include the assumption that military and civilian targets can be isolated with sufficient clarity, and that a tangible military objective to be attained by an attack can be identified.

More than 20 countries have announced their intent to use offensive cyber capabilities, in line with Article 2(4) and Article 51 of the United Nations (UN) Charter.

Unfortunately, these capabilities will not help when the attackers are State-sponsored groups, and the States supporting them claim not only that they are not involved, but also that their adversaries (the victims) have fabricated the evidence. This is a very effective disinformation operation.

Adversaries have already successfully exploited weaknesses of non-authoritarian societies, especially the differing political and legal interpretation of facts by different political parties. It is difficult to use offensive cyber capabilities in line with democratic principles and international law, as it is almost impossible to distinguish with absolute certainty between attacks from States and attacks from State-sponsored independent groups.

Even when intelligence services know that an attack comes from a State that uses a State-sponsored independent group, they cannot disclose the information and the evidence that supports their assessment, as disclosures about technical and physical intelligence capabilities and initiatives can undermine current and future operations. This is the “second attribution problem” – they know but they cannot disclose what they know.

As an example, we will discuss the data breach at the U.S. Office of Personnel Management (OPM). OPM systems had information related to the background investigations of current, former, and prospective federal government employees, U.S. military personnel, and those for whom a federal background investigation was conducted. The attackers now have access to information about federal employees, federal retirees, and former federal employees. They have access to military records, veterans' status information, addresses, dates of birth, job and pay history, health insurance and life insurance information, pension information, data on age, gender, race, even fingerprints.

But why?

Aldrich Ames, a former intelligence officer turned mole, has said: “Espionage, for the most part, involves finding a person who knows something or has something that you can induce them secretly to give to you. That almost always involves a betrayal of trust.”

Finding this person is much easier if you have data that is easily converted to intelligence, like the data stolen from the U.S. Office of Personnel Management (OPM). This leak is a direct risk for critical infrastructure.

There are questions to be answered, and decisions to be made, not only about tactics and strategy, but also about political and legal interpretation.

We tailor the program to meet specific requirements. You may contact us to discuss your needs.

Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half a day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B5. Deception, disinformation, misinformation, propaganda, and the role of the Board.


Overview

Misinformation is incorrect or misleading information.

Disinformation is false information, deliberately and often covertly spread, in order to influence public opinion, or obscure the truth.

Propaganda is a broader and older term. Propaganda uses disinformation as a method. While the French philosopher Jacques Driencourt asserted that everything is propaganda, the term is most often associated with political persuasion and psychological warfare.

Psychological warfare is the use of propaganda against an enemy (or even a friend that could become an enemy in the future), with the intent to break his will to fight or resist, or to render him favorably disposed to one's position.

In deception (according to Bell and Whaley), someone is showing the false and hiding the real. Hiding the real is divided into masking, repackaging, and dazzling, while showing the false is divided into mimicking, inventing, and decoying.

People are remarkably bad at detecting deception and disinformation.

They often trust what others say, and usually they are right to do so. This is called the “truth bias”. People also tend to believe something when it is repeated. They tend to believe something they learn for the first time, and subsequent rebuttals may reinforce the original information, rather than dissipate it.

Humans have an unconscious preference for things they associate with themselves, and they are more likely to believe messages from users they perceive as similar to themselves. They believe that sources are credible if other people consider them credible. They trust fake user profiles with images and background information they like.

Citizens must understand that millions of fake accounts follow thousands of real and fake users, creating the perception of a large following. This large following enhances perceived credibility, and attracts more human followers, creating a positive feedback cycle.

People are more likely to believe others who are in positions of power. Fake accounts have false credentials, like false affiliation with government agencies, corporations, activists, and political parties, to boost credibility.

Freedom of information and expression are of paramount importance in many cultures. The more freedom of information we have, the better. But the more information we have, the more difficult it becomes to understand what is right and what is wrong. The right of expression and the freedom of information can be used against the citizens. Information is often weaponized.

The Internet and social media are key game-changers in exploiting rights and freedoms. In the past, a secret service had to work hard to get disinformation into the press. Today, the Internet and social media make it possible to spread limitless fake photos, reports, and "opinions". Many secret services wage online wars using Twitter, Facebook, LinkedIn, Google+, Instagram, Pinterest, Viber etc. Only imagination is the limit.

Social media platforms, autonomous agents, and big data are directed towards the manipulation of public opinion. Social media bots (computer programs that mimic human behaviour and conversations using artificial intelligence) allow for the massive amplification of political views, and can manufacture trends, game hashtags, add content, spam the opposition, and attack journalists and persons who tell the truth.

In the hands of State-sponsored groups these automated tools can be used to both boost and silence communication and organization among citizens.

Over 10 percent of content across social media websites, and 62 percent of all web traffic, is generated by bots, not humans. Over 45 million Twitter accounts are bots, according to researchers at the University of Southern California.

Machine-driven communications tools (MADCOMs) use persuasive techniques based on cognitive psychology and artificial intelligence. These tools spread information, messages, and ideas online, for influence, propaganda, counter-messaging, disinformation, espionage, and intimidation. They use human-like speech to dominate the information space and capture the attention of citizens.

Artificial intelligence (AI) technologies enable computers to simulate cognitive processes, such as elements of human thinking. Machines can make decisions, perceive data or the environment, and act to satisfy objectives.

The rule of the people, by the people, and for the people, requires citizens who can make decisions in areas they do not always understand. When citizens understand the online environment, they will be far better prepared to protect their families, their working environment, and their country.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half a day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B6. Cyber espionage, intellectual property theft, and the role of the Board.


Overview

Intelligence is the collection of information that has military, political, or economic value.

Intelligence refers to both:

- information that is collected by clandestine means,

- information available through conventional means.

Espionage is a set of intelligence gathering methods.

The Oxford English Dictionary defines espionage as “the practice of spying or of using spies, typically by governments, to obtain political and military information.”

Merriam-Webster's Dictionary has a slightly different definition. Espionage is “the practice of spying or using spies, to obtain information about the plans and activities especially of a foreign government or a competing company.”

The U.S. Federal Bureau of Investigation (FBI) defines economic espionage as "the act of knowingly targeting or acquiring trade secrets to benefit any foreign government, foreign instrumentality, or foreign agent."

According to the 2019 Situation Report of the Swiss Federal Intelligence Service (FIS): "Espionage is driven by a variety of different motives and has more than one aim. For example, states strive, using information obtained by their intelligence services, to gain a fuller picture of the situation in order to improve the effectiveness of their actions.

It can furthermore be observed that information is increasingly being procured with the aim of influencing (in so-called influence operations) or damaging the actions of rivals. Both can be achieved through the selective publication of information. The aim of such activities is often to weaken the cohesion of international groups or institutions and thereby to restrict their ability to act."

Cyber is a prefix used to describe new things that are now possible as a result of the spread of interconnected computers, systems, and devices. It relates to data processing, data transfer, or information stored in systems.

With the word cyber we also refer to anything relating to computers, systems, and devices, especially the internet.

The prefix cyber has been added to a wide range of words, to describe new flavors of existing concepts, or new approaches to existing procedures.

Intelligence gathering involves human intelligence (HUMINT - information collected and provided by human sources), signals intelligence (SIGINT - information collected by interception of signals), imagery intelligence (IMINT), measurement and signature intelligence (MASINT), geospatial intelligence (GEOINT), open-source intelligence (OSINT), financial intelligence (FININT), etc.

HUMINT is the oldest form of intelligence gathering. Cyber-HUMINT refers to the strategies and practices used in cyberspace, in order to collect intelligence while attacking the human factor.

Cyber-HUMINT starts with traditional human intelligence processes (recruitment, training, intelligence gathering, deception etc.), combined with social engineering strategies and practices.

Cyber espionage includes:

- unauthorized access to systems or devices to obtain information,

- social engineering of persons who have authorized access to systems or devices, to obtain information.

Cyber espionage involves cyber attacks to obtain political, commercial, and military information.

Cyber espionage and traditional espionage have similar or the same end goals. Cyber espionage exploits the anonymity, global reach, scattered nature and interconnectedness of information networks, and the deception opportunities that offer plausible deniability.

Economic and industrial espionage, including cyber espionage, represents a significant threat to a country’s prosperity, security, and competitive advantage. Cyberspace is a preferred operational domain for many threat actors, including countries, state-sponsored groups, organized crime, and individuals. Artificial Intelligence (AI) and the Internet of Things (IoT) introduce new vulnerabilities.

Cyber economic espionage is the targeting and theft of trade secrets and intellectual property. It is usually much larger in scale and scope, and it is a major drain on competitive advantage and market share.

According to Burton (2015), cyber threats can be classified into four main categories: Cybercrime, cyber espionage, cyberterrorism, and cyber warfare.

Cybercrime is crime that is enabled by or targets computers. Criminal activities can be carried out by individuals or groups who have diverse goals such as financial gain, identity theft, and damaging property. Usually cybercrime is financially motivated.

Cyber espionage activities are conducted by state-sponsored cyber attackers "for the purpose of providing knowledge to the states to obtain political, commercial, and military gain" (Burton, 2015).

According to Denning, cyberterrorism is “the convergence of cyberspace and terrorism" that covers politically motivated hacking and operations intended to cause grave harm such as loss of life or severe economic damage.

Cyber Warfare involves the use of computers and systems to target an enemy’s information systems. The use of cyber power in military operations is an important force multiplier. Since the armed forces are highly dependent on information technologies and computer networks, disruption of these systems would provide great advantages.

Cyberspace is regarded as the fifth domain of warfare after land, sea, air, and space. NATO Secretary General Jens Stoltenberg announced in June 2016 that “the 28-member alliance has agreed to declare cyber an operational domain, much as the sea, air and land are”.

According to the 2019 Situation Report of the Swiss Federal Intelligence Service (FIS): "Espionage operations which have come to light reveal that cyber tools and other communications reconnaissance instruments are being used in parallel and in interaction with human sources.

Depending on the objective, information is also being procured exclusively via cyberspace. The latter has gained in importance insofar as the use of cyber-based information-gathering tools has proven successful for many actors.

Cyber espionage is difficult to detect, the perpetrators can hardly be successfully prosecuted, as the purported country of origin does of course not help to elucidate the affair and determination by the means of intelligence of the origins of the cyber-attack (‘attribution’) can simply be denied based on the lack of provability."

A major challenge today is the lack of awareness and training. Many organizations and companies continue to believe that cyber security is a technical, not a strategic, discipline. They believe that cyber security involves the protection of systems from threats like unauthorized access, not the awareness and training of persons who have authorized access to systems and information.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half a day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B7. Steganography in business intelligence and intellectual property theft, and the role of the Board.


Overview

Steganography is the art and the science of concealing a message, image, or file within another message, image, or file, and communicating in a way that hides the existence of the message and the communication. For example, a message can be hidden inside a graphic image file, an audio file, or another file format, in a way that is difficult for steganography experts, and impossible for everybody else, to detect.

The word steganography comes from the Greek words στεγανός (covered or concealed) and γράφω (write). The payload is the data that has been hidden, and the carrier is whatever (for example a file) hides the payload.

Steganography is different from cryptography. Cryptography is the art of secret writing: it makes a message unreadable by a third party, but it does not hide the existence of the message. Steganography is about concealing the message itself.

It is relatively easy to identify an encrypted file, but it is usually not so easy to decrypt it. The analysts might be able to identify the encryption method by examining the file header, identifying encryption programs installed on the system, or finding encryption keys (which are often stored on other media).

With steganography, everything is more complex and difficult. The analysts must first find the file that hides another encrypted file (looking for multiple versions of the same image, identifying the presence of grayscale images, searching metadata and registries, using histograms, and using hash sets to search for known steganography software), then the analysts might be able to extract the embedded data, and they still have to find the encryption key (as the hidden file is usually encrypted too).

Steganography can be very useful. Using digital watermarking, an author can embed a hidden message in a file so that ownership of the intellectual property can be proved. Artists can post artwork on a website, and if others claim ownership of the work, the artists can prove ownership because they can recover the watermark. Steganography also has a number of nefarious applications. Criminals can more easily hide records of illegal activity and financial crimes, and terrorists can more easily exchange messages.

Steganalysis is the analysis of steganography, and involves the detection of hidden data, the extraction of the hidden message, and sometimes the alteration of the hidden message so that the recipient cannot extract it, or receives a different message.

Many steganalysis tools are signature-based (similar to antivirus and intrusion detection systems). There are also anomaly-based steganalysis systems, which are more flexible and better suited to new steganography techniques.

New complex steganography methods continue to emerge. Spread-spectrum steganography methods are similar to spread-spectrum radio transmissions (where the signal is spread across a wide frequency spectrum rather than focused on a single frequency, in an effort to make detection and jamming more difficult). In spread-spectrum steganography, small distortions to images are less detectable in bright colors, so the hidden message is stored in bright colors only, not in each color. You can also check the Biosteganography link at the top of the webpage.
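The overview above lists histograms among the tools analysts use to find a carrier file. The following is an added example (it is not code from the original page or from Cyber Risk GmbH) of one such histogram-based check: the chi-square "pairs of values" test. It generates a constructed 8-bit grayscale carrier with the uneven pair frequencies typical of an unmodified image, embeds a random-looking payload (standing in for an encrypted message) in the least significant bits of a copy, and shows that the statistic drops sharply for the modified copy. The carrier data, the payload, and the decision threshold are all assumptions chosen for this illustration.

```python
"""
Added example: detecting sequential LSB embedding with the chi-square
"pairs of values" test (Westfeld and Pfitzmann, 2000).

In an untouched image the two members of a pair of values (2k, 2k+1)
usually occur with quite different frequencies. Overwriting every least
significant bit with random-looking (for example encrypted) payload bits
makes the two frequencies nearly equal, which lowers the statistic
relative to its degrees of freedom. All data below is constructed.
"""
import random
from collections import Counter
from typing import List


def make_carrier(n: int = 4096, seed: int = 1) -> List[int]:
    """Constructed sample: n grayscale values with a strong even-value bias,
    mimicking the uneven pair frequencies of a natural, unmodified image."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        base = 2 * rng.randrange(128)            # an even value 0, 2, ..., 254
        # three quarters keep the even value, one quarter becomes odd
        samples.append(base if rng.random() < 0.75 else base + 1)
    return samples


def random_payload(n: int, seed: int = 2) -> List[int]:
    """Constructed payload bits: uniformly random, as encrypted data looks."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]


def embed_lsb(carrier: List[int], payload_bits: List[int]) -> List[int]:
    """Sequential LSB replacement: the classic, easily detected scheme.
    Each sample stays in its pair (2k, 2k+1); only the LSB changes."""
    if len(payload_bits) > len(carrier):
        raise ValueError("payload does not fit in the carrier")
    stego = list(carrier)
    for i, bit in enumerate(payload_bits):
        stego[i] = (stego[i] & 0xFE) | (bit & 1)
    return stego


def chi_square_pov(samples: List[int]) -> float:
    """Chi-square pairs-of-values statistic over the 128 pairs (2k, 2k+1).
    The expected count of each pair member is the pair's mean, so the
    per-pair term simplifies to (n_even - n_odd)^2 / (n_even + n_odd)."""
    counts = Counter(samples)
    stat = 0.0
    for k in range(128):
        n_even, n_odd = counts[2 * k], counts[2 * k + 1]
        total = n_even + n_odd
        if total:
            stat += (n_even - n_odd) ** 2 / total
    return stat


def lsb_embedding_likely(samples: List[int], ratio_threshold: float = 2.0) -> bool:
    """Flag the samples when the statistic per degree of freedom (127 for
    128 pairs) is small. The threshold is an assumption for this constructed
    data; a production tool would derive a p-value from the chi-square
    distribution and scan the image in windows, because a payload shorter
    than the carrier only equalizes the pairs in the embedded prefix."""
    return chi_square_pov(samples) / 127.0 < ratio_threshold


if __name__ == "__main__":
    clean = make_carrier()
    stego = embed_lsb(clean, random_payload(len(clean)))
    for name, data in (("clean", clean), ("stego", stego)):
        print(name, "statistic:", round(chi_square_pov(data), 1),
              "LSB embedding likely:", lsb_embedding_likely(data))
```

The untouched carrier scores roughly 8 to 9 per degree of freedom, the fully embedded copy roughly 1, so the threshold separates them comfortably. The same test fails against methods that preserve the pair statistics (for example the spread-spectrum style methods mentioned above), which is why anomaly-based steganalysis usually combines several such features rather than relying on one.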


Case study, steganography used in espionage, organized crime, and terrorism.

Consider the following scenario. Every Friday afternoon (in the target's time zone) a member of a foreign state-sponsored group puts an item for sale on eBay, and posts a photograph of the item. The item for sale is real, and it will be sold according to the rules of eBay. Bids are accepted, money is collected, and items are delivered. The photograph of the item hides a message, but it is just one of the many millions of photos that can be found on eBay. Anybody in the world can download the photo, but only members of the same foreign state-sponsored group know how to extract the encrypted message and how to decrypt it.


What can we do?

Corporate security and acceptable use policies that detail what employees are authorized to do within the corporate environment can always help, and must be the first line of defense. Awareness training for all employees, which explains the reasons they have to respect policies and covers the modus operandi and risks of steganography attacks, is of paramount importance.

User policies explain what is prohibited, and they provide an organization with the legal means to punish or prosecute violators.

We must clearly explain in policies that every line of code or piece of software that is not approved is strictly prohibited. In this way, we will avoid most of the following:

- anti-forensics tools (used to thwart digital forensic investigations, like drive wiping tools, cache and history erasers, file property and timestamp altering tools, VPNs, e-mail, and chat log erasers),

- encryption or steganography tools (there are over 1,000 free steganography tools online, most of them very dangerous for everybody who downloads the "free" tool, or even visits these websites. On some websites we read: "This application does not require installation. You can copy the program files to an external data device, so as to run it on any computer you can get your hands on, with just a click of the button. It is not adding new items to the Windows registry or hard drive without your approval, as installers usually do, and it will not leave any traces behind"),

- exploit kits (programs designed to exploit a known vulnerability in a piece of software or online resource. They are often distributed as a package, which enables attackers with limited knowledge to launch sophisticated attacks),

- toolkits (that enable unsophisticated users to construct new malware applications, sometimes not detectable by standard signature-based virus scanning engines),

- keyloggers (designed to covertly monitor keystrokes on a device. Once a device has been compromised, all keystrokes, including passwords, can be monitored, and recorded),

- password cracking tools (designed to break password-protected files and accounts),

- sniffers (that capture and analyze network traffic. Many protocols, including FTP and chat, are not encrypted. These programs obtain cleartext information, and also collect packets that can be used to crack network passwords and find protected files, servers, and user accounts),

- spyware tools (for industrial espionage, unauthorized monitoring, and collection of proprietary data),

- piracy tools (that allow users to bypass copyright protection in various forms of media, making illegal copies, and saving to a storage medium).

There are unlimited methods of steganography; only imagination is the limit. We usually learn about encrypted messages hidden in large files (images, sound files, videos etc.), and nothing more. Although steganography is usually considered a technical problem, it is not only that. It is also a business intelligence (or just intelligence) problem. If we do not know where to look for hidden messages, we are very unlikely to find them. Only the cooperation of the public and the private sector can protect against these security threats.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half a day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



B8. Cyber Proxies and the role of the Board.


Overview

The word proxy is interesting. In Latin, procuro means to manage or administer, from pro (“on behalf of”) and curo (“I care for”).

Today a proxy is a person or entity who is authorized to act on behalf of another person or entity.

Countries expand their global intelligence footprint to better support their growing political, economic, and security interests around the world, increasingly challenging existing alliances and partnerships. They employ an array of tools, especially influence campaigns, to advance their interests or undermine the interests of other countries. They turn a power vacuum into an opportunity.

Countries use proxies (state-sponsored groups, organizations, organized crime, etc.) as a way to accomplish national objectives while limiting cost, reducing the risk of direct conflict, and maintaining plausible deniability.

With plausible deniability, even if the target country is able to attribute an attack to an actor, it is unable to provide evidence that a link exists between the actor and the country that sponsors the attack.

According to Tim Maurer, a proxy is an intermediary that conducts or directly contributes to an offensive cyber operation that is enabled knowingly, actively or passively, by a beneficiary who gains advantage from its effect.

Cyber proxies are valuable actors in political warfare. This is the employment of military, intelligence, diplomatic, financial, and other means, short of conventional war, to achieve national objectives. It encompasses the exploitation of computer networks and platforms, electronic warfare, psychological operations, and information operations.

For some countries, the main battlespace is the mind. With information and psychological warfare, these countries can morally and psychologically depress the enemy’s armed forces personnel and civil population.

In 2019, the United States spent $732 billion on defense, compared to Russia’s $65.1 billion. It is obvious that Russia and other countries in a similar position will try to find less expensive means to counter big, expensive U.S. weapons and systems. Cyber espionage is especially economical when countries conduct activities through proxies.

Countries actively create fertile ground for malicious activities to occur. Cyber actors (which include cyber criminals, hacktivists, and political, economic and religious groups) continually operate from within the sphere of influence of the sponsoring country with the understanding that their illegal activities will be tolerated, as long as they also support the objectives of the sponsoring country.

As John Carlin, former Assistant U.S. Attorney General for National Security has stated, what you’re seeing is the world’s most sophisticated intelligence operations when it comes to cyber espionage, using the criminal groups for their intelligence ends, and protecting them from law enforcement.

Cyber threats posed by cyber proxies must be managed, and the laws must be changed in this area. Publicly attributing malicious cyber activity to a country in a timely manner and holding that country accountable is difficult, but necessary. If international law is unable to solve these problems, national policies will ignore international law and confront cyber adversaries through rapid attribution and offensive countermeasures, to deter future aggression.


COVID-19 and cyber proxies

The COVID-19 pandemic has disrupted life worldwide, with far-reaching effects that extend well beyond global health to the economic, political, and security spheres. The economic and political implications of the pandemic will ripple through the world for years. It is raising geopolitical tensions, and many countries try to take advantage of the situation and increase their influence.

The economic fallout from the pandemic is likely to create or worsen instability in many countries, as people face challenges that include economic downturns, job losses, and disrupted supply chains. Some hard-hit developing countries are experiencing financial and humanitarian crises, increasing the risk of surges in migration, collapsed governments, or internal conflict.

The COVID-19 pandemic is prompting shifts in security priorities for countries around the world. As the public and the private sectors try to cut budgets, gaps are emerging in training and risk management. These gaps are likely to grow.

Cyber proxies consider the COVID-19 pandemic a major opportunity to spread a cyber pandemic and infodemics (disinformation campaigns that use the pandemic as a vector). They can influence citizens around the world to question the policies of many countries and divide the population. They can also attack the health care sector and the institutions involved in the management of the crisis, to weaken governments' response to the crisis.

Cyber proxies love the new "work from home" policies, and the exponential digitalization of our lives for work, education, communication and entertainment. Moving activities online creates new opportunities for malicious actors.


Target Audience

The program is beneficial to the Board of Directors and the CEO.


Duration

One hour to half a day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



Contact us

Cyber Risk GmbH
Dammstrasse 16
8810 Horgen
Tel: +41 79 505 89 60
Email: george.lekatis@cyber-risk-gmbh.com
Web: https://www.cyber-risk-gmbh.com


We process and store data in compliance with both the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.