Homeland security

Australia’s Corporate Reputation Index is a measure of consumer trust in the country’s top brands. Back in 2012 the national postal operator, Australia Post (AusPost), ranked number two on the index. By 2015 it had slipped to sixth place and by 2016 was all the way down to 19th.

Over that same period AusPost had been fighting an ongoing cybersecurity battle to stop its brand being used by hackers for nefarious purposes. “AusPost noticed our brand being used in late 2013 and early 2014 in very small numbers, which we were able to manage through take-downs of fraudulent sites,” says Kristin Lyons, chief information security officer at AusPost. But that action provided only a temporary reprieve and the problem has since become much worse, including “many aggressive campaigns, a steep increase in their numbers and many changes of tack”, adds Lyons.

The hackers’ main method of attack has been ransomware – malicious software that locks computer files and demands payment for their release. Typically the ransomware is hidden inside an attached “shipping confirmation” document in an email purporting to come from AusPost. The hackers have tried to entice tens of thousands of online users into downloading the malware using data gleaned from the target’s social media profiles to give the emails an air of authenticity.

According to the Australian Competition and Consumer Commission, these email scams cost consumers more than A$80,000 (US$61,580) in 2015. It is unclear what the reputational cost has been and whether falling consumer confidence in the company is linked to this proliferation in scams. But Lyons says that it was AusPost’s status as “one of Australia’s most trusted brands” that made it a desirable target in the first place. “People are familiar with our emails and will at times be expecting them, which could make them more susceptible to opening a fake email,” she adds.

The US Postal Service (USPS) has frequently found its brand being used in these targeted email attacks, known as spear phishing. “For several years our customers were commonly the target of these sorts of cyber attacks,” comments Greg Crabb, acting chief information security officer and digital solutions vice president at the USPS.

To tackle the problem, the USPS has introduced two sets of email authentication protocols that have “reduced the amount of spam purporting to be from the USPS to near zero”, Crabb explains.

The protocols – known as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) – allow email service providers such as Google and Yahoo to distinguish genuine USPS correspondence from phishing attacks. Crabb adds, “That has helped develop and preserve our email brand in a very measurable way.”
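To show the SPF half of what Crabb describes, here is a minimal SPF evaluator added for this article (it is not USPS code, and the DNS records and domain names in it are constructed). It checks whether the IP of a connecting mail server is authorised by the sending domain's published policy, including the `include:` mechanism that lets a brand owner authorise a third-party mailer without listing its addresses.

```python
import ipaddress

# Constructed DNS TXT records for hypothetical domains (not USPS's real records).
DNS_TXT = {
    "example-post.test": "v=spf1 ip4:203.0.113.0/24 include:mail-vendor.test -all",
    "mail-vendor.test": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, _lookups=None):
    """Evaluate the SPF record published for `domain` against the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Supports the ip4/ip6, include and all mechanisms, which cover the policy
    shapes a brand owner typically publishes to reject spoofed mail.
    """
    lookups = [0] if _lookups is None else _lookups  # shared DNS-lookup counter
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # no policy published: receiver cannot judge
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term        # mechanisms default to the "+" qualifier
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, value = mech.partition(":")
        if name == "all":                  # catch-all decides unmatched senders
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include":
            lookups[0] += 1
            if lookups[0] > 10:            # RFC 7208 caps DNS-querying terms at 10
                return "permerror"
            sub = evaluate_spf(value, sender_ip, lookups)
            if sub in ("none", "permerror"):
                return "permerror"         # including a domain without a record is an error
            if sub == "pass":              # include matches only when the sub-policy passes
                return QUALIFIERS[qualifier]
    return "neutral"                       # record exhausted without a match


if __name__ == "__main__":
    # A spoofed "shipping confirmation" sent from an unlisted host is rejected.
    print(evaluate_spf("example-post.test", "192.0.2.55"))   # fail
    print(evaluate_spf("example-post.test", "198.51.100.10"))  # pass (via include)
```

DKIM adds a signature over the message so that the receiver can verify it was not altered in transit; the two together are what let a receiving provider act on mail that merely claims to be from the operator.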

Right: Kristin Lyons, chief information security officer at AusPost

Gaps in security
Despite these efforts the USPS was the victim of a major cybersecurity breach in 2014. In this case hackers didn’t confine themselves merely to appropriating the USPS brand, but successfully penetrated the post’s own networks in an attack that compromised the personal information of nearly three million customers and stole the social security numbers of 750,000 former and current employees, according to US media reports at the time.

A follow-up report by the USPS’s watchdog, the Office of the Inspector General (OIG), was highly critical of the postal operator, finding that it lacked “a cybersecurity culture”.

One specific shortcoming the report pointed to was outdated software – half of the software systems tested by the OIG were no longer supported by the manufacturer, which meant that any security vulnerabilities could not be patched up. It also noted an understaffed cybersecurity team and negligible staff training – only about 1% of USPS employees had completed security awareness training, compared with an average of about 80% in the private sector.

More worryingly, when the OIG launched fake phishing attacks as part of its audit months after the original breach, it found that a quarter of staff still fell for the emails. “Information security awareness training is critical to ensuring that employees are equipped with the knowledge to identify and report phishing emails,” says Kimberly Benoit, the OIG’s deputy assistant inspector general for technology. “As a result, we recommended that management update training requirements to require all employees with network access to complete annual information security awareness training.”

Start with the basics
Creating a successful cybersecurity apparatus “often means doing the dull things right”, says Rob Pritchard, founder of the Cyber Security Expert, a web-based consultancy. He explains, “It means managing your assets so that you know what software is out of date and where your vulnerabilities are – this is not a trivial task for a large enterprise.”

In response to the OIG’s findings, the USPS initiated a comprehensive training program called Cyber Safe that has provided security awareness training to 200,000 staff and contractors who have computer access within the organization. As part of Cyber Safe, staff performance is continuously monitored through monthly fake phishing attacks.

“Every month we test 10,000 of our staff, and employees’ click rates have reduced dramatically,” says Crabb. “Whenever an employee takes the bait we provide remedial training and retest them afterward.”

As well as these measures, the USPS recently launched a consumer-facing campaign on its website to educate customers about potential cyberattacks.

Australia Post has also tried to promote public awareness about cybersecurity, using its website and social media strands to inform customers about the ransomware scams and provide practical advice to victims. “We believe it is our social obligation to keep our customers informed when these scams happen, so that they can take the required action to protect themselves,” says Lyons.

Left: Greg Crabb, acting chief information security officer and digital solutions vice president, the USPS

Types of attacks
Another key factor in tackling cyberthreats is understanding where they come from. Crabb says that the USPS deals with three main varieties of hackers: socially motivated hackers like members of the hacking collective Anonymous; criminal hackers whose motivation is solely financial; and hackers operating on behalf of a nation state.

“Socially motivated hackers,” he says, “usually favor denial-of-service (DoS) attacks, in which the targeted network is flooded with multiple requests in an attempt to overload the system.” The USPS has controls that protect it from DoS attacks.

“The most sophisticated attacks are usually those launched by nation states,” Crabb continues. “They require that we implement a layered set of controls, assuming that the adversary may be able to completely circumvent certain security controls of our tool providers. You can’t rely on only one or even two sets of tools when you’re dealing with a nation state actor.”

Media reports following the 2014 breach speculated that it may have come from China. The USPS has never confirmed its origin – it is still the subject of an FBI investigation – but Pritchard warns against attributing these large-scale hacks to nation states, contending that the motive is “more often financial”.

He points to the massive hack of US bank JPMorgan Chase in 2014, in which data on more than 80 million customers was stolen. One of the largest data breaches in history, the hack happened to coincide with the escalating conflict in eastern Ukraine between the government and pro-Russian separatists.

“There were lots of rumors at the time that it was Russian reprisals for the West’s involvement in Ukraine,” says Pritchard. “But it turned out to be some people running a pump-and-dump scam – a financial fraud that involves artificially inflating the price of stocks – and they were using the hacked customer details simply as a database.”

Protecting data
In order to protect customer data from attacks like the JPMorgan Chase hack, the USPS has trained staff to encrypt sensitive data, like credit card numbers, and to avoid storing it on hard drives. But a balance has to be struck, according to Crabb, “between privacy and security, and making the systems robust and available”.

He gives the example of the USPS change of address management system. Since 20% of the US population moves each year, the mailing community needs to be able to follow consumers. To facilitate this, the USPS has designed a system that allows sharing of change of address information “in a very privacy-enhanced way”, says Crabb.

“We don’t provide mail service providers with a database of names and addresses. Instead we encrypt that information and require that senders know the recipient’s name before they can get the new address. I consider that change of address system a national treasure.”

Right: Members of the USPS’s CyberSafe initiative passing out materials to attendees at the Cybersecurity Awareness Fair on October 11, 2016

The threat within
As well as the threat posed by hostile actors, posts must also contend with insider threats. To this end, the USPS uses a data-loss prevention tool that stops staff from using thumb drives or other removable media to take sensitive data out of its networks.

Pritchard, however, believes that technological solutions will only get you so far and that “it’s more an issue of personal management. You have to ask yourself: Are you correctly vetting staff and dealing with disgruntled employees so that it doesn’t get to the point where someone walks out of the door with a lot of sensitive data?”

Pritchard is skeptical about the existing insider threat detection software that is meant to pick up on unusual user behavior: “It tends to generate a lot of false positives, so it requires very competent operators to monitor it, who know the system well and can drill through what they’re seeing and pick out the genuine anomalies. In the end it still comes down to having good personnel.”

The full version of this article appears in the January 2017 issue of Postal Technology International.

Article by Paul Willis

December 2, 2016
