On this week’s meeting of the security minds, stalwart SecurityIntelligence podcast hosts Pam Cobb and David Moulton tackle travel security with the help of IBM Security Vice President Caleb Barlow.
Since transportation services are now second only to financial institutions as the most-targeted industry, it’s worth diving into the why and how of travel data value, emerging attacker interest and effective defense techniques.
Cyberattacks on the Travel Industry Are Taking Off
As Barlow notes, while the financial services industry invariably tops the “most likely attacked” list, transportation and travel services have typically been at the bottom. However, a shift is underway: “the transportation industry in particular, which also includes things like air travel, is now the second most likely to be attacked.”
According to a recent X-Force Threat Intelligence Index,13 percent of all attacks targeted the travel industry in 2018. According to Barlow, attackers have now realized that “getting access to travel data provides a whole other level of context about an individual because if I know where you travel, I know what you’re interested in. I know your political views. I know how you think.”
It’s About the Journey — Not the Destination
The travel industry’s quick shift from low-priority target to second-place infosec imperative begs the question: Are organizations prepared to handle the new travel security concerns?
From Barlow’s perspective, probably not. Because transportation companies have historically been passed over by attackers, “you haven’t historically seen the investment required to protect.” But with critical information such as passport data now under threat from cybercriminals, organizations need to reevaluate their security measures.
For Barlow, it’s not about a quick-fix destination; instead, businesses “need to pick a security framework, something like NIST, evaluate where [they] are relative to that framework and where [they] need to invest.”
Travel Security Tips for Individuals
Travel security attacks can also pose a risk to individuals. It’s easy for frequent fliers and periodic passengers to put their data in harm’s way if they’re caught up in the stress of catching flights, safeguarding possessions and sorting out trip details. Barlow suggests shredding plane tickets rather than tossing them in the trash, as their barcodes often link to personally identifiable information (PII). He also points to the advantages of using passphrases rather than passwords:
“If you start getting over 15 characters and it’s a phrase, then you’ve got something that might take years to break,” says Barlow.
It’s also a good idea to avoid the obvious travel security pitfall that is public Wi-Fi. A recent IBM Security survey found that 70 percent of travelers still use public Wi-Fi, which can put the data stored on their laptops and mobile devices at risk.
Attackers are now taking the road less traveled and compromising transportation companies’ systems to steal personal data. Financial investment in critical frameworks can help to reduce total risk for organizations, while insuring device safety for jet-setters means getting back to security basics.
David: Oversharing is real and it’s such an easy thing to do when we’re traveling.
Pam: When people do share pictures digitally on social media, they come with a lot of info behind their vacation happy snaps. A lot of cameras, they embed metadata like location and day and maybe even who you were with.
David: That richness, that context, that’s what’s making travel data so appealing to criminals and it’s why the transportation industry is increasingly been a target for attacks.
Pam: So our IBM X-Force security research team in their most recent Threat Intelligence index reported that transportation services was the target of 13 percent of total attacks and incidents in 2018. After financial services, that industry is 2nd most likely to be attacked and it’s up from 10th in 2017.
This is the Security Intelligence Podcast, where we discuss cyber security, industry analysis, tips and success stories. I’m Pam Cobb.
David: And I’m David Moulton.
This episode we have Caleb Barlow back on the show to talk about travel and transportation security. Caleb is the Vice President of X-Force Threat Intelligence for IBM Security.
As Caleb puts it, getting access to travel data provides a whole other level of context about an individual. He shares his insights into why the transportation industry is the second most likely to be attacked and how individual travelers can protect their PII. Here’s our conversation.
David: So why is travel, transportation and security top of mind for you right now?
Caleb: Well, interestingly enough, historically, if we look at what are the industries most likely attacked, you know, you would see financial services at the top. Why? Well, because they’ve got the money. And then you would often see critical infrastructure, healthcare, things like that. Travel, transportation, almost always at the bottom.
Well, we saw that dramatically shift this year where the transportation industry in particular, which also includes things like air travel, is now the second most likely to be attacked industry right behind financial services.
David: Well, that’s terrifying.
Caleb: And the interesting part of this is the why. Well, most of this is coming from nation state adversaries that have realized that, you know, in addition to getting PII, you know, name, date of birth, maybe your social security number, you know, that type of thing. Getting access to travel data provides a whole other level of context about an individual because if I know where you travel, I know what you’re interested in. I know your political views. I know how you think. And for a lot of entities, this can be very important to understand. Do you support a government? Do you not?
So this pivot in the travel and transportation space is all about the adversaries who in many cases have already stolen all of our, you know, kind of traditional PII like name and address and date of birth and phone number. Maybe they’ve already stolen our healthcare records. It’s about now providing that context to how do we feel, what do we believe, how do we spend our time. And that’s why you’re seeing this industry really take off as the second most likely industry to be attacked.
David: So if you go from number six to number two, that’s a pretty big jump. Are our customers in transportation, are they prepared to deal with these attacks?
Caleb: Generally speaking, when we see a dramatic increase in attacks in a particular industry, not only does this represent a, you know, potentially new found business model by the adversary or new interest level from the adversary, but it’s also a recognition that maybe an industry hasn’t stepped up to ride all the protections that they need to. And, you know, if we go industry by industry, there are a lot of kind of cultural norms of how much do they invest, how much do they understand about the attack service and their own vulnerabilities, and how much are they willing to invest.
I think financial services, having been at the top and the most likely to be attacked and the fact that probably every financial institution of size has had some form of significant attack, those companies are typically very well-funded on their cyber security teams. They often hire many of the best people they can get their hands on, but they’re also constantly hit with these attacks so those people are well exercised and well versed.
When we go to other industries, both critical infrastructure and non, and travel and transportation being one of them, you haven’t historically seen those types of attacks. You haven’t historically seen the investment required to protect. And it just hasn’t been one of the top business risks that they’ve been dealing with. That is clearly changing and that will clearly change this year. And I think much like we saw for example in the retail industry, you will see that pivot of budget, of attention, and of ultimately even hiring pivot in these industries because they’re gonna realize fairly quickly that the business risk due to cyber security is probably one of if not the top risk that they have as a corporation.
David: Could you spend a minute and riff on what the business risks are to these organizations?
Caleb: Well, if we look at, again, travel and transportation, the business risks are somewhat different than…you know, let’s say you have financial services. You know, if I lose your credit card, a business might be on the hook to replace that card, might be on the hook to pay for credit monitoring, things like that. But now that we get into other forms of PII or other information, the risks grow in rather unique ways.
One of the things we saw for example in the Marriott breach is the loss of passport numbers. Well, passports aren’t exactly easy to replace. In fact, it cost over a $100 USD to replace a passport. And there’s a lot of discussion going on right now as to whether the individuals who had their data stolen may need updated passports and who’s gonna pay for that and how would that even work, right? Because you can do a lot of things with a passport, right? In a lot of ways the passport is kinda like having a social security card. You know, you can get on an airline flight, you can get a job. You can do a lot of things with a passport because it demonstrates not only identity, but also demonstrates citizenship.
I think the other thing we get into where this gets really interesting is…let me pivot to let’s say healthcare, right? You know, historically we thought of the loss of healthcare data as a whole lot more PII, right? I mean, your doctor has your social security number, your name, your date of birth. They know your ailments, they know your allergies. But they also know your medical history. And, you know, initially we would see those stolen medical records maybe used to have people sign up for surgeries that it wasn’t the person. You know, kind of medical fraud.
But, you know, if we put this in the hands of a nation state adversary, you know a lot about who you’re up against based on their medical record. And there’s a lot of interesting and nefarious things you could do with that. But if we really span this out, right, and you say, “Well, where is this going, right? They’ve got my PII, they’ve potentially got my healthcare information, now maybe they’re getting my passport details and my travel details.” What’s next?
Well, what’s next is genomic information. And what’s fascinating when we look at genomic data is I don’t actually even need to steal your data. I just need to steal the data of a close relative and then I know a lot about you as well. So, that’s just one example of where this is going as just like we build databases for marketing on people and understand, you know, as much as we can about who’s gonna respond to what ad, so too can a nation state adversary build all of these details about a person from a variety of different breaches.
David: So what tactics can travel and transportation services take to be proactive against attacks and incidents?
Caleb: Well, at the end of the day, regardless of what industry you’re in, the types of approaches you need to take to prevent the loss of data or a destructive attack are all very much the same regardless of industry, right? The first thing to do is to pick a security framework, something like NIST, evaluate where you are at relative to that framework and where you need to invest.
Having good hygiene, good security culture is absolutely key. And first off getting that baseline in a framework and then starting to execute against that framework is what’s gonna get you there. And that is not only an all of company discussion, but it’s also a board level discussion with, you know, honestly complete transparency between the lowest level responder and a board member.
David: What about the travelers themselves, Caleb? What considerations do you think travelers should be thinking about to protect their identity and their data?
Caleb: The challenge in a lot of this is the traveling public often doesn’t have a whole lot they can do here because providing this information is required, for example, to get on a plane. A lot of times it’s required to register at a hotel. So, unfortunately you don’t really have the option of not providing it and it’s difficult to monitor, right? I mean, there’s no good way to know if your passport number was stolen, for example.
But there are some things we can do to practice good hygiene, right? Not having that information outward and accessible. You know, I think one of the great examples is airline tickets. There’s an awful lot of information on the barcode on an airline ticket. Most people just throw them in the trash at the airport. Don’t do that. Take them home, shred them, rip them up, throw them in the trash someplace other than the airport where they’re not gonna get lifted. You know, that’s another really important thing to think about. And, of course, passwords, right?
You need a password with length. Oddly enough, I don’t actually care so much about the complexity, you know, upper, lower case, special characters. What I really care about is the length because it’s relatively easy to crack a password. A passphrase is really difficult to crack. So even a 12 character password, if it’s a word, it’s pretty easy for an adversary to crack that just by brute forcing it. If you start getting over 15 characters and it’s a phrase, then you’ve got something that might take years to break and that’s gonna be a much more powerful solution that you can implement on your own and you don’t need to rely on anyone else to do it.
Pam: Caleb talked about transportation security, this macro industry view, but let’s shift gears and get a little more personal, David. Let’s talk about security for individual travelers.
David: Right, in case you’re one of the 47 million Americans gearing up to travel for the 4th of July this year.
Pam: I mean, who doesn’t love to migrate across the country for uppity colonist day?
David: Uppity colonist day. I know I do but that’s just a…so that I can go back to the Midwest and escape the incredible heat here in Texas.
Pam: Well, it’s no fun if you blow your own thumb off with your homemade fireworks in your own cul-de-sac, David. Like, we know how to celebrate in the south.
David: That’s right. You’re not wrong. Although the last couple of years it seems like the folks in Texas are more worried about setting things on fire, all the things on fire than setting off the fireworks.
Pam: That’s a real concern. Hey, speaking of things that are on fire, we’ve got a red-hot survey fresh off the press.
So, a company called Morning Consult did this online survey on behalf of IBM Security earlier this year and we were talking to over 2,200 U.S. adults about their travel security choices. And basically, the net is that a lot of people are making risky choices for the sake of convenience.
So, 7 out of 10 Americans, good old 70 percent, do the math with me at home, have connected to unsecured public Wi-Fi, they’ve charged a device using a public USB station or they’ve been able to auto connect on their devices, thus putting all of their information on their laptops, mobile devices at risk
Have you ever done any of these things, David?
David: And when you think… Oh, for sure. I look back and I think about the number of times that I’ve made some of these choices. I am tired, I’ve got the family with. I need to check something. My phone battery’s down.
It’s so temping to choose that convenience or that immediately accessible or cheap option sometimes, not realizing that there’s a whole lot of risk. It might be invisible but a whole lot of risk with it. And so the fact that it’s only 7 out of 10 doesn’t… I mean, maybe it’s the 7 out of 10 that surprises me. I would’ve thought it was a little higher personally. A nice 80 percent. You know, 80-20 rule.
David: But I think that if you’re going to travel and you’re thinking about how to keep yourself safe, how to keep your family safe and your data safe, make those choices ahead of time. So, if you’re going to be traveling and you know your phone’s going to run out of juice, you can pack a battery that gets you out of a pretty risky spot of plugging your phone or your computer into a public USB station. And the same goes for public Wi-Fi and, you know, going and auto attaching. Those are convenient so that the data is always flowing and/or it’s free but, you know, as we’ve seen, there’s a lot of ways that…public Wi-Fi is not a clean place to tap into if you wanna make sure that you’re protected.
Pam: Yeah. It is very easy to set up what looks like free public Wi-Fi as long as you name your Wi-Fi network some catchy thing.
David: So, Pam, when you’re thinking about a trip, are there certain things that you do to protect yourself and/or your family or things that you would recommend for our listeners?
Pam: Well, I mean, beyond the don’t connect to public Wi-Fi…and that’s a hard message honestly to get across to kids. Mine are at an age where they both have their own phones and they’re also maxing out their data plans, and so there is this strong urge to connect to Wi-Fi and we have a lot of not exactly the let’s talk about safety discussions that I remember from my childhood. So being careful where you connect and using a VPN, and making sure it’s a legitimate VPN and not one you got off an unauthorized app store that may have been put there by someone else looking to steal your data as you route your stuff through their VPN.
David: Yeah, absolutely. I think that that’s the first thing that came to mind for me was to put that VPN in there and make sure that that traffic that you’re sending is protected and made private rather than open Wi-Fi networks.
Pam: Yeah, one thing that I’m not good about that I need to be better with is shredding tickets or even baggage claim…like, those horrible stickers that get…if you check your bag. And I’ll be honest, sometimes now I just spit a piece of gum into them and crumple it up because at least it’ll be disgusting for an attacker trying to steal my data.
David: You know, it doesn’t take too long to shred it or rip it up and throw it away, and make sure that it’s disposed of in a safe way. Definitely a little bit more work, but the kind of thing that if before you go on your vacation, before you travel, you think these are the things that you always do. Just add one more thing to your routine and, you know, then you don’t end up finding yourself compromised and/or having the, you know, the low light of your travel being a data breach or a stolen identity.
Pam: Yeah. I remember back in the day my mother would always encourage me to travel with travelers’ checks. I don’t even know where to get those from now. But I do tend to leave my debit card at home and only carry a credit card because there is better banking protection, you know, in the event something does happen.
But, yeah. I just…I think, “Oh, travelers’ checks. That’s a good 80s callback.”
So what about taking your work devices with you? Do you do anything special with them before you go on a trip?
David: Well, I think here we’ve got a number of protections on our work devices. If it’s a personal trip, I certainly don’t take it with but when I do, you know, need to take my devices and I’m on a work trip, I do lock them up, make sure that they’re in the hotel safe. I imagine some people think I’m a bit paranoid, but you never know who’s gonna get into your room so I like to make sure that there’s at least an attempt to protect those and then certainly, you know, having your data backed up so that, you know…say you forget it.
I got out of an Uber in Florida once and the guy drove off with my backpack before I could grab it out of the trunk. He came back. But, you know, I lost control of my device for a good 15, 20 minutes and, you know, even if nothing bad happened, you know, or nothing malicious happened, I was out of all that work product. So that was, you know, that was when I was really happy to have cloud backups.
And then things like encryption on particular files or to make sure that you’ve got segmentation on your passwords if you’re getting into really sensitive information. I think some…just security fundamentals are relevant there. You know, so if you’ve got high levels of…or if you’ve got access to really sensitive data, you maybe don’t wanna have that under the same username and password that you have for all of your other work.
Pam: So in the positive side, do we have a good news story of the week, David?
David: Oh, we do. It’s something that I saw online from one of our counterparts over at Microsoft and I thought it was really interesting, what she was calling for. So, over at Microsoft, there’s a gal named Ann Johnson and she had this post or this article that she had written about moving away from some of the jargon laced language, away from deep acronym filled sentences. And I like that call, I like that article because it’s the kind of thing that was so much more inclusive.
If you’ve ever tried to jump into a conversation on an industry that you’re not familiar with, you know that it can be daunting. And I think that if we were to move away from specific language that excludes to language, it’s a little simpler and includes…you know, then people would know when they’re traveling how to keep themselves safe because it wouldn’t necessarily be these obscure kind of nerdy terms and then the same thing within, you know, the security language broadly if we had more accessible language. So, I think that’s my big positive story for the week was this idea that we could move towards really easy simple to use language.
Pam: There is definitely a place for that. And as a person with the word editor in my job title, I can endorse that message.
So that’s it for this episode. Thanks to Caleb Barlow for joining us as a guest.
David: Listen to this podcast on Apple Podcasts or wherever you get your podcasts. And we want your feedback. Leave us a comment on our SoundCloud page and if you really like what you hear, we’re definitely open to some five-star reviews on Apple Podcasts. For more security stories, visit SecurityIntelligence.com. Thanks to our producers, Megan and Ted, and most of all, thanks for listening.