“What should keep you up at night is, ‘What do I not know?’ There may be things that you know you don’t know, and there may be things you don’t know that you don’t know.”
During the National Motor Freight Traffic Association’s (NMFTA) May webinar, John Sheehy, senior vice president of research and strategy at IOActive, a research-fueled security services firm, offered that thought-provoking reminder.
Sheehy’s presentation, hosted by Antwan Banks, director of cybersecurity of NMFTA, is part of the organization’s cybersecurity series leading up to its October Digital Solutions Conference in Houston. The conference will be a meeting of minds to discuss emerging cybersecurity threats and related issues faced by the transportation and logistics industries.
Cybercrime attacks on large transportation businesses have made headlines in recent years, and as the industry has become more appealing to attackers, companies of all sizes are vulnerable to system breaches. The range of threat techniques only continues to grow as hackers adapt and evolve ways to gain access to critical company information.
For transportation companies, threats don’t just apply to internal digital systems, but also to the vehicles and equipment they use to move freight. Additionally, how these systems interface with one another through telematics devices presents risk. With many entry points for hackers, the importance of cybersecurity is paramount.
The prevalence of these “hackable” interfaces that organizations build their business on provides malicious individuals and entities many opportunities to breach an organization and wreak havoc.
“[It] could be as simple as one of your employee’s laptops or something more complex such as your overall wide area network. Or … from an operational technology perspective, something that might move freight on the warehouse floor that is necessary for shipping and receiving can be disrupted too,” Sheehy elaborated.
Identifying critical digital security lapses is the first step in defending your business from bad actors, who, in the worst-case scenario, could pose an existential threat to your company.
Penetration testing is one of the most impactful ways to figure out what it is you don’t know about your company’s vulnerabilities, allowing you to mitigate risks before an attacker can exploit them.
During the webinar, Sheehy discussed what penetration tests are, as well as the methodologies and the best practices you can implement to gain maximum value from them.
What is a penetration test?
Simulating an attack on your computer system or network using the same tools, techniques and procedures as the real thing, penetration testing allows an organization to evaluate its security and expose the business impacts of its vulnerabilities.
“These vulnerabilities may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in processes or technical countermeasures,” Banks said.
Penetration test methodologies
Penetration tests are not one-size-fits-all processes; Sheehy identified three main kinds of test methodologies, which fall on a spectrum from limited to more information provided to testers. The test an organization chooses often depends on budget, deadlines and other business requirements.
These three levels of penetration tests can unearth various system weaknesses, according to Sheehy:
Black Box Testing: This external-analysis-focused approach provides the least amount of information to testers, closely emulating what real-world attackers would have. An example in the context of a web application would be that the tester is provided only URLs and IPs.
Gray Box Testing: Gray box tests, also focused on external analysis, furnish more information to testers from the start. This mimics what attackers would have gathered with more time. Instead of spending resources reverse engineering a protocol or an API set, for example, testers are given this information right away so they can focus on trying to find weaknesses within the application.
White Box Testing: This test provides testers with the most information from the beginning, normally source-coded assisted design documentation, allowing them to target certain areas as needed. It also allows them to find the most vulnerabilities per resource unit. Ultimately, this approach is a full analysis, allowing testers to look at as much as possible.
How to use test results effectively
Your test results should come with a detailed list of confirmed or likely vulnerabilities in the tested environment. Consultants give your organization a risk rating based on how easy or hard it is to fix and how easily an attacker could compromise the system.
Sheehy urges companies to move quickly to remediate issues based on effort, risk and impact. He advised: “If it’s a very difficult fix, and it’s a very low-risk issue, it’s something that you probably want at the very bottom of your list. If it’s something that’s very easy to fix and it’s a critical impact. That’s something you want at the top of your list.”
As all companies are limited to some degree by time, budget and resources, it’s critical to leverage results strategically, which includes addressing issues that may be present outside the tested environments.
Sheehy explained: “One of the ways you can get extreme value out of these kinds of tests is that you might see in similar environments you may have identical vulnerabilities or very similar vulnerabilities.”
In other words, by identifying one issue, you might be able to solve multiple others. For example, you could find there are risks on your external perimeter that also apply to your internal applications, or perhaps you discover there are missing patches or misconfigurations in multiple areas because the same team worked on all of them.
Sheehy advises companies to ensure their test results are highly secured. Whether it’s an external network, internal network or web application, it’s a “map of how to break in” to that particular environment.
Why some tests fail to provide value
Banks provided the following insight on why some companies don’t gain value from tests:
Tests don’t include physical penetration testing.
Companies do not allow the exploitation of critical systems.
Testing is restricted to nonproduction systems.
Hours/length of testing is restricted.
Improper scoping fails to include all addresses.
There is only external or black box testing, which does not include internal testing and pivoting.
Teams patch/fix vulnerabilities only before the test.
The organization only allows directed attacks (e.g., no social engineering or phishing to include the leadership).
There is a lack of focus on business risk and increased focus on technical issues.
There is a lack of follow-up or remediation.
There is a lack of collaboration.
Final thoughts and how to learn more
Whether a transportation provider is a small fleet or enterprise level, all organizations face risk of system breaches, and the financial and security repercussions can be devastating. This is why it’s vital companies rigorously test the integrity of their systems to identify weaknesses and quickly implement fixes.
To learn more about protecting your business through penetration testing, listen to the full NMFTA webinar. Sheehy provides an overview of adjacent and overlapping testing methods, like vulnerability scans, vulnerability assessments, and red and blue team exercises. Finally, he provides an overview of the steps involved in penetration testing engagement, the other kind of common threat techniques and terms related to social engineering attacks, and some of the bad actors that pose a threat to transportation businesses.
The post Is your system vulnerable to cyberattacks? Here’s how to find out appeared first on FreightWaves.