“The thing that should keep you up at night is, ‘What don’t I know?’ There may be things that you know you don’t know, and there may be things that No I know you don’t know.”
During the National Motor Freight Traffic Association (NMFTA) webinar in May, John Sheehy, senior vice president of research and strategy at IOActive, a research-driven security services company, offered that thought-provoking reminder.
Sheehy’s presentation, hosted by Antwan Banks, NMFTA’s director of cybersecurity, is part of the organization’s cybersecurity series ahead of its October Digital Solutions Conference in Houston. The conference will be a gathering of minds to discuss emerging cybersecurity threats and related issues facing the transportation and logistics industries.
Cybercrime attacks on large transportation companies have been in the news in recent years, and as the industry becomes more attractive to attackers, companies of all sizes are vulnerable to system breaches. The range of threat techniques continues to grow as hackers adapt and develop ways to gain access to critical business information.
For transportation companies, the threats apply not only to internal digital systems, but also to the vehicles and equipment they use to move goods. Additionally, the way these systems interact with each other through telematics devices presents risks. With many entry points for hackers, the importance of cybersecurity is paramount.
The prevalence of these “hackable” interfaces on which organizations build their business provides many opportunities for malicious individuals and entities to breach an organization and wreak havoc.
“[It] could be as simple as one of your employees’ laptops or something more complex, like your general wide area network. Or…from an operational technology perspective, something that could move cargo on the warehouse floor that is needed for shipping and receiving may also be affected,” Sheehy explained.
Identifying critical digital security flaws is the first step in defending your business from bad actors, who, at their worst, could pose an existential threat to your business.
Penetration testing is one of the most impactful ways to find out what you don’t know about vulnerabilities in your business, allowing you to mitigate risks before an attacker can exploit them.
During the webinar, Sheehy discussed what penetration testing is, as well as the methodologies and best practices you can implement to get the most value from it.
What is a penetration test?
By simulating an attack on your computer system or network using the same tools, techniques, and procedures that real-world attackers use, penetration testing allows an organization to assess its security and expose the business impacts of its vulnerabilities.
“These vulnerabilities may be the result of poor or improper system configuration, known and/or unknown hardware or software failures, or operational weaknesses in technical processes or countermeasures,” Banks said.
Penetration testing methodologies
Penetration testing is not a one-size-fits-all process; Sheehy identified three main types of testing methodologies, which fall on a spectrum from limited information to more information provided to testers. The test an organization chooses often depends on budget, timelines, and other business requirements.
These three levels of penetration testing can uncover various weaknesses in the system, according to Sheehy:
Black box tests: This approach, focused on external analysis, provides the least amount of information to testers, closely emulating what real-world attackers would have. In the context of a web application, for example, the tester is given only a URL and IP.
Gray box tests: Gray box testing, also focused on external analysis, provides more information to testers early on. This mimics what the attackers would have gathered with more time. Instead of spending resources reverse engineering a protocol or API set, for example, testers receive this information immediately so they can focus on trying to find weaknesses within the application.
White box tests: This test provides testers with the most information up front, typically ADP documentation with source code, allowing them to focus on certain areas as needed. It also allows them to find the most vulnerabilities per unit of resource. Ultimately, this approach is a full scan, allowing testers to observe as much as possible.
How to use test results effectively
Your test results should include a detailed list of confirmed or probable vulnerabilities in the tested environment. Consultants give your organization a risk score based on how easy or difficult it is to fix and how easily an attacker could compromise the system.
Sheehy urges companies to act quickly to remediate issues based on effort, risk, and impact: “If it’s a very difficult fix and it’s a very low-risk problem, it’s something you probably want at the bottom of your list. If it is something that is very easy to fix and it is a critical hit, that’s something you want at the top of your list.”
Because all businesses are limited to some degree by time, budget, and resources, it’s critical to leverage the results strategically, including addressing issues that may be present outside of tested environments.
Sheehy explained: “One of the ways that you can get extreme value from this type of testing is that you can see in similar environments that you may have identical vulnerabilities or very similar vulnerabilities.”
In other words, by identifying one problem, you may be able to solve many others. For example, you might discover that there are risks at your outer perimeter that also apply to your internal applications, or you might discover that multiple areas are missing patches or are misconfigured because the same team worked on all of them.
Sheehy advises companies to ensure their test results are highly protected. Whether it’s an external network, an internal network, or a web application, it’s a “roadmap of how to get into” that particular environment.
Why some tests don’t provide value
Banks provided the following information about why some businesses are not getting value from testing:
- The tests do not include physical penetration tests.
- Companies do not allow the exploitation of critical systems.
- Testing is restricted to non-production systems.
- The hours/duration of the tests are restricted.
- Inadequate scope does not include all addresses.
- There is only external or black box testing, which does not include internal testing or pivoting.
- Teams patch or fix vulnerabilities only before testing.
- The organization only allows targeted attacks (for example, no social engineering or phishing to include leadership).
- There is a lack of focus on business risk and more focus on technical issues.
- There is a lack of follow up or remediation.
- There is a lack of collaboration.
Final thoughts and how to learn more
Whether a transportation provider is a small fleet or enterprise level, all organizations face the risk of system breaches, and the security and financial repercussions can be devastating. This is why it is vital that companies rigorously test the integrity of their systems to identify weaknesses and quickly implement solutions.
To learn more about how to protect your business through penetration testing, listen to the full NMFTA webinar. Sheehy provides an overview of adjacent and overlapping testing methods such as vulnerability scans, vulnerability assessments, and red and blue team exercises. Finally, the webinar provides an overview of the steps involved in pen testing compromise, the other types of common threat techniques and terms related to social engineering attacks, and some of the bad actors that pose threats to transport companies.