Editor’s note: this is the second and final installment of a two-part series on cyberattacks. Part one covered 5 tell-tale signs that an attack has occurred.
Transportation companies are more susceptible than ever to cyberattacks after a tumultuous year shifted the attention of employees in many different directions. People who have the primary responsibility of keeping companies safe are seeing a difficult road ahead.
Cybersecurity is a problem that will never go away, and in response, some transportation companies have given a person, or a department, the duties of chief information security officer (CISO) to enforce IT policies for connectivity among employees, customers and vendors.
With or without a CISO role, all companies have similar needs for tightening their defenses. Barry Lance, network administrator for AIM Transportation Solutions, compares his defense strategy to the rings of an onion. It will take a layered approach to have any chance for success.
Thwarting phishing attempts
The outermost ring should focus on the types of threats that can most easily infiltrate a computer network, said Lance. These include drive-by downloaders and phishing, a type of malware that uses email as a vehicle to get users to click on links and enter login credentials, among other information.
Most phishing attempts can be thwarted by training employees to recognize suspicious emails, he said. Girard, Ohio-based AIM (CCJ Top 250, No. 152) operates a full-service equipment leasing business with more than 12,000 power units and dedicated fleets for shipper customers.
Polaris Transport, a less-than-truckload carrier based in Toronto with more than 120 trucks, uses preventive measures to block phishing email attempts. The company’s email system is configured to automatically quarantine the most suspicious emails. Less suspicious emails are identified with a header, including emails that come from external servers, like Hotmail, that do not have a prerequisite transport layer security (TLS).
“Our people pick it up,” said Dave Brajkovich, chief information officer. If tagged emails are legitimate, employees will notify the senders about the potential vulnerabilities of their email system.
Securing the perimeter
The second layer of Lance's onion is focused on preventing outer-layer threats that occur on the perimeter of a network, such as port scanning on firewalls. This is a more difficult area to identify attacks, since a lot of the activity that takes place on the perimeter today is being done automatically by software programs looking for easy targets.
Lance said he uses software programs that monitor port utilization on network switches to look for traffic anomalies, particularly those that occur after normal business hours. His methodology pays special attention to messages that are moving in or out of AIM’s email domain to prevent attacks from reaching workstations and servers further downstream.
“The trick for me right now is to create a mechanism to provide real-time alerting of these violations out to IT staff without creating alert fatigue for them,” he said.
The last line of defense is to protect workstations and servers. Here, at the center of the onion, Lance said his focus is preventing specific types of threats by setting group policies for user access, and by monitoring for account lockouts, password changes, and security group membership changes.
To thwart more advanced types of cyberattacks on the network perimeter, Polaris is using a monitoring tool from Splunk that identifies possible infiltration attempts. Even the most advanced systems cannot predict when or where an attack will be made.
“Proactiveness is something that doesn’t really exist when it comes to security,” said Ted de Vos, president of Simnet, based in the Toronto area, which provides managed IT services for Polaris Transport. “You can’t proactively monitor but you can reactively monitor everything.”
The Splunk system monitors for different signs that trigger an event to manage. Examples of trigger events include a change in web traffic on a certain port that are combined with data transfers and a failed login. “Together that is an event, and it is what Splunk gives us,” de Vos said.
Insights from Splunk are used to build risk analysis models based on different types of events that can occur. Simnet is using about 20 models to monitor for events at Polaris.
Halvor Lines, a dry van and flatbed carrier based in Superior, Wis. (CCJ Top 250, No. 168), also uses a system that monitors network switches, routers and ports to spot suspicious trends, said Brett Corlett, systems engineer.
Small and medium-sized fleets have a difficult time affording more advanced systems to monitor network traffic, he said, which continue to become more necessary to spot and thwart cyberattacks.
The level of sophistication for cyberattacks is increasing. Many attacks are being done today with automated programs that use artificial intelligence to quickly find vulnerabilities and breach computer networks.
“It’s scary and keeps me up at night,” Corlett added, “and it’s never going to end.”