Dr. Chase Cunningham, chief strategy officer at Ericom Software, pointed to a slide in his PowerPoint presentation that contained a QR code to access a “free book.” Many people in the audience grabbed their phones and found when they clicked the link to the code that it was a phishing scam.
That’s how easy it is to get hacked, Cunningham demonstrated at the National Motor Freight Traffic Association Digital Solutions Conference in Alexandria, Virginia, where he spoke about cybersecurity.
Cunningham said the human element – at 82% – continues to drive security breaches, and in today’s age of technology – when everyone has a cellphone in their hand, including truck drivers using it to access systems remotely – it is more important than ever to implement cybersecurity measures.
“Mobile is just as valid an avenue for exploitation as your computer … We don’t have a technology problem in cybersecurity; we have a people problem. People click on stuff,” Cunningham said. “We're talking about 18 wheelers and truckers. I'm not counting on how good I am at driving to not get in a wreck. I wear a seatbelt. That's a technical control that will keep me alive if things go wrong, hopefully.”
He said it’s best to rely on technical controls to prevent breaches rather than continually performing phishing training and hoping people don’t get it wrong.
Email phishing is one of the easiest scamming opportunities hackers can take advantage of, and such a simple process can lead to big problems for trucking companies, said NMFTA Chief Technology Officer John Talieri.
NMFTA this week opened up its annual Digital Solutions Conference to professionals across the entire industry – not just researchers and tech experts – including carriers, to collaborate and learn about the highest concerns and best practices to protect their organizations from end-to-end.
Accroding to NMFTA's survey ahead of the event, training and education; vehicle cybersecurity; implementing security by design: build-it in rather than adding it as an afterthought; SOC solutions and services; shift from on-prem to cloud securely; cybersecurity for heavy vehicle electrification and charging infrastructure; enterprise security; and end-to-end security (from customer to office to truck) were among the top concerns and challenges survey respondents had.
“Even if you protect your trucks, if somebody’s front office is down, they can’t send trucks out anyway. So you have to look at it end-to-end. That’s why we have to bring everybody together and focus on the different aspects, not just one area,” Talieri said. “They’re moving from pencil and paper to digital, so we’re expanding the opportunities for bad actors to attack us. It’s a critical time to educate the industry and better protect ourselves, our partners and our customers. It’s beneficial to us to make sure that, as we introduce these technologies, we add security.”
Cunningham said the transportation sector has been low on the totem pole when it comes to hacker demand. According to data from Verizon, he said there have been 305 cybersecurity incidents and 137 actual breaches in the transportation industry this year. By comparison, finance, public administration, manufacturing and information, among others, had more than 2,000 incidents.
Why? Because the industry has been slow to adopt technology. But that’s changing.
“If everyone else gets better and you're still back here, guess who gets eaten? It's you. If you're the slow gazelle in the cyber Serengeti, the lion’s gonna get ya,” Cunningham said. “Trends indicate that they’re starting to target that type of infrastructure. You can expect trucking, logistics, transportation, those types of activities to be targeted more in the very near future.”
And Talieri said the likeliest target isn’t the larger carriers because they’re better at security; it's the smaller carriers that are more vulnerable to attacks because they lack the capital to invest in solid cybersecurity solutions but they have access to larger systems of companies they contract with, opening those back doors.
“I would attack a couple of small carriers with less security, and I'm not necessarily going to attack them to take them down. I'm going to use them to try to infiltrate their partners or providers,” he said.
Cunningham said, to protect themselves, their customers and their providers, trucking companies should start with the basics: i.e. phishing training.
Here are some things he noted:
• Legitimate companies do not send emails requesting sensitive information.
• Don’t trust the name in the “from” field of an email. If it looks suspicious, don’t open it.
• Hover – but do not click – over links to see what address it takes you to; open a new browser and type the website address directly into the browser rather than clicking the link. Most companies use secure web addresses identified by using https://, not http://.
• Look for obvious grammar or spelling errors.
• Look for strange message structures, such as generic greetings and urgent language.
• Review the email signature for lack of details on contacting the company.
• Don’t click on email attachments.
• When in doubt, click the “reply all” button, which could reveal the true email address.
“That’s coloring with crayons,” he said, but then there’s the dark web and additional ways to extort information.
Cunningham said be mindful of things like social media presence, where hackers can obtain useful information, in-home and in-office cameras, and wireless systems such as printers that were never changed from their default configurations, which could allow a hacker to access your network.
Hackers can purchase jump servers on the dark web for about $10 a pop, he said. Those servers were already owned by some criminal organization and probably have access to other corporate systems via VPN connected to your organization, which leaves you liable during investigation.
He said it’s also important to protect things internally and build segmentation between systems.
“Segmentation is not something that's too well practiced on those systems that are out there today. If I can get somebody to give me access, especially with the right levels of creds based on the phish, I can move laterally in the system,” Cunningham said. “You don't have to be a super expert to build phishing emails. You don't have to be a super expert to do ransomware-type operations anywhere; you can just go buy the service. It's actually ransomware as a service, phishing as a service on the underground. It costs about $15 a pop.”
He recommends companies use browser isolation, multifactor authentication and password managers and move from VPN to ZTNA, which will provide policy control so things that should be dark are kept dark. He personally uses a password manager and biometrics for identity management.
But he said 80% to 90% of problems occur with the low-hanging fruit like bad passwords and usernames.
“Use the cloud, Google, O365, because they spend more on security than you ever will in your entire life; No. 2, team up with an MSP (Managed Service Provider) or MSSP (Managed Security Service Provider) that can take that stuff off your hands and actually be 24/7 real operations and respond to threats as they are present,” Cunningham said to the smaller carriers in the audience. “Last thing is the basics: the password manager, the multifactor authentication, not using crappy passwords. Go to haveibeenpwned.com, put your stuff in there and see if your stuff shows up; if it shows up, you need to fix that problem. Those basics make a heck of a lot of difference.”