If cyber-attackers decided to come after your truck fleet and its digital operating systems, what would they find?
How hard would it be to breach your system? How easily could they access data? How much damage could they cause? How effective would your defenses be?
You’d like to think the answers to all these questions would be favorable, but until it actually happens you don’t know for sure. That’s why many companies in the trucking industry would be wise to get their own answers through a process called penetration testing, or pentesting.
In a pentest, authorized testers simulate an attack from a malicious source in order to evaluate the security of your computer system or network. They’re doing it so you can determine where your vulnerabilities might lie, and what the implications might be.
Three different approaches
The Black Box pentest is where the testers start with very limited information, much like real-life attackers would. The idea here is to emulate as closely as possible what a real attacker would experience, then conduct an external analysis of what happened. This should help the company fortify its defenses against system penetration in the first place.
In a Gray Box pentest testers have certain key information, like protocols or API documents. This is less like what a real-world attacker would experience, but not entirely dissimilar, and allows for external analysis on a different level.
A White Box pentest provides testers with extensive information, such as source code and design documents. This allows the testers to delve more deeply into your system, which means they can be more thorough in identifying the vulnerabilities in each resource unit. The White Box results in the most complete analysis of your overall system and its vulnerabilities.
In addition to these, other types of pentesting include a vulnerability scan, which is an automated, tools-based approach that is often used in the reconnaissance of more advanced tests; a vulnerability assessment, which combines automated and manual techniques to identify and assign severity levels within a given timeframe; and a red team exercise, in which one team (the red team) simulates an attack and the other team (the blue team) is responsible for monitoring and response.
To get the most out of pentesting, it helps to focus on areas that have recently changed or have not been tested before.
Attackers can use a lot of methods, including social engineering attacks that can trick your own employees into helping the attackers get access to your system. Terms like phishing, spear phishing, smishing, vishing, and whaling may not be well known to trucking company executives, but they are very familiar to cyberattackers. The testers who conduct your pentests know what to look for to see if your company is vulnerable to them.
Pentesting can be critical for trucking companies that want to identify and shore up vulnerabilities. But it is only as effective as a company allows it to be.
Sometimes companies limit the effectiveness of pentesting by failing to include physical testing, or by refusing to allow the exploitation of critical systems as opposed to nonproductive ones.
I have seen pentests fail because the testers weren’t given enough time to do their work, or were forced to operate under a very limited scope. Other tests produced limited results because they only allowed directed attacks and had no focus on social engineering or phishing attacks.
Finally, the follow-up and analysis can fail because critical steps are not taken or because not enough attention is paid to business risks in addition to technical issues.
Warning: Having testers perform a pentest of your system is not for the faint of heart. You might be disturbed by some of what the testers reveal. But it’s better to have friendly testers uncover this information and give you the opportunity to address it than to wait until real attackers have their way with it.
Pentesting, done right, could help prevent a disastrous attack that cripples both your digital assets and your assets on the road. That is well worth the investment required.
To learn more about NMFTA’s upcoming events that offer insight into cybersecurity issues, visit our events page at www.nmfta.org/nmfta-events.