Companies across the transportation and logistics industry – from trucking companies to brokers and the many software providers they use – connect their networks via application programming interface (API). If your trucking company uses a transportation management system and telematics, you’re using APIs, but cybersecurity experts say make no mistake in thinking a fancy API means your company’s data is secure.
API security and how to mitigate the risk of a bad actor infiltrating your company via that route was a hot topic at the National Motor Freight Traffic Association’s annual Digital Solutions Conference on Cybersecurity held in Houston, Texas last week.
David Samples, chief technology officer at Transcard, a global payment platform that serves multiple industries, including freight, told the small trucking companies in attendance that they may not consider themselves a target of a cyber threat because they’re not the Schneiders or J.B. Hunts of the industry with billions of dollars flowing through their networks. But think again, he said, because it’s rare for a sophisticated attacker to attack a larger player directly. They go through the smaller, more easily penetrated networks to get to those larger targets.
“Perhaps you have a web portal where your clients can pay their bills. Odds are the CFO of your customer who’s logging in to pay their bills is probably using a variant of that password for something else: maybe their bank, maybe some of their systems. So what you start to become is an avenue to bigger and bigger targets,” he said. “The last thing you want to do as that carrier for that vendor is find out that they came through your network to get to your customer because then the real cost of cybercrime comes into play. The real cost is reputational.”
Kleinschmidt President and CEO Dan Heinen said carriers need to ask their vendors how they build APIs and be wary of third-party solutions as you bring them into your environment; don’t just trust that what they say is true. Validate and verify and ensure they’re doing their part to keep those API connections secure because they are not secure by default.
But even if those third-party vendors are secure and your company has security measures in place, Heinen said it is estimated that 85% of cybersecurity failures are the result of a human element. And that’s usually as simple as a low-level employee clicking a link in a phishing email.
So everyone – from the executive suite to the front desk administrator – has to be wary of security.
“The idea is you don't want any open gateways, any opportunities for that human being to effect change in a system or in a given dataset beyond what you are comfortable with a single person doing by themselves. One of the terms we use a lot is the zero-trust environment, and that's not just for the software; it's for the folks as well,” Smaples said. “If you have a billing clerk who has access to data they genuinely don't need, that's an opportunity to evaluate. It’s not that the billing clerk is going to be bad or do anything wrong, but it's a human element.
“A lot of the big hacks we see and read about start with social engineering or phishing. It's just the human side is the weaker element,” he added. “Like it or not, good or bad, computers do what you tell them to. Humans don't, and that's where you have to work through that and think through your security.”
Heinen said if Kleinschmidt goes 30 days without an employee clicking a link in a phishing email, they’re rewarded with a free lunch. That’s one way the company has ingrained security within its company culture.
Michael Oberlaender, eight times prior Global CISO, said it’s about building a culture of security within your company from the ground up.
“The most important piece is the culture – having an understanding in the employee base. It starts at the top and trickles down to all the different layers,” he said. “Really make people part of the solution. You cannot prevent people from bypassing the security controls if they don't understand why.”
While it may be tedious, he said making employees contantly aware of cybersecurity and training them regularly is key.
In addition to things like multi-factor authentication, firewalls, API gateways and encryption, have an incident response plan. Just like a disaster recovery plan, sit down with your team and talk through all the different things that can happen and how you can approach handling these situations if they occur. Oberlaender said create a playbook.
“There are easily hundreds of different types of attacks that could happen. Make sure you have a playbook for each of them,” he said. “Following an incident response plan makes things a lot easier and quicker to resolve the problem. You don't have to reinvent the wheel during a crisis. This is a ransomware; this is malicious code, and this is the response. Yes, you may slightly have to adapt to this specific case, but you know what the playbook is telling you.”
He said then to make sure everyone is aware of their role and train and test them on it.
Samples said an opportunity to improve is also having a solid communications plan locked in place. He said he has noticed many companies don’t have that, so when an issue arises, the business side of the company is asking the IT team every few minutes for answers, which hinders their progress in solving the issue.
“Your incident response team should not be part of that communication. They should feed data to a person or a group of people who can then disseminate it appropriately to your clients and customers,” he said.
He also recommends red team, blue team and purple team exercises as a means to prevent or mitigate cyber threats in the first place.
Before Transcard moves software out of the development environment, its teams perform penetration and exploit exercises in an effort to find any holes before it goes live.
“What you want to achieve is an opportunity for your own team, who already knows your weaknesses, they already know where the holes are… to challenge one another on their structures and what they're doing and how they're going about it,” Samples said.
SecDevOps and segregated networks
Oberlaender said companies need to implement a SecDevOps software development method, which places security first because security needs to be ingrained from the get go when developing a tech stack.
“That will really finally solve the problem because you eliminate the problems,” he said. “If you do security as it was done the last 20 or 30 years, after you have built your application or your infrastructure, and then you bolt it on, it's not effective, and it's not efficient, and it's way more expensive. Doing at the beginning is much cheaper, much better.”
Start with a zero-trust architecture, which focuses on network segmentation, he said, keeping data restricted to certain employees based on their needs.
“What you want to do is understand your crown jewels – where's the most important data and the processes that make the money for your enterprise – and then segregate that accordingly, making sure employees can access what they need to access,” Oberlaender said.
Samples said that zero-trust also applies to how applications interact.
At Transcard, none of their applications trust another application; every single one has to ask for permission before talking to one another, not just in the firewall layer but through the software layer as well, Samples said.
“It's fairly easy to determine if you have a segregated network. That tells the bad guy this is not going to be a walk in the park. Now I have to start asking myself, is the effort going to be worth it?
“As you do your security in these onion layers – security is a constant evolution of onion peels – as that gets harder and harder, you (referring to the bad actor) start to become disenfranchised; you're looking for the next person because you're looking for the score; you're not looking for the challenge,” Samples said. “You don’t want to be the easiest person in the room. Like the old saying, if you're running away from a bear, you don't have to be the fastest, you just can’t be the slowest.”