The documented frequency of cyber attacks against the U.S. manufacturing industry continues to increase year over year, as do the financial losses from the successful breaches. It is more important than ever that manufacturers and producers undertake continuous vulnerability scans and penetration testing to identify susceptibility and ensure that cybersecurity controls are configured and functioning properly to minimize loss magnitude.
The first reason why penetration testing is important is the reduction of loss magnitude associated with successful security breaches and the resulting business disruption. In the event that a business experiences a data breach, the costs of containment, recovery, public relations, and fines can quickly add up. Depending on the duration and level of business disruption caused by the breach, the costs of not manufacturing quality products, shipped accurately, and delivered on time can result in net annual losses. In more severe cases, these cyber incidents can be fatal to businesses and family legacies.
The second reason why penetration testing is important is to detect previously unknown vulnerabilities. The worst-case situation is to have exploitable vulnerabilities within your infrastructure or applications while the leadership team assumes assets are protected. A false sense of security leads to decisions that further reduce awareness, even as attackers are probing your assets. Successful attacks, called breaches, can go undetected for months.
Another reason that contributes to the importance of penetration testing is to provide feedback on the effectiveness of the security tools that manufacturers use in their day-to-day operations. Most manufacturers and producers use some form of security tools, such as backup software, anti-virus and anti-malware services, and system maintenance tools. While leadership teams may have confidence that these tools are effective, they cannot assign any level of confidence until the tools are adequately tested. Penetration testers help identify misconfigurations and default configurations that could allow criminal enterprises and hackers to disable these security tools, which could allow attacks to be successful and financial losses to occur.
The final reason why penetration testing is important to manufacturers relates to adherence to regulated guidelines. Manufacturers that follow regulated guidelines such as the Defense Federal Acquisition Regulation Supplement (DFARS) or the Cybersecurity Maturity Model Certification (CMMC) to enhance the protection of unclassified information within the supply chain must regularly conduct a penetration test to validate the level of security implemented. Without conducting regular tests, as well as meeting a list of other requirements, these manufacturers will fail to meet compliance and certification requirements. DoD contractors should begin planning for CMMC certification now, because failure to secure an appropriate certification level will render contractors ineligible for new awards starting September 2020.
What is penetration testing?
Penetration testing is a controlled, simulated attack that is performed to identify the potential flaws and weaknesses within a business’ network, devices, or applications that can result in a data breach and financial loss. Penetration testing, also known as ethical hacking or pen testing, can have various focuses based on the business needs and wants, but can include internal network security testing, external network security testing, web application testing, and mobile application security testing. The purpose of penetration testing is to help business and IT leadership identify vulnerabilities within their environment that can lead to an attacker accessing privately owned networks, systems, and sensitive business information. Once the vulnerabilities are discovered, penetration testers try to exploit them in order to access information, elevate the privileges of a user’s account, or take control of the business network. Penetration tests are conducted under strict rules that are mutually agreed upon by both the company in charge of performing the penetration test and the company requesting the assessment. In some cases, companies will create “flags,” or markers of proof, that penetration testers are asked to capture during the assessment.
What is the difference between internal penetration testing and external penetration testing?
With internal penetration testing, either the device that is going to be used for the penetration test or the penetration tester is directly connected to the network of the manufacturer’s or producer’s facility. Internal penetration testing focuses on the vulnerabilities that affect devices on a local network level in the case that one device on the network is compromised, such as an attacker connecting to a computer in accounting. With external penetration testing, the goal for the pen tester is to gain access to the internal network of the business by exploiting external resources, such as company login portals, devices with remote access capabilities accessible to the Internet, or through the use of malicious documents in emails, known as phishing. External penetration tests are performed to simulate an attack from an external entity that is trying to gain access to your internal assets.
What happens during a penetration test?
During a penetration test, the pen tester will begin the assessment by scanning the environment to better understand what devices are immediately accessible, and learn about the processes and protocols that are in use. Once the network scan is complete, penetration testers will review the scan results to better understand the devices on the network, and review useful items such as the operating systems that are in use, and what ports and services are being used by the systems, devices and machines. Progressively, the penetration tester will begin reviewing the scan reports to identify vulnerabilities as they test the services in use.
Depending on what type of assessment is requested, pen testers will either test all of the discovered vulnerabilities, or begin testing the vulnerabilities that are in line with the goals of the assessment. From there, the penetration tester will begin safely exploiting the vulnerabilities. As the vulnerabilities are exploited, the penetration tester(s) will document their findings for reporting and remediation purposes. As the assessment testing period concludes, the penetration tester will assemble the findings into a report that outlines the vulnerabilities that were discovered, and how the pen tester(s) successfully exploited the vulnerabilities.
What are the limitations that can affect the outcome of a penetration test?
While there are various types of penetration tests available to manufacturers and producers, there are also many limitations that can affect the effectiveness of the penetration testing. A blog article from Tutorials Point covers seven limitations that can affect the effectiveness of a penetration test: the length of time given for the penetration test, the scope of the assessment, the limitation of access to the system or network, the methods allowed, the skill-set of the penetration tester, access to known exploits, and the inability to experiment with custom exploits.
- Time: Penetration testers are usually given a time period when the assessment is to be performed. Depending on what is agreed between the business requesting the assessment and the group conducting the assessment, penetration tests usually last for one to two weeks. Compared to penetration tests, attacks conducted by cyber criminals and hackers focused on exploiting vulnerabilities can last for weeks, months, or even years.
- Scope: The scope is used to define the rules of the penetration test, often to prevent accidental damage or effects on business operations. The scope can also be used to limit the times when the assessment can be conducted, what machines are allowed to be targeted or exploited, and which employees can be targeted during assessments that involve phishing emails. When the assessment allows the penetration tester to have a wider assessment scope, this allows the penetration tester to find and exploit more vulnerabilities that can be used in a real cyber security attack.
- Limitation of access: Depending on the simulation or scenario that the penetration tester is given, the penetration tester may be requested to test the security of certain systems, but start the assessment from a different portion of the network. In these situations, this limitation is imposed on the penetration tester to test the security of the network from different entry points, which can provide the manufacturer a realistic representation of how far an attacker can get through their network from different starting points, and show what information a hacker could gain access to in these situations.
- Limitation of methods allowed: Limiting the methods and exploits that can be used is generally accepted by penetration testers, as this is enforced to prevent accidentally crashing necessary systems and affecting productivity. While the main goal of a penetration test is to find exploitable vulnerabilities, the tester should be wary of any known exploit that could cause a system to unexpectedly shut down. In cases such as this, it is the penetration tester's duty to inform the client of the vulnerability and the potential result of exploiting the vulnerability. If the client does not wish for the vulnerability to be exploited, the penetration tester should document the finding and include it in the final deliverable report.
- Known exploits and experimentation: These two limitations directly impact each other, as without experimentation, and with a lack of current known exploits, an unknown exploit could later be used against a business. These two limitations stem from the amount of time given for the testing period, as experimental testing may result in unintended damages or a lack of provable results. Penetration testers are also limited to known exploits that have been approved for testing, as this prevents accidental damage to systems or system processes. Additionally, testing experimental exploits can take time to perfect, and may need specific modification for each scenario. Compared to penetration testers, malicious attackers often have the ability to develop and test custom exploits against various systems of a targeted environment.
- The penetration tester's background and experience: Just as penetration testing can cover several topics or areas of testing, so can the skill-sets that a penetration tester has. Penetration testers working within environments that they are not familiar with may miss commonly exploitable vulnerabilities, while not having a complete understanding of the scope of the assessment. To avoid this limitation, manufacturers and business owners should understand the background and limitations of the person conducting the assessment, and address this limitation if it is a concern.
What should you do after penetration testing?
Upon completion of the assessment and the review of findings, the leadership team should prioritize resources for remediation. Many companies have a tendency to begin knocking off the easy issues that commonly have little material impact to business risk. Some considerations for assigning priorities may include:
- Disclosure of assumptions and biases.
- Identifying the critical assets and workflows.
- Isolating the probable threats.
- The effects of the concerns related to probable threats.
- Determining if specific scenarios should be included within the review.
Depending upon your agreed-upon definitions for how vulnerabilities and threat event frequency translate to loss event frequency and risk, teams can define their risk rating to categorize and prioritize remediation. A critical-level risk rating could be an annualized loss of $1M-$2M for one company, while a critical loss could be $10M or more for another company. If these labels are clearly translated, then leadership teams can avoid subjective interpretations and assumptions. Resources are limited, and without a strategy and plan to determine priorities, you will likely expend resources with little to no impact on reducing your loss exposure.
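The Python sketch below is an added example, not part of the original article or any Certitude Security tooling. It ranks three constructed findings by annualized loss and labels them against two companies' rating bands. It assumes loss event frequency is threat event frequency multiplied by the probability that an attempt succeeds; only the two "critical" floors echo the article's $1M and $10M figures, and all other values are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    threat_events_per_year: float  # how often the weakness is expected to be attacked
    vulnerability: float           # probability that one attempt succeeds, 0..1
    loss_per_event: float          # USD lost per successful event

    def __post_init__(self):
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError(f"{self.name}: vulnerability must be within 0..1")
        if self.threat_events_per_year < 0 or self.loss_per_event < 0:
            raise ValueError(f"{self.name}: frequency and loss must be non-negative")

    @property
    def annualized_loss(self) -> float:
        # Assumed model: loss event frequency = threat event frequency x vulnerability
        loss_event_frequency = self.threat_events_per_year * self.vulnerability
        return loss_event_frequency * self.loss_per_event

def rate(annualized_loss, bands):
    """Return the label of the highest band whose floor the loss reaches."""
    for label, floor in sorted(bands.items(), key=lambda b: b[1], reverse=True):
        if annualized_loss >= floor:
            return label
    return "low"

def prioritize(findings, bands):
    """Rank findings by annualized loss, largest first, with the company's label."""
    ranked = sorted(findings, key=lambda f: f.annualized_loss, reverse=True)
    return [(f.name, f.annualized_loss, rate(f.annualized_loss, bands)) for f in ranked]

# Constructed sample findings (not from a real assessment).
FINDINGS = [
    Finding("Outdated TLS configuration on marketing site", 8, 0.125, 20_000),
    Finding("Default credentials on backup console", 4, 0.5, 750_000),
    Finding("Flat network between office and plant floor", 2, 0.25, 24_000_000),
]
# Hypothetical bands: annualized-loss floors in USD for each label.
COMPANY_A = {"critical": 1_000_000, "high": 250_000, "medium": 50_000}
COMPANY_B = {"critical": 10_000_000, "high": 2_000_000, "medium": 500_000}

if __name__ == "__main__":
    for company, bands in (("A", COMPANY_A), ("B", COMPANY_B)):
        for name, loss, label in prioritize(FINDINGS, bands):
            print(f"company {company}: {label:8} ${loss:>13,.0f}  {name}")
```

The backup-console finding rates critical for company A but only medium for company B, while the quick TLS fix ranks last for both.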
How often should I schedule a penetration test?
When manufacturers ask how often they should conduct penetration testing, there are a few factors that can affect how often a penetration test should be performed. According to the EC Council, there are 3 factors that can affect how often a penetration test should be conducted for a company.
- The first factor that can affect how often a company should conduct a penetration test is the size of the company. Large manufacturing companies and businesses will often integrate newer technologies for both their internal and external components, requiring more penetration tests to ensure the security of their networks and applications. Smaller manufacturers and businesses, compared to larger businesses, require fewer penetration tests, as components are not frequently changed or installed. As companies change and utilize new technologies, new vulnerabilities can be used to access sensitive information or internal networks.
- The second factor that can affect how often a penetration test should be conducted is the regulations that a business needs or uses. For example, businesses that use or have to maintain the Payment Card Industry Data Security Standard, or PCI DSS for short, must complete at least 2 penetration tests every six months. Manufacturers should understand their requirements for regulated compliance before defining a scope and scheduling a penetration test.
- The final factor that can affect how often a company conducts penetration testing is the infrastructure where data is stored. As cloud environments for data storage continue to become more prevalent, rules against external penetration testing can affect who can complete the penetration test and when. Some cloud service providers will allow external penetration testing, but will require the owner of the account to inform the service provider in advance and wait for a response from the cloud provider either approving or denying the penetration test. In some cases, cloud service providers will opt to internally conduct a penetration test against their own infrastructure in an effort to prevent accidental harm to businesses using shared resources.
In addition to the three factors previously mentioned, manufacturers and producers should conduct a penetration test when they make changes to the infrastructure and applications used in the network. As changes are made, such as the removal and creation of firewall rules or updates to the applications used, the security of the network should be considered unsecured until properly tested.
Certitude Security™ is an Ohio-based cybersecurity services company that provides penetration testing to manufacturers throughout the United States. If you are interested in learning more about our assessment services or talking about how we can assist your leadership team in better understanding cyber risk, please visit our website to speak to one of our representatives. During these troubling times, we also offer our remote penetration services as an option to our clients.