The documented frequency of cyber attacks against the U.S. manufacturing industry increases year over year, making the financial losses from the successful breaches. It is more important than ever that manufacturers and producers undertake continuous vulnerability scans and penetration testing to identify susceptibility and ensure that cybersecurity controls are configured and functioning properly to minimize losses.
The first reason why penetration testing is important is reducing loss magnitude associated with successful security breaches and resulting business disruption. When a business experiences a data breach, the costs of containment, recovery, public relations, and fines can quickly add up. Depending on the duration and level of business disruption caused by the breach, the costs of not manufacturing quality products, shipped accurately and delivered on-time can result in net annual losses. In more severe cases, these cyber incidents can be fatal to businesses and family legacies.
The second reason why penetration testing is important is to detect previously unknown vulnerabilities. The worst-case situation is to have exploitable vulnerabilities within your infrastructure or applications while the leadership team assumes assets are protected. The thoughts of being secure lead to decisions that cause a further lack of awareness, as attackers are probing your assets. Successful attacks, called breaches, can go undetected for months.
Another reason that contributes to the importance of penetration testing is to provide feedback on the effectiveness of security tools that manufacturers use in their day-to-day operations. Most manufacturers and producers use some form of security tools, such as backup software, anti-virus and anti-malware services, and system maintenance tools. While leadership teams may have confidence that these tools are effective, they cannot assign any confidence level until they are adequately tested. Penetration testers help identify misconfigurations and default configurations that could allow criminal enterprises and hackers to disable these security tools, allowing attacks to be successful and financial losses to occur.
The final reason why penetration testing is important to manufacturers relates to adherence to regulated guidelines. Manufacturers that follow regulated guidelines such as Defense Federal Acquisition Regulation Supplement (DFARS) or Cybersecurity Maturity Model Certification (CMMC) to enhance the protection of unclassified information within the supply chain must regularly conduct a penetration test to validate the level of security implemented. Without conducting regular tests and a list of other requirements, these manufacturers will fail to meet compliance and certification requirements. DoD contractors should begin planning for CMMC certification because failure to secure an appropriate certification level will render contractors ineligible for new awards starting September 2020.
What is Penetration testing?
Penetration testing is a controlled simulated attack to identify the potential flaws and weaknesses within a business’ network, devices, or applications that can result in a data breach and financial loss. Penetration testing, also known as ethical hacking or pen testing, can focus on the business needs and wants but can include internal network security testing, external network security testing, web application testing, and mobile application security testing. The purpose of penetration testing is to help the business and IT leadership identify vulnerabilities within their environment, leading to an attacker accessing privately-owned networks, systems, and sensitive business information. Once the vulnerabilities are discovered, penetration testers try to exploit these vulnerabilities to access information, elevate their privileges of a user’s account, or take control of the business network. Penetration tests are conducted under strict rules mutually agreed upon by both the company in charge of performing the penetration test and requesting the assessment. In some cases, companies will create “flags,” or markers of proof, that penetration testers are asked to capture during the assessment.
What is the difference between internal penetration testing and external penetration testing?
With internal penetration testing, either the device used for the penetration test or the penetration tester is directly connected to the manufacturer’s or producer’s facility network. Internal penetration testing focuses on the vulnerabilities that affect devices on a local network level if one device on the network is compromised, such as an attacker connecting to a computer in accounting. With external penetration testing, the goal for the pen tester is to gain access to the internal network of the business by exploiting external resources, such as company login portals, devices with remote access capabilities accessible to the Internet, or through the use of malicious documents in emails, known as phishing. External penetration tests are performed to simulate an attack from an external entity trying to access your internal assets.
What happens during a penetration test?
During a penetration test, the pen tester will begin the assessment by scanning the environment to understand better what devices are immediately accessible and learn about the processes and protocols in use. Once the network scan is complete, penetration testers will review the scan results to better understand the devices on the network and review useful items such as the operating systems used and what ports and services are being used by the systems, devices, and machines. Progressively, the penetration tester will begin reviewing the scan reports to identify vulnerabilities as they test the services in use.
Depending on what type of assessment is requested, pen testers will either test all of the discovered vulnerabilities or begin testing the vulnerabilities in line with the assessment goals. From there, the penetration tester will begin safely exploiting the vulnerabilities. As the vulnerabilities are exploited, the penetration tester(s) will document their findings for reporting and remediation purposes. As the assessment testing period concludes, the penetration tester will assemble the findings into a report that outlines the vulnerabilities discovered and how the pen tester(s) successfully exploited the vulnerabilities.
What are the limitations that can affect the outcome of a penetration test?
While there are various types of penetration tests available to manufacturers and producers, there are also many limitations that can also affect penetration testing effectiveness. A blog article from Tutorials Point covers seven limitations that can affect the effectiveness of a penetration test, those being the length of time given for the penetration test, the scope of the assessment, the limitation of access to the system or network, the methods allowed, the skill-set of the penetration tester, access to known exploits, and that inability to experiment with custom exploits.
- Time: Penetration testers are usually given a time period when the assessment is to be performed. Depending on what is agreed between the business requesting the assessment and the group conducting the assessment, penetration tests usually last for one to two weeks. Compared to penetration tests, attacks conducted by cyber criminals and hackers focused on exploiting vulnerabilities can last for weeks, months, or even years.
- Scope: The scope is used to define the penetration test rules, often preventing accidental damage or affecting business operations. The scope can limit the times of day when conducting the assessment, what machines are allowed to be targeted or exploited, and which employees to target during assessments involving phishing emails. When the assessment allows the penetration tester to have a wider assessment scope, the penetration tester can find and exploit more vulnerabilities that criminals could use in a real cyber security attack.
- Limitation of access: Depending on the simulation or scenario that the penetration tester is given, the pentester may be requested to test certain systems’ security but start the assessment from a different portion of the network. In these situations, this limitation is imposed on the penetration tester to test the security of the network from different entry points, which can provide the manufacturer a realistic representation of how far an attacker can get through their network from different starting points and show what information could a hacker gain access to during these situations.
- Limitation of methods allowed: Limiting the methods and exploits used is generally accepted by penetration testers. This is enforced to prevent accidentally crashing necessary systems and affecting productivity. While a penetration test’s main goal is to find exploitable vulnerabilities, the tester should be wary of any known exploit that could cause a system to shut down unexpectedly. In cases such as this, it is the penetration testers’ duty to inform the client of the vulnerability and the potential result of exploiting the vulnerability. If the client does not wish for the vulnerability to be exploited, the penetration tester should document the finding and include it in the final deliverable report.
- Known exploits and experimentation: These two limitations directly impact each other, as, without experimentation and lack of current known exploits, an unknown exploit could be later used against a business. These two limitations stem from the amount of time given for the testing period, as experimental testing may result in unintended damages or lack of provable results. Penetration testers are also limited to known exploits that have been approved for testing, as this prevents accidental damage to systems or system processes. Additionally, testing experimental exploits can take time to perfect and may need specific modifications for each scenario. Compared to penetration testers, malicious attackers often have the ability to develop and test custom exploits against various systems of a targeted environment.
- The penetration testers’ background and experience: While penetration testing can cover several topics or areas of testing, so can the skill-sets that the penetration tester can have. Penetration testers working within environments that they are not familiar with may miss commonly exploitable vulnerabilities while not fully understanding the assessment scope. To avoid this limitation, manufacturers and business owners should understand the background and limitations of the person conducting the assessment and address this limitation if it is a concern.
What should you do after penetration testing?
Upon completing the assessment and the review of findings, the leadership team should prioritize resources for remediation. Many companies tend to begin knocking off the easy issues that commonly have a little material impact on business risk. Some considerations for assigning priorities may include:
- Disclosure of assumptions and biases.
- Identifying the critical assets and workflows.
- Isolating the probable threats.
- The effects of the concerns related to probable threats.
- Determining specific scenarios to be included within the review.
Depending upon your agreed-upon definitions for how vulnerabilities and threat event frequency translate to lose event frequency and risk, teams can define their risk rating to categorize and prioritize remediation. A critical level risk rating could be an annualized loss of $1M-$2M for one company, while a critical loss could be $10M or more for another company. If these labels are clearly translated, then leadership teams can avoid subjective interpretations and assumptions. Resources are limited, and without a strategy and plan to determine priorities, you will likely expend resources with little to no impact to reduce your loss exposure.
How often should I schedule a penetration test?
When manufacturers ask how often they should conduct penetration testing, a few factors can affect how often a penetration test should be performed. According to the EC Council, 3 factors can affect how often a penetration test should be conducted for a company.
- The first factor that can affect how often a company should conduct a penetration test is its size. Large manufacturing companies and businesses will often integrate newer technologies for their internal and external components, requiring more penetration tests to ensure their networks and applications’ security. Compared to larger businesses, smaller manufacturers and businesses require fewer penetration tests, as new components are not frequently changed or installed. As companies change and utilize new technologies, criminals use new vulnerabilities to access sensitive information or internal networks.
- The second factor affecting how often a penetration test should be conducted can be due to regulations that a business needs or uses. For example, businesses that use or have to maintain Payment Card Industries Data Security Standard, or PCI DSS for short, must complete at least 2 penetration tests every six months. Manufacturers should understand their requirements for regulated compliance before defining the scope and scheduling a penetration test.
- The final factor affecting how often a company conducts penetration testing is the infrastructure where data is stored. As cloud environments for data storage continue to become more prevalent, rules against external penetration testing can affect who and when the penetration test is completed. Some cloud service providers will allow external penetration testing but require the account owner to inform the service provider in advance and wait for a response from the cloud provider, either approving or denying the penetration test. In some cases, cloud service providers will opt to internally conduct a penetration test against their own infrastructure to prevent accidental harm to businesses using shared resources.
In addition to the three reasons previously mentioned, manufacturers and producers should conduct a penetration test when manufacturers and producers make changes to the infrastructure and applications used in the network. As changes such as removing and creating new firewall rules or updates to the applications used are made, the network’s security should be considered unsecured until properly tested.
Certitude Security™ is an Ohio-based cybersecurity services company that provides penetration testing to manufacturers throughout the United States. If you are interested in learning more about our assessment services or talking about how your leadership team desires assistance to understand cyber risk better, please visit our website to speak to one of our representatives. During these troubling times, we also offer our remote penetration services as an option to our clients.