The documented frequency of cyber attacks against the U.S. manufacturing industry increases year over year, along with the financial losses from successful breaches. It is more important than ever that manufacturers and producers undertake continuous vulnerability scans and penetration testing to identify susceptibility and ensure that cybersecurity controls are configured and functioning correctly to minimize losses.

The first reason penetration testing is necessary is to reduce loss magnitude associated with successful security breaches and resulting business disruption. When a business experiences a data breach, the costs of containment, recovery, public relations, and fines can quickly add up. Depending on the duration and level of business disruption caused by the breach, the costs of not manufacturing quality products shipped accurately and delivered on time can result in net annual losses. These cyber incidents can be fatal to businesses and family legacies in more severe cases.

The second reason penetration testing is necessary is to detect previously unknown vulnerabilities. The worst-case situation is to have exploitable vulnerabilities within your infrastructure or applications while the leadership team assumes assets are protected. The belief of being unassailable leads to decisions that further reduce awareness while attackers are probing your assets. Successful attacks, called breaches, can go undetected for months.

Another reason penetration testing is important is that it provides feedback on the effectiveness of the security tools manufacturers use in their day-to-day operations. Most manufacturers and producers use some form of security tools, such as backup software, anti-virus and anti-malware services, and system maintenance tools. While leadership teams may have confidence that these tools are practical, they cannot assign any confidence level until the tools are adequately tested. Penetration testers also identify misconfigurations and default configurations. These mistakes could allow criminals to disable security tools, allowing attacks to be successful and financial losses to occur.

Penetration testing is essential to manufacturers because of adherence to regulated guidelines. Manufacturers that follow regulated guidelines such as Defense Federal Acquisition Regulation Supplement (DFARS) or Cybersecurity Maturity Model Certification (CMMC) to enhance the protection of unclassified information within the supply chain must regularly conduct a penetration test to validate the level of security implemented.

Without regular tests and a list of other requirements, these manufacturers will fail to meet compliance and certification requirements. DoD contractors should begin planning for CMMC certification because failure to secure an appropriate certification level will render contractors ineligible for new awards starting September 2020.

What is penetration testing?

Penetration testing is a controlled, simulated attack to identify the potential flaws and weaknesses within a business’ network, devices, or applications that could result in a data breach and financial loss. Penetration testing, also known as ethical hacking or pen testing, can be focused on the needs and wants of the business and can include internal network security testing, external network security testing, web application testing, and mobile application security testing.

The purpose of penetration testing is to help business and IT leadership identify vulnerabilities within their environment that could lead to an attacker accessing privately-owned networks, systems, and sensitive business information. When vulnerabilities are discovered, penetration testers try to exploit these vulnerabilities to access information, elevate the privileges of a user’s account, or take control of the business network.

Penetration tests are conducted under strict rules mutually agreed upon by the company performing the penetration test and the company requesting the assessment. In some cases, companies will create “flags,” or proof markers, that penetration testers are asked to capture during the assessment.

What is the difference between internal penetration testing and external penetration testing?

With internal penetration testing, either the device used for the penetration test or the penetration tester is directly connected to the manufacturer’s or producer’s facility network. Internal penetration testing focuses on the vulnerabilities that affect devices on a local network level if one device on the network is compromised, such as an attacker connecting to a computer in accounting.

With external penetration testing, the goal for the pen tester is to gain access to the internal network of the business by exploiting external resources, such as company login portals, devices with remote access capabilities accessible to the Internet, or through the use of malicious documents in emails, known as phishing. External penetration tests are performed to simulate an attack from an external entity trying to access your internal assets.

Penetration test targets a firewall. Penetration testing is one of the best ways to identify network and core IT systems vulnerabilities.

What happens during a penetration test?

During a penetration test, the pen tester will begin the assessment by scanning the environment to understand better what devices are immediately accessible and learn about the processes and protocols in use. Once the network scan is complete, penetration testers will review the scan results to better understand the network devices and review useful items such as the operating systems used and what ports and services are being used by the systems, devices, and machines. Progressively, the penetration tester will begin reviewing the scan reports to identify vulnerabilities as they test the services in use.

Depending on the type of assessment requested, pen testers will either test all of the discovered vulnerabilities or begin testing the vulnerabilities in line with the assessment goals. From there, the penetration tester will begin safely exploiting the vulnerabilities. As the vulnerabilities are exploited, the penetration tester(s) will document their findings for reporting and remediation purposes.

As the assessment testing period concludes, the penetration tester will assemble the findings into a report that outlines the vulnerabilities discovered and how the pen tester(s) successfully exploited the vulnerabilities.

What are the limitations that can affect the outcome of a penetration test?

While there are various types of penetration tests available to manufacturers and producers, many limitations can also affect penetration testing effectiveness. A blog article from Tutorials Point covers seven limitations that can affect the effectiveness of a penetration test. The limitations are the length of time given for the penetration test, the scope of the assessment, the limitation of access to the system or network, the methods allowed, the skill-set of the penetration tester, access to known exploits, and the inability to experiment with custom exploits.

  • Time: Penetration testers are usually given a time period when the assessment is to be performed. Depending on what is agreed between the business requesting the assessment and the group conducting the assessment, penetration tests usually last for one to two weeks. Compared to penetration tests, attacks conducted by cyber criminals and hackers focused on exploiting vulnerabilities can last for weeks, months, or even years.
  • Scope: The scope is used to define the penetration test rules, often preventing accidental damage or affecting business operations. The scope can limit the times of day when conducting the assessment, what machines are allowed to be targeted or exploited, and which employees to target during assessments involving phishing emails. When the assessment allows the penetration tester to have a wider assessment scope, the penetration tester can find and exploit more vulnerabilities that criminals could use in a real cyber security attack.
  • Limitation of access: Depending on the simulation or scenario that the penetration tester is given, the pentester may be requested to test certain systems’ security but start the assessment from a different portion of the network. In these situations, this limitation is imposed on the penetration tester to test the security of the network from various entry points, which can provide the manufacturer a realistic representation of how far an attacker can get through their network from different starting points and show what information a hacker could gain access to during these situations.
  • Limitation of methods allowed: Limiting the methods and exploits used is generally accepted by penetration testers. This is enforced to prevent accidentally crashing critical systems and affecting productivity. While a penetration test’s primary goal is to find exploitable vulnerabilities, the tester should be wary of any known exploit that could cause a system to shut down unexpectedly. In cases such as this, the penetration testers must inform the client of the vulnerability and the potential result of exploiting it. If the client does not wish the vulnerability to be exploited, the penetration tester should document the finding and include it in the final deliverable report.
  • Known exploits and experimentation: These two limitations directly affect each other: without experimentation, and without a current known exploit to test, an unknown exploit could later be used against a business. Both limitations stem from the amount of time given for the testing period, as experimental testing may result in unintended damage or a lack of provable results. Penetration testers are also limited to known exploits that have been approved for testing, as this prevents accidental damage to systems or system processes. Additionally, experimental exploits can take time to perfect and may need specific modifications for each scenario. Compared to penetration testers, malicious attackers often can develop and test custom exploits against various systems of a targeted environment.
  • The penetration testers’ background and experience: Penetration testing can cover several topics or areas of testing, and the skill-sets of penetration testers vary just as widely. Penetration testers working within environments that they are not familiar with may miss commonly exploitable vulnerabilities while not fully understanding the assessment scope. To avoid this limitation, manufacturers and business owners should understand the background and limitations of the person conducting the assessment and address this limitation if it is a concern.
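The scope limitation above can be written down as data and checked before any test activity touches a host. The following is an added example, not part of the original article; the `Scope` fields, the addresses, and the testing window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Scope:
    allowed_networks: tuple  # CIDR ranges the client agreed to have tested
    excluded_hosts: tuple    # hosts that must never be touched
    window_start: time       # agreed daily testing window (may wrap midnight)
    window_end: time
    test_days: frozenset     # weekdays a window may start on, Monday = 0

def in_window(scope, when):
    """True if 'when' falls inside an agreed testing window."""
    t, day = when.time(), when.weekday()
    if scope.window_start <= scope.window_end:
        inside = scope.window_start <= t < scope.window_end
    else:
        inside = t >= scope.window_start or t < scope.window_end
        if t < scope.window_end:
            day = (day - 1) % 7  # early hours belong to the previous night's window
    return inside and day in scope.test_days

def check_target(scope, target, when):
    """Return (allowed, reason) for one target address at one point in time."""
    addr = ip_address(target)
    if any(addr == ip_address(h) for h in scope.excluded_hosts):
        return False, "host is explicitly excluded"
    if not any(addr in ip_network(n) for n in scope.allowed_networks):
        return False, "address is outside the agreed networks"
    if not in_window(scope, when):
        return False, "outside the agreed testing window"
    return True, "in scope"

# Constructed sample scope: one plant network, one excluded controller,
# testing allowed 22:00-04:00 on nights that start Monday through Friday.
SCOPE = Scope(
    allowed_networks=("10.20.0.0/16",),
    excluded_hosts=("10.20.5.10",),
    window_start=time(22, 0),
    window_end=time(4, 0),
    test_days=frozenset({0, 1, 2, 3, 4}),
)

if __name__ == "__main__":
    for host in ("10.20.1.15", "10.20.5.10", "192.168.1.1"):
        print(host, check_target(SCOPE, host, datetime(2024, 3, 5, 23, 0)))
```

Recording the reason alongside each refusal gives the final report a trace of what was skipped because of scope rather than because it was secure.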

What should you do after penetration testing?

Upon completing the assessment and the review of findings, the leadership team should prioritize resources for remediation. Many companies tend to begin by knocking off the easy issues that commonly have little material impact on business risk. Some considerations for assigning priorities may include:

  • Disclosure of assumptions and biases.
  • Identifying the critical assets and workflows.
  • Isolating the probable threats.
  • The effects of the concerns related to probable threats.
  • Determining specific scenarios to be included within the review.

Depending upon your agreed-upon definitions for how vulnerabilities and threat event frequency translate to loss event frequency and risk, teams can define their risk rating to categorize and prioritize remediation. A critical level risk rating could be an annualized loss of $1M-$2M for one company, while a crucial loss could be $10M or more for another company. If these labels are translated, leadership teams can avoid subjective interpretations and assumptions. Resources are limited, and without a strategy and plan to determine priorities, you will likely expend resources with little to no impact on reducing your loss exposure.
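As an added example (not from the original article), the sketch below ranks findings by annualized loss and applies company-specific rating labels. It assumes loss event frequency is threat event frequency multiplied by vulnerability; the findings, their figures, and every threshold other than the two critical floors are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    threat_event_frequency: float  # expected threat events per year
    vulnerability: float           # chance a threat event becomes a loss event (0..1)
    loss_magnitude: float          # expected loss per loss event, in USD

    @property
    def loss_event_frequency(self):
        return self.threat_event_frequency * self.vulnerability

    @property
    def annualized_loss(self):
        return self.loss_event_frequency * self.loss_magnitude

def rate(annualized_loss, thresholds):
    """Map a dollar figure to the company's own label; thresholds are (label, floor)."""
    for label, floor in sorted(thresholds, key=lambda t: t[1], reverse=True):
        if annualized_loss >= floor:
            return label
    return "informational"

def prioritize(findings, thresholds):
    """Return (name, annualized loss, rating), largest loss exposure first."""
    ranked = sorted(findings, key=lambda f: f.annualized_loss, reverse=True)
    return [(f.name, round(f.annualized_loss), rate(f.annualized_loss, thresholds))
            for f in ranked]

# Constructed rating scales: "critical" starts at $1M for one company
# and at $10M for another, as in the paragraph above.
COMPANY_A = [("critical", 1_000_000), ("high", 250_000), ("medium", 50_000), ("low", 0)]
COMPANY_B = [("critical", 10_000_000), ("high", 2_000_000), ("medium", 500_000), ("low", 0)]

# Constructed findings from a hypothetical assessment report.
FINDINGS = [
    Finding("Verbose banner on intranet web server", 2, 0.05, 20_000),
    Finding("Unpatched VPN appliance", 12, 0.1, 400_000),
    Finding("Default credentials on HMI console", 4, 0.5, 750_000),
]

if __name__ == "__main__":
    for scale in (COMPANY_A, COMPANY_B):
        for row in prioritize(FINDINGS, scale):
            print(row)
        print()
```

The same three findings rate critical, high, and low on the first scale but medium, low, and low on the second, which is why the labels need agreed dollar definitions before they drive remediation order.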

Inside look at a manufacturing plant. Every Internet-connected device is at risk of exploitation, from management consoles to individual IoT sensors.

How often should I schedule a penetration test?

When manufacturers ask how often they should conduct penetration testing, a few factors can affect how often a penetration test should be performed. According to the EC Council, three factors can affect how often a company should conduct a penetration test.

  • The first factor affecting how often a company should conduct a penetration test is its size. Large manufacturing companies and businesses will often integrate newer technologies for their internal and external components, requiring more penetration tests to ensure their networks and applications’ security. Smaller companies need fewer penetration tests than larger enterprises, as new features are not frequently changed or installed. As companies change and utilize new technologies, criminals use new vulnerabilities to access sensitive information or internal networks.
  • The second factor affecting how often a penetration test is conducted is the regulations that a business needs or uses. For example, companies that use or maintain the Payment Card Industry Data Security Standard, or PCI DSS for short, must complete at least two penetration tests every six months. Manufacturers should understand their requirements for regulated compliance before defining the scope and scheduling a penetration test.
  • The final factor affecting how often a company conducts penetration testing is the infrastructure where data is stored. As cloud environments for data storage continue to become more prevalent, rules against external penetration testing can affect who completes the penetration test and when. Some cloud service providers will allow external penetration testing but require the account owner to inform the service provider in advance and wait for a response from the cloud provider, either approving or denying the penetration test. In some cases, cloud service providers will internally conduct a penetration test against their infrastructure to prevent accidental harm to businesses using shared resources.

In addition to the three reasons previously mentioned, manufacturers and producers should conduct a penetration test when making changes to the infrastructure and applications used in the network. As changes are made, such as removing and creating new firewall rules or completing application updates, the network’s security should be considered unsecured until adequately tested.

As a proud supporter of American companies, Certitude Security® is working diligently to inform leaders and facilitate essential asset protection priorities for manufacturers and supply chains throughout the United States.

Problem discussions can be a defining moment in your career. If you are interested in value creation, learn about SPOT-Beam™ by Certitude Security®. We look forward to helping you and your business succeed!