Well, hopefully everybody had a great weekend. Mine was full of work, churning out articles and working on my new book. Today I wanted to touch on the topic of Penetration Testing. This is something I have eluded to before, but felt now is a good time to explore it in more detail. I have always talked about how important it is to have that all important balance between human vigilance and having the right security based technologies at hand.
But, one thing I have failed to mention was that in all of this, you also need to have the right tools as well in order to see where the weak spots are in your business or corporation. For example, you may think that you have everything in place, but alas, you may be quite surprised to find that there quite likely hidden gaps or holes in your defense perimeters that you may never even thought existed.
So, the question is, how does one find these? The answer lies through Penetration Testing. It an be specifically as defined as follows:
“A penetration test, also known as a pen test, is a simulated cyberattack against your computer system to check for exploitable vulnerabilities. In the context of web application security, penetration testing is commonly used to augment a web application firewall (WAF).
Pen testing can involve the attempted breaching of any number of application systems, (e.g., application protocol interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.
Insights provided by the penetration test can be used to fine-tune your WAF security policies and patch detected vulnerabilities.” (SOURCE: https://www.incapsula.com/web-application-security/penetration-testing.html).
So, as you can see from the definition up above, a Penetration Test, involves three components:
- An analysis of the Security weaknesses in your current lines of defense;
- An analysis of the Security weaknesses in any or all of your hardware and software applications;
- A formal write up of key findings/takeaways and suggestions/recommendations for any immediate action items.
But, what is so unique about a Penetration Test is that the people who are involved in doing these exercises take the exact same mindset as a Cyber attacker would when they start launching their hacks. But, with a Penetration Tester, you can trust who are working with, because they are totally ethical and honest in what they do, and they are totally on your side. All of this may sound simple in theory, but there is a lot and a lot that goes on with this, and future blogs will cover this. I just wanted to cover the very basics in this post.
So now, with all of this in mind, I came across a news article in which a Penetration Testing organization, known as “Pen Test Partners”, just recently Pen Tested over 20 different ECDIS (Electronic Chart Display and Information System) units that ships use to navigate. They found several vulnerabilities that could allow a Cyber attacker to control the Operation Technology (OT) systems used to control the steering gear, engines, ballast pumps of any kind or type of ship, whether it is cargo, commercial, or even a cruise line vessel.
If a Cyber attacker gained control of any one of these units, the ship would not necessarily sink per se, but rather, it would be sent in the wrong direction or even trick/deceive crew members into taking certain actions that could affect the systems of a ship, or even make them think that they are headed in the right direction when they really are not.
In this instance, the Penetration Testing exercises revealed the culprit of these particular Security vulnerabilities:
- The misuse of default credentials;
- The usage of old and outdated systems such as Windows NT;
- Key interfaces being linked up over telnet and HTTP (this is where cleartext messages are sent, and this is a huge no-no);
- The ability to edit the entire web application running on the terminal;
- Easy access to administrative based login credential info.
Apart from sending the ship in the wrong direction, other vulnerabilities that were discovered also include the following:
- Gaining control of the ship’s ECDIS. This will allow the Cyber attacker to change the ship’s route by altering the data used to communicate with GPS satellites;
- Potentially crashing the ship, particularly in fog, and other types of inclement weather;
- Maliciously crowding shipping lanes by spoofing the position of the GPS satellite receiver on the ship thus causing ships to collide with another;
- Track and hack ship’s satellite communications to develop a clickable map highlighting the victim ships in their real-time position.
Man, even as I just wrote all of this, I remember the times I used to watch the “Love Boat” episodes with my parents on the weekends. Back then, who would have ever thought that this was possible? Heck, even GPS was not even heard of back then. Anyways, the Penetration Testing organization did submit a formal report to the company that requested all of this.
Of course, they can’t reveal much, but there are two key takeaways that they specifically revealed:
- Some of these vulnerabilities can be fixed by simply enforcing stronger password policies (it was even recommended that a Password Manager should be used);
- The crews of these ships, rely too much technology to make key decisions rather than simply “looking out of their window” to see what is really going on. In other words, because of this sheer dependency on technology and GPS, the Cyber attacker has the upper hand into tricking the crew in sending the ship into the wrong direction, potentially on a collision course, when really they should be using their analog instrumentation to confirm the ship’s routing.
Wow, now that ships are prone to all of this, what about commercial aircraft, especially passenger jets? Airplanes rely heavily upon technology much more than ships do, and just imagine a worst case scenario: The Cyber attacker alters the course of the flight path of two airplanes, tricking the crew into believing that they are on the right course, when they really are on a collision course?
This is a lot to think about. Hopefully the airlines, all of them, will start to use Penetration Testing to discover any hidden holes or vulnerabilities in their IT Infrastructure. The clock is ticking . . . .