CASE STUDY

Penetration Testing as part of the Shipping Company’s Risk Assessment Strategy

How Marpoint IT Managed Services have facilitated a series of shipping companies in conducting successful cybersecurity vulnerability assessments (penetration tests) for their vessels.

What is pentesting?

Penetration testing is an ethical cyber security assessment conducted to identify, safely exploit and help eliminate vulnerabilities that reside across an organisation’s IT environment.

Is penetration testing mandatory for Shipping Companies?

The first two IMO functional elements a) Identify and b) Protect as described in the MSC-FAL.1/Circ.3 clearly note that each company should complete a risk assessment for their assets and take relevant actions to minimize the risk to the acceptable levels.

Frameworks and policies take time to implement, often requiring process and cultural change.  In the meantime, ships and terminals are still being hacked.

A tactical security audit of your vessel and shore systems is a great way to find the security pitfalls in the short term.

Penetration testing is such a process that will assist shipping companies and will prove that they have completed the required process properly and as per international standards.

It is recommended that all organizations commission security testing at least once per year, with additional assessments following significant changes to infrastructure.

Shipping Companies with vast IT estates, as well as those that process large volumes of personal and financial data or have strict compliance requirements to adhere to, should consider conducting pen tests more frequently.

Types of pen testing: White box vs black box vs grey box

The amount of information shared prior to an engagement can have a huge influence on its outcomes. Testing style is usually defined as either white box, black box or grey box penetration testing.

White box penetration testing
White box penetration testing, sometimes referred to as crystal or oblique box pen testing, involves sharing full network and system information with the tester, including network maps and credentials. This helps to save time and reduce the overall cost of an engagement. A white box penetration test is useful for simulating a targeted attack on a specific system utilising as many attack vectors as possible.

Black box penetration testing
In a black box penetration test, no information is provided to the tester at all. The pen tester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation. This scenario can be seen as the most authentic, demonstrating how an adversary with no inside knowledge would target and compromise an organization. However, this typically makes it the costliest option too.

Grey box penetration testing
In a grey box penetration test, also known as a translucent box test, only limited information is shared with the tester. Usually this takes the form of login credentials. Grey box testing is useful to help understand the level of access a privileged user could gain and the potential damage they could cause. Grey box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or an attack that has breached the network perimeter.

When commissioning a pentest, it’s important to ensure the company has the necessary expertise to not only detect a wide range of vulnerabilities, but also provide the assistance you need to remediate them as quickly as possible.

Phases of Penetration Testing

Penetration Testing Case Studies

Having successfully implemented Marpoint Governor Cyber Security Suite and Marpoint IT Managed Services, a series of shipping companies have requested from cyber security services provider for a network penetration test to be performed in one of their fleet vessels.

Methodology

The scenarios implemented by the Pen Testing companies were the following:

External attacker scenario (Black box):
The scenario scope examines the potential vulnerabilities that the vessel may have from attacks happening from the public/external interfaces of the vessel (WAN IP addresses). In other words, anyone in the world with internet access may be a potential attacker.

Testing procedure included external port scan and intelligence lookup of the public IPs of the vessel.

Internal Attacker scenario (White box):
This scenario’s scope examines the potential risk that the vessel has from threats or malpractices inside the vessel’s networks. These threats could include malicious users, but the most significant aspect is that any compromised computer/host (from malware or other threat) can further compromise the vessel and company using its insider visibility of the network.

Testing procedure included network isolation, client isolation, brute force penetration testing on all network devices, Ethernet ports accessibility, scan for open ports and services.

Findings

There were NO findings that could be considered as CRITICAL threats, hence the network infrastructure designed and implemented by MarPoint proved to be fully secured from either external or internal threats.

MarPoint’s tools to remotely self-manage and monitor the vessel’s IT hardware and software infrastructure such as accessing a terminal server using thin clients were deemed to be successful towards eliminating potential threats.

Marpoint Philosophy with regards to Penetration Testing lies on the following principles:

Planning and Preparation

Before a pen test begins, the testers and the Shipping company need to be aligned on the goals of the test, so it’s scoped and executed properly.

Marpoint, in cooperation with the Shipco’s IT department, will assist the nominated pentesting company to familiarize with the Shipco’s cybersecurity procedures, inventory lists and network maps as well as external IP addresses and domains.

Mature Products Organisations with a mature penetration testing program may manage most of their operations in-house, while those who are less mature may depend entirely on third parties. Marpoint proactive IT Managed Services, hardware and software wise, facilitate the preparation of a mature penetration testing program in terms of the following: • People, process, technology and information • Requirements, testing and follow up.

SOC – Marpoint Security Operations Center Roles and Responsibilities

The Marpoint SOC team has many responsibilities that they are expected to manage across a number of roles, among which, maintaining security monitoring tools and investigating suspicious activities.

Maintain Security Monitoring Tools
To effectively secure and monitor a system, there are many tools that the team must maintain and update on a regular basis. The security operations center roles and responsibilities require team members to maintain tools used throughout all security processes. This includes the collection of data. This data must extend to all systems in the network, including cloud infrastructure. Those logs must then be passed to a SIEM and a log analytics tool. A single break in the chain of information flow could have serious implications.

Investigate Suspicious Activities
The Marpoint SOC team is responsible for investigating suspicious and potentially malicious activity within the networks and systems. The penetration test team of analysts then examine the alerts, perform triage, and determine the scope of the threat.

Post-penetration testing actions

Marpoint assists shipping companies to evaluate the Penetration Testing Report and engage into continuous improvements of processes and low risks in order to eliminate possible problems in specific scenarios.

Maintaining an adequate security level over time is a challenging process that Marpoint via proactive IT Managed Services undertakes via a series of never–ending actions like updating systems, monitoring infrastructure, training humans, intelligence gathering and repeating assessments.

Want to get started?

Accelerate your company’s digital transformation