What is pentesting?
Penetration testing is an ethical cyber security assessment conducted to identify, safely exploit and help eliminate vulnerabilities that reside across an organisation’s IT environment.
Is penetration testing mandatory for Shipping Companies?
The first two IMO functional elements, a) Identify and b) Protect, as described in MSC-FAL.1/Circ.3, clearly note that each company should complete a risk assessment for its assets and take relevant actions to reduce the risk to acceptable levels.
Frameworks and policies take time to implement, often requiring process and cultural change. In the meantime, ships and terminals are still being hacked.
A tactical security audit of your vessel and shore systems is a great way to find the security pitfalls in the short term.
Penetration testing is one such process: it will assist shipping companies and will prove that they have completed the required process properly and in line with international standards.
It is recommended that all organizations commission security testing at least once per year, with additional assessments following significant changes to infrastructure.
Shipping companies with vast IT estates, as well as those that process large volumes of personal and financial data or have strict compliance requirements to adhere to, should consider conducting pen tests more frequently.
Types of pen testing: White box vs black box vs grey box
The amount of information shared prior to an engagement can have a huge influence on its outcomes. Testing style is usually defined as either white box, black box or grey box penetration testing.
White box penetration testing
White box penetration testing, sometimes referred to as crystal or oblique box pen testing, involves sharing full network and system information with the tester, including network maps and credentials. This helps to save time and reduce the overall cost of an engagement. A white box penetration test is useful for simulating a targeted attack on a specific system utilising as many attack vectors as possible.
Black box penetration testing
In a black box penetration test, no information is provided to the tester at all. The pen tester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation. This scenario can be seen as the most authentic, demonstrating how an adversary with no inside knowledge would target and compromise an organization. However, this typically makes it the costliest option too.
Grey box penetration testing
In a grey box penetration test, also known as a translucent box test, only limited information is shared with the tester. Usually this takes the form of login credentials. Grey box testing is useful to help understand the level of access a privileged user could gain and the potential damage they could cause. Grey box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or an attack that has breached the network perimeter.
When commissioning a pentest, it’s important to ensure the testing provider has the necessary expertise not only to detect a wide range of vulnerabilities, but also to provide the assistance you need to remediate them as quickly as possible.