The automotive industry is undergoing cybersecurity standardization and regulation that enforces consistent analysis to provide work products to auditors. Requests for penetration tests to showcase the cybersecurity of products are being asked throughout the automotive supply chain.
Penetration testing is the act of identifying vulnerabilities and attempting to exploit a target using creative means within a defined scope. Often provided by a third party with a fresh set of eyes.
Penetration testing goes farther than standard validation and quality testing. Testing from the perspective of an adversary with malicious intent, penesting explores unique pathways to discover vulnerabilities which cannot be found through other types of testing.
Penetration testing engagements end with a report of any discovered vulnerabilities which might need to be mitigated and document all attempts and testing methods used.
Penetration tests offer insight into which channels your product is most at risk and thus what types of security controls you need to focus on in current and future products.
Many automotive companies and vehicles products have already been victims of cyber-attacks or security research publications causing harm.
Penetration testing has the potential to discover critical vulnerabilities, that if left uncheck, can cause loss of life, recalls, and severe financial and brand damages. Providing the penetration test reports to auditors will prove your due diligence and achieve compliance with regulations.
Block Harbor follows a standard process to ensure consistency and quality of our penetration testing. Our focus is on holistic assessments that ensure every basic security control is in place for interfaces in scope before we advance to more complex testing.
We Follow a 6 step process:
In order to test the right areas, it’s important to understand who and what the possible threats might be. That’s why the assessment begins by working with your team to develop a wholistic picture of your environment to determine what possible threats you might face and what the actors motivations would be.
Understanding what’s available for the attacker to target and what information that they can leverage is critical to building a practical attack narrative. In this phase of the assessment we canvass the attack surface of the application or software. The goal of passive reconnaissance is to use publicly available tools to gather information so we can build a picture of what areas are exposed to attack and determine what information exists in the wild that the attacker may leverage against you.
Our security experts will then run the vulnerabilities through test cases to canvas the internal attack surface laterally. As the internal attack surface expands during testing, the client and stakeholders are informed on a cyclic basis.
It’s important to not only test the weak spots but ensure the security defense’s you put in place are working. That’s why in this phase test to verify the defense mechanisms you currently have in place are working and detect any vulnerabilities that they may have.
Using automated tools and vulnerability scanners can only get you so far. This is is where we take the gloves off and leverage our previous findings, extensive knowledge, experience, and expertise in order to attempt to exploit the vulnerabilities we found as well as craft creative attacks that may be used against your product or environment.
The findings of the engagement will be encapsulated in a document in order to help visualize the attack surfaces that need to be hardened or refactored. The report will consist of exploitation point of concepts, processes, remediation plans, and assessment of risk.
To stay consistent with your development cycle, a roadmap will be established to meet the scope and requirements of the engagement.
Decide on who within the organization will coordinate efforts during and after testing.
Deliverables that are generated during the engagement will be communicated to the client and shareholders.
Contact us today to learn more about partnering with Block Harbor.
