A comprehensive pentest methodology that quickly and cost-effectively assesses the security posture of a vessel, even while it is underway, has been launched by Cyprus-based cyber security specialist Epsco-Ra Security Systems.
Known as RASP (Rapid Attack Simulation PenTest), the process provides a deep dive into an IT infrastructure’s critical security measures to test and expose deficiencies. It very quickly highlights critical areas in a vessel’s networks and recommends ways to improve and fix the faults.
Results are normally produced within 24 hours, with full reporting through quantitative scoring, a threat matrix, endpoint configuration analysis, firewall and network assessments, and malware and command and control simulation.
Andreas Ioannou, Managing Director of Epsco-Ra, said: “The beauty of the system is that it is carried out remotely and is based on the observation we have made that people spend a lot of money on pen testing before they have their core controls optimised or are even off their system’s default settings. So, we said let’s test those first and give the whole process a lot of value.”
Executing a RASP is very straightforward and can be finished in a day if a vessel has good connectivity, which is needed for the network scanning portion of the process.
Andreas Ioannou again: “So when you execute a RASP you download it from us and we work with someone onboard and start to test how well your firewall functions and how well it is configured. We test the anti-virus software to see how up to date and functional it is and then we do a vulnerability assessment scan on the bridge network.
“With all that data we can assess how well the vulnerability management process is doing. How is your configuration management doing? How is your core control configuration doing? And then we wrap that up into a quantitative score and outline where you can improve, what areas you performed well in and areas not so.”
Gideon Lenkey, Director of Technology at Epsco-Ra, said that what made the process unique was its quantitative approach.
“People buy pentests and get a lot of information they don’t necessarily need. It is not so much about unrealistic attack scenarios but how your security controls and processes are performing onboard your ship that matters. It is also remotely actioned which is a big selling factor,” he added.