As we continue to adapt in these unprecedented times, many workplaces have remained fully remote. In fact, some organizations have seen enough benefits from remote work that they are planning a permanent shift away from a traditional office environment, instead having their workforce either partially or fully remote. Whether temporary or permanent, remote work has been a large adjustment for everyone, though perhaps even more so for each organization’s security teams.
Remote work presents security challenges that many businesses have never experienced. How can you ensure that you are not exposed to additional threats? How do you know that modifications to increase protection are working appropriately? Pen testing is more important than ever to answer these questions. In this blog, we’ll discuss why remote work can add new attack vectors, and what type of pen tests can help you uncover security weaknesses so you can reduce your risk.
The Increased Attack Surface of Remote Work
There are a number of ways that, if not properly managed, remote work can leave your organization vulnerable. One of the biggest risks is the expansion of the network perimeter. Many organizations had to expose servers and services that were previously internal so that employees could access them from home. When internal servers were only accessed on-site from an office or branch offices, they could be centrally managed by security teams with full visibility. Now each employee represents a new connection to the network that may or may not be secure. Additionally, employees are using their own routers and Wi-Fi connections, so IT teams can’t even verify that each workstation is secure before it connects to the network.
Even organizations that had some teleworking in place are still vulnerable to additional risk. These businesses are still dealing with an influx of new remote employees, and possibly exposed servers that were only being used by onsite employees before. These organizations may have relaxed their remote access and network filtering policies to allow more users to connect and ease the provisioning of new users.
As remote work becomes more routine, organizations can begin to pivot from successful implementation to ongoing security. The best way to get visibility into where the biggest threats are is through pen testing. With remote work, internal and client-side tests are particularly important.
Internal Pen Tests: How Secure Are Your Network Connections?
Employees that work from home still need to be able to access the same files and applications that would be available to them if they were onsite. This is typically done over a virtual private network (VPN). An internal penetration test gives organizations an idea of the consequences of an attack that comes in through the VPN.
With so many new remote employees, threat actors have pivoted their attack strategies. Scanning for vulnerable VPNs—those that have not been patched, for instance—allows an attacker to gain entry to the network. From there, they can access corporate assets, or escalate their privileges further to access sensitive data. An internal penetration test not only uncovers these vulnerable VPNs, but shows exactly how far an attacker would be able to go once they exploited them.
Client-Side Pen Tests: Are Your Employees Vulnerable to Social Engineering Attacks?
Transitioning to telework in the midst of a global crisis has understandably put employees on edge. Unfortunately, threat actors are exploiting this unrest for their own gain, unleashing a staggering amount of phishing emails. In fact, Google has reported blocking 18 million phishing emails a day that contain the keyword “COVID-19,” in addition to 240 million emails with the simplified term “COVID.” Such upheaval naturally makes employees less likely to scrutinize the email they receive.
Remote work also offers more opportunities for a social engineering attack to be successful. Even if an employee uses a corporate laptop, once their home network is connected to the work network, every other device on that home network shares the connection. So even if an organization has a good spam filter in place, this won’t stop a phishing attack from getting through when the employee checks their personal email on their home computer.
Running a phishing simulation will help raise awareness for both the organization and the employees about who is susceptible to phishing attacks. A phishing campaign can give organizations data about the type of phish that employees are opening, and serve as educational opportunities to teach employees about ways to recognize and avoid getting phished from any email, on any device.
Best Practices for a New Normal
Ultimately, change of any kind can bring new security challenges, and the abrupt change to teleworking that many organizations experienced this year left security teams with little time to adequately prepare for a shift that would typically require careful consideration, additional resources, and a deployment that occurs in phases.
Though security teams may have been able to triage problems when this change first arose, ongoing processes and solutions must be implemented now that remote work is being used on a long-term or even permanent basis. Though penetration tests are typically already part of an organization’s security program, regular pen testing will help organizations uncover any issues caused by remote work, prioritize vulnerabilities, and validate remediations once they have been implemented.
Want to learn more about safeguarding your remote workforce?
The Penetration Testing Toolkit is designed to guide you through all the steps of managing an effective penetration testing program.