In light of COVID-19 and the toll it is taking on the business community, today we will discuss the types of remote security assessments that can be performed and some alternative tweaks to assessments to ensure your security program is still evaluated and working properly. Unfortunately, with all of the chaos, attackers know that they may be able to take advantage of enterprises more easily given the current state of affairs. Luckily, with the tools and techniques available today, there are still many options for completing a security assessment that are just as practical and, oftentimes, more budget friendly, as there is no need for travel.
Remote Security Assessments and Alternative Solutions:
External Penetration Test: An external penetration test is already conducted remotely, as it mimics an attacker trying to break into your organization from the Internet. We completely respect the fact that IT teams are bogged down right now, trying to adjust to whole companies moving to a completely remote workforce. As security assessments go, external penetration testing is extremely low impact, and it needs little interaction from your team aside from providing target information and reviewing the report. Additionally, this type of testing is extremely unlikely to cause any issues or network instability. But if you simply don’t have the bandwidth to support this kind of testing right now, consider a vulnerability scan in lieu of an external penetration test for the time being. A vulnerability scan is certainly not as robust as an external penetration test, as it is simply an automated scan, but it’s much better than nothing, and if you don’t have the ability to do this internally, it’s something to consider. You can ensure no glaring holes have popped up with this massive shift to more externally accessible resources, and then delay your annual external penetration test until things begin to get back to the new “normal”.
Internal Penetration Test: At Triaxiom, we generally perform our internal penetration testing remotely by shipping a system to you and having it placed on your network. The difficulty here lies in the fact that if we ship the system to an office, no one is there to accept it and get it set up. Another option is to have the laptop shipped directly to someone who has access to the office, who can then place the laptop on the network if they have access. Just this week, we did exactly that for 3 separate clients with no issues. Additionally, we’ve also done some more creative workarounds, such as testing through the VPN (depending on configuration/segmentation) and utilizing virtual machines that can be set up and configured remotely. If you need to have an internal penetration test performed, there are a lot of ways we can make that happen that will result in very little extra work/disruption on your part.
Social Engineering: Social engineering assessments are intriguing in the current environment. On one hand, we have some clients that do not feel it would be appropriate to target employees while working at home in these trying times, which is certainly understandable. On the other hand, these are the times that attackers thrive on, launching campaigns based on current events and preying on these circumstances. So some clients are asking us to proceed with social engineering assessments to help remind employees that they still need to be vigilant. Generally speaking, we include phone-based vishing attacks as part of our campaigns, but we have been asked by some clients to keep it strictly to email campaigns for the time being, which we are happy to do.
Web Application Penetration Test: All things considered, web application penetration testing is one of our least impacted assessments. All testing is conducted remotely anyway, and it is a very low impact process for the client. Usually, the only aspects that require the client’s attention are getting credentials set up to facilitate testing prior to execution and reviewing the results after the assessment. Further, if testing is performed in a QA, dev, test, UAT, etc. environment, there is a very limited risk of experiencing any testing-related downtime.
Physical Penetration Test: As you could expect, physical penetration testing (along with wireless penetration testing) has been one of the most impacted assessments as it requires travel and attempting to gain physical access to buildings. One of the many aspects of physical penetration testing is relying on the presence of employees and elements of social engineering to blend in, tailgate, provide unauthorized access, etc. With the lack of employees at office locations, the value of a physical penetration test is definitely diminished. However, a remote physical audit is still a possibility. This involves interviews to discuss the physical security of buildings, discussions of the safeguards that are in place, etc. It could also entail a remote walkthrough of the building leveraging video conferencing techniques, if anyone involved with the assessment still has building access.
While everyone is still adapting to the current COVID-induced working environment, you should not let your enterprise security be completely forgotten. The business processes and sensitive data you need to protect are still at risk of being compromised, and threat actors are still active during these times. By continuing to focus on your security program, coming up with viable assessment alternatives where needed and conducting remote security assessments, you can continue to thwart potential attackers during these difficult times.