Employers have moved employees to remote work to protect them from the coronavirus. Not all companies, however, have taken care of their own protection, even though remote access (VPN, DaaS, RDP and similar) is a type of connection that requires a shift in monitoring focus and dedicated measures against cyberattacks.
These measures differ from the traditional ones that apply when employees, and their work devices, sit inside the corporate security perimeter. There is a whole list of reasons for this, from vulnerabilities in the protocols and technologies used for remote access to the fact that employees connect to the internal network from personal devices that may not even be protected by antivirus software.
The best way to get a quick and comprehensive assessment of the security of remote access is to commission a penetration test. The method works as follows: the company engages a third-party information security (IS) team, who simulate various kinds of cyberattacks. Using specialized software and manual attack techniques, the experts identify risks, misconfigurations and "holes" in the information system, including those critical to remote access. The customer then receives a detailed report describing the vulnerabilities and recommending how to close them.
In the experience of information security specialists worldwide, a large share of external attack vectors against a corporate network involve vulnerabilities in web applications. Software configuration weaknesses also play a part, for example overly permissive access policies or a self-service user registration flow with little verification, as does allowing employees to log in with weak passwords. All of this makes life easier for criminals trying to get into the company's internal network, for example the intranet portal where commercial information is stored.
Exploiting vulnerabilities in the protocols and software used for remote access is also popular. Examples include the Windows RDP bug in Windows 7, Server 2008 and Server 2008 R2 known as BlueKeep (CVE-2019-0708), the Citrix ADC and Gateway vulnerability CVE-2019-19781, the Laravel framework vulnerability CVE-2018-15133, and a number of vulnerabilities in network equipment used for VPN connections.
Companies with their own information security department will, of course, most likely close known "holes" and errors. However, even a skilled security team is unlikely to protect against zero-day vulnerabilities. Needless to say, the risk is far greater for companies that have no information security specialist on staff and have not even established routine patching of applications and the OS.
Not every organization can afford to connect employees remotely through corporate devices, whether for technical or financial reasons. This means that a typical employee, call him Tom Hence, may install a "thick client" on a personal laptop and connect to corporate services from there. It is fine if Mr. Hence is conscientious: he does not visit dubious sites out of lockdown boredom, does not download questionable software from torrents, takes the trouble to choose strong passwords, and keeps his antivirus up to date. Otherwise, a criminal who compromises Tom Hence's personal device can gain access to the company's resources and infrastructure with his full privileges.
Do not forget that employees connect from home over an Internet link that nobody controls. This brings additional risks, for example vulnerabilities in the home Wi-Fi network and the associated equipment (the router or access point). It is hard to imagine that, after switching to remote work, every employee without exception rushed to check the security settings of their devices, even if they received strict instructions to do so.
Ideally, the company's information security department runs a full toolset for monitoring and protecting remote access: SIEM and MDM systems, a web application firewall, DLP, NTA solutions, and a terminal server with two-factor authentication. That is the ideal; some companies have to get by with more modest means, and that is where penetration testing helps.
To analyze the security of remote access, specialists use vulnerability scanners that detect weaknesses in applications, operating systems and the infrastructure as a whole. They also use tools such as Metasploit, Burp Suite and nmap, along with manual techniques drawn from the attackers' own arsenal.
Testing includes an external security analysis (a black-box model, with no prior knowledge of the target) and an internal one (a gray-box model, with limited credentials or knowledge of the environment). Both are conducted remotely. It should be noted that the information security experts do not "break" anything in the infrastructure and do not access internal information that is critical to the company. They do, however, test whether such access is possible and, if the attempt "succeeds", demonstrate it to the client.
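To show what the first pass of such an analysis looks like in practice, here is an added example (not code from the original article or from any pentesting vendor) that triages an nmap XML scan of an internet-facing range and flags remote-access services that should normally sit behind a hardened gateway rather than be exposed directly. It assumes the scan was produced with `nmap -sV -oX scan.xml <targets>`; the XML embedded below is a constructed sample in that format, the hosts and hostnames are fictional, and the port-to-severity mapping and remediation advice are the example author's judgement, not nmap output.

```python
"""Triage an nmap XML scan for internet-exposed remote-access services.

Added example, not from the original article. Assumes the scan was produced with
`nmap -sV -oX scan.xml <targets>` against the external perimeter. The XML below
is a constructed sample in that format, not a real scan result.
"""
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (two fictional hosts, trimmed to the
# elements this script reads). Note that 445/tcp is filtered, not open.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.0/29">
  <host>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
      <port protocol="tcp" portid="1723"><state state="open"/><service name="pptp"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="udp" portid="1194"><state state="open"/><service name="openvpn"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Remote-access ports that should not face the internet directly, or only with
# compensating controls. Severity and advice are the example author's judgement
# (an assumption), not something nmap reports.
REMOTE_ACCESS_PORTS = {
    ("tcp", 23):   ("telnet", "high",   "cleartext remote shell; disable"),
    ("tcp", 22):   ("ssh",    "medium", "restrict by source IP, key-based auth only"),
    ("tcp", 3389): ("rdp",    "high",   "do not expose directly; VPN with MFA, enforce NLA, patch (e.g. CVE-2019-0708)"),
    ("tcp", 5900): ("vnc",    "high",   "weak authentication; tunnel over VPN or SSH"),
    ("tcp", 1723): ("pptp",   "high",   "obsolete VPN protocol (MS-CHAPv2 is broken); replace"),
    ("udp", 1194): ("openvpn","medium", "require certificates plus MFA, keep the server patched"),
    ("udp", 500):  ("isakmp", "medium", "review IKE proposals, disable aggressive mode"),
    ("udp", 4500): ("ipsec-nat-t", "medium", "same review as isakmp"),
}


def parse_open_ports(xml_text):
    """Return (addr, hostname, protocol, port, nmap service name) for every open port."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        hn_el = host.find("hostnames/hostname")
        hostname = hn_el.get("name") if hn_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            service = svc.get("name", "") if svc is not None else ""
            results.append((addr_el.get("addr"), hostname, port.get("protocol"),
                            int(port.get("portid")), service))
    return results


def triage(xml_text):
    """Match open ports against REMOTE_ACCESS_PORTS; return findings, highest severity first."""
    findings = []
    for addr, hostname, proto, portid, service in parse_open_ports(xml_text):
        rule = REMOTE_ACCESS_PORTS.get((proto, portid))
        if rule is None:
            continue
        label, severity, advice = rule
        findings.append({"host": addr, "hostname": hostname, "port": f"{portid}/{proto}",
                         "service": label, "nmap_service": service,
                         "severity": severity, "advice": advice})
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["host"], f["port"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_XML):
        print(f"[{f['severity'].upper():6}] {f['host']:15} {f['port']:9} {f['service']:12} {f['advice']}")
```

Run against the sample, the script reports two high findings on the gateway host (RDP and PPTP exposed directly) and two medium ones on the second host (SSH and OpenVPN), while ignoring 443/tcp and the filtered 445/tcp. A real engagement would feed this list into the next step: testing whether the exposed RDP host is patched, whether the SSH service accepts passwords, and whether the VPN gateway enforces MFA.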
Based on the results of the work, the client receives a detailed report on the vulnerabilities identified. The report also describes the testing methodology, lists which systems were tested, rates how critical each vulnerability is, and explains how to eliminate it.