As the COVID-19 pandemic continues to force organizations all over the world to adopt varying degrees of remote work, new cybersecurity risks are being introduced. Can pen testing be used to help security – despite the limitations of lockdowns and other restrictions? To find out, we talked with Mark Whitehead, Global Vice President, Trustwave SpiderLabs Consulting. Find the full interview below.
Q: How has penetration testing changed when the majority of a company's workforce is working remotely?
Mark: With penetration testing (pen testing) there are a lot of different options. When you think about adversaries who are trying to break into an organization, they don’t care where the data is, they just want to steal it. So, when you think about it from the point of view of someone who’s trying to break into organizations, even though many people are working from home, not that much has really changed.
From a pen testing point of view, I would say that right now there’s a lot more emphasis on applications, whether they are in the cloud or hosted natively. Many different organizations are looking at cloud penetration testing right now, due to the sudden shift to remote work and the consequent reliance on cloud infrastructure.
Organizations are suddenly wondering if their AWS, Azure, Oracle and Google cloud instances are secure – and if it turns out that they aren’t, what could have happened during that time frame. One area that I’m really encouraging organizations to focus on right now is credentials and using multi-factor authentication. Authentication is becoming more and more of a boundary, especially with multi-sphere security environments spread across the cloud. Employees are using single sign-on across networks, across cloud environments — if those credentials are compromised you can get caught up in attacks, even if they weren’t initially targeted at you.
Q. Have there been non-pandemic instances where remote pentesting was required?
Mark: At Trustwave, we’ve built our whole practice largely on remote pentesting. We still look at physical risks – if you have a building, you obviously want to pen test it. But a large portion of an organization’s pentesting portfolio will generally be based on remote pentesting, pandemic or no pandemic, so some of the things that need to be done today are really business as usual.
Q. Would pentesting potentially impact an employee’s home network? If so, are there any legal or compliance issues that need to be accounted for?
Mark: Usually it shouldn’t really be an issue. At Trustwave, organizations will give us network ranges: an IP that their company owns or a cloud instance where their servers are hosted or their applications are, depending on scope.
The one spot you may have an issue, depending on how it’s configured, would be if employees were on a home network using non-work devices. As an example, say your security team was doing an advanced kind of pen test, like simulating a really advanced phishing attack, and that compromise were to detonate on an employee’s personal computer: you might run into some complications with compliance issues.
While these would generally be very rare cases, I have had clients ask me to break into their employees’ home Wi-Fi networks, which of course brings up all kinds of legal issues that are generally best to avoid.
Q. How does pentesting change or adapt to a remote working environment – what are the risks you look for and test for?
Mark: Remote workforces have been around long enough now that there really aren’t too many changes to the way we need to pen test. We base our services on availability and ease of use. When you do take a look at some of the new services that are coming online, it seems like many organizations are opening up new cloud platforms. That’s where organizations can be potentially more vulnerable, especially on the cloud communications platforms, like Zoom. These new apps can bring risk – they essentially are opening up a door to your network that you didn’t have previously.
Q. Are there any limitations to pentesting in this scenario?
Mark: The only limitations are really around travel – can people physically go to sites? During the time of COVID-19, many organizations are in this hybrid mode, where the building is partially staffed. But there’s still IT infrastructure… there’s probably less security in the office. That’s where the limitations really come in, and that’s where risks are probably being introduced.
Testing the Depths of Your Security
Proactive security testing can help you understand where your risks and vulnerabilities reside, enabling you to better prevent, detect and respond to security incidents and continuously improve your overall security posture. Read our latest Trustwave SpiderLabs infographic for insights on how to follow the best practices in security testing.