Posted on March 31, 2020, by Secarma

In a new mini-series, Secarma’s Technical Director, Holly Grace Williams, investigates how recent news events are impacting companies. In part one she takes a look at how we perform effective internal infrastructure tests, remotely.

Here at Secarma, we’re all working from home. I’m trapped in a home-office myself. I’ve been thinking about how being at home, and having your whole team at home, affects the threat landscape for businesses.

I’ve seen a lot of people talking about phishing attacks and using COVID-19 as a scenario; however, I thought I’d talk about my usual day job and what I’ve been up to this week.

What have I been up to this week? I’ve been hacking an internal corporate network. I managed to compromise the entire corporate network to domain administrative level, and I even managed to get their WiFi password – all from the comfort of my home office.

I think this is an important topic to talk about, to get the message out that we can perform internal infrastructure assessments remotely.

I hope every single company who have made the change to operating from home have either conducted, or have at least scheduled for very soon, an internal infrastructure penetration test. Most companies’ testing policies state that you should have a penetration test on a schedule (often that’s annually) and after any major change. If sending all your staff home doesn’t count as a major change, then I don’t know what does!

Some of you might hear that and disagree. You might be thinking – but we’ve always had a VPN and we haven’t reconfigured anything so there’s no actual system change. Well, yes, but consider the risk exposure, consider the fact that many staff are now entering the network from a different point. They’re not hooked into your physical access layer; they’re coming over the VPN. Their traffic is different, their attack surface is different, how you’re logging their activity is possibly different. Some companies are deploying BYOD given very little notice. There’s a big chance for a lot of companies that the risk is higher now.

But let’s not get ahead of ourselves. If you’re a company and your staff are operating remotely now, what kind of assessments should you consider?

External Infrastructure Assessment including a VPN Assessment

If you’re making changes to your external services to allow for staff to work from home, you should get those changes assessed. For example, maybe you found your old VPN solution didn’t have the capacity to handle all staff being home, so you’ve upgraded it. That’s the kind of change we would recommend you assess.

External infrastructure assessments can look for the points of entry into a network and highlight common misconfigurations such as known weaknesses or missing patches – vulnerabilities likely to be discovered by external threat actors.

However, that doesn’t cover all risks. What if a staff member is caught out by phishing? What if they’re working on a personal device under your brand-new BYOD policy and that device is compromised? What if their home WiFi network just sucks and an attacker could break the key easily?

Internal Infrastructure Assessments

Whilst it would be possible to supply us credentials to your VPN solution and we could perform many of the tasks associated with an internal penetration test remotely – we’ve got an alternative solution.

Our Virtual Onsite Tester (VOT) solution allows flexibility within the way we deliver services. What would traditionally be seen as internal or onsite security assessments can be delivered fully remotely.

If you’re interested in this service and how it works then get in touch – but for now, I really just wanted to highlight the fact that this is possible. We can still deliver full internal infrastructure assessments, we can still assess internal web applications, and we can do build assessments for corporate devices – fully remotely.

If your organisation isn’t having security testing done because you didn’t think it was possible and you’ve therefore felt compelled to accept the risk of having no internal penetration testing done, Secarma can help out.