There is no doubt that COVID has changed how the world conducts business, so it’s no surprise that security assessments have changed as well. The increase in remote employees and the need for availability of applications and resources from afar have disrupted organizational security postures. Below we’ll share what we’ve been seeing on assessments since the coronavirus appeared and how you can better prepare.
External Network Assessments
1) Increased password attack opportunities
One of the largest changes we’ve seen during the COVID timeframe is remote working. With this shift, organizations have had to give their users the ability to reach data and applications they would normally not have allowed. These newly exposed users and services have created a greater attack surface for password attacks such as password spraying, credential reuse, and brute forcing. Additionally, the rush has caused some organizations to bypass their change control processes, allowing default credentials to become widespread on external services.
What you can do: Multi-factor authentication should be utilized for as many external resources as possible. Password reuse and weak passwords continue to plague organizations, so ensure a proper password policy that prevents common weak passwords (such as [Season][Year], [Company Name], [Password][Numbers or Special Characters]). Conduct external network assessments and vulnerability scans to ensure proper patching and security practices are adhered to. Test login portals for user enumeration, weak passwords, and default credentials.
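One way to enforce the weak-password patterns named above at password-set time, as an added example that is not TCM Security's code. The company name `acme` is a placeholder and the word lists are constructed samples; replace them with your own organization's names and a fuller deny list.

```python
import re

SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
COMMON_BASES = {"password", "welcome", "letmein", "qwerty"}  # constructed sample list
COMPANY_NAMES = {"acme"}  # assumption: placeholder organization name

# Undo common character substitutions (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s).
LEET = str.maketrans("013457@$", "oleastas")


def split_stem(password):
    """Split into (normalized stem, suffix); suffix is the trailing run of digits/specials."""
    match = re.fullmatch(r"(.*?)([\d\W_]*)", password, re.DOTALL)
    stem, suffix = match.groups()
    return stem.lower().translate(LEET), suffix


def weak_pattern(password):
    """Return the name of the weak pattern the password matches, or None."""
    stem, suffix = split_stem(password)
    if not stem:
        return "digits or special characters only"
    if stem in SEASONS:
        # Two or more digits after a season name is treated as a year.
        return "[Season][Year]" if re.search(r"\d{2}", suffix) else "[Season]"
    if any(name in stem for name in COMPANY_NAMES):
        return "[Company Name]"
    if stem in COMMON_BASES:
        return "[Password][Numbers or Special Characters]"
    return None


def audit(candidates):
    """Map each rejected candidate to the pattern that caused the rejection."""
    return {pw: reason for pw in candidates if (reason := weak_pattern(pw))}


if __name__ == "__main__":
    # Constructed sample candidates, not taken from any real system.
    sample = ["Summer2020!", "Acme@2021", "P@ssw0rd123",
              "Welcome1", "correct horse battery staple"]
    for pw, reason in audit(sample).items():
        print(f"REJECT {pw!r}: matches {reason}")
```
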
2) Increased phishing activity
The haze of rapidly transitioning employees to remote work has led to an increase in phishing opportunities. We’re finding that malicious actors are focusing on compromising endpoints and remote workers to gain access to sensitive data and systems.
What you can do: Ensure your employees are aware of phishing activities and have training on how to spot a phishing attempt through unannounced campaigns and mandated training. Multi-factor authentication can assist as a deterrent but should not be relied on solely, as employee training has been shown to have the greatest impact. Ensure employees are only allowed access through company-managed laptops that have updated antivirus, remote wiping capabilities, and encrypted hard drives.
Internal Network Assessments
3) Decreased spoofing attack opportunities
One of the most common avenues of attack during an internal penetration test is LLMNR poisoning to grab NetNTLM hashes for offline cracking and, in some instances, credential relaying. However, many of these attacks require that your attacking machine be on the same subnet as other users. With the uptick in remote working, VPN usage has been at an all-time high and often puts these users on a different subnet from the attacker.
What you can do: While this is great for businesses, this doesn’t mean that your organization is not at risk. Ensuring that client isolation is turned on for your VPN users is critical, otherwise it’s just more of the same.
Wireless Network Assessments
4) Decreased usage and need for wireless capability
The need for wireless assessments has been greatly reduced due to remote working. Many organizations have found that they no longer require a physical facility to be successful, or they have temporarily closed their on-site presence.
What you can do: Any decrease in attack surface is welcomed but do keep in mind that just because your staff are not on-site does not mean attackers can’t be there. Be sure to monitor your wireless traffic, patch, and practice overall good wireless security hygiene. If you no longer require wireless capabilities at your facility, you should disable them until you do.
Physical Security Assessments
5) Decreased physical social engineering opportunities but decreased detection
In the security community humans are often seen as the weakest link in terms of physical security deterrents. This lack of human presence at facilities decreases the opportunities for an attacker to socially engineer their way inside a secured area. However, with the lack of personnel on site we’re seeing that organizations are not detecting malicious actions as quickly.
What you can do: Ensure your security personnel have updated their practices with the changes from COVID. You may find that you require security personnel where you may not have needed them pre-pandemic. Investing in detection controls with off-site backups, such as motion detection and cameras, may assist in detecting abnormal behavior at your facilities. Most importantly, you should be inspecting your facilities regularly, and any controls in place, such as camera footage, should be reviewed consistently.
About the Author: Heath Adams
Heath Adams, also known as “The Cyber Mentor,” is the CEO of TCM Security. While Heath is an ethical hacker by trade, he also loves to teach! Heath has taught courses to over 1,000,000 students on multiple platforms, including TCM Academy, Udemy, YouTube, Twitch, and INE.
Heath has held many certifications, including CISSP, PNPT, QSA, GSNA, OSCP, ECPTX, and eWPT. He also holds an MBA degree.
Finally, Heath is also a husband, animal dad, tinkerer, and military veteran.