There is no doubt that COVID has changed how the world conducts business, so it’s no surprise that security assessments have changed as well. The increase in remote employees and the need for availability of applications and resources from afar has disrupted organizational security postures. Below we’ll share what we’ve been seeing on assessments since the coronavirus appeared and how you can better prepare.
1) Increased password attack opportunities
One of the largest changes we’ve seen during the COVID timeframe is remote working. With this shift, organizations have had to give their users the ability to reach data and applications they normally would not have allowed. These newly exposed users and services have created a greater attack surface for password attacks such as password spraying, credential reuse, and brute forcing. Additionally, the rush has caused some organizations to bypass their change control processes, allowing default credentials to become widespread on external services.
What you can do: Multi-factor authentication should be utilized for as many external resources as possible. Password reuse and weak passwords continue to plague organizations, so enforce a proper password policy that prevents common weak passwords (such as [Season][Year], [Company Name], [Password][Numbers or Special Characters]). Conduct external network assessments and vulnerability scans to ensure proper patching and security practices are adhered to. Test login portals for user enumeration, weak passwords, and default credentials.
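One way to enforce the weak-password patterns listed above at password-change time, as an added example that is not part of the original article. The function name, the character-substitution table, and the sample company name "Acme" are assumptions made for illustration.

```python
import re

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
COMMON_WORDS = {"password"}  # the only base word the article names

# Undo common character substitutions before comparing (constructed mapping).
LEET = str.maketrans("013457@$!", "oieastasi")


def _strip_affixes(s):
    """Drop leading/trailing digits and symbols: 'summer2020!' -> 'summer'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s)


def _squash(s):
    """Remove separators so 'acme corp' and 'acme-corp' compare equal."""
    return re.sub(r"[\W_]+", "", s)


def weak_pattern(password, company_names):
    """Return the banned pattern the password matches, or None if it passes."""
    lowered = password.lower()
    # Two normalisation orders: strip the suffix first (keeps a year from
    # being read as letters), or substitute first (catches 'Acm3').
    cores = (
        _squash(_strip_affixes(lowered).translate(LEET)),
        _squash(_strip_affixes(lowered.translate(LEET))),
    )
    companies = {_squash(name.lower()) for name in company_names}
    for core in cores:
        if core in SEASONS:
            return "season+suffix"
        if core in companies:
            return "company name"
        if core in COMMON_WORDS:
            return "password+suffix"
    return None


if __name__ == "__main__":
    # Constructed sample candidates, not taken from any real assessment.
    for candidate in ("Summer2020!", "P@ssw0rd1!", "Acm3", "W1nter21",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {weak_pattern(candidate, ['Acme']) or 'ok'}")
```

A check like this complements, rather than replaces, a breached-password denylist and minimum-length rules.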
2) Increased phishing activity
The haze of rapidly transitioning employees to remote work has incited an increase in phishing opportunities. We’re finding that malicious actors are focusing on compromising endpoints and remote workers to gain access to sensitive data and systems.
What you can do: Ensure your employees are aware of phishing activities and have training on how to spot a phishing attempt through unannounced campaigns and mandated training. Multi-factor authentication can assist as a deterrent but should not be relied on solely, as employee training has been shown to have the greatest impact. Ensure employees are only allowed access through company-managed laptops that have updated antivirus, remote wiping capabilities, and encrypted hard drives.
3) Decreased spoofing attack opportunities
One of the most common avenues of attack during an internal penetration test is LLMNR poisoning to grab NetNTLM hashes for offline cracking and, in some instances, credential relaying. However, many of these attacks require that your attacking machine be on the same subnet as other users. With the uptick in remote working, VPN usage has been at an all-time high and often puts these users on a different subnet than the attacker.
What you can do: While this is great for businesses, this doesn’t mean that your organization is not at risk. Ensuring that client isolation is turned on for your VPN users is critical, otherwise it’s just more of the same.
4) Decreased usage and need for wireless capability
The need for wireless assessments has been greatly reduced due to remote working. Many organizations have found that they no longer require a physical facility to be successful or they have temporarily closed their on-site presence.
What you can do: Any decrease in attack surface is welcomed but do keep in mind that just because your staff are not on-site does not mean attackers can’t be there. Be sure to monitor your wireless traffic, patch, and practice overall good wireless security hygiene. If you no longer require wireless capabilities at your facility, you should disable them until you do.
5) Decreased physical social engineering opportunities but decreased detection
In the security community, humans are often seen as the weakest link in terms of physical security deterrents. This lack of human presence at facilities decreases the opportunities for an attacker to socially engineer their way inside a secured area. However, with the lack of personnel on site, we’re seeing that organizations are not detecting malicious actions as quickly.
What you can do: Ensure your security personnel have updated their practices with the changes from COVID. You may find that you require security personnel whereas you may not have needed them pre-pandemic. Investing in detection controls with off-site backups, such as motion detection and cameras, may assist in detecting abnormal behavior at your facilities. Most importantly, you should be inspecting your facilities regularly, and any controls in place, such as camera footage, should be reviewed consistently.