To help slow down the spread of COVID-19, companies around the globe have sent their employees home, requiring them to work remotely. For some companies this transition to remote working was easy to implement as there has been an ever increasing shift to enable employees to be highly mobile.
For many years South Africa has lagged behind the rest of the world, with many companies still refusing to let staff work from home. COVID-19 changed all of that, catching these companies unaware and unprepared.
The key question here is whether your business and your staff are equipped for this transition.
A Hike in Coronavirus Related Scams and Malware
Cyber criminals are exploiting the global pandemic by taking advantage of the surge in online content and activity related to the virus. People are naturally searching online for the latest updates on how the virus may affect them and it is predictable that cyber criminals will jump at any opportunity to take advantage of this situation for their own gain.
Ethical Hacking and Cyber Security Testing for Remote Workers
At face value, when taking on the task of managing cyber security for remote workers, the potential for cyber attacks may seem overwhelming, but once these risks have been identified, security mechanisms can be put in place and a variety of tests can be performed to ensure that your staff and your organisation is safe
“Social engineering attacks and misconfigured WiFi and VPN’s are common problems for remote workers that connect to the internet using their own or home devices,” says Robert Len, Lead Security Tester at Mobius Consulting.
Below are seven ethical hacking and cyber security tests that every company with remote workers should put in force today.
1. External Penetration Testing
The primary goal of these assessments is to determine whether it is possible to compromise a public facing host and establish a foothold on the internal network of the organisation. Additionally, external penetration testing allows for the opportunity to test whether the organisation is able to detect intruders via Intrusion Detection / Prevention systems in place and respond to these via the incident response capabilities of the organisation.
2. Recon and Host Discovery
Organisations may not be aware of all the information which resides publicly, either websites or subdomains which are created through DNS or a domain that one controls and forgotten, to user credentials being leaked in a breach, or API keys being posted on a GitHub repository. Recon and host discoveryprovides an organisation with an holistic view of all endpoints(known and unknown) which could be used by malicious actors to potentially compromise the organisation.
3. VPN Security Testing
As organisations have scrambled to enable remote working, Virtual Private Networks (VPN) is being heavily relied upon to provide secure channels into applications. The current VPN configurations and setups should be tested to ensure cyber security leading practices have been adhered to.
4. Web Applications Testing
With new web applications being introduced into the business in order to support remote working and business operations, stringent cyber security testing steps may have been reduced in order to meet operational deadlines. In instances where these web applications are publicly accessible, they are viewed as easy targets and potential entry points into the internal network.These should ideally be tested before going live, but if that were not possible they should be tested as soon as possible.
5. Home Network Assessment
A home network assessment focuses on identifying the level of risk that C-suite / executive management / other high-risk users are exposed to, especially if you consider the sensitive work being performed by these individuals. It is important to check misconfigured WiFi routers, outdatedoperating systems, and a lack of updated antivirus or malware detection software.
With increased phishing traffic coming from cybercriminals who are exploiting the Covid-19 pandemic, end users will be exposed to more of these social engineering type attacks. Also, end users are now more susceptible to Covid-19 based phishing attacks as misinformation is prevalent and their ‘guard’ may be down due to the perception of being safe at home. Companies should consider simulated phishing exercises to test their users security awareness, followed by targeted awareness exercises.
This takes the approach of calling a user and, perhaps impersonating someone from the businesses or IT department, in order to obtain the users credentials or other sensitive personal information such as banking details. This is especially relevant as users are isolated and vulnerable, making them a prime target for such an exercise. Companies should consider simulated vishing exercises to test their users security awareness, followed by targeted awareness exercises.
How Ready is Your Workforce for “the New Way of Working”?
In the battle against this online surge, it is important to maintain, or even increase, the amount of security testing performed as more of the company will be accessing systems outside of the secure company network. You should also make sure that your staff are aware of cyber dangers that the company is currently threatened by, and the most effective way to do this would be through an information security awareness campaign.