We have come to the realization that the distributed workforce due to the coronavirus will last well into 2021. With many organizations now planning their annual penetration tests ("pentest" for short), a change is needed in order to accommodate remote workers.
While some organizations may continue to use previous pentest templates and procedures, remote workers change the attack surface and add a new wrinkle that needs to be addressed. This raises the question of what constitutes a valid end-user pentest. It also raises the question of what you are allowed to test versus what is now considered taboo, given that end-users may be operating on their own personal equipment. And, most importantly, what permissions may you need to obtain if your penetration test extends beyond the equipment you have issued to those employees?
To begin, let’s start with assets that are typically out of scope for any corporate pentest of remote workers. These include:
- Home personal networks, wired and wireless, including network reconnaissance and device inventorying. This is a question of whether you have permission to inventory, classify, and perform a risk analysis on the networks supporting a home user’s environment.
- Devices owned by other companies that may be using the same network, wired or wireless, due to other family members working from home. This is clearly a scoping issue and never should be allowed for any pentest.
- Personal and IoT devices, including personal digital assistants, alarm systems, and any other home automation. While these represent a potential critical attack vector, including end of life vulnerable devices, ownership by an employee does not allow corporate assessment without explicit permission.
- Personal email addresses that may be on the same BYOD (Bring Your Own Device) assets. These are off limits regardless of where the BYOD is located, and organizations should use a Mobile Device Management (MDM) solution to provide email segmentation and data management.
- Home phone numbers that may be used by others in the same household after work hours or even during the day by other family members for business. Essentially, will anyone else potentially answer the phone if it rings? A pentest should not be conducted if the receiver’s identity is not predictable with high confidence. For example, imagine a corporate pentest of a remote worker if a child answers the phone.
- Social media accounts associated only with personal, non-business usage. This has not changed with remote workers and should not be considered as part of any new policies and scope.
While it is widely considered that any one of these could be a new entry point for a threat actor, they are off-limits due to legal ramifications, jurisdiction, property, ownership, and local laws, and can only be assessed if given explicit permission by an employee. Odds are, your employee code of conduct and security policies do not contain any such provisions, nor would teams sign off on their inclusion.
Therefore, what are valid methods for penetration testing remote workers during this pandemic? Consider adding and reinforcing the following to your plan.
Phishing
Phishing is an electronic cyberattack that targets a user by email and falsely poses as an authentic entity to bait individuals into providing sensitive data or corporate passwords, clicking a malicious web link, or executing malware. The information can then be used to access other accounts associated with the individual, install malware, initiate a ransomware infection, or conduct identity theft impacting the business. Organizations should double down on pentesting using phishing against remote employees, since this is the best method to identify risk and design mitigation plans such as training or the removal of local administrative rights. In addition, pentesting using phishing should target all users regardless of role, from executive to receptionist, and should not exclude any method of mail access, including webmail, mobile devices, and full-blown mail client installations. This includes not announcing the pending test and leaving the scope open to all users, with need-to-know limited to the key staff who might triage the resulting reports. It also includes specialized email phishing variants such as spear phishing and whaling, which may be more effective against remote workers.
Vishing is another form of social engineering that targets users via telephone calls to landlines, cell phones, Voice over IP (VoIP) phone systems and applications, and potentially POTS (plain old telephone system) home phones. Depending on how the end-user accepts phone calls, and provided they are the only ones answering the call, vishing provides a risk assessment of how verbal social engineering can be leveraged against the business, especially as people work from home. If company policy permits, vishing remote workers should be part of your annual pentest, especially when the phone numbers associated with users are never shared with other people and the pretext is realistic, such as posing as clients, vendors, or other employees in distress or in need of information.
SMishing is social engineering in the form of SMS text messages. While most end-users will not respond to a random text as easily as to a well-crafted phishing email, SMishing is an excellent secondary attack vector when disguised as two-factor authentication or when the CallerID is spoofed to appear to come from a known caller (such as a company's main line) or a local phone number. SMishing realistically has only two attack vectors: replying to a text or clicking on a link. While replies can reveal sensitive information in real attacks, links front-ending fake authentication pages tend to work best when trying to exploit users. If company policy permits, consider SMishing attacks against registered mobile devices authorized to process work calls and emails. If the device is truly personal and the phone number is merely listed in the company's directory, it is probably off limits and should not be included in your scope.
Social media used by employees to promote work events, sales, news, and activity is fair game for a pentest, regardless of whether they work from home or not. All pentesters need to do is reply to an existing work-related post to begin their attack. This is no different from a threat actor in the real world and should be included in your exercise to vet potential risks. In fairness, you will probably find that training end-users on this attack method is just as important as email phishing, especially if they are very active on social media on behalf of the organization.
Remote access
Remote access is the hottest attack vector for threat actors during this pandemic. Threat actors have been targeting all of the scenarios above from a social engineering perspective, but have also targeted all the plumbing needed to make remote access possible in the first place.
- Infrastructure is absolutely fair game for a remote worker pentest. This includes everything from VPN clients to VPN concentrators and any dedicated remote access technology used by remote workers to reach resources. The network topology for remote access should not be given to a pentester during an exercise; rather, they should be asked whether they can map out the vendors, network, and process for remote access on their own. If they can, all that remains is social engineering or, when one is available, a vulnerability exploit for the identified vendor or technology to infiltrate the organization. If a threat actor understands how your remote employees gain access on a granular level, it is only a matter of time before they find a weakness and exploit it.
- End-users using company-owned assets are a valid target during a pentest when they are working remotely. This may seem to contradict everything previously presented, but the method of attack is what matters. While you cannot scan the device via the user's home network, you certainly can scan the device if a protocol-based network tunneling connection exists via a VPN. It is the attack vector that matters. If you can exploit the end-user remotely via VPN, then the pentester's goal has been achieved. Lateral movement to home devices is not acceptable, as previously discussed, but lateral movement to other devices visible via the VPN certainly is allowed. The pentest must stay within the confines of the corporate network, including VPN tunnels, and must not touch devices outside of its legal permissions. In addition, if the organization is using remote access technology that does not use protocol tunneling, the only valid attack vectors are the application itself and its supporting infrastructure. There is nothing in between that routes network traffic; the technology only renders screens and carries session data. Therefore, there are no targets to acquire except potentially a man-in-the-middle attack, which must occur outside of the remote worker's home environment.
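One way to enforce the boundary described above on the tester's side, as an added example that is not part of the original article: a small scope filter that keeps only hosts inside the corporate and VPN ranges and drops everything else, with explicit exclusions taking precedence over in-scope ranges. The CIDR blocks and the discovered host list are constructed for illustration, not taken from any real engagement.

```python
import ipaddress

# Constructed scope definition for a remote-worker pentest (not from the article):
# the corporate network and the VPN client pool are in scope; a partner-owned
# subnet that sits inside the corporate range is explicitly excluded; every
# employee home network (anything else, e.g. 192.168.x.x) is out of scope.
IN_SCOPE = ["10.0.0.0/8", "172.16.0.0/12"]
OUT_OF_SCOPE = ["10.200.0.0/16"]   # partner subnet reachable over the VPN, no permission


def classify_target(host, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE):
    """Return 'in-scope', 'excluded' or 'out-of-scope' for one IP address.

    Explicit exclusions are checked first, so a host inside an allowed block
    can still be off limits when a more specific exclusion covers it.
    """
    ip = ipaddress.ip_address(host)
    if any(ip in ipaddress.ip_network(net) for net in out_of_scope):
        return "excluded"
    if any(ip in ipaddress.ip_network(net) for net in in_scope):
        return "in-scope"
    return "out-of-scope"


def filter_targets(hosts, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE):
    """Split discovered hosts (e.g. from a sweep over the VPN interface) into
    the ones a tester may touch and the ones that must be dropped and logged."""
    allowed, dropped = [], {}
    for host in hosts:
        verdict = classify_target(host, in_scope, out_of_scope)
        if verdict == "in-scope":
            allowed.append(host)
        else:
            dropped[host] = verdict
    return allowed, dropped


if __name__ == "__main__":
    # Constructed sample: hosts visible from a VPN-connected company laptop,
    # including the employee's home router and a home PC leaking through.
    discovered = ["10.10.5.20", "172.16.8.4", "10.200.1.7",
                  "192.168.1.1", "192.168.1.50"]
    ok, bad = filter_targets(discovered)
    print("allowed targets:", ok)
    print("dropped (reason):", bad)
```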
While the pandemic has potentially changed our lives for a very long time, information security must continue to address risks and threats to the business. Annual penetration tests that previously included office workers now need to evolve to include remote workers. Unfortunately, the risks posed by these employees cannot be fully assessed, because the assets and resources in their home networks are not valid targets and are out of scope for a corporate penetration test. To that end, the scope must evolve.
Social engineering is the best methodology for pentesters to leverage against remote employees, and the variations are much more than a simulated phishing email attack. Businesses need to consider their options and ensure that their assets, people, networks, and applications are properly identified in and out of scope for annual penetration tests. Some resources are just off limits even though they do represent an unmitigable risk.