Whether it is a much larger remote workforce than in prior years, greater flexibility, or even a remote-first work strategy, we are coming to the realization that the new normal is here. Many organizations remain cautious about returning to pre-pandemic office environments, and the new normal allows employees to keep working from home, at least through late 2021.
As for cybersecurity, the testing, monitoring, and management of risks and threats have had to adapt to these changes over the past year. We recently covered the changing risk landscape in depth in this blog: The Cyberattacker’s Path of Least Resistance is Shifting: Here’s How You Must Adapt. In this blog, we turn our focus to identifying risks in this changing landscape via pentests.
Many organizations are now planning their annual penetration tests (‘pentest’, or ‘pen test’ for short) and adding new scope to accommodate remote workers. While some organizations may continue to use previous pentest templates and procedures, remote workers change the attack surface and add a new insider-threat wrinkle that needs to be assessed.
What constitutes a valid end-user pentest when the target is not in the physical office? What exactly are you allowed to test? For instance, are personal devices off limits? You also must consider what permissions you may need to obtain if your penetration test extends beyond the equipment that you’ve issued and electronically traverses home networks and consumer internet providers.
Problematic, or Non-Permissible, Pentests for Your Remote Workforce
First, let’s cover the types of assets and scenarios that are typically outside of scope for any corporate remote worker pentesting. These include:
- Personal, home-based networks, wired and wireless, including network reconnaissance and device inventorying. These are rarely part of a pentesting scope. Should you want to pentest these areas, you would need explicit permission from the end user to inventory, classify, and perform a risk analysis on the networks supporting their home-based environment, and your company policy would also have to allow this type of testing. As obvious as it sounds, most home users will probably reject this request, and businesses have no legal right to perform such testing without a user volunteering permission and access.
- Devices owned by other companies that may be using the same network, wired or wireless, because other family members are working from home. This clearly represents a scoping issue and should never be allowed in any pentest; it creates a dilemma even if the employee grants permission, because the devices belong to a third party.
- Personal and IoT devices, including personal digital assistants, alarm systems, and any other home automation. Such devices and software represent a potential critical attack vector, for example vulnerable end-of-life devices. A corporate assessment of these devices is permissible only with the explicit permission of the employee/device owner. Keep in mind, too, that an aggressive pen test may render the target device inoperable.
- Personal email addresses that may be on the same BYOD (Bring Your Own Device) assets. These are off limits regardless of where the personal device is located. Organizations should enforce the use of a mobile device management (MDM) solution to provide email segmentation and data management.
- Home phone numbers, whether used occasionally or frequently to conduct business, which may also be used by others in the same household. Will anyone other than the employee potentially answer the phone if it rings? Do not conduct a pentest if the call recipient’s identity cannot be predicted with high confidence. For example, consider a corporate pentest of a remote worker that gets a child on the other end of the phone.
- Cellular phone numbers used for answering work calls are a gray area with regard to pentesting, especially if the device is BYOD and the mobile number is used for business. To be fair, if the device owner expenses their cellular phone, it is BYOD for business and is fair game for a pentest during normal business hours. However, it is still a personal device, and the scope needs to be considered, from vishing to smishing (voice and SMS phishing), depending on your business’ code of conduct policy and regional laws.
- Social media accounts associated only with personal, non-business usage. This is unchanged with remote workers and should not be considered part of any new policies and scope.
While any one of the vectors in the above list could be exploited by an attacker, they tend to be off-limits, or at least problematic, for pentesting due to legal ramifications, jurisdiction, property ownership, and local laws. In these instances, organizations can legitimately perform pentests only if the targeted employee has given explicit consent. Odds are, your employee code of conduct and security policies do not contain provisions allowing pentests for the above use cases.
The Top, Permissible Pentests for Remote Worker Risks
Now that we’ve covered the types of pentests that would likely run afoul of company policies and be off limits, let’s explore the valid methods for penetration testing remote workers.
- Phishing is an electronic cyberattack that targets a user by email. The email sender falsely poses as an authentic entity to bait the targeted individuals into providing sensitive data or corporate passwords, or to entice them into clicking on malicious web links or executing software that is malware. A successful phishing attack may enable a threat actor to pivot laterally to access other accounts associated with the individual, install malware, initiate a ransomware infection, or conduct identity theft impacting the business. Pentesting with phishing against remote employees is the best method to identify remote worker risks. Once the risk is identified and its nature well understood, your organization can design mitigation plans, such as training or the removal of local administrative rights. Phishing pentests should target all users regardless of role (from executive to receptionist, tenured employees through new hires) and should not exclude any access method: webmail, mobile devices, and full-blown mail client installations are all fair game. The scope of phishing pentests can also encompass specialized attacks, like spear phishing and whaling. Consider not pre-announcing phishing pentests, and potentially leave the scope open to all users, with knowledge of the exercise limited on a need-to-know basis to the key staff who might triage an end-user-reported phishing attempt.
- Vishing is a form of social engineering that targets users via telephone calls to landlines, cell phones, Voice over IP (VoIP) phone systems and applications, and POTS (plain old telephone service) home phones. Depending on how the end user accepts phone calls (and ensuring they are the only one answering the call), vishing provides a risk assessment of how verbal social engineering can be leveraged against the business. This is especially revealing to test on employees working from home. If your company allows for it, incorporate vishing of remote workers as part of your annual pentest, especially where the phone numbers associated with users are never shared with other people (typically softphones and cellular). Vishing pentesters could pose as clients, vendors, or other employees in distress or in need of information.
- SMishing refers to social engineering in the form of SMS text messages. Most users will not respond to a random text at as high a rate as they would to a well-crafted phishing email. With that said, SMishing is an excellent secondary attack vector when disguised as two-factor authentication, or when the Caller ID is spoofed to appear to come from a known caller (like an organization’s main telephone line) or a local phone number. SMishing realistically has only two attack vectors for a pentester: replying to a text or clicking on a link. While replies to SMishing attempts may reveal sensitive information, links front-ending fake authentication pages tend to work best when trying to exploit users. If your company allows for it, consider incorporating SMishing attacks into your pentesting. These pentests would be performed on registered mobile devices authorized to process work calls and emails. If the device is truly personal and the phone is not registered in the corporate directory, it probably falls outside your scope.
- Social Media used by employees to promote work events, sales, news, and activity is fair game for a pentest, regardless of whether the targeted employee works from home or not. All pen testers need to do is reply to an existing work-related post to begin their attack. This is no different from a threat actor in the real world and should be included in your exercise to vet potential risks. In fairness, you will probably find that training end users on this attack method is just as important as with email phishing, particularly if the users are highly active on social media on behalf of the organization.
- Remote Access became the hottest attack vector for threat actors since the early days of the pandemic, as social distancing initiatives drove everyone who could to work from home. Threat actors are not only targeting all of the scenarios above from a social engineering perspective; they are also attacking the remote access services themselves, the infrastructure that makes working from home possible in the first place.
- Infrastructure is absolutely fair game for a remote worker pentest. This includes everything from VPN clients to VPN concentrators and dedicated remote access technology used by remote workers to access resources. The network topology for remote access should not be given to a pentester during an exercise; you want the pentester to attempt to map out the vendors, network, and process for remote access. If the pentesting individual or team can accomplish this mapping, then all they need to do is use social engineering or a vulnerability-exploit combination based on the vendor or technology to infiltrate the organization. If a threat actor understands how your remote employees gain access at a granular level, it is only a matter of time before they find a weakness and exploit it. And remember, there is always a way to penetrate an environment: no defense is 100% effective.
- End Users using company-owned assets are a valid pentest target, whether they are on-premises or working remotely. This may seem contradictory to everything presented in the “off limits” section we previously covered, but the attack method is what is important. While you may not be permitted to scan the device via the user’s home network, you certainly can scan the device if a protocol-based network tunneling connection exists via technology like a VPN. The scanning method is what matters. If you can exploit the end user remotely via VPN, then the pentester’s goal has been achieved. As previously covered, lateral movement to home devices via pentesting is not permissible. However, lateral movement to other visible devices via VPN certainly is allowed (barring split tunneling attacks). The pentest must stay within the confines of the corporate network, including VPN tunnels, and must not leverage devices outside of its legal permissions. In addition, if the organization is using remote access technology that does not use protocol tunneling, the application itself and its supporting infrastructure represent the only valid attack vectors. There is nothing in between to route network traffic; the technology only renders screens and session data. Therefore, there are no targets to acquire, with the potential exception of a man-in-the-middle attack, which must occur outside of the remote worker’s home environment.
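The last two items above draw a line that is easy to state and easy to cross by accident during discovery: a host is in scope only if it sits in corporate address space and is reached through the VPN tunnel, never through the home LAN side of a split tunnel. The following scope check is an added example, not code from the original post or from BeyondTrust; it encodes that rule so a test team can filter a list of discovered hosts before any scanning starts. Every network range, the interface names (tun0, wlan0), the routing table and the list of discovered hosts are constructed for the example and should be replaced with the ranges named in your own rules of engagement.

```python
"""Rules-of-engagement scope check for a remote-worker pentest over VPN.

Two checks run against every host seen from the remote worker's machine:
  1. Is the address inside an authorized corporate range?
  2. Is it reached through the VPN tunnel interface, not the home LAN side?
All ranges, interface names and sample hosts are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Constructed corporate address space reachable over the tunnel.
IN_SCOPE_NETWORKS = [
    ipaddress.ip_network("10.50.0.0/16"),  # constructed: VPN client address pool
    ipaddress.ip_network("10.10.0.0/16"),  # constructed: internal server networks
]

# Private space a consumer router typically hands out on the home side.
# Hosts here belong to the employee, family members or their employers and are
# never authorized, even though the laptop can route to them.
HOME_LAN_NETWORKS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
]

# Constructed split-tunnel routing table as (destination, egress interface):
# only corporate prefixes go over tun0; everything else uses the home Wi-Fi.
SAMPLE_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "wlan0"),
    (ipaddress.ip_network("192.168.1.0/24"), "wlan0"),
    (ipaddress.ip_network("10.50.0.0/16"), "tun0"),
    (ipaddress.ip_network("10.10.0.0/16"), "tun0"),
]


@dataclass(frozen=True)
class ScopeDecision:
    host: str
    in_scope: bool
    reason: str


def classify_address(host: str) -> ScopeDecision:
    """Decide on address alone: corporate range first, then home LAN, then everything else."""
    addr = ipaddress.ip_address(host)
    if any(addr in net for net in IN_SCOPE_NETWORKS):
        return ScopeDecision(host, True, "authorized corporate range")
    if any(addr in net for net in HOME_LAN_NETWORKS):
        return ScopeDecision(host, False, "home LAN range, never authorized")
    return ScopeDecision(host, False, "not in any authorized range (ISP, third party or unknown)")


def reached_via_tunnel(host: str, routes, tunnel_iface: str = "tun0") -> bool:
    """Longest-prefix match against the routing table; True only if egress is the VPN interface."""
    addr = ipaddress.ip_address(host)
    matches = [(net, iface) for net, iface in routes if addr in net]
    if not matches:
        return False
    _, iface = max(matches, key=lambda entry: entry[0].prefixlen)
    return iface == tunnel_iface


def filter_targets(hosts: Iterable[str], routes=SAMPLE_ROUTES) -> tuple[list[str], list[ScopeDecision]]:
    """Return (allowed hosts, rejected decisions). A host must pass both checks."""
    allowed: list[str] = []
    rejected: list[ScopeDecision] = []
    for host in hosts:
        decision = classify_address(host)
        if decision.in_scope and not reached_via_tunnel(host, routes):
            # Right address, wrong path: a split tunnel or a stale route would
            # send the traffic across the home network instead of the VPN.
            decision = ScopeDecision(host, False, "corporate address but not routed via the VPN tunnel")
        if decision.in_scope:
            allowed.append(host)
        else:
            rejected.append(decision)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed list of hosts that turned up in a discovery run from the laptop.
    discovered = ["10.50.3.17", "10.10.8.20", "192.168.1.1", "192.168.1.44",
                  "172.20.5.9", "10.99.1.1", "203.0.113.7", "127.0.0.1"]
    ok, dropped = filter_targets(discovered)
    print("in scope:", ok)
    for d in dropped:
        print(f"rejected {d.host}: {d.reason}")
```

The second check is the one that matters for the split-tunneling caveat: an address inside the corporate range is still rejected when the client's routing table would carry the traffic over the home interface, because that path crosses exactly the network the rules of engagement exclude.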
Identify & Address Your Remote Access Risks before Attackers Do
Remote work is here to stay at a much larger scale than in pre-COVID-19 pandemic times. Consequently, annual penetration tests should evolve to encompass remote workers.
Unfortunately, the risks presented by many remote workers cannot be fully assessed by the employer, because the assets and resources in the employees’ home environments are typically not permissible targets and are thus out of scope for a corporate penetration test. To that end, the pentest scope must evolve.
Social engineering is the best methodology for pentesters to leverage against remote employees, and the techniques extend well beyond simulated phishing email attacks. Businesses need to consider their options and clearly understand what is in scope versus out of scope for a penetration test. With that said, some resources remain off limits for pen testing. Of course, unknown risk does not spell “no risk”. Therefore, you still need to account for that unknown/indeterminate risk in your risk management policy and security operations.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.