Whether it was already part of the company structure or has recently been added due to COVID-19, many companies are offering employees the option to work from home full-time. No matter the size of the organization, this sort of shift comes with some challenges. That includes cybersecurity. Even if a business has a well-established security program for the office, they may not have the same protection set up for those working from home.
When the pandemic hit, many companies were in a rush to get employees up and running with at-home offices as quickly as possible. While this may have prevented loss in business for the short-term, the long-term cyber risks could become a detrimental problem very soon. According to some cyber experts, the potential for large-scale attacks is rising as more and more employees work from home.
There are also many threat actors with time on their hands, out there looking for these prime opportunities. One of those heightened risks may come from people using personal devices for work while at home.
Using a personal device for business purposes can introduce several new threats that may not exist on a work computer in the office. For instance, many corporate devices are set up to not allow personal use. That can include private emails, social media, and other browsing that is not deemed necessary for the job. These restrictions help prevent potential threats like phishing or malware. When someone is using a personal device and does not take the proper safety measures to separate business and personal use, new threats are being introduced through that personal device into the business network.
Think of it like this: Your company’s network is similar to a home. When you leave or go to bed you are able to lock the doors and windows for basic safety. If you want to be more cautious, you add security cameras or alarm systems. When you allow an employee to work from home on an unprotected device this opens the house windows and doors. The threats are not necessarily new, but they are much more likely with less protection in place.
So how can you begin to protect those remote workers if your company cannot afford to buy everyone a device with built-in protection? One way is to educate employees. Making sure your staff understands how surfing Facebook or Twitter could lead to a potential threat, or how opening Spam emails may put the entire company in jeopardy by risking loss of revenue or intellectual property. Education is a good place to start.
Next, offer protection. If you have an expectation of security for your business, you need to be sure to provide your employees with the tools to meet those standards. Consider looking into firewalls or extra security monitoring that will help protect your employees’ devices the same way you would protect a computer at the office. If you expect a certain software or device protection, you should be the one to provide it to the employees.
Another simple way to protect the network while using personal devices is to establish separate profiles. If an employee can separate their work activity from their private internet use, there will be more protection for the company. Talk to your IT department about how to communicate that process to your staff and give your employees clear guidance on what the expectation is for these separate profiles. While one may be used for business emails and company documents, the other can access social media or online shopping. Separation of the two could help prevent unnecessary risk.
As for the company’s responsibility, on top of providing education and security programs for remote workers, businesses can also set up systems to safeguard the network on the company’s end. One way to do that is to collect the IP addresses of all remote workers. This list can then be used to create restricted access to the company network.
With these IP addresses a business can allow access to only those addresses approved by the company. This approved list will allow remote workers the access they need, while limiting any outside intruders. Restrictions can also be placed on the time of day IP addresses are allowed into the network. If you prefer workers only see company data during business hours, set the limits and let your staff know their restrictions.
Now is the time to go over the current security measures in place. Whether it was a rushed decision to send employees to work from home, or a long-standing option for your business, this is a good time to be going over your policies and work from home procedures. Everything from VPN access to firewalls, and even the latest updates on software are important components of your security posture. Be sure everything is up to date and meets the same standards, if not higher, than what you expect from employees working within the office.
Working from home may be the best option for your employees at this time, and that can be done securely if you take the time to establish a proper cybersecurity program. Just because you may have rushed to make remote work possible does not mean you need to leave it as is now.
Educate your staff on cybersecurity practices. Provide the proper equipment and tools needed to keep their work secure. Setup extra security measures on the business network. And go over old policies and procedures to see what needs to be adapted to fit the changing times. With the right approach your staff can be more secure when working from home.
If you’re unsure of where to start with your business’s cybersecurity needs, reach out to a Pratum representative today to help guide you!
Is your organization secure from a cyber-attack? Unless you’ve done some thorough research, you may not be able to answer that question confidently. Knowing the strength of your security program is paramount in protecting your data, and your clients’ information!
Penetration testing is one of the most effective ways to ensure your business is prepared against an attack. Testing for both external and internal threats can help protect your company and give you some peace of mind. Knowing where your vulnerabilities are will help you secure your network, and knowing which tests are right for your organization is a good first step.
Penetration testing, often called “Pen Testing”, is done by a cybersecurity expert who tries to infiltrate an organization’s systems using a series of tests. The goal is to try and find vulnerabilities in the security protocol that could be used by criminals.
There are two steps to a “typical” Pen Testing process: external and internal. Each one offers unique insight into the security strength of your organization. Taking the time to understand what they involve and offer your company can help you prepare for the process.
External Penetration Testing is the practice of testing security programs through external access. That includes anything that has a public facing service or IP or URL. This could be a web application,firewall, server or IoT device. Depending on the motivation of the attacker, they could utilize a vulnerability or chain vulnerabilities in order to gain access to sensitive data. In various parts of the internet, zero day (0-day) exploits are often sold or exchanged for these purposes.
The goal of External Pen Testing is to find those vulnerabilities a threat actor may use to get into your company’s network to steal valuable information from within your company.
The tester may also try to gain access to external facing assets such as email, file shares, or websites.
During testing, the assessor will gather information on all assets within the scope of the test. That includes open ports, vulnerabilities, and other information about the company’s users. This can then be used for various attacks such as: brute forcing passwords, phishing attacks, precise operating system and service attacks.
The External Pen Test should reveal any areas that may be compromised and exploited to gain access to your network. This should also be utilized as an opportunity for clients to verify their current process for detecting anomalous activity. Once a perimeter is breached, testing depending on the rules of engagement, further attacks could be used to gain access to internal network assets, often referred to as pivoting or lateral movement.
Most organizations focus on the perimeter as far as security goes. Unfortunately, those with direct access to an organizations data pose the most significant threat overall. People are often easily manipulated and prone to mistakes (we are all human). Many times, what happens at the host level goes unmonitored and many organizations aren’t aware of what is entering or leaving their networks. Common misconfigurations are still seen to this day that often lead to full network compromise.
Internal Pen Testing is very important and can encompass many things. For those working from home that may be private networks such as home WIFI, cell phones, cable, streaming services, and the list goes on. All of these can be connected to each other. The threat comes from opening networks to external threats with one of these channels.
The office has potential internal threats, as well. The same systems in place at home can often be found at the office; such as phones, internet networks, and more. Also, if your business has a file sharing system that several employees have access to, and do not require a password, you may want to re-evaluate who is allowed to see the various levels of content. Not every employee needs access to the same data, and unnecessary access could leave you vulnerable to an attack. Not all employees have the interest of your company at heart and could be motivated by financial, vindictive or other means to cause harm to the network or overall company image.
A threat actor who is able to get in through one of these channels can then move about and gather private data by just observing from within. It may not always be an immediate attack. In fact, they may collect data to use later or sell to others. This could go undetected for weeks, months or longer if proper internal auditing, patching and testing is not performed on a regular basis.
During Internal Pen Testing the assessor is trying to find out just how much damage could be done by a threat actor or employee from the inside of the network. A poorly secured domain could lead to total control of a network, but most tests require multiple attack paths to complete the objective. This is often accomplished due to relaxed policies that focus on convenience rather than necessary mitigations.
Once the Pen Tester can access the internal system, the tester will sometimes move laterally within the organization’s system. The goal is to see how much of the internal network is vulnerable if an attacker were to gain access. Internal Pen Testing can also include privilege escalation, malware spreading, information leakage, and other malicious activities.
The tester will often use less important systems, that are easier to access, as a channel to get through to the more secure areas with higher levels of protection. This is typically where sensitive data or controls will be.
Internal Pen Testing is important, even if your External Pen Testing seemed secure. Threat actors may still be able to infiltrate your system. There could also be attacks from individuals from inside your organization. Knowing all levels of your security system will help you prepare and prevent a breach.
Trying to decide the right security path for your business is not always simple. When it comes to Penetration Testing, knowledge really is power. Being able to know areas of strength and weakness can help better prepare you for possible threats. Whether it’s preventing an outside attack from an external threat, or an internal issue that could put your company in jeopardy, there are ways to know what you’re ready to handle.
There isn’t a “standard” penetration test for every organization, everyone is different. No matter how large or small your organization is, Pratum can customize a solution that provides value to your organization. If you feel budgetary constraints are an issue for you, talk to one of our experts and you’d be surprised as to what you still can do.
If you’re interested in seeking a third-party expert to conduct Penetration Testing, or just discuss your options, be sure to reach out to a Pratum consultant now.
Penetration Testing, or Pen Testing as it’s often called, is a proactive approach to discovering exploitable vulnerabilities in your web applications, computer systems, and networks. It’s an overall test of your organization’s security.
A Pen Tester, or Ethical Hacker, will conduct a series of tests to make sure your cybersecurity posture is strong enough to withstand the potential threats you would face as a business. That is a simplified explanation, but the process as a whole is much more involved and important to the protection of your company in the long run. We’re going to explain what a Pen Tester is typically looking for, and why this process is a critical step in building up your cybersecurity program!
Before investing time and money into any project, you want to make sure it’s worth it for your business and the goals you have for the future. With Pen Testing, you have to ask yourself if you are 100% confident the security measures you have in place across the enterprise are suitable for the kinds of threats you may face. Through this process you can discover these vulnerabilities and begin to remediate the issues before an attacker is able to interrupt your business operations.
With a Pen Test, you’ll also be able to identify which threats need to be addressed more urgently. Cybersecurity risks are often considered at different levels. If the risk is high and would create significant issues for your company, it’s something you need to address quickly. Not knowing where threats are, or if they even exist within your company, could leave you open to more potential problems down the road.
Some breaches can be executed and used by attackers for years before anyone even knows they’ve occurred. A Pen Test can help identify gaps in your security process and trace any threats that may come up later or already exist within your network.
Not only is Penetration Testing a benefit for your company, it may also be a requirement within the industry you serve. Pen Testing is regulated and required within healthcare, government systems, and financial services. Someone who is certified in Penetration Testing should be able to help you reach the requirements and standards your company needs to meet. Even if the industry of your business is not required to do Pen Testing, it can still be a beneficial step in your cybersecurity process.
Three key reasons you need to be Pen Testing your organization:
Now that you have a better understanding of why Penetration Testing is so important, let’s look at what the process entails.
1. Scoping & Pre-Engagement – Defining what the success criteria are.
2. Reconnaissance – Gathering information.
3. Discover & Vulnerability Assessment – Testing authentication, data validation, and management.
4. Exploitation – Verifying vulnerabilities, and false positive and false negative elimination.
5. Analysis & Reporting – Consolidate and overview findings to report vulnerabilities.
Pen Testing addresses the overall security of a company. The tester looks at processes in place to protect your business against threats, how they react, and the reaction time. During this process the Pen Tester looks at a few different components of the security process; devices and people.
Think of all the devices used within your organization that may be connected to your internal network. Even seemingly harmless devices like printers and telephones could actually be a threat to your security if they’re not properly monitored and protected.
Any device that may be connected to your business network or internet connection can be used as a portal for threat actors to gain access to your system. That’s why Pen Testers take the time to evaluate the devices used in your organization to find where there may be gaps in security.
While software and electronics may seem like the obvious threat to a cybersecurity program, the biggest issues typically come from humans. People are the most vulnerable aspect of a security system. Not only do employees have access to highly sensitive data, they also are subject to possible scams that a device would not fall victim to.
While testing the human aspect of your security network, a Pen Tester will evaluate which employees have access to sensitive data, and if that access is necessary. Many times, employees will have access to data, or channels to data, that is not required for them to do their job. A Pen Tester will be able to spot those potential threats.