
How to design the ideal penetration test for the hybrid-work reality

By: Michael Byrnes, Director, Solutions Engineering, iMEA, BeyondTrust

According to a survey published in January this year, 70% of Middle East-based professional workers now want at least half their time to be spent working remotely and 38% want full-time work-from-home (WFH) options. Such goals may be more realistic in some countries than others. Internet penetration for Arab Gulf states, for example, is higher than the regional and global average. This is a strong indicator that GCC countries are more able to support remote- and hybrid-work environments.

But the new paradigm carries with it extensive risks for organisations’ cybersecurity. Even if they do not operate in highly regulated sectors, firms will be anxious about the stray click that leads to an infiltration. More remote workers mean more unpoliced environments and unvetted machines, including third-party equipment used by non-employees who share a home network with corporate staff.

Penetration testing (or “pen testing”) must account for remote workers. To be effective, it must probe everywhere corporate traffic goes, but as we have just seen, this may now include personal machines and third-party equipment. CISOs and their teams must ask themselves whether they should, either for legal reasons or out of respect for the wishes of their employees, ask for explicit permission from the end user before gathering data on their personal devices or home network. They also face quandaries in trying to understand the totality of their risk as it relates to other companies’ devices and networks. We must remember that in the age of IoT, this risk may not stem only from a non-employee’s activity; it could come from any device connected to the home network.

Finding the line

So, today’s CISOs must not only worry about personal computing devices, home networks and third-party routers. They must consider everything from domestic security-alarm systems to digital assistants. They also must consider how pen testing would be affected by including personal home landlines and cellphones. Testing for vishing and smishing (voice and SMS phishing) vulnerabilities may run up against local laws, so security professionals should account for this. Indeed, legal restrictions regarding employee rights and privacy, as well as regulations around property ownership, should be thoroughly explored when reconfiguring pen-testing approaches.

But security professionals who now oversee these hybrid environments should not be frozen into inaction. Pen testing of phishing vulnerabilities, for example, is still viable and should not run afoul of legal frameworks. Here, the organisation merely sends communications (emails) to individuals to observe their behaviour and categorise it in terms of risk. Actions taken to rectify this risk are within the purview of decision-makers. Training is one course of action; the downgrading of digital credentials is another.

Additionally, if pen testers can devise a method for guaranteeing that only the employee will answer the call, then there is nothing to stop vishing pen tests, where security personnel pose as customers, suppliers or other parties associated with the employee’s role and try to entice them to part with sensitive information over voice calls. The same goes for smishing, especially since it is easier to guarantee the recipient of an SMS and hence know that it is within the scope of the pen test. Knowing how many employees would answer a text or click on a link in an SMS is vital for assessing risk.

Remote-access attacks

Any social media account used to promote company products, services, activities, or events is also squarely within the scope of any pen test. Whether the employee is WFH or office-based, the principle is the same — if pen testers concentrate on work-related posts as the foundation of their attack, any resultant employee behavior is in scope.

Beyond employee behaviour, some infrastructure is also inside the purview of pen testing. Remote-access attacks have become a worry regionwide as more people work from home. One investigation showed that the UAE saw a 193% increase in brute-force attacks on Remote Desktop Protocol (RDP) in 2020. This surge occurred from February to March, following implementation of the nation’s first lockdowns.

Pen tests must therefore cover the remote-access technologies used by remote-working employees. For the most effective simulation, pen testers should be left to learn for themselves how vendors, networks, and processes stitch together to deliver remote access. A combination of social engineering and exploits can then be used to infiltrate an environment and assess the level of risk.

The clearest possible picture

As has always been the case in the cybersecurity realm, organisations are in a race to discover their weaknesses before bad actors do. Since regional workforces are likely to remain in a hybrid-work state even as COVID passes into history, penetration tests must include remote workers if they are to deliver a viable assessment of risk. But in doing so, CISOs and their teams should be mindful of the challenges the hybrid IT world presents. They will face jurisdictional and internal-policy restrictions that curtail the reach of pen tests and so they must adapt their methods to paint a clear picture of corporate risk.

In the end, the picture may remain blurry. After all the social-engineering and internal-infrastructure tests have been exhausted, some off-limits resources may still have question marks hanging over them. And those off-limits elements may prove to be the origin of future incidents. That leaves a need for sound policy management, thorough security training and robust contingency planning, to absorb the impact of the unknown.
