When the COVID-19 era began, many offices emptied out. Companies cancelled their coffee deliveries. They reduced the frequency of cleaning services. They even turned off cardkey access for some personnel transitioning permanently to remote work. And, they forgot to do their internal network scans for vulnerabilities. Oops.
Although we're ok with the coffee, cleaning, and cardkey changes -- the omission of internal network vulnerability scans is a mistake worth avoiding. Here's why.
Year-to-date there have been 13,354 new CVEs. Those are known, publicly-documented vulnerabilities with details published on the MITRE website. Every system you can imagine, has had one or more CVEs in 2020 so far. Microsoft products have had at least 931 new CVEs. Google products have had at least 649. Oracle, at least 603. Whatever the number, the point is, you've got systems in your office that have vulnerabilities that none of us knew about pre-COVID, but that are now common knowledge in the infosec community. Including the hacker community.
Because of that, it's essential to run internal network scans even if there is no one currently working from the office.
Most companies have become quite cautious about having non-essential personnel on-site, and for good reason. In many cases there is no additional benefit to having a vendor or contractor perform duties on-site, when their work could be completed remotely. That puts some penetration testing vendors in an odd spot: many depend on being able to physically connect a workstation or device to internal networks inside the office. These days, that leads to a discussion of whether their services are absolutely essential during this unprecedented time, or whether it would be reasonable to defer internal network penetration testing until the risks of COVID-19 are better managed.
Thankfully, there is a better way that avoids that difficult decision.
At Havoc Shield, we aren't a "penetration testing vendor" per se -- we're an all-in-one cybersecurity partner for small businesses, including everything from infosec plan creation to security controls orchestration. After initial cybersecurity evaluations in our platform, almost all of our clients decide that they want companywide business-grade antivirus, password managers, security training, phishing simulations, and penetration testing. Those are the basics that we've come to think of as "cybersecurity 101" -- and fortunately for our clients, all of those can be done remotely. In a contactless manner. Including internal network scans as a part of a broader internal/external penetration test.
To make a long story short, most companies are able to provide a workstation that has some type of remote access -- via RDP or similar -- and using the magic of virtual machines we have a straightforward way to conduct an internal network scan in a contactless way through that remote access connection. There is no difficult decision to be made about the tradeoff between inviting us (or another penetration vendor) on-site versus deferring a test until some safer era: we can complete business-grade internal network scans all through remote access.
Ready to get uncomfortable? What percentage of non-employees that have connected to your office wi-fi in the past few years still have the guest wi-fi credentials saved in their phone, tablet, or laptop? When I say "guests" I mean friends and family that have visited the office, sure, but I also mean former employees, job candidates that didn't get the job, vendors, contractors, the neighboring company when their wi-fi went out, and anyone else that had access. For most companies, the answer is going to be pretty big. Secondly, what are the odds that your telecom closet patch cables are so neatly organized that every lobby, hallway, and restroom vestibule is sure to have no active ethernet taps.
At issue here is the fact that in a mostly-vacant office, there are far fewer employees circulating to notice unusual patterns such as a passerby who does not seem to "belong" or a person lingering near the office with their laptop open, with no obvious connection to the company. Hardening an internal network by performing a business-grade internal network scan and remediating the results, is a great way to "upgrade" cyber perimeter robustness.
Cyber criminals love it when the status quo is disrupted. When our routines and norms get turned upside down, it's easy to forget the fundamentals of why we choose to do things like recurring internal network scans. And that's just what they want. However, CVEs don't stop, and wi-fi and physical network access vulnerabilities don't stop. So, it's best to stick to the internal network scans -- using a company that can perform the scan in a contactless way using remote access (hint, hint - we're here for you).