Scoping for Your Annual Pen Test with Hybrid Work Environments

Article Penetration Testing
Scoping for Your Annual Pen Test with Hybrid Work Environments


Organizations expect 44% of their workforces to remain in a hybrid model (both in office and remote work environments) over the long term. With hackers continuing to take advantage of this shift to remote working, attacks targeted at these environments are on the rise. And unfortunately, the most recent IBM Cost of a Data Breach report revealed that the average cost increased $1.07 million when remote work was a factor in the breach. The report also highlighted that organizations with more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches.

The attack surface for most organizations has completely changed. Security used to be confined within the four walls of the office, but with that perimeter gone, devices and organizational data are scattered across un-policed home environments and on un-vetted machines. Do you know if employees are switching between office workstations and home devices to perform job responsibilities? Are they logging in on their personal mobile devices to access organizational information? Many employees are also using their own routers and wi-fi connections at home, so it becomes more difficult for IT to verify each workstation is secure before it connects to the organizational network.

Penetration testing is one of the best ways to ensure environments are secure before an intruder finds out otherwise. As organizations prepare and plan for their annual penetration tests, be sure you are considering how best to incorporate remote environments into the overall scope. Some factors to consider:

Endpoint Configuration:
End user endpoints have largely become the weakest link. It can be extremely challenging for organizations to manage and control endpoint devices like laptops and workstations now that they are operating outside the traditional security perimeter. Even if your institution has a defined baseline configuration that is deployed on all issued devices, users are constantly wanting to add and change software, install new applications, etc., without always understanding the potential risks they may be creating.

It can also be difficult to monitor and ensure that all necessary patches and updates are installed. Endpoint configuration testing can help evaluate and determine if: 1.) your baseline image has been deployed consistently across organizational systems; and 2.) if the image should undergo additional hardening. Testing can help identify, classify, and prioritize security misconfigurations or weaknesses present on endpoints.

Vulnerable VPNs:
Employees still need to be able to gain access the same files and applications they were accessing onsite, so servers and services that used to be only internal have been opened up to allow employees access from home. Most organizations set up this access through the use of a virtual private network (VPN). Attackers know this and will scan for vulnerable or unpatched VPNs to gain entry to the network. An internal penetration test can check for potential vulnerabilities on the VPN, and also test to see if and how an attacker could move laterally once connected to the network to gain access to other internal systems and resources.

Cloud Services:
Remote work environments have also led to the expanded use of cloud services. Cyberattacks on cloud services have grown by more than 600%, with attacks like Solar Winds highlighting the massive impact a breach at a well-known cloud services vendor can have. Use of a cloud service does not completely absolve your organization from any security responsibility. How a service is configured, user roles, permissions, data classification, etc., all still play a role in how organizations ensure cloud services are used properly.

Web application pen tests can reveal gaps in elements the organization may not have considered. Testers can be granted limited access to see how they might be able to escalate privileges within the application (i.e., could a student gain access to sensitive information from their standard student account?). Most cloud service providers, like Microsoft Azure and Amazon AWS, allow for penetration testing against their applications and services, and the user environment.

Social Engineering:
Remote work also provides more opportunities for phishing attacks to be successful, with the number one attack vector in successful data breaches remaining compromised credentials. If employees (and their family members) have other computers connected to their home network, a successful phishing attack within a personal email on a home computer can also lead to consequences on the corporate laptop once that home network is connected to the work network.

Organizations may want to consider including phishing and vishing simulations as part of their annual penetration test to ensure employees are vigilant and understand how to recognize and respond to phishing emails. Incorporating these tests into the annual pen test allows the testers to utilize any information gained to further illustrate the consequences of compromised credentials and test how far they could get within the organization.

Remote working is no longer a short-term solution that was implemented during the onset of the pandemic. It is here to stay, so organizations must adapt accordingly and work to address any new risks that have been introduced.

It is also difficult to enforce the same cybersecurity policies that were originally written for the office environment only. Your teams should take this into account during your annual review of policies and procedures and revise current policies or develop new documentation for remote work environments that detail how employees should be connecting to internal resources, what data can be accessed from personal devices, etc. It is also important that employees know what to do if a system they are using is compromised, and that your help desk is prepared to initiate the appropriate response based on if that employee’s workstation is within the office or residing at home.

It is more important than ever to include remote environments within your annual risk assessment process and ensure that appropriate security controls are put in place to protect your organization and staff against potential exposures and vulnerabilities.

Some additional guidance from our Offensive Security Services Team:

[Campbell]: There exists a sliding scale with security on one side and convenience on the other. Finding that balance between the two that works best for your organization is extremely difficult.

In the midst of remote work, we often find that organizations are deploying laxer security measures on remote workers’ endpoints which slides that scale closer to the convenience side. A seemingly clear action to take in order to alleviate time spent on support tickets, right? Meanwhile an invisible force of impending doom grows ever closer.

This invisible force doesn’t warn when it strikes – making it extremely important for an organization to conduct regular penetration tests on these vectors that a malicious actor characteristically attacks with the goal of gaining access to your environment. Attack vectors such as your VPN, compromising endpoints, and social engineering attacks.

Avoid discovering that you’ve been compromised when you notice systems on your network “acting up” and harden your security today with regular penetration tests!


About the Author
Katie Johnson

Katie Johnson


Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.