Penetration Testing and Vulnerability Scans Provide the Foundation for Secure Remote Access

In a previous post, we discussed some of the cybersecurity risks associated with remote work during the COVID-19 pandemic. For example, hackers are exploiting weaknesses found in virtual private networks (VPNs) that remote workers use to access corporate IT resources. If vulnerable VPNs aren’t hardened, hackers could gain unauthorized access to the company network.

The National Security Agency (NSA) issued a cybersecurity advisory in October 2019 warning of vulnerabilities in several popular VPN solutions. Some of these vulnerabilities allow hackers to intercept or hijack encrypted traffic and remotely download files. Remote code execution vulnerabilities could allow a hacker to gain control of the system, execute commands and access sensitive information.

These types of attacks are difficult to detect. The NSA recommends that organizations use penetration testing to determine if VPNs and other network perimeter devices are vulnerable.

Penetration testing safely mimics real-world attacks by running exploits against systems and devices on the network. The test team uses some of the same techniques hackers use to gain unauthorized access, such as port scanning, system fingerprinting and service enumeration. The goal is to determine the effectiveness of technical, operational and physical controls to stop a cyberattack.

Hackers often begin with basic reconnaissance, and the test team takes the same approach. They gather information about the environment, including operating systems, applications and their patch levels and associated vulnerabilities using commercial, open source and custom tools. The team may also use tools such as a password cracker, which makes brute force attempts at cracking password files, or other techniques such as password spraying.

The next phase would be to use the gathered information for exploitation. Exploitation could be as simple as using compromised credentials to log in to resources or could incorporate specially crafted packets to exploit existing vulnerabilities. The team then uses any successful exploits to traverse the network to find sensitive systems and demonstrate the type of exfiltration that could occur after the exploitation phase.

Some penetration testing providers can conduct internal tests to identify gaps in technology configurations and security controls that could give a malicious insider unauthorized access. Specific tests may also be performed on the physical infrastructure, web applications, employees and the wireless network.

The deliverables of penetration testing are executive-level and detailed technical reports that outline precisely where a network could be penetrated, the risks associated with such a security breach and what corrective action should be taken. The key is to provide upper management with clear information to facilitate decision-making and IT personnel with enough detail to handle any needed remediation.

Penetration testing can be complex and expensive to sponsor. An additional service is managed vulnerability scanning. Vulnerability scanning can be performed more frequently to identify known weaknesses due to the automated nature.

An external scan tests the ability of perimeter security tools to stop an attacker, while an internal scan looks for an assumed perimeter breach or malicious insider. When the scan is complete, organizations receive reports detailing the identified vulnerabilities so that a remediation plan can be developed. The scan should be conducted again after remediation to assess the success of the effort.

Penetration testing and vulnerability scanning are a lot like a night watchman testing for unlocked doors and holes in the fence. Locked doors and mended fences will make cybercriminals move on to find easier prey. By performing these tests against network resources, organizations can help ensure that access to their network is not abused no matter where the service is accessed from.