Worried about Hackers? Take Proactive Measures by Hiring Someone to Test Your Network
By Eva Lorenz
You may be an in-house attorney at an organization subject to specific compliance requirements or you may work at a law firm and handle sensitive client information, including information subject to laws such as the N.C. Identity Theft Protection Act. In either case, you need to show your business partners that data managed by your organization is protected. You, as an attorney in the room, can help your organization or law firm reduce the risk of a high-profile breach or ransomware attack. Read on to learn about technical approaches to address these concerns.
The move to working from home has shifted the network from a centralized office to a number of endpoints in houses and apartments that also serve as the location for homeschooling, streaming movies and facetiming with relatives. In this environment, how secure is the client data? You may be familiar with security patches that are regularly deployed to desktops and laptops. But a more in-depth assessment is needed to truly assess how protected your firm is against hackers. Verifying that users click to allow these patches to be applied is not enough, especially as hackers are also adjusting to a work-from-home culture. Hackers and other bad actors are attacking the software needed for a remote work environment, and attacks are up, including attacks on both Zoom and Citrix. In addition, when hackers target laptops that are now at home and not as closely monitored as they were on the corporate network, they buy valuable time to exploit the network before alarms are raised.
What options for assessing the security of a network do organizations have? To test whether users allow the security patches to deploy to their computers, rather than repeatedly opting to delay downloading and installing them, most organizations regularly run a tool called a vulnerability scan. This process is automated and tests for the presence of the latest security patches, and it will provide an alert if a patch is missing. The process also checks for some weaknesses (such as default passwords being in place). But these tests are not comprehensive due to their automated nature and may miss weaknesses in organization-specific programs that are not used in other verticals. For example, a diligent penetration tester will verify that a vulnerability scan was comprehensive by performing additional manual verification, since most vulnerability scan platforms only pick up common applications. Some applications found specifically in law firms, such as document management tools, are not encountered frequently enough for the developers of scan software to add them to their database. Therefore, the scan will pick up if patches are missing for programs like Microsoft Office or Adobe and Java — programs that are found in most office environments. But it may miss backup software or document management software that does not have such a broad customer base.
So, if a vulnerability scan cannot be tailored to organization-specific applications and may miss issues that can be exploited by hackers, what solution is out there, and how can organizations reduce the chance of getting hacked? We know that hackers may start with a scan for specific vulnerabilities to find low-hanging fruit, but they may also specifically target an organization because of the information associated with the law firm or its client list. The good guys should take a similar approach: start outside with public-facing devices and see if they can work their way to the inside of the network and possibly gain ownership of a critical server or service. In particular, databases with client data are highly sought after, since personal information can be sold on the dark net for money.
Organizations should leverage a “penetration test” of their systems. A penetration test will usually scan the public face of an organization’s environment for weak spots and determine whether an attacker could gain access to a system. Possible means to gain such a foothold include exploiting weaknesses that allow an attacker access to back-end devices, or scanning the environment for weak passwords that can be cracked offline and used to access email accounts. And yes, scanning for weak passwords can be done while sitting in a lobby or the parking lot. If no access to the inside can be obtained from the outside, the penetration tester will then be provided with access to the internal network and explore what an attacker could do once inside.
This last step is where the penetration test shines, identifying what a hacker can target in terms of systems and applications because of vulnerabilities, misconfigurations or even no passwords being in place. The tester will start off by doing a vulnerability scan and then analyze the issues found to verify any security gaps that can be exploited. The penetration test will use the scan findings to gain access to devices and determine what information can be retrieved. It should be noted that besides missing security patches, some of the most common findings are misconfigurations. These include default passwords for specific applications, which can be retrieved using a simple Google search, and the use of application versions that are no longer supported and have weaknesses that allow an attacker or the penetration tester access to the system using known exploit code; again, this code can be found using a simple online search. And even if the penetration tester does not find sensitive information, the test may point out exploit code that, if attempted by an attacker, could crash a service, causing a possibly serious disruption of the business.
A penetration test will be more expensive than a vulnerability scan because it requires a human to think like a hacker (remember that a vulnerability scan is fully automated). But a penetration test has several advantages. Not only can the test be adapted to the respective organization, including to cover a main location and various satellite locations, but in the current time the test can also be focused on the remote infrastructure, such as VPN connections. To save costs as well as to comply with social distancing requirements, penetration tests are now often done remotely — allowing them to continue in a situation that has most staff working remotely. A remote approach means a device will be shipped to the office, with all the tools included, and once it is connected to the network, the penetration test can begin.
Despite the higher cost of a penetration test, it is still an option to consider as part of the security plan for the organization and can give the organization valuable information for mitigating security threats, even in our work-from-home environments. Penetration tests range from a person sitting in your office to a totally remote engagement with only select devices being tested or only the remote infrastructure being assessed. This allows an organization to use a penetration test to meet a specific compliance requirement or to focus on a certain component of its network. Besides the remote infrastructure, such as VPN, that organizations have to rely on during the COVID-19 pandemic, the scope of a test can also focus on cloud-specific resources, such as Amazon, or on a single location, if the firm recently underwent a merger.
If you are worried that you may be vulnerable to hackers, especially given the very unexpected move to a total work-from-home environment, hiring white hats or ethical hackers can provide the much-needed answer in a very customizable approach.