With the current Covid-19 crisis hammering all sectors around the world, organizations rushed to enable "Work-from-Home" infrastructures to save their businesses from an almost certain collapse. Many decisionmakers did, however, not immediately recognize the potential risk of this sudden transformation, whereas employees can now connect from their home Wi-Fi to their corporate network to do their job, no matter of how vulnerable their home setup is. On the other hands, this pandemic forced organizations to develop and launch new apps without proper testing to fulfil the increased demand. Consequently, this opened a lot of gaps and vulnerabilities that attackers can take advantage of to rule the game under the shade of Covid-19 pandemic.
In this post, I will breakdown potential threats that organizations are facing from threat actors :
1. Home Wi-Fi network
Connecting from a poorly configured home Wi-Fi network to the corporate network puts organizations at high risks. What decisionmakers might not realize is that it is much easier for attackers to break into home networks than corporate Wi-Fi networks due to default settings/credentials and obsolete encryption technologies such as WEB, widely used in most home Wi-Fi routers. Additionally, there are default credentials for each Wi-Fi router from different vendors, and most probably they are left without hardening. Once attackers successfully break into home Wi-Fi, they will attempt to use those default credentials to access the Wi-Fi gateway admin panel to have full control over the network. Another risk with home networks lays in the fact that often multiple devices are connected, with as a result that one infected device on the network might infect others.
In contrast with many beliefs, a VPN cannot protect organizations from attackers if attackers have already compromised employee’s laptop. Consequently, attackers might be able to reach organization's crown jewels by just compromising the security of employee’s home Wi-Fi.
First, organizations should prepare hardening guides and conduct cybersecurity awareness sessions to educate their employees on how to mitigate the vulnerabilities of home Wi-Fi networks. Secondly, they should perform periodic secure configuration reviews and penetration tests to assess the security of remote connection setup and VPN services.
2. Phishing emails
Email remains to be the largest threat vector for organizations and their people. As organizations send periodic awareness emails about Covid-19 to their employees, threat actors started to take advantage of this situation and launch phishing/spear-phishing campaigns against employees by imitating legitimate awareness emails sent from their organizations. As employees expect to receive such emails about Covid-19, there is a good chance they fall victim to such attacks.
I strongly suggest that organizations conduct awareness sessions followed by simulated phishing exercises to measure the potential risk and the effectiveness of awareness programs.
3. Fast-paced application development:
The Covid-19 pandemic rapidly created new demands for organizations to which they had to respond. This compelled organizations to develop and acquire whatever solution to meet their emerged needs as soon as possible, whereas security considerations were put aside. Skipping important phases in the software development life cycle (SDLC), such as secure code review and penetration testing will lead to more potential risks and vulnerabilities for the benefit of threat actors. We will explore the impacts of this practice in more details in a separate post.
My recommendation is that organizations outsource security testing for the long-term to consultation companies with certified staff to ensure all SDLC security-related countermeasures are met without delays. Security consultants can work shoulder to shoulder with development teams by integrating consultant's role into the SDLC to ensure proper penetration testing and secure code reviews are done during and after development.
My advice : “Better be safe than sorry”
Head of Penetration Testing and Ethical Hacking (Red & Purple Teaming)
Cybersecurity – KPMG in Saudi Arabia