April 16, 2021

Security in a ‘Work From Anywhere’ World

Thursday, 26 November 2020 / Published in Blog, Legal

Crisis is a catalyst for change. No bigger crisis has struck the world in 2020 than the COVID-19 pandemic, and the effect this has had on how people work has been dramatic. The rapid transition to remote working has left I.T. teams worldwide desperately attempting to keep up. This has naturally led to oversights. Whether it is a single poorly configured VPN, or an Azure tenancy with a multitude of permission issues – the holes in the armour of corporations started appearing in March and have only been added to since.

All roads lead to Rome, and all security flaws eventually lead to a breach. There have been a record number of such breaches in 2020 already, with the pandemic only exacerbating the frequency of attacks. The breaches themselves cause consumers to lose faith in companies, and in the event of ransomware attacks business can halt for hours or even days. But even if the breach only discloses information and the business can keep trading, the long arm of the ICO has been handing out large fines for breaking the GDPR. Rebuilding after a breach can seem an insurmountable task – but Penetration Testing is your friend here.

A blasé attitude towards being breached is a surefire way to lose customers. A post-breach pentest report goes a long way in assuring clients, and internal senior management, that this is being taken seriously. Thus, having a plan in the event of a breach is vitally important. Now, this plan should have many facets – but the primary goal is this: identify the attacked resource, identify how it was attacked, and remediate any issues. Pentest People’s expert consultants can help with step two.

The aims of penetration testing are normally straightforward: a consultant will assess each individual element of the target and see if they can identify and then leverage vulnerabilities in it. However, when Pentest People are involved in post-breach testing, the aims change. No longer are we looking for common misconfigurations like weak cipher suites, but instead are modelling a threat actor in order to conclude what the most likely attack vector is. This allows companies to focus their remediation efforts, whilst also reassuring consumers that the breach is being taken seriously. Tales from real engagements always demonstrate problems and their solutions more effectively, and what follows is an engagement that happened back in August.

A company we had provided security testing to before (although we had not assessed this particular application) had been breached. A threat actor had successfully injected malicious code into their website, and defaced it. One of Pentest People’s Managing Consultants was immediately given this assessment, and I was assigned to aid him. The most likely attack vector was a credential stuffing / brute force attack on the administrative console present. This was supported by our OSINT investigation as part of the assessment, and by the fact that the client had only enabled verbose logging after the successful breach.

The second attack vector, whilst admittedly less likely, highlights one of the ongoing problems with third party resources. In technical terms, one of the third party resources wrote data from document.location.href into an ‘a’ tag. If an attacker found a way to influence document.location.href in such a way that they ‘broke out’ of said ‘a’ tag, they would be able to deface the application in this manner. Essentially, an attacker need not go after the application if the application relies on vulnerable resources.
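The sink described above, modelled as an added example that is not code from the original post or from the third party resource it describes: the vulnerable string-building pattern beside a hardened version, plus a simple check a reviewer can run over rendered markup. The page is modelled as a string so it runs under Node without a browser DOM; the sample URL is constructed.

```javascript
// Added example: a third-party widget that writes the current URL into an <a> tag.
// Modelled as string building so it runs in Node; in a browser the same defect
// appears when location.href is concatenated into innerHTML.

// Vulnerable pattern: the current URL is concatenated straight into markup, so a
// double quote in the URL ends the href attribute and whatever follows becomes HTML.
function buildLinkUnsafe(locationHref) {
  return '<a href="' + locationHref + '">' + locationHref + '</a>';
}

// Escape the characters that can close an attribute or open a tag.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened pattern: parse the value as a URL, accept only http(s), and escape
// before interpolating. Returns null for anything we are not willing to render.
// In a browser, prefer a.setAttribute('href', url.href) and a.textContent = url.href
// over building markup at all.
function buildLinkSafe(locationHref) {
  let url;
  try {
    url = new URL(locationHref);
  } catch {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  const href = escapeHtml(url.href);
  return '<a href="' + href + '">' + href + '</a>';
}

// Defender-side check: the rendered fragment should be exactly one <a> element
// with no further tags. A break-out shows up as extra or nested markup.
function renderedAsSingleAnchor(html) {
  return /^<a href="[^"<>]*">[^<>]*<\/a>$/.test(html);
}

// Constructed sample: a query parameter carrying a quote and angle brackets, the
// kind of value an attacker would need to get into document.location.href.
const sampleHref = 'https://app.example/page?ref="><b>x</b>';
```

Run with `node` and compare `buildLinkUnsafe(sampleHref)` with `buildLinkSafe(sampleHref)`: the first fails `renderedAsSingleAnchor`, the second passes because the URL parser percent-encodes the quote and brackets.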

So, clearly getting penetration tests done after a breach is key in identifying how it happened and assuring customers that it won’t happen again. But these assessments should be carried out yearly at the very minimum. A defence in depth approach is not just a buzzphrase to be bandied about in meetings, you actually have to do it. Applications, APIs and all the flavours of infrastructure must be subjected to stringent security reviews. More recently, provisions to allow employees to Work From Anywhere also need to be tested. Whether this is a swift transition to Microsoft’s Cloud Offerings, or a newly installed Remote Desktop implementation, penetration tests on these business critical services form the backbone of this defence in depth.

However, all the security testing in the world cannot compete with good and regular staff training. If staff do not know how to avoid phishing emails or calls, then having bullet-proof application and infrastructure security is much of a muchness. Why would an attacker spend hours attempting to breach services when one or two well placed phone calls would achieve the same thing? This brings us on to one of the most important parts of the new world of work: communication. Communication is one of the best ways to alleviate what is often a company’s largest threat landscape, their employees.

There is often a gap between companies’ internal I.T. departments and the rest of their workforce. This gap is born of the kind of interactions that normally happen between these two sectors; that is, normally something has stopped working and both parties need it fixed quickly. This kind of stress leads to primarily negative interactions, and this has to be counteracted by (you guessed it) more communication. Fostering a true team spirit will make all your employees more productive, and will ultimately ensure a higher level of security.

The primary takeaway from all of this is simple: security should be prevalent in all areas of a business. Achieving that security takes a lot of work, and playing catch-up is no easy feat, but it all starts with people. Get everyone talking to your I.T. department, and more importantly get your I.T. department talking to everyone. Educate staff, don’t lecture them. And most importantly test, test and test again.

Security in 2020 is no easy thing, but getting secure doesn’t have to be an overwhelming challenge. Stay safe out there,

Pentest People.

The Importance of Managing and Securing Your Network in the New WFA world

Virtual Round Table Event – January 14th 2021

With the WFA (work from anywhere) culture expanding, PAV i.t. services have brought together a consortium of organisations who have significant insight or provide key technologies that we believe are essential for all organisations such as yours at this point in time. The consortium includes Wells Technology, Gauntlet Group as well as Comstor and CISCO. The consortium represents an organisation focusing on CISO / CIO guidance, the insurance industry and world-wide suppliers of networking and security products. Additionally, @PAV is an IT services company which has more than 250 customers and brings a unique service first approach to the technology considerations as outlined within this campaign.

Over the coming weeks, the consortium will provide you with tailored blogs and webcasts where our sole intention is on the provision of knowledge that helps you to formulate a plan that addresses the following key questions:

  • How can your organisation maintain effective communications between applications, clouds, staff when more often than not, your staff are increasingly working from anywhere (WFA)?
  • How can high levels of organisational collaboration be secured within an online / digital world?
  • How can your organisation provide efficient management of networking solutions in this ever more complex IT environment?
  • Should your organisation be worried about the costs of being breached?
  • What are the legal ramifications of being breached and having proprietary / sensitive / PII information exposed?
  • What are the key recovery considerations following a breach?
  • What are leading / innovative organisations doing and what lessons should less WFA aligned companies learn?

For more details and to register your interest in attending our virtual round table event on January 14th, click here.
