How safe are organisations’ homeworking facilities?


For organisations, the homeworking facility has never been as important as it is now. Because of the COVID-19 measures, most of the work is done from home. It is important to be able to securely connect to the corporate network to reduce the risk of cyber incidents. What can you do as an organisation and have agreements been made about how to work safely from home?

NFIR can test the safety and technical resilience of home working environments by performing a pentest. In addition, we can provide targeted advice to companies on safe working from home. This article describes general ‘tips and tricks’ about facilitating working from home in a secure way.

Nowadays, when almost everyone is asked to work from home, the pressure on many organizations to offer homeworking solutions is also increasing. Facilitating a secure homeworking solution unfortunately does not (yet) seem to be possible for all companies. Critical vulnerabilities are regularly found in software that can be used to work from home. The most recent example is a vulnerability in the software of Citrix.

In these turbulent times, it is extremely important to have a number of crucial steps in place for homeworking solutions. In this way, the continuity and safety of organisations can be guaranteed.

To what extent is your homework facility technically resilient to hackers?

A homeworking environment is almost always available via the internet, which entails risks. In order to mitigate risks, we provide six recommendations that help to provide a secure homework solution:

  1. Care that the software is up-to-date: This advice sounds obvious, but too often after a security incident it turns out that the systems were not up-to-date. The software used as a homeworking solution needs to be updated to the latest version in order to facilitate organizations to work from home in a secure way.
  2. enable two factor authentication: Enabling 2FA or two factor authentication reduces the chance that an attacker who has stolen passwords from employees can actually use them. Many applications, such as Office365 or VMWare Horizon, allow administrators to enable this option.
  3. Get a clear and strong password policy: It is important that employees use strong passwords. From within the organization this can be enforced by means of a clear and strong password policy. It is advised to keep a password length of at least 12 characters and to include special characters, numbers, uppercase and lowercase letters all in the password. The length of a password is more important than the complexity. Use a password manager to generate and store strong passwords or use password phrases.
  4. Use only business devices: Through the use of business hardware (managed by employers), organizations have control over the software installed on the devices. In addition, employers can require employees to take certain security measures on that hardware and only allow the business hardware within the homework solution. .
  5. Let the homework solution be tested: To get more certainty about the digital security status of a homework solution, it is extremely important to have it properly pen tested. A pen test detects potential vulnerabilities and advises on how these vulnerabilities can be remedied so that they cannot be abused by potential attackers. A pen test also checks whether the ports that are open to the Internet should actually be open or can also be closed in order to reduce the chance of unauthorized access through those ports.
  6. Security monitoring as digital intrusion alarm: In order to be able to detect whether an attacker is trying to penetrate the (home) network, it is important to apply a form of security monitoring. Especially the servers that are being worked on need to be monitored. Security monitoring is used to monitor data traffic and detect abnormal behaviour. If attackers try to penetrate a network, this is detected at an early stage and action can be taken.

Pentesting of home working facilities

Why pen tests at home now?

Because many employees are now forced to work from home, it is important that the home working facility remains available and that any vulnerabilities cannot be exploited by malicious hackers. Hackers take advantage of this period and carry out slick attacks. For example, targeted phishing attacks are carried out on COVID-19, with which hackers try to give themselves access to companies’ systems.

What kind of pen test is suitable for home working facilities?

During the pen testing of the homework facility, it will be checked, among other things, to what extent the above six advices have been implemented. In addition, NFIR uses international standards by means of checklists when carrying out pen tests in order to be able to make a complete assessment of the security status of the home working facility.

A pen test will be started from the black box attack perspective. In a black box pen test, apart from the URL and/or IP address, no further information and user account is shared with the hackers of NFIR. Our ethical hackers will work in the same way as unethical hackers during this pen test.

Next, it is interesting and desirable to test the homework facility from the Greybox perspective. This tests the scenario in which a user’s login details have been captured by a hacker. The ethical hackers of NFIR receive login details from a normal user. The grey box pen test is used to investigate the possibilities of this account and if it is possible to increase the privileges so that the account can for example do the same as an Administrator (with the highest privileges).

Would you like to know to what extent the homework facility your organisation uses is technically resilient to hackers? Please contact us. During a free intake, we will work with you to determine the scope and desired attack scenarios. After this intake you will receive a specified quotation for this pen test.

Penetration test?

NFIR classifies pen testing vulnerabilities using the Common Vulnerability Scoring System (CVSS 3.1).

  1. A vulnerability scan provides a general picture of how IT security is organised. A pen test provides a more detailed picture of current IT security. A pen test provides a more detailed picture of current IT security.
  2. A vulnerablity scan is used to find commonly known vulnerabilities. In a pen test, attention is paid to all potential weaknesses
  3. Vulnerability scanning uses automated scans to detect vulnerabilities. A pen test also makes use of automated scans and the researcher actively seeks out vulnerabilities through a dose of creativity.

Penetration test or vulnerability assessment? – Penetration test? – Contact NFIR now

read 7 important questions in pentesting

Our penters have a large amount of experience, a lot of creativity and up-to-date expertise. The NFIR pen testers have followed relevant training courses and obtained certifications such as OSCP. In addition, they have all received chief of police approval and signed confidentiality agreements.

How long a pen test lasts strongly depends on the environment that needs to be tested and the agreements made with the client about the attack scenarios to be used.

A Black Box pen test means that no information about the environment is shared with the pen testers beforehand. With a pen test based on the White Box principle, all information about the environment is shared in advance. If you are having a pen test performed for the first time and want to get an overall picture of your security, it is useful to have a Black Box pen test performed.

A Black Box pen test is especially suitable when you are testing an environment for the first time and want to get an overall picture of the security. A Grey Box Penetration Test is an intermediate form of the Black Box and White Box Penetration Test, in which the researchers have limited login details and information at their disposal. The Grey Box pentest is generally used to see how safe an environment is from the perspective of an employee or customer.

Make arrangements with each other when the information must be delivered, when the pen test will take place, what the pen test means for the daily operations within your company and when the report will be delivered. The assignment must be clear and the information required in advance must be provided on time, otherwise a pentest cannot start.

The NFIR Pentest: how impenetrable is your network?

With the NFIR Pentest you can get certainty and advice about the safety of your network. NFIR for non-binding advice: 088 – 323 0205

The three main standards used by NFIR (depending on the environment to be tested) are the Penetration Execution Standard (PTES), Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP). The Common Vulnerability Scoring System (version 3) is used to determine the severity of a vulnerability. Furthermore, NFIR uses input from the client to apply a CIA weighting to the vulnerabilities found.