Do You Need a Separate Penetration Test for Remote Access?

by Chris Bedel | Apr 17, 2020


The short answer is: It's definitely worthy of serious consideration.

This blog post is going to cover:

  1. Why we should be thinking about this now
  2. Assessing the risk
  3. What you should consider in looking for a provider
  4. Where to go from here

Why We Should Be Thinking About This Now

In the midst of the COVID-19 pandemic, community banks and credit unions have been allowing remote access to their employees like never before.

Some financial institutions rolled out remote access for the first time ever. Others went from a handful of users to dozens or maybe hundreds of remote employees.

And that's OK.

In fact, it's more than OK, it's a good thing.  Because the past month has been about survival; everyone is doing what they can to keep their businesses open, to keep their employees employed, and to try to take care of one another.

Community banks and credit unions have always been great at doing that. They take care of their customers, they take care of their employees, and they take care of their community.  Because community financial institutions are so important to our society, they naturally do what is needed in the time of crisis.  When it comes to pandemics, remote access has been, and will continue to be a vital tool in doing so.

But as we move out of survival mode, into a time where we begin to proactively manage this new world that we live in, now is the time to turn our focus from just making it through the day, to making sure that we’re strong for the future.

We must secure this new ‘normal’.

Some may argue that this is only temporary.  But the reality is, remote employee access is not going away anytime soon.  Remote Access will become part of some financial institutions in a way that will be just as integral as mobile banking, remote deposit capture, or even internet banking.  All things that, at one time, some folks looked at and said, “we'll never do that.” And now, they can't figure out how they would do without them.

Said in a different way: remote access is not a bad thing, it’s a good thing.  We need it for our society to continue like it has over the past month.

So, let's just assume that remote employee access for some banks and credit unions is here to stay for the foreseeable future.

Once we come to that realization, it's hard to argue that we shouldn't take some time and make sure that this technology is properly configured and secured.

Not only is it the right thing to do, but examiners and regulators will expect to see evidence that you manage remote access risk, either while you implemented it, or shortly thereafter.  And they should expect this of our financial institutions.

Remote employee access, if not properly secured, has the makings of massive security breaches in our not so distant future.  We have to take this seriously and make sure we're addressing it now rather than later.

Some banks are already beginning to ask this:

“Are we doing what we should to secure remote access?”

“Is there a way we can do a penetration test of our remote access environment?”

It Starts with a Risk Assessment

Just like any other situation where we're managing risk, it starts with a risk assessment, documenting:

  • What you have in place
  • What threats exist for your environment
  • What controls you have in place
  • The effectiveness of those controls
  • The residual risk that remains

More on this later…

Without getting into the weeds of the details of a risk assessment for remote access, I’d venture to say that if you implemented a new solution for remote employee access or you set up new employees with remote access during this time, you are carrying some high inherent risk right now.

And what do we do with a high inherent risk from our risk assessment?

We audit those areas. And the best way to test a technical environment is with a technical assessment, or in this case, a remote access penetration test.
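The five steps above can be run as a small, repeatable calculation. The following is an added worked example, not Bedel Security's assessment template and not code from the original post: it records components, threats, controls and control effectiveness, derives inherent and residual risk, and flags the areas with high inherent risk as candidates for a technical test. The 1-to-5 likelihood and impact scale, the "high" threshold of 15, the assumption that independent controls combine multiplicatively, and every component, threat and score in the sample register are constructed assumptions for illustration.

```python
"""Remote-access risk register: inventory -> threats -> controls -> effectiveness -> residual.

Added example; all scales, thresholds and sample data are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

SCALE_MAX = 5   # assumed: likelihood and impact each scored 1..5
HIGH = 15       # assumed: inherent or residual score >= 15 counts as "high"


@dataclass
class Control:
    name: str
    effectiveness: float  # 0.0 = no effect .. 1.0 = fully mitigates (estimated)

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"effectiveness out of range for {self.name}")


@dataclass
class Threat:
    description: str
    likelihood: int
    impact: int
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= SCALE_MAX:
                raise ValueError(f"score out of range for {self.description}")

    def inherent(self) -> int:
        # Inherent risk: likelihood x impact with no controls considered
        return self.likelihood * self.impact

    def combined_effectiveness(self) -> float:
        # Assumed model: independent controls; what one lets through, the next may catch
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return 1.0 - remaining

    def residual(self) -> float:
        # Residual risk: inherent risk scaled by what the controls fail to mitigate
        return self.inherent() * (1.0 - self.combined_effectiveness())


@dataclass
class Component:
    name: str               # "what you have in place"
    threats: List[Threat]


def assess(components: List[Component]) -> Dict[str, dict]:
    """Summarise each component by its worst threat and flag what to test."""
    report: Dict[str, dict] = {}
    for comp in components:
        inherent = max(t.inherent() for t in comp.threats)
        residual = max(t.residual() for t in comp.threats)
        report[comp.name] = {
            "inherent": inherent,
            "residual": round(residual, 1),
            "audit": inherent >= HIGH,        # high inherent risk -> technical test
            "control_gap": residual >= HIGH,  # controls leave the risk high
        }
    return report


def sample_register() -> List[Component]:
    """Constructed sample data; not a real environment and not a specific template."""
    mfa = Control("MFA on remote login", 0.9)
    patching = Control("Appliance patch management", 0.5)
    lockout = Control("Account lockout only, no MFA", 0.2)
    fde = Control("Full-disk encryption on laptops", 0.8)
    return [
        Component("VPN client into the office network", [
            Threat("Phished or reused VPN credentials", 4, 5, [mfa]),
            Threat("Unpatched VPN appliance exploited", 3, 5, [patching]),
        ]),
        Component("Remote desktop via gateway", [
            Threat("Password guessing against remote desktop", 5, 4, [lockout]),
        ]),
        Component("Corporate laptop used at home", [
            Threat("Lost or stolen device exposes data", 3, 4, [fde]),
        ]),
    ]


if __name__ == "__main__":
    for name, row in assess(sample_register()).items():
        flags = [k for k in ("audit", "control_gap") if row[k]]
        print(f"{name:38} inherent={row['inherent']:>2} residual={row['residual']:>5} {flags}")
```

The "audit" flag is the post's rule in code form: a component whose inherent risk is high gets a technical test regardless of how good the controls look on paper, because the test is what confirms the controls actually work. The "control_gap" flag is the residual-risk view, and it is the one that should drive new controls rather than more testing.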

What to consider in a provider?

If, from your risk assessment, you decide you need to test some of your controls for remote employee access, here are some things to consider:

  • THIS IS NOT A CHECK-THE-BOX EXERCISE!
  • Because of that, your current pen tester may not be the right fit. Your standard auditing firm may not be the right fit.
  • You want someone who has done this before. You want someone that has developed specialized testing for the various components of the many different configurations that remote access can take on.
  • You want to make sure that your provider for this takes a layered approach. This isn't as simple as running a scan on your firewall and calling it a day. It starts there, but then, can they connect?  If you give them credentials, does your MFA kick in? What does the security on your endpoints look like? 

You need someone that can peel back the layers and tell you where your weaknesses are, through your entire stack.

So where do you start?

Unless you have a risk assessment nailed down, that's the first place to start.

I recommend using ours. 

It covers the four common configurations for remote employee access.  We've put all of the hard work into determining the threats and determining the inherent risks of the threats. All you have to do is identify the controls you have in place to get your residual risk.

It takes less than 30 minutes, and can be found here:
https://www.bedelsecurity.com/lp-remoteriskassessment 

Even if you have a risk assessment done already, I recommend downloading it; it might give you some ideas.

If you're not comfortable performing your own risk assessment, I recommend getting in touch with someone who's experienced and capable of doing one. If you don't have anyone to help you, contact us at support@bedelsecurity.com.  We’ll walk you through the process customized to your environment.

And finally, if you determine that a remote access penetration test is the proper next step for your institution, I recommend taking a look at a couple of solutions. If you don't have someone that you're comfortable with, or you're just not sure if you can vet out a provider like this, let us know if you need our help.

We've been in touch with, and vetted out, several providers that have experience in this space.  Contact us if you want an introduction by emailing support@bedelsecurity.com.

Other Resources:

Remote Access Risk Assessment
https://www.bedelsecurity.com/lp-remoteriskassessment 

Top 5 Ways Cybercriminals are Exploiting COVID-19
https://www.bedelsecurity.com/blog/top-5-ways-cybercriminals-are-exploiting-covid-19

It's a Bad Time for a Cyber Breach
https://www.bedelsecurity.com/blog/its-a-bad-time-for-a-cyber-breach

Remote Work Security
https://www.bedelsecurity.com/blog/remote-work-security

Update: What We're Seeing From the COVID-19 Pandemic Planning Front
https://www.bedelsecurity.com/blog/update-what-were-seeing-from-the-covid-19-pandemic-planning-front
