Fact : When teams work from home and connect to office network, the internal vulnerability assessment actually becomes more important than ever.
Said by : IT admin of Small scale IT services company
“Since we are working from home due to COVID pandemic, teams sit at home and connect to office network via VPN. But since everyone is at home, we dont need any internal vulnerability assessment. Only external assessment would be good enough”
Myth Debunked With The Fact Below
During COVID pandemic, most of the companies worldwide, chose to work from home. For many of those, the data was still centric to the office and each individual had to connect to the company network. For the yearly VAPT testing, companies chose to not perform internal vulnerability assessment, and instead only chose to perform the one for external IP addresses. This is incorrect and insecure. This is because when teams work from home, they still connect to company network using VPN.
This poses 2 situations from cyber security stand point. First being, teams started using their home computers or laptops which might not have been very secure, from the point of view of antivirus, patching, susceptibility to ransomeware etc. Secondly, when they connect over the VPN, they are still pretty much within the internal LAN network segment. This allows them to access internal servers and databases with the access level control as when they were working at company premises. Since most of the internal network attacks are indeed from the employees, it becomes more important to perform the internal assessment.
Time and again it had been seen, that more focus is given to external attacks while actually it should be to the internal attacks.
Senior management must update their knowledge about information security. They must open their minds up about compliances such as ISO27001, as well as the vulnerability assessment penetration testing (VAPT) which is imperative for their corporate networks, web and cloud applications and also the mobile applications. Right approach for companies, is to find a best cyber security vendor company or a top of the class information security consulting partner, and improve their organization’s data security via threat modelling and various other apt approaches.
#cybersecurity #mythbusters #myths #ethicalhacking #datasecurity #ciso #cio #cisos