Remote vulnerable laptops - fertile attack targets

Billy Austin


What third party apps do remote workers have installed?

Remote workers are nothing new, but the challenge of hunting down employees on-the-go and assessing their devices can be a task in and of itself. With the increase of cyber incidents triggered by remote connectivity & insecure third party apps, one would think these devices are in scope for security and compliance quarterly checkup scans. After speaking with security and auditing colleagues, I found that it proved to be quite the opposite.

Why you should care about third party client software
When analyzing exploit development and attack trends, one finds that effort is concentrated on popular client applications such as browsers, Adobe and Java. Attack code that takes advantage of such third party apps is known as client exploits. Poor configurations and unpatched laptops are still the norm, while unknown or forgotten installed vulnerable software is often overlooked, but not by the bad guys.

Hackers understand this and so should the rest of the industry tasked with protecting remote employee computing. Penetration testers find a high success rate when simulating a client exploitation attack against remote workers. A few takeaways here: attacks targeting the telecommuter are increasing, as BYOD laptops tend to be juicy unpatched systems that allow attackers to gain entry to the corporate fortress. The attack process is merely to entice an employee to click a link, connect to an insecure Wi-Fi access point or visit a website, whereby the exploit takes advantage of the unpatched third party client software.

Why bang away at external network devices where border security is increasingly tightened, when what's in your pocket or briefcase is where hacker fertility awaits?

Our Managed Service Provider partners here at MAX Risk Intelligence understand that endpoint, systems management and RMM footprints appear to be growing as teleworkers increase. Scanning, patching and configuring are equally important for internal devices, although the "what's in your pocket and briefcase" devices tend to be neglected by most. If you don't use a service provider or have a challenge answering "How vulnerable are my employees' devices?", let's look at another option for discovering exactly what third party software is on such endpoints.

How to discover what's installed, simple and fast

A. Run the free sample script provided below
B. Try MAX Risk Intelligence's free Inventory scan to enumerate all HW/SW details

DOS Prompt + Script

Whether you’re a skilled consultant or a novice technological enthusiast, this script is simple but loaded with information and takes roughly a few seconds to perform. In Windows, navigate to your terminal window, aka a DOS or CLI prompt and enter:
C:\> dir /s "C:\Program Files" > myapps.txt

This will create a file called myapps.txt discovering your installed apps with the name of the application, last patch date, versions and more. Once you have performed this exercise, open the "myapps.txt" file to have a peek. If you assess or audit systems, this script should come in handy down the road.
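The dir listing above covers a single folder. As an added example (not from the original article and not MAX Risk Intelligence tooling), the following PowerShell script reads the standard Windows uninstall registry keys to list installed applications with name, version, publisher and install date, including 32-bit and per-user installs. The output file name myapps.csv is an assumption chosen to mirror myapps.txt.

```powershell
# Added example: software inventory from the Windows uninstall registry keys.
# Run in a PowerShell prompt on the laptop being assessed; no admin rights needed to read.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # machine-wide, native
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*', # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs
)

$apps = foreach ($key in $uninstallKeys) {
    # A key may be absent (e.g. WOW6432Node on 32-bit Windows), so suppress that error.
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |   # skip entries without a display name
        ForEach-Object {
            # InstallDate is optional; when present it is normally yyyyMMdd.
            $installed = $null
            $parsed    = [datetime]::MinValue
            if ([datetime]::TryParseExact([string]$_.InstallDate, 'yyyyMMdd',
                    [cultureinfo]::InvariantCulture,
                    [System.Globalization.DateTimeStyles]::None, [ref]$parsed)) {
                $installed = $parsed
            }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $installed
                Scope       = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
            }
        }
}

# De-duplicate, then list oldest install dates first as a rough review order.
# InstallDate is when the installer last ran, not proof of patch level, so
# compare Version against the vendor's current release before drawing conclusions.
$apps |
    Sort-Object Name, Version -Unique |
    Sort-Object InstallDate |
    Export-Csv -Path .\myapps.csv -NoTypeInformation -Encoding UTF8

"{0} applications written to myapps.csv" -f @($apps).Count
```

Entries with no recorded InstallDate sort to the top of the file, so review those by version rather than by date.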

MAX Risk Intelligence Inventory Scan or Script
For consultants and service providers with a MAX Risk Intelligence account, additional hardware and software details are uncovered. MAX Risk Intelligence's Inventory scan type takes roughly 2-3 seconds and produces results in HTML, PDF or JSON.

Removing the barriers of assessing the remote user, MAX Risk Intelligence includes several delivery options and sample usage:

CLI executable - Utilize any systems management tool to initiate the script, create login scripts or add it to your batch file, scanning users upon VPN connectivity. Active Directory can also initiate and schedule tasks with the MAX Risk Intelligence binary.
Browser Plugin - Send an email with a URL where the user initiates the inventory. Alternatively, a MAX Risk Intelligence HTML snippet can be embedded into any web app that can also auto-facilitate the scan discovery.
Executable plus a visual - This creative example illustrates a CLI script that will trigger a browser to automatically open, scan and present the results to the user.

Regardless of the method or script chosen, inventory assessments take two seconds and, in most cases, provide a wealth of value to the assessor. This should not be a substitute for scanning and keeping remote laptops updated, but purely another method of discovering potentially vulnerable apps.

In short, ensure your consultant or service provider is assessing 100% of your devices and not conducting a partial assessment for what is physically at the office. If you have challenges assessing remote on-the-go employees or teleworkers, drop us a line to learn more about MAX Risk Intelligence's compliance, vulnerability and data discovery scanning solutions.