By Bram van Pelt and Diederik Perk.
The combination of consumerization and BYOD introduces a major dilemma to enterprise security. Security is losing control over the devices that host corporate data, applications and communications, and, with it, ground in the fight against cybercrime. With malware attacks increasingly targeting smartphones and tablets alike, this dilemma keeps growing. Security officers and developers cannot afford to sit idly by; the industry, however, has yet to produce a practical framework for applying penetration testing methods to a network of mobile devices as a whole.
Some guidance is available, though it rests on the biased assumption that the two worlds of mobile devices are kept strictly separate. The reality, however, is that there are no good methods to distinguish between the categories of mobile devices, for lack of solid device identification. The existing methods hinge on the use of device certificates, a use neither foreseen nor really supported by the X.509 standard and related technologies. As it stands, a certificate is a file on a device but by no means bound to it, making device identity theft as easy as pie.
Especially in cyberspace, war is waged with the army you have, not with the army you want. Below you’ll find some principles and tools to kick-start the debate. Corporate culture and budget being what they are, testing every client configuration is out of reach due to sheer numbers. Whether or not security guidelines are enforced on the client device will therefore always be somewhat of an unknown. The flow of data between enterprise apps and commercial apps then becomes untraceable, both on the mobile network and on the devices themselves. What can be done, and therefore must be done, is to take one step back before going several ahead:
Define the Policy
A policy should translate strategy into actionable guidelines. Updating the security policy to include robust mobile security is a fundamental instrument to enhance the grip on corporate data on mobile networks. Having staff sign a statement declaring to comply with corporate policies (or potentially face sanctions) is a step that creates awareness and accountability. Security becomes a matter of shared responsibility, such as it should have been from the start.
Validate where Possible
For each policy it must be established by which means it can be validated. Obviously, much of it will defy remote validation; some measures, however, can be validated remotely, for instance by the use of device fingerprinting technologies: not to block unknown devices (as implemented in many tools) but as a trigger to catch anomalies. When a user makes a device assume the identity of another device (device identity theft), it is obvious that something is very wrong indeed.
Scan the Device Platform
The first layer of mobile device security is the platform of the mobile device itself. Some platforms are better than others, and old versions clearly fail the test. Keep in mind that some mobile platforms may in themselves be more secure than the standard corporate workstation. In practice this means: check and log the operating system of the mobile device, a step which is also common to the penetration testing of static devices. The goal of this first step is to check that users are not running old systems that are easily compromised. Consider a setting that excludes communication with older operating systems.
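The two checks described so far, fingerprint consistency as an anomaly trigger and a platform version baseline, can run off the same stream of gateway check-in records. The following is an added example, not code from the article or from any MDM product: the record fields, the certificate serials, the fingerprints and the minimum versions are all constructed assumptions. It raises one alert when a device certificate shows up with a fingerprint it has never presented before, and another when the reported platform is below the corporate baseline.

```python
"""Added example: auditing constructed mobile check-in records for
(1) a device identifier reappearing with a different hardware/OS
fingerprint (possible device identity theft) and (2) a platform
version below the corporate baseline. All field names, values and
baselines are assumptions for illustration, not a real product's schema."""
from collections import defaultdict

# Minimum platform versions accepted by the (hypothetical) policy.
MIN_VERSION = {"android": (10, 0), "ios": (15, 0)}

# Constructed check-in records, as a gateway might log them when a device
# authenticates with its certificate. 'cert' stands in for the device
# certificate serial; the remaining fields are the observed fingerprint.
CHECKINS = [
    {"cert": "A1", "os": "android", "version": "13.0", "model": "Pixel 6", "ua": "okhttp/4.9"},
    {"cert": "A1", "os": "android", "version": "13.0", "model": "Pixel 6", "ua": "okhttp/4.9"},
    {"cert": "B2", "os": "ios", "version": "14.8", "model": "iPhone9,3", "ua": "CFNetwork/1240"},
    # same certificate as A1, but presented from a completely different platform
    {"cert": "A1", "os": "ios", "version": "16.1", "model": "iPhone14,2", "ua": "CFNetwork/1404"},
    {"cert": "C3", "os": "android", "version": "9", "model": "SM-G960F", "ua": "okhttp/3.12"},
]


def parse_version(text):
    """'13.0' -> (13, 0); tolerate a bare major ('9' -> (9, 0)) and junk suffixes."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts[:2])


def fingerprint(rec):
    """The attributes that should stay stable for one physical device."""
    return (rec["os"], rec["model"], rec["ua"])


def below_baseline(rec):
    minimum = MIN_VERSION.get(rec["os"])
    return minimum is not None and parse_version(rec["version"]) < minimum


def audit_checkins(records):
    """Return a list of (cert, reason) alerts in the order they are raised."""
    alerts = []
    seen = defaultdict(set)  # cert -> fingerprints observed so far
    for rec in records:
        fp = fingerprint(rec)
        known = seen[rec["cert"]]
        if known and fp not in known:
            alerts.append((rec["cert"], "fingerprint changed: %s -> %s" % (sorted(known)[0], fp)))
        known.add(fp)
        if below_baseline(rec):
            baseline = ".".join(str(n) for n in MIN_VERSION[rec["os"]])
            alerts.append((rec["cert"], "platform %s %s below baseline %s"
                           % (rec["os"], rec["version"], baseline)))
    return alerts


if __name__ == "__main__":
    for cert, reason in audit_checkins(CHECKINS):
        print(cert, reason)
```

The fingerprint check deliberately does not block anything; it only reports that a certificate was used from an unfamiliar device, which is the anomaly the text wants surfaced rather than silently allowed. Legitimate device replacements will also trigger it, so the alert belongs in a review queue, not in an automatic lockout.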
Device port security
Because mobile devices are granted access to company Wi-Fi internet access, these devices will have comparable ports to static devices, including TCP and UDP ports. These ports will have to be checked and the applications behind them scanned for versions. This is not unlike scanning static systems, and should be done regularly. Capture outcomes in metrics that enable trend analysis.
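The trend analysis the paragraph asks for needs two things: a per-host diff between consecutive scans and a handful of aggregate numbers that can be charted over time. This is an added example, not the article's or any scanner's code; the two snapshots are constructed (addresses, ports and service strings are made up) and the dict shape is an assumption about how a scanner export might be normalised.

```python
"""Added example: turning repeated port/service scans of the mobile
segment into per-host change reports and trend metrics. Snapshots are
constructed; the data shape is an assumption, not a real export format."""

# Services the policy wants counted separately in the trend line
# (assumption for the example: a debug or remote-login service listening
# on a device on corporate Wi-Fi is something you want to know about).
WATCHED_SERVICES = {"adb", "ssh"}

# Snapshot format (assumed): host -> {"port/proto": "service [version]"}
SCAN_WEEK_1 = {
    "10.20.0.11": {"62078/tcp": "iphone-sync", "5353/udp": "mdns"},
    "10.20.0.12": {"5555/tcp": "adb", "5353/udp": "mdns"},
    "10.20.0.13": {"8080/tcp": "http-proxy 1.2"},
}
SCAN_WEEK_2 = {
    "10.20.0.11": {"62078/tcp": "iphone-sync", "5353/udp": "mdns"},
    "10.20.0.12": {"5353/udp": "mdns"},                              # adb port closed
    "10.20.0.13": {"8080/tcp": "http-proxy 1.3", "22/tcp": "ssh"},  # new port, version bump
    "10.20.0.14": {"5555/tcp": "adb"},                               # host not seen before
}


def diff_scans(before, after):
    """Per-host changes between two snapshots; hosts without changes are omitted."""
    changes = {}
    for host in sorted(set(before) | set(after)):
        old = before.get(host, {})
        new = after.get(host, {})
        opened = sorted(set(new) - set(old))
        closed = sorted(set(old) - set(new))
        changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
        if opened or closed or changed:
            changes[host] = {
                "opened": opened,
                "closed": closed,
                "version_changed": changed,
                "new_host": host not in before,
            }
    return changes


def metrics(snapshot, watched=WATCHED_SERVICES):
    """Aggregate numbers worth charting from one scan run."""
    ports = [p for services in snapshot.values() for p in services]
    watched_hosts = sum(
        any(svc.split()[0] in watched for svc in services.values())
        for services in snapshot.values()
    )
    return {
        "hosts": len(snapshot),
        "open_ports": len(ports),
        "tcp_ports": sum(p.endswith("/tcp") for p in ports),
        "watched_hosts": watched_hosts,
    }


def trend(before, after):
    """Metric deltas between two runs, e.g. {'open_ports': 1} for one more open port."""
    m1, m2 = metrics(before), metrics(after)
    return {key: m2[key] - m1[key] for key in m1}


if __name__ == "__main__":
    for host, change in diff_scans(SCAN_WEEK_1, SCAN_WEEK_2).items():
        print(host, change)
    print(trend(SCAN_WEEK_1, SCAN_WEEK_2))
```

Storing the `metrics()` output per run is what makes the trend line possible; the `diff_scans()` output is what the analyst reads when the line moves.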
Perform sample surveys. The fact that one cannot test everything shouldn’t block those indicators which can be tested. The most effective test for mobile platforms is a validation of system rights. Mobile apps need certain system access; compromised versions usually have more access rights than is actually needed. A simple check on a few commonly downloaded applications (Flappy Bird etc.), comparing the original list of access rights as intended by the maker against the rights actually granted to the application, is a clear guide: when the lists don’t match, alerts should be raised.
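The permission comparison above, written out as an added example (not the article's code): a reference list of what the maker declares per app version is compared with what a sampled device reports as granted. The app name, permission sets and device reports are constructed; the permission strings follow the `android.permission.*` naming convention, but none of the sets is taken from a real app's manifest. Extra permissions that fall into a sensitive class are escalated, extra permissions of any other kind are plain drift, and a copy with fewer permissions than declared is reported at informational level, since on a modern platform that is usually the user declining a runtime prompt.

```python
"""Added example: compare the permissions an app's maker declares with
the permissions actually granted on a device and classify the mismatch.
All app names, permission sets and device reports are constructed."""

# Permissions the policy treats as high-impact (assumption for the example).
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed: what the maker's published manifest declares, keyed by (app, version).
DECLARED = {
    ("com.example.flappy", "1.3"): {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
    },
}

# Constructed: what sampled devices report as granted to the installed copy.
DEVICE_REPORTS = [
    {"device": "dev-01", "app": "com.example.flappy", "version": "1.3",
     "granted": {"android.permission.INTERNET",
                 "android.permission.ACCESS_NETWORK_STATE"}},
    {"device": "dev-02", "app": "com.example.flappy", "version": "1.3",
     "granted": {"android.permission.INTERNET",
                 "android.permission.ACCESS_NETWORK_STATE",
                 "android.permission.READ_SMS",
                 "android.permission.READ_CONTACTS"}},
    {"device": "dev-03", "app": "com.example.flappy", "version": "2.0",
     "granted": {"android.permission.INTERNET"}},
    {"device": "dev-04", "app": "com.example.flappy", "version": "1.3",
     "granted": {"android.permission.INTERNET"}},
]


def compare(report, declared=DECLARED, sensitive=SENSITIVE):
    """Return (severity, detail) for one device report.

    severity is one of:
      'ok'       granted set equals the declared set
      'unknown'  no reference manifest for this app/version (cannot judge)
      'info'     fewer permissions than declared (usually a user denial)
      'drift'    extra permissions, none of them sensitive
      'critical' extra permissions including at least one sensitive one
    """
    reference = declared.get((report["app"], report["version"]))
    if reference is None:
        return ("unknown", "no reference manifest for %s %s" % (report["app"], report["version"]))
    extra = report["granted"] - reference
    missing = reference - report["granted"]
    if not extra and not missing:
        return ("ok", "")
    if extra & sensitive:
        severity = "critical"
    elif extra:
        severity = "drift"
    else:
        severity = "info"
    return (severity, "extra=%s missing=%s" % (sorted(extra), sorted(missing)))


def audit_permissions(reports):
    """One (device, app, severity, detail) row per report; anything but 'ok' is an alert."""
    return [(r["device"], r["app"]) + compare(r) for r in reports]


if __name__ == "__main__":
    for row in audit_permissions(DEVICE_REPORTS):
        print(*row)
```

The `unknown` outcome matters as much as the alerts: a sampled copy whose version has no reference list is exactly the case where the comparison cannot be made, and the fix is to extend the reference data, not to treat the device as clean.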
Applications on mobile devices can use several application endpoints. An endpoint is a connector through which an app can connect to another application or service. This endpoint can be used, for instance, to download adverts or enriched content. Needless to say, these endpoints need to be hardened so that an attacker cannot use the endpoint to exploit a system. A market review list of tools is available, but no longer updated. Ensure your information position includes the scarce listings of vulnerabilities and compromises of mobile apps.
From the mobile apps marketplace, some significant innovations have been made to increase security. It is always recommended to update apps automatically, providing near-continual patching. A wide range of elaborate security apps from trusted vendors is available as well. These can be familiar tools, such as anti-virus and firewalls, but some more hidden gems can also be found. Take for instance the zANTI Android-based security testing platform, which allows the owner to do network scans, man-in-the-middle attack simulations and overall vulnerability assessments. And the best part is that it has a free version, and the good people of Zimperium have an iOS version in the works.
In mobile pen-testing, be it off the shelf or custom-made, the supply side is taken care of. What needs to be done is to assess which tools and techniques fit a specific organization. Mobile hardening is one side of the coin, and focusing on it often leads to negligence on the monitoring side. As with all defensive measures in immensely complex environments, finding complementary mechanisms aimed at detecting anomalies is at the core of success. No single scan can or ever will be complete; therefore it is key to bring measurements together, preferably in real time. By applying available best-practice methodology within information security and fine-tuning it towards a mobile pen-testing monitor, your organization will gain actionable intelligence. Essentially, the best starting point is to make it a point to start testing.