Penetration testing is a vital component of a Threat Management Solution and is now used widely as an effective method of detecting vulnerabilities in an organization’s systems, applications, and infrastructures. During a penetration test, the pen tester utilizes various assessment techniques to detect vulnerabilities in the network, and various other methodologies to exploit them and gain the full picture of the extent of damage that could be done. These vulnerabilities are then assessed, prioritized, and fixed accordingly.
Carrying out a pen test is not an easy task and requires training and experience. This six-part series will focus on how to improve your pen testing skills.
Mobile, Mobile Everywhere
Mobile devices are everywhere. Twenty years ago, the ratio of IT network assets to employees was around 1.5 devices per employee. That calculation was simple: every employee got a desktop (that’s the 1.0), and then there were network shares and printers (that’s the 0.5). With the rise of mobile, that ratio has grown significantly. At the high end, a single employee may have a desktop, laptop, phone and tablet assigned to them. Add to that the movement towards Bring Your Own Device (BYOD) and the ratio continues to climb. And mobile is not just about the actual devices; it is also about the infrastructure that supports them: wireless networking (but that’s the next installment).
Within an Enterprise, a mobile device may occupy any number of official and unofficial roles. Your first priority as a penetration tester in dealing with mobile devices is to understand their relationship to the Enterprise (your client). In general, a mobile device will fall into one of the following categories:
1. Fully Supported
In this case, the Enterprise owns and provides the mobile device to the employee. The devices are supported by the Enterprise technical support infrastructure and typically returned upon employee termination. In some cases, the device may be authorized for personal use (surfing, app installation/deletion, calls & texts). In other cases, the device may be authorized for work use only.
2. Bring Your Own Device (BYOD)
In this case, the mobile device is owned and controlled by the employee, who retains possession of it upon termination. Furthermore, the device is typically allowed on the Enterprise network. It is up to the employer to further define whether the device is solely for personal use or may also be used for work-related tasks and communications.
3. Not Authorized
In this case, the Enterprise does not support any mobile devices, nor are they allowed on the Enterprise network. While the employer cannot prevent an employee from owning a device, they can restrict its use and physical access.
The best method for documenting this relationship is to ask for a copy of the Mobile Device Policy. This is the document typically used to define the use and limits of mobile devices within the Enterprise.
The second priority is to document the rules of engagement with regards to mobile devices. The tricky part here is the possibility of damaging personal property or compromising personal information. The mobile device and its use allow for the co-mingling of personal and corporate data. This increased risk to personal hardware and data must be addressed through careful analysis. Go too far, and you run the risk of damage to personal possessions and data. Don’t go far enough, and you run the risk of an incomplete assessment.
Unless given very clear, written rules of engagement that allow you to go after the phones, I suggest not compromising individuals’ personal devices. Instead, I offer you another suggestion. If your client issues the mobile devices, have them issue a standard device to you and use that as the target for your attacks. You can populate the device with fake data and document its vulnerabilities. If your client supports BYOD, things are even easier. There are only so many choices of mobile OS out there, and as a pen tester you should have a couple of those in your kit bag. Again, populate them with fake data and document their vulnerabilities.
An advantage of using your own devices is that it allows you to conduct a more thorough test of the mobile device at your own pace. The tricky part of including mobile devices in a pen test is that they are mobile. If you are targeting and working against an employee’s device and they leave the building and the network, then all your work is for naught. By using your own device, or one issued to you by the client, you can take your time and not worry about the device disappearing mid-test.
This edition is the second in a six-part series on ways to be a better pentester. Take a look at the first part on the importance of firewalls and if you are a pentester, then don’t forget to keep an eye out for the next edition of this series!