Thursday, November 1, 2012

Mobile Device Impact on Network Analysis

Topic - As new technology becomes adopted by organizations, standards must also adapt to meet the change. Using mobile device technology as an example, discuss the differences that will need to be addressed for penetration testing. What about vulnerability assessments?

The changing landscape of technology with regard to mobile computing requires a reassessment of potential access points into a network. Wireless access points were already dangerous, as they extended the accessibility of your network outside of the relative safety of your walls. Connecting a mobile phone to the wireless network directly creates a bridge between the network and the Internet by way of the cellular data connection.

Such a bridge opens up new pathways, and expands existing ones, that penetration testing must cover.

  • New pathway: ARM Malware. Mobile devices with ARM processors are miniature computers that cannot run the executable binaries created for traditional Intel-compatible x86 and x64 processors and desktop operating systems. Analyzing malware written for them requires a toolset designed for mobile applications. Malware for the popular mobile operating systems, iOS and Android, is in the wild and on the rise (Schmidt et al., 2009).
  • Expanded pathway: Social Engineering. Because the mobile device doubles as a phone, three additional vectors of social engineering attacks are made available.
    1. The most straightforward is simply asking an employee to use their phone to make a phone call.
    2. Spear phishing via SMS can send links to malicious web servers. Due to the reduced character count, there is less room for explanation with the link, which can lead to users being less suspicious of concise messages containing links.
    3. QR code exploits and links to malicious web servers. Because QR codes are opaque, a user does not know where one points until they scan it. A malicious QR code sticker can be placed on any number of signs or objects where a target is likely to go (Kieseberg et al., 2010).
  • Expanded pathway: Man in the Middle. The data connection of the phone to the cell network can be attacked Man-in-the-Middle style by an actor impersonating a cellular base station (Meyer & Wetzel, 2004).

Vulnerability assessments are impacted because it can become very difficult to inventory the systems on the network and to assess their potential vulnerability if the network is suddenly and unexpectedly no longer homogeneous (Bace, 2009). An easy-to-see example of this is a fully managed Windows domain. All of the expected systems run Windows 7, so the VA tools utilized are designed for identifying and scanning Windows 7 systems. When an Android device is connected, it changes the network make-up. Now the VA tools fail to identify all the devices or, even worse, fail to find all the devices at all if discovery is done by reading the expected devices from Active Directory.
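The discovery gap described above can be checked by reconciling what the network actually leased addresses to against what the directory knows about. The following Python is an added example, not code from the original post; it assumes DHCP data in ISC dhcpd.leases layout and a computer-name export from Active Directory, and every sample value and function name in it is constructed for illustration.

```python
import re
# Constructed sample in ISC dhcpd.leases layout (not data from the post).
LEASES = '''
lease 10.0.0.21 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  set vendor-class-identifier = "MSFT 5.0";
  client-hostname "WS-ACCT-01";
}
lease 10.0.0.37 {
  binding state active;
  hardware ethernet 02:00:00:aa:bb:01;
  set vendor-class-identifier = "dhcpcd-5.5.6";
  client-hostname "android-3f9c1a7e";
}
lease 10.0.0.40 {
  binding state free;
  client-hostname "old-tablet";
}
lease 10.0.0.52 {
  binding state active;
  hardware ethernet 02:00:00:aa:bb:03;
}
'''
# Constructed stand-in for a computer-name export from Active Directory.
AD_COMPUTERS = {"ws-acct-01.corp.example", "WS-HR-02"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELDS = {
    "state": r"^\s*binding state (\w+);",  # anchored: skips "next binding state"
    "mac": r"hardware ethernet ([0-9a-fA-F:]+);",
    "vendor": r'vendor-class-identifier = "([^"]*)";',
    "host": r'client-hostname "([^"]*)";',
}

def short(name):
    # Hostnames are client-supplied, so a match is a hint, not proof of management.
    return name.split(".")[0].lower()

def unmanaged_devices(lease_text, directory_names):
    known = {short(n) for n in directory_names}
    latest = {}  # the lease file is append-only: the last entry per IP wins
    for ip, body in LEASE_RE.findall(lease_text):
        latest[ip] = {k: (m.group(1) if (m := re.search(p, body, re.M)) else None)
                      for k, p in FIELDS.items()}
    # Active leases whose hostname is missing or unknown to the directory.
    return {ip: r for ip, r in latest.items() if r["state"] == "active"
            and (r["host"] is None or short(r["host"]) not in known)}
```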

Bace, R. G. (2009). Vulnerability assessment. In Bosworth et al. (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Kieseberg, P., Leithner, M., Mulazzani, M., Munroe, L., Schrittwieser, S., Sinha, M., & Weippl, E. (2010, November). QR code security. In Proceedings of the 8th International Conference on Advances in Mobile Computing and Multimedia (pp. 430-435). ACM.

Meyer, U., & Wetzel, S. (2004, October). A man-in-the-middle attack on UMTS. In Proceedings of the 3rd ACM workshop on Wireless security (pp. 90-97). ACM.

Schmidt, A. D., Schmidt, H. G., Batyuk, L., Clausen, J. H., Camtepe, S. A., Albayrak, S., & Yildizli, C. (2009, October). Smartphone malware evolution revisited: Android next target? In Malicious and Unwanted Software (MALWARE), 2009 4th International Conference on (pp. 1-7). IEEE.
