Pentesting Employee Owned Devices?

The good old days of inventory control are long gone. Today's organizations allow their users to bring their own devices to work. This means devices are not always controlled by the organization's policies and control systems. While a user's computer will be restricted to business tools and protected behind network firewalls and intrusion detection systems, the user will take the computer home after work to play Angry Birds with no network-level defense. According to a Microsoft study, 67% of those surveyed bring personal devices to work. Alarmingly, only 42% of the companies surveyed have bring your own device (BYOD) policies.

When it comes to policies and standards, the biggest change IT departments will face is a lack of budget. With BYOD, the quantity and categories of devices have increased dramatically. However, companies may not have picked up on the costs related to implementing BYOD practices. To perform an educated risk assessment, stakeholders must do a thorough analysis of the device platforms that will be allowed under BYOD policies. Once a BYOD policy is defined, users connecting to the company network with personal devices must be required to sign a statement declaring that they will comply with the organization's policies. Mobile penetration testing applications such as zANTI, Fing, and Zimperium allow network and system administrators to run vulnerability scans, man-in-the-middle simulations, and network port scans on and against mobile devices. In contrast to traditional vulnerability assessments, BYOD brings in the complication of user-owned devices.

The first step towards secure BYOD is to make a distinction between company-owned and personal devices. Any device connecting to the organization's network must first be scanned for malicious software, and installed applications must be updated to their latest versions. Devices accessing an organization's network may be flagged for vulnerability scans. Some state and national laws might restrict a company's ability to perform vulnerability scans against employee-owned devices. However, there are other things we can do to prevent these devices from being used in data breaches. Devices with access to the organization's data must be encrypted. Device and user validation is a key step to security in the BYOD world. For example, when a device tries to assume the identity of another, a device theft has occurred. Network and system administrators must be able to react to such situations swiftly. Network administrators can enforce policies that prevent rogue applications on users' personal devices from accessing the network.
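The controls just listed (separate corporate from personal devices, require a recent malware scan and up-to-date applications, require encryption for data access, and validate that a device really is the device it claims to be) are easy to state but only useful if something enforces them at connection time. The following is an added example, not code from the original post, of a minimal admission check that applies those rules to connection attempts. The inventory, device ids, fingerprints and timestamps are all constructed for illustration; the idea that a device is identified by a hardware fingerprint registered alongside its owner is an assumption of this example, not something the post specifies.

```python
"""Added example (not from the original post): a device-admission check
that applies the BYOD controls described above to connection attempts.

Assumptions (not from the page): each registered device has an owner, a
class ("corporate" or "personal"), a hardware fingerprint, an encryption
flag and the time of its last malware scan. A connection attempt carries the
device id, the user, the fingerprint the device presents and how many of its
applications are not at their latest version. All values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class DeviceRecord:
    owner: str
    device_class: str        # "corporate" or "personal"
    fingerprint: str         # stand-in for a hash of hardware identifiers
    encrypted: bool          # storage encryption enabled on the device
    last_scan: datetime      # time of the last malware scan


@dataclass
class Attempt:
    device_id: str
    user: str
    fingerprint: str
    outdated_apps: int = 0   # applications not at their latest version


# Constructed inventory and "current time"; none of these are real devices.
NOW = datetime(2014, 6, 1, 9, 0)
INVENTORY = {
    "lt-0001": DeviceRecord("alice", "corporate", "fp-a1", True, NOW - timedelta(days=1)),
    "ph-0042": DeviceRecord("bob", "personal", "fp-b7", True, NOW - timedelta(days=2)),
    "ph-0077": DeviceRecord("carol", "personal", "fp-c3", False, NOW - timedelta(days=1)),
    "ph-0099": DeviceRecord("dave", "personal", "fp-d9", True, NOW - timedelta(days=30)),
}

MAX_SCAN_AGE = timedelta(days=7)   # assumed policy value


def evaluate(attempt, inventory=INVENTORY, now=NOW):
    """Return (decision, reasons).

    decision is "allow", "quarantine" (remediation network only: scan and
    update, no data access) or "deny".
    """
    record = inventory.get(attempt.device_id)
    if record is None:
        return "deny", ["unregistered device"]

    # Identity validation: a registered id presented with a different
    # fingerprint means one device is assuming the identity of another.
    # This is the case the text says administrators must react to swiftly.
    if record.fingerprint != attempt.fingerprint:
        return "deny", ["identity conflict: device id presented with a different fingerprint"]
    if record.owner != attempt.user:
        return "deny", [f"device registered to {record.owner}, not {attempt.user}"]

    reasons = []
    # Encryption is a hard requirement for any device that touches company data.
    if record.device_class == "personal" and not record.encrypted:
        return "deny", ["personal device not encrypted"]

    # Scan freshness and update state decide between full access and remediation.
    if now - record.last_scan > MAX_SCAN_AGE:
        reasons.append(f"malware scan older than {MAX_SCAN_AGE.days} days")
    if attempt.outdated_apps > 0:
        reasons.append(f"{attempt.outdated_apps} application(s) not at latest version")
    if reasons:
        return "quarantine", reasons

    return "allow", [f"{record.device_class} device policy applies"]


if __name__ == "__main__":
    for a in (
        Attempt("lt-0001", "alice", "fp-a1"),
        Attempt("ph-0042", "bob", "fp-b7", outdated_apps=3),
        Attempt("ph-0077", "carol", "fp-c3"),
        Attempt("ph-0042", "bob", "fp-zz"),
    ):
        print(a.device_id, *evaluate(a))
```

The ordering of the checks matters: identity and ownership conflicts are denied before posture is even considered, because a device presenting another device's registered id is an incident to investigate, not a machine to remediate. Unencrypted personal devices are also denied outright, while stale scans and outdated applications only route the device to a remediation network where it can be scanned and updated before it touches company data.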

BYOD is a trend that is taking over today's corporate world. Organizations need to update their policies and ramp up their defenses to cover all sorts of hardware and software platforms. While penetration testing is a good way to learn a company's weak points, it is not easy to implement in the BYOD world. In this case, the security policies described above can help mitigate cyber-attacks.

The author would love to hear your comments. Let us discuss at Twitter @hashtaginfosec.