New gadgets, new rules
One of the most interesting things about providing penetration testing services relates to the technologies that you come up against and how they gradually change and develop over time.
Each new technology provides a new challenge, requires a new set of knowledge to be absorbed by a consultant and can often provide stimulating security research potential.
With this in mind, over the past few months there has been a sizeable increase in the number of clients I work with that have chosen to integrate secure mobile communication solutions such as BlackBerry into their critical messaging infrastructure.
As a result, my colleagues and I have been ramping up our skills with BlackBerry and carrying out sophisticated vulnerability assessments of some infrastructure deployments, usually followed with dedicated penetration testing of the mobile applications themselves.
As expected with any newly deployed messaging technology, the security flaws we are finding in these engagements range from departures from best practice through to show-stoppers such as the potential external compromise of all internal messaging services. In other words, sadly, nothing unusual there.
What is interesting, though, is how these organizations have ignored their own internal security procedures and failed to follow guidelines for deploying a critical infrastructure component which is capable of bridging their perimeter defense solutions.
For instance, they will deploy messaging hosts that have not been hardened. They will leave default administrator accounts in place with passwords that are easy to guess, or leave default or sample files installed.
They might even fail to install the appropriate network segregation devices between the mobile messaging platform and the corporate LAN.
Perhaps these failures can be attributed to a perception by IT departments that any deployment of BlackBerry is really just an executive toy, or is part of an evaluation program, and is therefore not worthy of serious security consideration.
Or it may be that business managers have already decided that the ability to securely send and receive email or to access intranet resources on the move outweighs any probable security implications.
Or worse yet, perhaps everyone has accepted the product marketing department's promise of an "end-to-end security model" without verifying it for themselves?
Needless to say, the security implications of the vulnerabilities we are discovering during these assessments tend to have high-risk consequences to business continuity. Fortunately, the most serious flaws are easy to remediate and can be fixed pretty quickly.
In the next few months, as more security research teams turn their attention to BlackBerry – or any other popularly deployed new mobile technology – new vulnerabilities and ingenious methods to exploit them are guaranteed to appear.
It is really dangerous to work on the assumption that there are no vulnerabilities in a technology just because none have been publicly disclosed so far.
Indeed, security departments of organizations which have deployed these technologies should keep a close eye on the popular vulnerability alerting services for the next wave of exploits and (hopefully) timely vendor patches. They could prove crucial in blocking a new wave of problems.
Certainly, the vulnerabilities uncovered thus far during penetration tests, which are specific to a default deployment of the mobile technology, mean that organizations that have already deployed it – or which are thinking about deploying it (or any similar mobile messaging solution) – really should call in a professional security team with prior knowledge of the technology before going "live".
Where possible, organizations should try to make use of any knowledge transfer possibilities to build up internal security expertise.
While I appreciate the business justifications for the technology, and the steps that BlackBerry and the other mobile messaging solutions have taken to address current security concerns, the continued blurring of the network perimeter and the increasing volume of confidential data accessible remotely mean that organizations need to be even more vigilant about the technologies they select.
It is equally important that organizations update their computer and data usage policies to cover mobile messaging devices and ensure that all users fully understand the security significance of the devices they use, together with their limitations.
Gunter Ollmann is professional services director, Next Generation Security Software Ltd.