Penetration Testing and IoT: A Conundrum
Penetration testing is a tried and tested formula; yes, it is somewhat expensive if the company chooses to hire the market leaders of the industry. The focus of the activity is to “allow yourself to get hacked, so as not to get hacked for real”. A simple premise, if you ask any of us here at Hackercombat.com, but it really is a corporate IT security activity that must be done at the soonest. Regardless of how large the company is or how long it has been in existence, someone from outside should check the cybersecurity readiness of the organization.
Of course, penetration testing in its most basic form covers only the most common devices: servers, NAS, TCP/IP network architecture, workstations and application/web-based software. The largest number of devices in any company today, however, are small internet-connected devices: mobile phones, tablets and IoT. The first two are usually categorized as corporate-issued or personal devices. Corporate-issued devices can be regulated and administered by the company itself through its IT team or MSP (Managed Service Provider). The same cannot be said of personal devices owned by the employees themselves, the arrangement known as BYOD (Bring Your Own Device).
So what can a company do as it treads into this very critical aspect of having external devices, not owned by the company but still used on the company’s official Wi-Fi network? Any experienced system administrator will answer: create a separate Wi-Fi network for them. Indeed, that is the most practical and the cheapest way to still run these devices safely: in a separate network, under a bandwidth-controlled Internet connection. We don’t like seeing a smartphone taking lots of bandwidth away from corporate workstations, if you ask us here at Hackercombat.com.
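As an added illustration of that advice (this is our own example, not a configuration from any vendor or from the article's sources), the nftables ruleset below sits on the gateway between three hypothetical interfaces, `lan0` (corporate LAN), `byod0` (the separate BYOD/guest Wi-Fi) and `eth0` (the Internet uplink), keeps BYOD traffic out of the corporate LAN, logs any attempt so it can be picked up by monitoring, and caps the BYOD Internet path at an assumed 10 MB/s.

```nftables
#!/usr/sbin/nft -f
# Assumed interface names (hypothetical): lan0 = corporate LAN,
# byod0 = separate BYOD Wi-Fi, eth0 = Internet uplink.
flush ruleset

table inet byod_segmentation {
    chain forward {
        # Default-deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections already permitted may flow back.
        ct state established,related accept

        # Corporate LAN keeps its full, uncapped Internet access.
        iifname "lan0" oifname "eth0" accept

        # BYOD must never initiate connections into the corporate LAN.
        # Log and count the attempt so the SOC can see a misbehaving device.
        iifname "byod0" oifname "lan0" log prefix "byod-to-corp-blocked " counter drop

        # BYOD -> Internet only, policed to 10 MB/s (assumed cap).
        # nftables 'limit' is a simple policer that drops packets over the
        # rate; use tc for proper shaping if you need smoother throughput.
        iifname "byod0" oifname "eth0" limit rate over 10 mbytes/second counter drop
        iifname "byod0" oifname "eth0" accept
    }
}
```

Load it with `nft -f <file>` and confirm the isolation with `nft list table inet byod_segmentation`; the `byod-to-corp-blocked` counter should stay at zero on a healthy network.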
This arrangement is also a win-win solution for employees who use their own devices for work (let’s not kid ourselves, even the members of a company’s board of directors practice BYOD), while the company’s network remains a realm of devices that are strictly corporate-owned. The concern then becomes how employees store corporate information on their personal devices. What if these same devices are lost or stolen?
Encryption helps level the playing field, giving security-conscious individuals a better defense than those who have not enabled encryption. iOS and Android devices both have encryption implementations (in fact, in iOS it is enabled by default). A lost encrypted phone holds only garbled data and is useless to whoever picks it up and wishes to extract the data from it.
Mobile devices were very vulnerable to malware in earlier years, and the threat still exists, but in a very different, less risky state. This is because Android itself provides built-in antimalware maintained by Google, named Play Protect, which scans for malware at regular intervals and updates automatically through the Google Play Store. Companies may ask penetration testing services whether they cover penetration testing for mobile devices as well. Many such services are up to date with the evolution of cyber attacks and malware, and they can provide an acceptable level of penetration testing that is mobile-device-aware.