Founder & CEO, Bulb Security
Georgia is an experienced penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security as well as holding CEH, CISSP, NIST 4011, OSCP certifications. Her groundbreaking work in the field of smartphone exploitation has been featured in print and on television including MIT Technology Review, Ars Technica, PC World, Fox News and Global TV Canada. She has presented her research at conferences around the world including Shmoocon, Blackhat, Security Zone, and Bsides. Georgia has delivered highly technical security training at conferences, hacker spaces, and schools to excellent reviews. Building on her experience working in both the public and private sectors, Georgia founded Bulb Security, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security.
B04 Integrating Mobile Devices into Your Penetration Testing Program
Monday, April 4, 3:15 PM - 4:15 PM
Track: Information Protection/Cloud/Mobile
Though still an imperfect science in many ways, penetration testing is often our only way of assessing the effectiveness of our security programs against actual attackers. As mobile devices enter the enterprise en masse, much focus has been on securing them and limiting the risk of BYOD using EMM, MDM, MIM, pick your favorite security control acronym. While many shops are engaging in code review, static analysis, pen testing, etc. against custom mobile applications built in-house, even enterprises with mature security programs are often ignoring mobile devices and the surrounding infrastructure in their security testing. It seems like common sense to provide adequate security testing for all devices on corporate networks, particularly when spending large chunks of budget on security controls around BYOD. If we have a DoS protection, we put it in front of staging and hit it with DoS attacks. If it falls down, the control is not providing return on investment. If we have a patch management practice we make sure there are no missing patches leading to compromise during our penetration tests, and if there are, we augment our security program accordingly. We need to be doing the same around mobile. How secure are these devices really against attack? If they are compromised, what data on the device is in jeopardy? What other assets in the enterprise are now at risk of attack from the compromised mobile device? By using traditional penetration testing techniques augmented for the unique attack vectors for mobile devices we can assess these risks and get a clear picture of the risk of BYOD in the environment. In this workshop we will discuss techniques along with live demonstration scenarios of penetration tests on mobile devices and the surrounding infrastructure. From mobile phishing to undermining security controls to using compromised mobile devices as pivot points, the mobile risk is real and we need to be simulating it in our security testing. We will discuss how these techniques can augment and extend penetration testing and how they can be seamlessly integrated into your existing security program. • Learn the real risk of mobile devices on your network • Learn how to integrate mobile devices into the testing process • Understand what other assets in the enterprise are at risk if a mobile devices is compromised • Discuss pen testing techniques for mobile devices and the surrounding infrastructure