14 November, 2011

MobiSec Live Environment DARPA Project

Secure Ideas
Author: Secure Ideas
Mobile devices have become the most common computer technology available today, as indicated in a recent report from the CTIA stating that the United States now has more mobile phones than people; a staggering 327.6 million phones!  In the past year, the number of smartphones and wireless-enabled PDAs (tablets, e-readers, etc.) has risen 57%, to a total of 95.8 million devices.  These mobile devices have increased in computing capabilities and features, typically remaining connected to the Internet a majority of the time, if not constantly.  These devices have also become a major target to attackers due to these increased capabilities and features, resulting in large amounts of data stored on the devices or removable media.  Organizations are challenged in understanding the security concerns and risk related to both these devices and the applications running on them.
One of the challenges organizations face is the expense and complexity in designing, developing, and building test environments to adequately evaluate the security controls and risks around their mobile devices, applications, and infrastructure.  Consequently, the complexity and expense increases by orders of magnitude when taking into account the variety of mobile devices, operating systems, application versions, supporting infrastructure, and the various potential configuration settings that an organization may include in their mobile environment.  Given these challenges, very few organizations are actually testing mobile device security as it relates to their environment.
Secure Ideas is working to solve this challenge that organizations face with the development of the MobiSec Live Environment, which will be a live testing environment that is preconfigured and installed with all the tools and configurations needed to perform security assessments and testing of mobile platforms.  The benefits will provide penetration testers, mobile IT administrators, and information security professionals the ability to assess mobile environments with a suite of tools that are structured and organized based on an industry-proven testing methodology, all within a testing environment that has been tested and validated to support each of the testing tools.  This relieves the testers of having to research mobile testing tools independently and build an environment to maintain and launch the testing tools, with all the prerequisites required for all the tools.  With the MobiSec Live Environment, the operating system includes all the prerequisites required for all the tools and scripts, which have been tested and validated to work correctly.  
This live environment will also provide the ability to update the tools over the Internet with little effort by the tester, again relieving the requirement for constantly maintaining the tools and the environment from which they are launched.  The MobiSec Live Environment can run as a “read-only” environment, ensuring the integrity of the tools and environment each time it is used, or it can be installed into an environment that can be updated or enhanced with additional tools as the tester deems necessary.  This gives the tester the flexibility needed to customize the MobiSec Live Environment for specific needs and requirements.  
The MobiSec Live Environment makes mobile penetration testing more streamlined for the tester, allowing more time to focus on the test objectives and progress, and less on the tools or the testing environment.  These benefits all come without any cost or expense to the tester as the MobiSec Live Environment will leverage an operating system and tools with licenses based on free or open source software.  The intent here is to provide a comprehensive mobile testing environment, organized and structured based on an industry-proven testing framework, openly available and financially accessible for all organizations, improving the testing capabilities and overall security posture in the mobility space.
In order to financially support the development of this project, Secure Ideas turned to the DARPA Cyber Fast Track (CFT) Program.  The objective of this program is to support multiple small cyber projects with a focus on short time frames, low cost, and with the expectation of results demonstrated in less than 12-month periods.  This is an excellent program for small security companies, like Secure Ideas, to obtain financial support for quick and inexpensive security projects.  The process for submitting a project proposal is rather straightforward and simple, and the time for the CFT program to review proposals and provide a response is less than 2 weeks.  For the MobiSec project, Secure Ideas received approval within 5 days!
The CFT Program requires submitters to provide documentation that complies with their very specific requirements for both formatting, length, and content.  However, compared to the typical proposals for Government programs, this process was a breeze.  The proposal must include an executive summary, a detailed technical description of the proposed solution, metrics that will demonstrate the performance of the project through the entire life cycle, a statement of work with a detailed task breakdown, a schedule of milestones and deliverables, and a detailed list of costs and expenses.  Details of the program and how to submit a project proposal can be found at  http://www.cft.usma.edu/resources/DARPA-RA-11-52_(CFT)-1.pdf and more information about the program is available at  http://www.cft.usma.edu/.
The completion of the MobiSec Live Environment Mobile Testing Framework project, which will be performed solely by Secure Ideas, is targeted for release in February 2012.  Secure Ideas plans on using the MobiSec Live Environment in a future release of the SANS SEC571 Mobile Device Security class, which will make its debut at the SANS Cyber Defense Initiative 2011 conference in Washington, DC.  Additional blog entries will be posted as we build out this environment identifying tools and utilities that will be included, as well as lessons learned.  Stay tuned.

Join the professionally evil newsletter