A growing threat to many organizations is personal mobile devices used by employees at work and the risk of data loss created by these devices accessing sensitive company information. After a program is in place to effectively manage vulnerabilities in PCs, organizations should begin to take a look at other areas of exposure and mobile is a leading candidate.
We recently added mobile device discovery and vulnerability assessment capabilities to Nexpose to support organizations that are looking to shore up their security program and help reduce the risk of data exposure from mobiles. This new capability is free to all Nexpose Enterprise and Ultimate customers with mobile assets not counting against your licensed IPs.
How it works
We work with a company's Microsoft Exchange - on-premise or Office365 - to discover and identify the device and its operating system. The discovery process uses Microsoft's PowerShell technology to query Exchange for devices that have established an ActiveSync connection with the server, or alternatively, LDAP to query Active Directory for the same information. The query collects data that is used in conjunction with our extensive mobile device fingerprint database to identify the device along with its mobile operating system.
Once the operating system version and device type are known we are then able to assess the device for vulnerability risk and provide a risk score like other assets scanned by Nexpose. One of the nice benefits of this integration through Exchange is that a traditional physical scan of the device is not required. It's more of a virtual scan based on information already provided to Exchange as part of the ActiveSync protocol.
Step 1: Mobile Connection
To set up a mobile site in Nexpose you'll need to first create an “Exchange ActiveSync” connection. In the Assets tab of the Site Configuration wizard select the “Connection” button and then the “Create Connection” sub menu. Here you'll notice three different Exchange ActiveSync connection type options – LDAP, WinRM/Powershell and WinRM/Office365. While LDAP may be the easiest to set up, we recommend using the WinRM options if possible as they provide more detailed information (such as when the device last connected), which enables users to zero in on the most relevant device data, ignoring “stale” devices.
LDAP
This option is only available for on-premise Exchange installations. It requires the FQDN of your AD server and credentials for a user that has been granted rights to view msExchActiveSyncDevice objects.
The WinRM/Powershell and WinRM/Office365
These connection types are very similar. The WinRM/Powershell option is meant for on-premise Exchange installations and the Office365 option is for organizations that are on Microsoft's hosted solution. Both options require two sets of credentials as well as the FQDN of an on-premise Windows server that has WinRM enabled and configured. Access to a WinRM-enabled machine is required to allow Nexpose to run the PowerShell scripts used to query Exchange. One of the credentials is for a user that has been granted access to WinRM on the specified WinRM server and the other is for a user that has been granted View-Only Organization Management access on the Exchange server. Finally, for on-premise installations the FQDN of the Exchange server is also required.
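The two data paths described above (PowerShell against Exchange over WinRM, or LDAP against Active Directory for msExchActiveSyncDevice objects) can be reproduced by hand to see what Nexpose has to work with. The script below is an added example written for this post; it is not Nexpose code and not how Rapid7's connector is implemented. It assumes a domain-joined host, Kerberos authentication to the Exchange PowerShell endpoint, a View-Only Organization Management account, the Exchange 2013+ Get-MobileDevice / Get-MobileDeviceStatistics cmdlets (Exchange 2010 uses the older Get-ActiveSyncDevice names), and standard AD attribute names on the device objects. The server names and the $StaleDays threshold are placeholders.

```powershell
# Added example, not part of Nexpose. Two ways to inventory ActiveSync
# partnerships so the device type and OS string (the inputs to OS
# fingerprinting) can be reviewed and stale devices set aside.
param(
    [string]$ExchangeFqdn = "exchange.example.internal",   # placeholder
    [string]$AdFqdn       = "dc01.example.internal",       # placeholder
    [int]   $StaleDays    = 30                             # hypothetical cutoff
)

# --- Path A: Exchange cmdlets over PowerShell remoting (the WinRM option) ---
# Assumes View-Only Organization Management on Exchange and Kerberos to the
# /PowerShell virtual directory. For Office 365 replace the session setup with
# Connect-ExchangeOnline from the ExchangeOnlineManagement module.
function Get-ActiveSyncInventoryViaPowerShell {
    param([string]$Server, [int]$StaleDays)

    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$Server/PowerShell/" -Authentication Kerberos
    Import-PSSession $session -DisableNameChecking | Out-Null
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    try {
        Get-MobileDevice -ResultSize Unlimited | ForEach-Object {
            # Statistics carry the last successful sync; the device object
            # itself carries the type/model/OS strings reported by the client.
            $stats = Get-MobileDeviceStatistics -Identity $_.Identity
            [pscustomobject]@{
                User        = $_.UserDisplayName
                DeviceType  = $_.DeviceType
                DeviceModel = $_.DeviceModel
                DeviceOS    = $_.DeviceOS
                DeviceId    = $_.DeviceId
                AccessState = $_.DeviceAccessState
                LastSync    = $stats.LastSuccessSync
                Stale       = ($null -eq $stats.LastSuccessSync) -or
                              ($stats.LastSuccessSync -lt $cutoff)
            }
        }
    } finally {
        Remove-PSSession $session
    }
}

# --- Path B: LDAP against Active Directory (the LDAP option) ---
# Needs only read access to msExchActiveSyncDevice objects. These live under
# CN=ExchangeActiveSyncDevices beneath each user, so the owner is derived from
# the DN. No last-sync time is read here, which is why this path cannot flag
# stale devices the way the PowerShell path can.
function Get-ActiveSyncInventoryViaLdap {
    param([string]$Server)

    $root     = [ADSI]"LDAP://$Server"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = "(objectClass=msExchActiveSyncDevice)"
    $searcher.PageSize = 1000
    foreach ($attr in "msExchDeviceType", "msExchDeviceModel",
                      "msExchDeviceOS", "msExchDeviceID", "distinguishedName") {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    # ResultPropertyCollection keys are lower-cased; missing values yield $null.
    function Get-Prop($result, [string]$name) {
        $v = $result.Properties[$name.ToLower()]
        if ($v -and $v.Count -gt 0) { [string]$v[0] } else { $null }
    }

    foreach ($r in $searcher.FindAll()) {
        $dn = Get-Prop $r "distinguishedName"
        [pscustomobject]@{
            OwnerDn     = $dn -replace '^CN=[^,]+,CN=ExchangeActiveSyncDevices,', ''
            DeviceType  = Get-Prop $r "msExchDeviceType"
            DeviceModel = Get-Prop $r "msExchDeviceModel"
            DeviceOS    = Get-Prop $r "msExchDeviceOS"
            DeviceId    = Get-Prop $r "msExchDeviceID"
        }
    }
}

# Usage: pick the path matching the connection type you configured, then keep
# the output next to the Nexpose site results for comparison.
$inventory = Get-ActiveSyncInventoryViaPowerShell -Server $ExchangeFqdn -StaleDays $StaleDays
# $inventory = Get-ActiveSyncInventoryViaLdap -Server $AdFqdn
$inventory | Where-Object { -not $_.Stale } |
    Sort-Object DeviceOS | Export-Csv -NoTypeInformation activesync-devices.csv
```

The DeviceOS value is a free-form string reported by the client (for example a platform name followed by a version), which is exactly why a fingerprint database is needed to map it to a specific OS release before any vulnerability checks can be applied; reviewing the raw strings from your own tenant is a quick way to spot devices that report nothing useful and will therefore sit unassessed.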
Step 2: Creating a site
Once your mobile connection has been created it can then be used in the creation of a site. When the site is set up you'll then need to perform a scan. During the scanning process Nexpose will query the Exchange server and import any new devices as well as reassess the existing devices based on the current content release. Once the scan is complete, mobile assets with their associated risk score will be displayed. These assets behave like any other asset discovered by Nexpose and can be tagged, placed in dynamic asset groups, and used with all other standard Nexpose asset features.
We're excited to be providing this new capability to Nexpose and hope that you'll take advantage of it. By expanding your vulnerability assessment capabilities to mobile you'll be ahead of the curve and well prepared in protecting your organization from this new threat vector.