NIST Guidance on Mobile Security

Over the last two decades, the role of IT departments has undergone dramatic change due to the growing percentage of Americans who rely upon their tablets, smartphones, or similar mobile devices to accomplish their daily work activities. As is so often the case, this progress has been a boon in some ways and a mounting problem in others, especially for IT; on one hand, the Internet of Things [IoT] has made it so employees are more efficient, on the other, it has opened up a new Pandora’s box of potential cybersecurity threats.

Security controls rarely keep pace with the security risks posed by new tech. And in the case of mobile, security threats arise from both bring your own device [BYOD] policies as well as corporately owned and personally enabled [COPE] mobile policies. In response to this looming threat, the National Institute of Security Technology [NIST] released its “Guidance on Mobile Security Report,” which we’ll outline below. Armed with these security recommendations, your business can ensure that your mobile security practices are up to date and robust.   

 

NIST Guidance on Mobile Security

Overview

The stated goal of the NIST report is that mobile devices need to achieve three primary security goals:

1. Confidentiality – You want to ensure that any transmitted or stored data is unable to be read by unintended third-parties. This protects both personal information and trade secrets.
2. Integrity – Businesses need to be able to confirm that all of their stored or transmitted data is uncorrupted, whether those changes be intentional or unintentional. 
3. Availability – Although it’s crucial that devices be protected, they also need to be functional and allow the right users to safely access company resources wherever and whenever needed. 

 

Assess your NIST 800-171 / DFARS / CMMC compliance

 

In order to achieve these stated goals, the NIST recommends that your business implements the following mobile device security practices in order to strengthen your mobile cybersecurity. These include:

• Install a mobile device security policy – By clearly defining and outlining a mobile device security policy, your team can better understand the role mobile tech plays in your business and the specific threats it may pose. The more consistent this policy is with your existing security policy for non-mobile systems, the better. To accomplish this, topics you will want to define and clarify include:
  • What organizational resources mobile devices have access to?
  • What types of devices can access said resources?
  • Degrees of access that mobile devices have, particularly when it comes to personally owned devices vs. company-issued devices. 
  • How your organization’s centralized mobile device management servers are managed.
    

 

• Develop System Threat Models for Mobile Devices – Naturally, non-mobile devices are far less vulnerable to breach since they’re static, left at work, and covered by years of overlapping IT safety procedures. Mobile devices are more highly exposed to threats due to the fact that their portable nature allows workers to take them out of the workplace. Suddenly free from your business’ security restrictions, those devices are susceptible to a host of attacks from various means, such as:
  • Public Wi-Fi
  • Unprotected Wi-Fi
  • Third-party applications
  • Malware and adware

By developing a system of threat models, you can highlight the most likely threats vulnerabilities  and then calculate:

• • The likelihood of an attack’s success.
  • The potential impact of a successful attack.
  • What security controls need to be added or improved to patch those holes. 

 

• Add the right security services necessary – There are a host of services available that can ensure overlapping security coverage for mobile devices. This includes:
  • • A general overarching policy of mobile security by adding elements such as:
      • Access restrictions to software and hardware
      • Auto-detection and reporting of policy violations
      • Wireless network interface management
    • Protecting data communication and storage by encrypting and wiping data, particularly if devices are lost, stolen, or compromised by a third party. 
    • Restricting access to the apps and the app store on mobile devices. 
    • Requiring device authentication or dual authentication for logins, password resets, app installs or updates, and auto-locking of device. 

 

• Ensure that company-issued devices are fully secure – It’s become widely known that employees and human error are the primary threat to any business’ security. One CNBC report states:
  Employee negligence is the main cause of data breaches, according to a state of the industry report by Shred-it, an information security company. The report found that 47 percent of business leaders said human errors such as accidental loss of a device or document by an employee had caused a data breach at their organization.

With this in mind, it’s essential that you take all proper precautions to ensure that a device is already as secure as possible before you ever expose it to your employees. 

 

 

High-Level Threats and Vulnerabilities Posed by Mobile Devices

As mentioned, mobile devices are a much more complex security threat than their static counterparts. The report states:

Mobile devices often need additional protection because their nature generally places them at higher exposure to threats than other client devices (e.g., desktop and laptop devices only used within the organization’s facilities and on the organization’s networks). Before designing and deploying mobile device solutions, organizations should develop system threat models for mobile devices and the resources that are accessed through mobile devices.

With that in mind, the largest major mobile security threats tend to be:

 

Lack of Physical Security Controls

Mobile devices are taken with the user wherever they go. This includes their homes, stores, restaurants, coffee shops, conferences, businesses, and hotels. This increases the likelihood that they are stolen, lost, or have their data breached and compromised. 

The NIST recommends that as you go about planning your device security policies, you should simply assume that, eventually, one or multiple devices will be either acquired or accessed by malicious parties, whether physically or virtually. Steps your business can take to mitigate this include:

• Authentication – The employee needs to confirm their identity and security clearance before any device can access organizational resources. Typically, this takes place in the form of PIN or password, but you can take stronger actions by requiring any or all of the following:
  • Token-based authentication
  • Domain authentication
  • Network-based authentication

• Encrypting data – In order to protect sensitive company information, encryption ensures that it can’t be intercepted or recovered by unauthorized parties.

• Employee education and training – Seeing as employee device negligence is the largest cause for cybersecurity breaches, the more training and education your employees have about threats and best practices, the safer your business will be. 

 

Bring Your Own Device [BYOD] 

Personally owned mobile devices have far more exposure to potential external breaches, particularly due to the lack of security and organizational oversight. The NIST report states: 

Communications systems may include wireless mechanisms such as Wi-Fi and cellular networks. These communications systems are susceptible to eavesdropping, which places sensitive information transmitted at risk of compromise. Man-in-the-middle attacks may also be performed to intercept and modify communications.

Knowing the threat that BYOD policies pose to a business, if you do allow them, it’s essential that you operate on the assumption that networks connecting personal mobile devices and your business are likely compromised. Steps you can take to mitigate this problem include:

• Don’t allow BYOD policy. 
• Require that employees use a VPN if they use personal devices. 
• Disable network interfaces that don’t need to be accessed by personal devices. 
• Prohibit personal devices from accessing insecure Wi-Fi networks. 

 

Untrusted Applications 

Mobile devices were created to work effortlessly with the third-party applications store. Naturally, this is a clear and present security risk, seeing as the app stores do not put additional restrictions or security protocols on third-party apps. Simply put, it’s safer to assume that every foreign app is untrustworthy. With that in mind, steps you can take to avoid issues with malicious apps include:

• Forbidding the installation of apps.
• Whitelisting so that only organization approved apps can be downloaded.
• Using a sandbox that separates apps from all of the organization’s data.
• Confirm that apps only receive the barest minimum permissions. 

Such mitigation efforts do not address web-based applications that can be accessed via browsers in mobile devices. These too can pose serious security threats, so it may be worthwhile to restrict browser access and taking actions such as:

• Using HTTP proxy servers.
• Sending device traffic through secure gateways.
• Use a browser within a secure sandbox. 

 

Location Services

Practically every mobile device will run location services. They utilize the GPS location of the device to better optimize web browsers, apps, navigation, and social media so that the device knows what services are nearest to the user. Unfortunately, this exposes devices to increased risk of attack. Hackers have more information to determine where the user and the device is at in any one time and what types of activities they engage in at various locations. 

To mitigate this issue, consider the following actions:   

• Prohibit the use of location services on photo and social networking applications.
• Have employees turn off location services manually when they’re in sensitive locations.

 

 

Incorporating NIST Guidance

In order to properly apply the concepts and NIST guidance discussed above, NIST recommends implementing an action plan similar to its five-phase life cycle model. The phases are:

• Phase 1: Initiation – Before ever creating a mobile device solution, your business needs to get a comprehensive overview of the following:
  • Your business’ current and future mobile security needs.
  • Your mobile requirements in regard to security, performance, and functionality. 
  • Elements of mobile device security that you desire the policy to contain. 
  • Which resources can or cannot be accessed via mobile devices?
  • Degrees of access that mobile devices can have. This will likely depend on a host of factors including:
    • Sensitivity of work
    • Cost
    • Work location
    • Technical limitations
    • Compliance with other policies
    • Level of confidence in policy compliance.  

 

• Phase 2: Development – At this stage, your IT department helps narrow down the technicalities of your mobile device security policy. This includes identifying the following:
  • Types of mobile devices that can be authorized for use.
  • Authentication methods used to protect stored data.
  • Cryptographic mechanisms added to create further layers of security.
  • Solution components for specific vulnerabilities.  

 

• Phase 3: Implementation – Once you’ve reached this point in the process, all of the equipment and additional security is configured, installed, tested, and then activated once given the green light. Part of this involves integrating new security protocols with previous protocols and technologies. Aspects that require evaluation include:
  • Applications
  • Authentication
  • Connectivity
  • Default settings  
  • Logging
  • Management
  • Protection
  • Security of the implementation

 

• Phase 4: Operations and Maintenance – In order to maintain mobile device security, you need to have operational processes in place that can be performed as checks on a frequent basis. Operations that require such regular oversight include:
  • Scrubbing sensitive data from mobile devices.
  • Revoking access to or deleting risky applications.
  • Training employees about mobile devices threats and best practices.
  • Red flagging anomalies that might indicate malicious activity or lax security protocols. 
  • Maintaining an active inventory of mobile devices, users, and apps. 

 

• Phase 5: Disposal – Per the NIST Guidelines, “Before a mobile device component permanently leaves an organization (such as when a server’s lease expires or when an obsolete mobile device is being recycled) or is reassigned to another user, the organization should remove any sensitive data from the mobile device.” Because there are so many places data can hide or be stored, this can be a time-consuming task, especially if you wish your security staff to be thorough. 

 

 

Abiding by NIST Guidance 

Far too many companies neglect to address the gaping breaches in their mobile security protocols. This is why the NIST issued its guidelines on best practices and procedures. By applying these, you can shore up your defenses, ensuring your cybersecurity is impenetrable. 

At RSI Security, we have helped hundreds of companies implement such NIST security measures. Whether you are a privately-owned business or a federal government contractor, our goal is to help you understand the mobile risks and then install preventative measures to keep your business safe and secure. So, reach out and we can immediately begin our comprehensive security review of your business. 

 

 

---

Sources

NIST. Guidelines for Managing the Security of Mobile Devices in the Enterprise. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf

Reinicke, C. CNBC. The biggest cybersecurity risk to US businesses is employee negligence, study says. (2018). https://www.cnbc.com/2018/06/21/the-biggest-cybersecurity-risk-to-us-businesses-is-employee-negligence-study-says.html

NIST. Mobile Device Security Cloud and Hybrid Builds. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-4.pdf

MeriTalk. NIST Release Guidance for Enterprise Mobile Security. (2019). https://www.meritalk.com/articles/nist-release-guidance-for-enterprise-mobile-security/

Kobialka, D. MSSP Alert. NIST Updates Mobile Device Security Guide. (2019). https://www.msspalert.com/cybersecurity-news/nist-mobile-device-security-guide/

Absolute Blog. NIST Releases Draft Guide on Mobile Security Threats. (2016). https://blogs.absolute.com/nist-releases-draft-guide-on-mobile-threats/