Leveraging NIST Standards to Streamline Your Mobile-First Security Strategy
There is no doubt that mobile devices continue to play an increasingly important role in our daily lives. They’re the devices we use to connect with friends and family, stay informed, and be entertained. This shift towards mobile has prompted companies to transform into mobile-powered businesses.
Users’ increased reliance on mobile devices has introduced growing exposure to cybercrime for today’s businesses and government agencies. For security teams, it is essential to recognize that mobile devices aren’t just the tool of choice for employees. They’re the target of choice for cyber attackers.
Mobile Devices are Being Targeted
Phishing and ransomware attacks continue to inflict damage on enterprises and government agencies, and mobile devices are becoming one of the main avenues through which these attacks are perpetrated.
90% of breaches are caused by phishing attacks. And in waging these attacks, criminals are increasingly targeting mobile device users. In fact, 80% of phishing sites are either specifically designed for mobile devices or work on both mobile devices and laptops.
Mobile Devices Can Be More Susceptible to Attack
Users are six to 10 times more likely to fall for an SMS-based attack than an email-based attack. Part of the reason for this is that mobile devices tend to have smaller form factors and interfaces, which can make it difficult for users to detect malicious messages or links.
Mobile Devices Are Particularly Difficult to Secure
In many cases, employees work on devices they own and use in their personal lives, ultimately acting as “administrators” on these devices, deciding which apps to install, when to update apps, and so on. This exposes devices to a variety of risks, not merely that of users inadvertently installing malware.
Legitimate apps may be compromised and introduce malware when downloaded from an app store. Many examples in recent months have shown that widely used consumer applications can pose a privacy and security threat, leading some organizations to institute bans to keep their user communities from installing or engaging with these apps.
These are just some of the risks that occur in the application domain. The networks mobile users access can also present specific risks. Users can work while on a public Wi-Fi network in a café or an inadequately secured Wi-Fi network at home, exposing corporate sensitive data and communications.
For these reasons and many more, the technologies and approaches applied to traditional laptops can’t readily be employed on mobile devices.
Resources and Frameworks for Securing Mobile Devices
Now more than ever, it is vital to establish some level of control over employees’ mobile devices and institute safeguards for whether and how these devices can access sensitive corporate services and assets.
Fortunately, organizations like the FBI have established strong defenses and documented processes and best practices to follow.
Peter Alex, Head of Engineering and Development – Enterprise Mobility, Federal Bureau of Investigation, explained, “Working within a government agency like ours, we view it as a responsibility not only to establish rigorous defenses for our own environments but also to support organizations in developing standards that help all organizations, both enterprises and government agencies, achieve high levels of security.”
The FBI has taken a holistic, comprehensive approach to mobile device security since 2016 and has created teams to focus on this arena. They’ve been employing mobile device management and enterprise device management. They examined all the specific aspects that makeup device security from the outside in, including ensuring cloud instances used by mobile devices are secure, vetting applications, and establishing mechanisms for preventing tampering at the hardware, operating system, and firmware levels.
“You have to be very granular in the way you look at this because if you’re not, you may be opening up your environment to a vulnerability,” Alex revealed. “We have to make sure we keep patches and updates current and ensure we have the software and policies needed to prevent attackers from infiltrating our systems.”
As part of their mobile device security approaches, Alex and his team have relied heavily on the guidance and resources put forth by government agencies and their partners.
“We rely extensively on standards from organizations like NIST, DISA, and NIAP,” Alex explained. “My team is only so big; we have to rely on the guidance and standards put out by these industry experts. These organization’s standards have been vital as we’ve developed our mobile security ecosystem.”
MITRE Collaboration
The team at MITRE plays a central role in the development of security standards, including in the area of mobile device security.
“As a nonprofit, MITRE works with government agencies and enterprises to develop guidelines and frameworks for establishing granular, comprehensive approaches to security,” explained Eugene Craft, Privacy & Risk Engineer, MITRE. “We start by really taking a risk management approach, analyzing where threats and vulnerabilities are, and focusing on ways to mitigate those threats.”
One of the resources Eugene and the team at MITRE have assisted with developing is NIST Special Publication 1800-22C, “Mobile Device Security: Bring Your Own Device (BYOD).” In developing this guide, the team established a lab, analyzed the risks, and developed a solution to help mitigate those risks.
“We developed these solutions and then created actual implementation guides that help explain what we were doing and how to manage an implementation,” Craft explained. “In addition, NIST does a great job of listing the various threats that confront organizations and the countermeasures available for addressing those threats.”
This comprehensive solution included defenses for protecting at the network layer, application layer, and OS stack. Additionally, they developed key policies and workflows, such as notifying a user or administrator when a device is out of compliance.
“You need a comprehensive program to stop some of the threats that are out there today,” Craft said.
The solution also includes the following key aspects:
- Trusted execution environment. The lab featured a trusted execution environment, which was key in establishing a separation between personal and business areas. This is critical in the context of bring-your-own-device (BYOD) scenarios, where user privacy must be addressed. There is a lot of personal data on user-owned devices, and any security mechanisms employed need to be aligned with that reality.
- Cryptography. Their solution employed encryption in order to ensure devices were only starting in a secured state.
- Application vetting. The team employed an application vetting service, which enabled administrators to detect specific application behavior that points to malware. (See more on this topic below.)
- User controls. The solution features the implementation of controls like screen locks, privacy settings, and backups. With these controls, teams can make sure features like a device’s camera aren’t being operated without the user’s permission.
“NIST has developed a privacy framework and risk assessment methodology, and I encourage anyone implementing new security features on employee devices to go through a privacy analysis and make sure any actions taken on user data aren’t problematic,” Craft revealed. “For example, with some security tools, you might start gathering details that include a user’s browsing history. First, this data may not be needed, and second, it can present a lot of potential exposure for users, who may, for example, be searching for information on a health condition.”
The Benefit of Mobile Threat Defense Solutions Like Zimperium
The lab-generated solution had backend processes like mobile threat defense (MTD) solutions, including offerings from Zimperium. Zimperium MTD™ was used both in the solution for BYOD as well as corporate-owned devices, standard 1800-21.
Zimperium MTD enables teams to establish granular policies and controls for executing a mobile-first strategy. MTD offers comprehensive safeguards for protecting employee devices, offering defenses around risky applications, mobile malware, and network compromises.
Craft explained, “The reason MTD solutions like Zimperium’s are beneficial is they provide a look at a device’s threat posture based on activity, monitoring for insecure configurations and applications, threats, and risky network activity, such as unencrypted traffic going over an insecure Wi-Fi network. The solution provides alerts to users and administrators so they can take action before harm occurs or to minimize any damage. The reality is that the bulk of breaches ultimately come down to a human element, such as a user being fooled, clicking a link on accident, and so on. This is a big reason NIST has highlighted the need for MTD in their different practice guides.”
Application Vetting
In working with customers, we’re commonly asked how security teams can identify applications that users have installed on their devices and spot those that are out of compliance.
For security teams in enterprises offering corporate-owned devices, it is vital to vet applications before they are run on user devices. Teams need to detect software configuration flaws. As users, how do we know whether an app we’re downloading will ultimately share our data with a foreign government agency? How do organizations vet an app before they enable users to access it?
When it comes to application vetting, it is important to look at a range of factors, including vendor reputation, cryptography that’s used to preserve installation and update integrity, what mechanisms the vendor uses to protect data, and whether they take steps to ensure third-party libraries don’t introduce risk. MTD solutions can help with these efforts, examining apps to assess these factors while operating in the background.
In addition, it is vital for application developers to safeguard their apps, both during the development lifecycle and post-deployment.
Taking a Pragmatic, Balanced Approach
One of the most difficult challenges in securing mobile devices is striking the right balance between establishing strong security while ensuring a seamless end-user experience and addressing user privacy. Fundamentally, any approach needs to be pragmatic.
As Alex outlined, “We can add all kinds of security processing onto a device and create the most secure phone, but if this means the device’s battery dies after 30 minutes, it’s not really a solution. We need to focus on specific risks and address those threats while making sure our agents and staff out in the field can do their jobs.”
One way to facilitate this is to pair MTD with mobile device management (MDM). For example, teams can provide a zero-touch activation experience. With a corporate-owned device, teams can take steps to ensure only vetted applications make it onto devices. In BYOD environments, devices can be running a lot of unvetted applications and operating in untrusted environments. To combat these risks, security teams need to take a very detailed approach to all the layers required and then get into the privacy aspects.
Where to Start
Begin with understanding where you are in your security journey, determine use cases, and let those use cases drive requirements. NIST SP 800-124r2 Guidelines for Managing the Security of Mobile Devices in the Enterprise lists the threats and the countermeasures that can address them. Security teams are encouraged to use these guidelines as a starting point to steer plans and investments.
Look at vulnerability and risk management in a cohesive way. Pair an MTD solution that has app vetting services built-in with an MDM. This can be a great way to reduce risk and improve visibility. Be sure to look for ways to address threats while ensuring user privacy and providing a seamless experience. Finally, it is important to continually track, adapt, and improve. It’s not a one-and-done exercise.
As Craft explained, “Security needs to keep evolving because I can assure you threat actors are changing their methods all the time.”
Conclusion
As mobile devices and applications continue to be integral to our daily work lives, they represent an increasingly vital asset to protect. The good news is that security teams don’t have to go it alone. By leveraging standards and frameworks put together by organizations like NIST and MITRE, teams can leverage proven, robust mobile security approaches.
To learn more on how to leverage NIST Standards to streamline your mobile-first security strategy, watch this on-demand webinar.
Author: Monique Becenti
Mobile Device Security Expert. View the author’s experience and accomplishments on LinkedIn.