Mobile security guide: Assume a device will fall into malicious hands
- By William Jackson
- Jun 27, 2013
Newly revised guidance for securely managing mobile devices sharpens the focus of the original NIST publication, released in 2008, by excluding laptops and low-end cell phones and by addressing both enterprise-issued and privately owned devices.
The National Institute of Standards and Technology’s Special Publication 800-124, Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, explains the security concerns inherent in mobile device use and provides recommendations for selecting, implementing and using centralized management technologies to address those risks throughout the device life cycle.
The original version of the publication was titled “Guidelines on Cell Phone and PDA Security,” and the change in titles reflects shifts in the technology environment over the past five years. Most cell phones now are mobile computers with Internet connections, capable of accessing, storing and processing data. Meanwhile, the personal digital assistant has disappeared as a device category. Tablets have emerged as a new category, and the use of personal devices within the enterprise has become a fact of life, to the point where the abbreviation BYOD seldom needs an explanation. (Just in case it does require explanation, it stands for Bring Your Own Device.)
Assuring the confidentiality, integrity and availability of data on a mobile device, as well as the security of the enterprise it connects to, requires the same baseline security as desktops and laptops, plus additional protection against threats specific to mobile and wireless devices, which often operate outside the enterprise perimeter. “Mobile devices often need additional protection because their nature generally places them at higher exposure to threats,” the authors write.
The revised SP 800-124 contains specific recommendations for securing mobile devices, intended to supplement the more general IT security controls specified in the latest revision of NIST’s SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations.
Risks specific to, or greater for, mobile devices include loss or theft, and agencies are advised that “when planning mobile device security policies and controls, organizations should assume that mobile devices will be acquired by malicious parties.” Mitigations for this risk can include strong authentication on the device and encryption.
Other specific risks include the use of personal devices and untrusted networks and applications; interaction with other systems, either wirelessly or tethered; and the use of location services, which can facilitate targeted attacks.
As device features and functionality change, so do the threats they face and the applicable security controls, and this publication establishes a baseline of technology and controls that will be updated as needed. Basic guidelines for securely managing devices include:
Create a documented mobile device security policy, defining what resources can be accessed from different types of devices and how devices are to be managed. This should be regularly updated.
Develop system threat models for mobile devices and the resources that are accessed by them. Threat modeling helps organizations identify security requirements and design the solutions incorporating the controls needed to meet the security requirements.
Implement and test a pilot of the mobile device solution before putting it into production. At a minimum, all components should be updated with the latest patches and configured following sound security practices. Use of jailbroken or rooted mobile devices should be automatically detected when feasible.
Fully secure each organization-issued mobile device before allowing a user to access it. Unmanaged devices already issued should be secured to a known good state, with supplemental security controls used as needed.
Regularly maintain mobile device security. This includes keeping patches up to date, ensuring all components are synched to a common time source so that log data can be correlated, reconfiguring access controls as needed and detecting anomalies including unauthorized configuration changes.
A variety of security services and systems are available, and most organizations will not need all of the available features. Agencies should determine what is needed in their environment and deploy or acquire what is appropriate, selecting from among features including policy enforcement, encryption, user and device authentication, and application whitelisting and blacklisting.
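As an added example, not code from the article or from NIST SP 800-124, the following Python sketch shows what the policy-enforcement features listed above look like when reduced to a compliance check: each device's reported state is evaluated against minimum passcode length, storage encryption, OS patch level, root/jailbreak status, application allow and deny lists, and drift from a known-good configuration baseline (the "unauthorized configuration changes" the guidance says to detect). The device records, the policy values, the app identifiers and the field names are all constructed for this example and are not any vendor's schema; a real MDM would collect these attributes from its agent and apply its own actions.

```python
"""Added example: a minimal mobile-device compliance check of the kind an
MDM policy engine performs. Policy, baseline and inventory are constructed
here; nothing below is drawn from SP 800-124 or a real product."""
from dataclasses import dataclass, field

# Hypothetical policy covering the controls the article lists: strong
# authentication, encryption, patch currency, root/jailbreak detection and
# application whitelist/blacklist. Version thresholds are arbitrary.
POLICY = {
    "min_passcode_len": 6,
    "require_encryption": True,
    "min_os_version": {"ios": (6, 1, 3), "android": (4, 2, 2)},
    "allowed_apps": {"com.example.mail", "com.example.vpn"},   # whitelist
    "blocked_apps": {"com.example.tether"},                     # blacklist
    "enforce_whitelist_on": {"corporate"},  # BYOD devices get only the blacklist
}

# Known-good configuration per ownership model. Any difference between what
# the device reports and this baseline is flagged as configuration drift.
BASELINE = {"corporate": {"vpn_always_on": True, "dev_mode": False},
            "byod":      {"vpn_always_on": False, "dev_mode": False}}


@dataclass
class Device:
    device_id: str
    ownership: str            # "corporate" or "byod"
    os_name: str
    os_version: str           # dotted string such as "6.1.3"
    passcode_len: int
    encrypted: bool
    rooted: bool              # agent's root/jailbreak verdict
    apps: set = field(default_factory=set)
    config: dict = field(default_factory=dict)


def parse_version(v: str) -> tuple:
    """Turn '4.1.2' into (4, 1, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def evaluate(dev: Device, policy=POLICY, baseline=BASELINE) -> list:
    """Return the list of policy violations for one device (empty means compliant)."""
    findings = []
    if dev.rooted:
        findings.append("rooted/jailbroken device")
    if dev.passcode_len < policy["min_passcode_len"]:
        findings.append(f"passcode length {dev.passcode_len} < {policy['min_passcode_len']}")
    if policy["require_encryption"] and not dev.encrypted:
        findings.append("storage not encrypted")
    min_os = policy["min_os_version"].get(dev.os_name)
    if min_os is None:
        findings.append(f"unsupported platform {dev.os_name}")
    elif parse_version(dev.os_version) < min_os:
        findings.append(f"{dev.os_name} {dev.os_version} below minimum "
                        + ".".join(map(str, min_os)))
    for app in sorted(dev.apps & policy["blocked_apps"]):
        findings.append(f"blacklisted app {app}")
    if dev.ownership in policy["enforce_whitelist_on"]:
        for app in sorted(dev.apps - policy["allowed_apps"]):
            findings.append(f"app not on whitelist: {app}")
    for key, expected in baseline.get(dev.ownership, {}).items():
        actual = dev.config.get(key)
        if actual != expected:
            findings.append(f"config drift: {key}={actual!r} (baseline {expected!r})")
    return findings


def access_decision(dev: Device) -> str:
    """Map violations to an action: block rooted or unencrypted devices outright,
    quarantine anything else that is non-compliant, otherwise allow."""
    findings = evaluate(dev)
    if not findings:
        return "allow"
    if any(f.startswith(("rooted", "storage not encrypted")) for f in findings):
        return "block"
    return "quarantine"


# Constructed sample inventory (not real devices or real app identifiers).
INVENTORY = [
    Device("corp-001", "corporate", "ios", "6.1.3", 6, True, False,
           {"com.example.mail", "com.example.vpn"},
           {"vpn_always_on": True, "dev_mode": False}),
    Device("byod-042", "byod", "android", "4.1.2", 4, True, False,
           {"com.example.mail", "com.example.tether", "com.social.app"},
           {"vpn_always_on": False, "dev_mode": True}),
    Device("corp-007", "corporate", "ios", "6.1.3", 8, False, True,
           {"com.example.mail", "com.example.vpn", "com.games.fun"},
           {"vpn_always_on": False, "dev_mode": False}),
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d.device_id, access_decision(d), evaluate(d))
```

Two design points are worth noting. Version strings are compared as integer tuples, because comparing "4.10" and "4.9" as strings gets the answer backwards. And the whitelist is applied only to organization-issued devices while the blacklist applies to everyone, which is one way to express the guidance's distinction between enterprise-issued and privately owned devices without trying to control every app a user installs on their own phone.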