The National Institute of Standards and Technology (NIST) recently released two draft resources that highlight current mobile security threats and then provide guidance on how public and private organizations can best approach those threats.
Mobile Threat Catalogue (MTC) and the accompanying draft Assessing Threats to Mobile Devices & Infrastructure (NIST Interagency Report 8144) were written to answer questions about how best to “defend the vulnerable connections between mobile devices and enterprise computer systems from malware, viruses and other types of attacks,” according to a NIST statement.
“Often IT shops or security managers will address or secure the apps on a phone and protect the operating system from potential threats,” NIST cybersecurity engineer Joshua Franklin said. “But there is a much wider range of threats that need to be addressed. For example, enterprise security teams often don’t focus on the cellular radios in smartphones, which, if not secured, can allow someone to eavesdrop on your CEO’s calls.”
MTC divides the mobile security threats into broad categories, largely focusing on mobile applications and software, the network stack and associated infrastructure, mobile device and software supply chain, and the greater mobile ecosystem.
NIST Interagency Report 8144 “provides background information on mobile information systems and their attack surface to assist readers in understanding threats contained within the Mobile Threat Catalogue,” NIST explained.
The report also suggests that organizations take a new perspective when it comes to mobile security, and ensure that they are viewing the entire mobile ecosystem. This includes cellular network threats, cloud infrastructure threats and even threats in app stores.
Smartphones and tablets running modern mobile operating systems were the primary target of the NIST Interagency Report 8144 analysis, according to the report.
“Each threat identified is catalogued alongside explanatory and vulnerability information where possible, and alongside applicable mitigation strategies,” the report’s authors explained. “Background information on mobile systems and their attack surface is provided to assist readers in understanding threats contained within the Mobile Threat Catalogue (MTC).”
For the MTC, mobile security engineers at the National Cybersecurity Center of Excellence (NCCoE) identified potential threats using a modified NIST SP 800-30 risk assessment process.
“A single mobile deployment was not under review – instead the threats posed to foundational mobile technologies were analyzed,” reads the report. “Therefore, key risk information necessitated by NIST SP 800-30 such as likelihood, impact, and overall risk was unavailable and not included.”
After identifying the threats to communication mechanisms, to the mobile supply chain, and at each level of the mobile device technology stack, NIST then categorized them alongside information about specific instances of those threats, the agency added.
“Mobile security engineers and architects can leverage these documents to inform risk assessments, build threat models, enumerate the attack surface of their mobile infrastructure, and identify mitigations for their mobile deployments,” stated a report summary.
Comments on both drafts must be sent to NIST by October 12, 2016.
NIST has previously released guidance on mobile application security, to help organizations vet mobile applications and properly assess the security and privacy risks associated with mobile apps. Called “Vetting the Security of Mobile Applications” (NIST SP 800-163), the guide explained that organizations need a strong app vetting process and must also properly test any new mobile applications before deploying them.
“To help mitigate the risks associated with app vulnerabilities, organizations should develop security requirements that specify, for example, how data used by an app should be secured, the environment in which an app will be deployed, and the acceptable level of risk for an app,” the report’s authors explained. “To help ensure that an app conforms to such requirements, a process for evaluating the security of apps should be performed.”