
Uncle Sam Wants To Secure Your Smartphone

Draft NIST guidelines update cell phone and PDA security rules for the Android and iOS era.

How can businesses and government agencies better secure their employees' mobile devices when they're used in the workplace?

Look to new proposed guidelines from the National Institute of Standards and Technology (NIST) to help. Released last week, "Guidelines for Managing and Securing Mobile Devices in the Enterprise" (a.k.a. Special Publication 800-124, revision 1) is an updated version of previously issued NIST guidelines. This revision, issued in draft form, is open for public comments until August 17, 2012.

The revised guidelines, written by NIST senior computer scientist Murugiah Souppaya and Karen Scarfone, principal consultant at Scarfone Cybersecurity in Washington, offer specific recommendations for securing such mobile devices as smartphones and tablets, but not laptops, which are covered by other NIST guidance.


Among the various NIST recommendations are that organizations take the time to create a mobile device security policy, and enforce that policy. "To the extent feasible and appropriate, the mobile device security policy should be consistent with, and complement, security policy for non-mobile systems," read the guidance. Related questions that organizations should be asking are how devices are secured, whether they're allowed to use untrusted apps, and whether untrusted mobile devices--for example, those that have been jailbroken or rooted--should even be allowed to connect to corporate networks.

To create the best possible mobile security policy, the guidance recommends that organizations practice threat modeling. "Threat modeling involves identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, then quantifying the likelihood of successful attacks and their impacts, and finally analyzing this information to determine where security controls need to be improved or added," said NIST.

Finally, NIST offers guidance on mobile device management, as well as handling the full mobile device lifecycle, including the proper disposal of any devices owned and issued by the organization.

When it comes to best practices, for anyone who knows mobile security, the NIST guidelines won't tell them anything they don't already know. Still, they serve as a useful baseline, since all government agencies--with the exception of national security programs and systems--will have to demonstrate their compliance with the revised guidelines. Likewise, the guidelines might assist security program managers who need help selling their mobile security program to senior executives.

Current guidance aside, it's interesting to review the previous guidance to see just how quickly the state of mobile device security has changed, as immediately demonstrated by the title of the previous guidance: "Guidelines on Cell Phone and PDA Security," as well as its summation of how such devices could be used "not only for voice calls, simple text messages, and personal information management (PIM) (e.g., phonebook, calendar, and notepad), but also for many functions done at a desktop computer."

Then again, those NIST recommendations debuted in 2008, before Apple iOS and Google Android had become widespread--although the old guidance did call out open development platforms such as Android as a "mid-term" security worry, since their use of common APIs and software development kits would make it easy for malware writers to learn to attack related devices. That is precisely what has happened.

One thing that hasn't changed is the lost-device threat. Previous guidance noted that "because of their small size and use outside the office, handheld devices can be easier to misplace or to have stolen than a laptop or notebook computer" and that an attacker with physical access to a device could likely extract any secrets it held. Unfortunately, that's largely still the case.

Other aspects of the 2008 NIST guidance recall a simpler era in mobile device security. "Many security issues can be avoided if the devices are configured appropriately," said the previous NIST guide. Of course, outside some government agencies, defense contractors, and overly cautious businesses, such advice was optimistic even when issued, given how commonly employees were already using their own PDAs to connect to corporate networks.

Today, of course, many businesses have bowed to the bring-your-own-device (BYOD) movement, in which employees pay for their own devices and use them at work, in return for businesses opening their networks to such devices. But for older Apple iOS devices and many Android devices, critical patches may never arrive: research into consumer Android phones has found that many carriers rarely, if ever, update their phones after sale, leaving many of them with known, unpatched vulnerabilities. It will be up to government agencies and businesses to decide how best to deal with that problem.

One 2008 security prediction that hasn't come to pass is the use of the Mobile Trusted Module (MTM) specification developed by the Trusted Computing Group. "Similar to the Trusted Platform Module (TPM) defined for desktop and networked computers, the MTM functions as a tamper-resistant trusted engine, able to store information securely," read the previous NIST guidance. "The operation of the engine ensures the operating system, applications, and data have not been corrupted and remain trustworthy."

The proposed 2012 revision notes: "Current mobile devices lack the root of trust features (e.g., TPMs) that are increasingly built into laptops and other types of hosts." As a result, it said, "organizations should assume that all phones are untrusted unless the organization has properly secured them before user access and monitors them continuously while in use with enterprise applications or data."
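The two threads above, that a policy must say whether rooted or jailbroken devices and untrusted apps are permitted on the network, and that unmanaged phones should be treated as untrusted until they have been secured and are monitored in use, reduce in practice to a posture check at the point of access. The following is an added example, not code from NIST or from the article, of such a gate written in Python. The field names, the minimum OS versions, and the sample device records are assumptions for illustration; NIST's draft prescribes no particular thresholds.

```python
"""Device-posture gate modelled on the NIST SP 800-124 r1 draft recommendations
summarised above: rooted/jailbroken devices are refused, devices below a
minimum OS patch baseline are refused, required protections (passcode,
encryption, remote wipe) are checked, and any device that is admitted is
flagged for continuous monitoring rather than trusted outright.

Added example. Field names, thresholds and sample records are assumptions
chosen for illustration, not values taken from NIST or the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed minimum acceptable OS versions per platform (not NIST's numbers).
MIN_OS_VERSION = {
    "ios": (5, 1, 1),
    "android": (4, 0, 4),
}


@dataclass
class DevicePosture:
    device_id: str
    platform: str                 # "ios" or "android"
    os_version: str               # e.g. "4.0.4", as reported by the device
    rooted: bool                  # jailbroken / rooted
    passcode_set: bool
    storage_encrypted: bool
    remote_wipe_enrolled: bool
    untrusted_apps: List[str] = field(default_factory=list)  # sideloaded / unknown-source


@dataclass
class Decision:
    allow: bool
    reasons: List[str]            # every failed check, so the user can fix all at once
    monitor: bool                 # admitted devices are still monitored while in use


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '4.0.4' into (4, 0, 4) so versions compare numerically.
    A plain string compare would rank '10.0' below '9.9.9'. Trailing
    non-numeric suffixes such as '4.0.4-beta' are dropped, not fatal."""
    parts = []
    for p in s.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def evaluate(d: DevicePosture) -> Decision:
    """Apply the policy. Any failed check denies access; the device is
    never treated as trusted, so admitted devices carry monitor=True."""
    reasons: List[str] = []
    if d.rooted:
        reasons.append("device is rooted/jailbroken")
    baseline = MIN_OS_VERSION.get(d.platform.lower())
    if baseline is None:
        reasons.append(f"unknown platform {d.platform!r}")
    elif parse_version(d.os_version) < baseline:
        reasons.append(
            f"OS {d.os_version} below minimum {'.'.join(map(str, baseline))}")
    if not d.passcode_set:
        reasons.append("no unlock passcode")
    if not d.storage_encrypted:
        reasons.append("storage not encrypted")
    if not d.remote_wipe_enrolled:
        reasons.append("not enrolled for remote wipe")
    if d.untrusted_apps:
        reasons.append("untrusted apps installed: " + ", ".join(sorted(d.untrusted_apps)))
    allowed = not reasons
    return Decision(allow=allowed, reasons=reasons, monitor=allowed)


# Constructed sample posture records (assumed data, not real devices).
SAMPLE_DEVICES = [
    DevicePosture("ios-001", "ios", "5.1.1", False, True, True, True),
    DevicePosture("and-002", "android", "2.3.6", False, True, False, True),
    DevicePosture("ios-003", "ios", "5.1.1", True, True, True, True),
    DevicePosture("and-004", "android", "4.1.1", False, True, True, True,
                  untrusted_apps=["com.example.sideload"]),
]


def run_samples() -> Dict[str, Decision]:
    """Evaluate every sample device and return decisions keyed by device id."""
    return {d.device_id: evaluate(d) for d in SAMPLE_DEVICES}


if __name__ == "__main__":
    for dev_id, decision in run_samples().items():
        verdict = "ALLOW (monitored)" if decision.allow else "DENY"
        print(f"{dev_id}: {verdict}" + ("" if decision.allow else " - " + "; ".join(decision.reasons)))
```

The point of returning every failed check rather than the first is operational: a help desk enforcing the policy can tell the employee everything that must change before the device is admitted, instead of bouncing it repeatedly.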


User Rank: Apprentice
7/19/2012 | 8:06:55 PM
re: Uncle Sam Wants To Secure Your Smartphone
"To the extent feasible and appropriate, the mobile device security policy should be consistent with, and complement, security policy for non-mobile systems,"

Mobile is inherently different from non-mobile. Hopefully what was meant was to compare it with previously existing mobile systems (such as laptops), which have been around for some time (device encryption, password-protected unlock, communication encryption, etc.).
Andrew Hornback,
User Rank: Apprentice
7/20/2012 | 2:47:49 AM
re: Uncle Sam Wants To Secure Your Smartphone
I think what the NIST paper is trying to get at is that, in order to make application and enforcement processes as homogeneous as possible across various platforms, the directives in a security policy for mobile and non-mobile platforms should be as homogeneous as possible as well.

Andrew Hornback
InformationWeek Contributor
Andrew Hornback,
User Rank: Apprentice
7/20/2012 | 2:54:49 AM
re: Uncle Sam Wants To Secure Your Smartphone
As a set of baselines for organizations to follow, this is a great starting point.

Being in a position where I'm responsible for setting and implementing mobile device security policies, there's absolutely no way that I would allow a rooted or jailbroken device on my premises, much less on my network. There's too much risk associated with these devices and I'm not comfortable with the idea of my organization assuming that risk. I'm not aware of any reasonable business case out there that would change that stance.

The only reason that I can see to do something like that would be if I was involved with an organization that rolled its own mobile OS patches or even operating systems and implemented them on COTS hardware. Don't see that happening anytime soon, however.

Andrew Hornback
InformationWeek Contributor
Tom Mariner,
User Rank: Strategist
7/23/2012 | 1:11:17 PM
re: Uncle Sam Wants To Secure Your Smartphone
This discussion is like the one now going on about healthcare -- trillions of dollars of protection, and the benefits largely missing from the conversation. (In the case of medicine, it's called "the patient". $50,000 per patient record possibly, maybe exposed, and not much penalty for killing a guy because of bad or missing data.)

Yes, it is possible to squeeze total financials, business plans, damaging emails, etc. through a mobile computing device. Yes, it is much easier to misplace a phone than a desktop or mainframe. But BYOD also brings amazing new ways of empowering workers of all types and levels. My new S3 forces me to accept remote wipe, complex passwords, and some encryption as the price to connect to my Exchange. Don't ignore the security issues, but at least include the dramatic new ways of sharing data and a command structure whose benefits to the corporation may mitigate something less than a hard-wired Ethernet cable.

And the price savings that hundreds of millions of workers just handed IT, instead of company-owned, stupid, e-mail-only BlackBerries at $500 apiece.