Uncle Sam Wants To Secure Your Smartphone

Draft NIST guidelines update cell phone and PDA security rules for the Android and iOS era.
How can businesses and government agencies better secure their employees' mobile devices when they're used in the workplace?

Look to new proposed guidelines from the National Institute of Standards and Technology (NIST) to help. Released last week, "Guidelines for Managing and Securing Mobile Devices in the Enterprise" (a.k.a. Special Publication 800-124, revision 1) is an updated version of previously issued NIST guidelines. This revision, issued in draft form, is open for public comments until August 17, 2012.

The revised guidelines, written by NIST senior computer scientist Murugiah Souppaya and Karen Scarfone, principal consultant at Scarfone Cybersecurity in Washington, offer specific recommendations for securing such mobile devices as smartphones and tablets, but not laptops, which are covered by other NIST guidance.


Among the various NIST recommendations are that organizations take the time to create a mobile device security policy, and enforce that policy. "To the extent feasible and appropriate, the mobile device security policy should be consistent with, and complement, security policy for non-mobile systems," read the guidance. Related questions that organizations should be asking are how devices are secured, whether they're allowed to use untrusted apps, and whether untrusted mobile devices--for example, those that have been jailbroken or rooted--should even be allowed to connect to corporate networks.

To create the best possible mobile security policy, the guidance recommends that organizations practice threat modeling. "Threat modeling involves identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, then quantifying the likelihood of successful attacks and their impacts, and finally analyzing this information to determine where security controls need to be improved or added," said NIST.
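The threat-modeling steps NIST lists (identify resources and feasible threats, credit the controls already in place, quantify likelihood and impact, then find where controls are missing) can be worked through on a small mobile-device inventory. The following is an added example and not code from NIST or from the article; the resources, threats, 1-to-5 scales, control names and the likelihood credit given to each control are all constructed assumptions.

```python
"""Residual-risk ranking for a constructed mobile-device threat model.

Everything below (resources, threats, scores, controls, weights) is an
illustrative assumption, not data from NIST SP 800-124.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    resource: str       # resource of interest
    name: str           # feasible threat against that resource
    likelihood: int     # inherent likelihood, 1 (rare) .. 5 (expected)
    impact: int         # impact if the attack succeeds, 1 .. 5 (severe)
    mitigations: tuple  # controls that would reduce this threat's likelihood


# Controls actually deployed and the likelihood points each is credited
# with removing (assumed weights for the example).
CONTROLS_IN_PLACE = {
    "device encryption": 2,
    "remote wipe": 1,
    "screen lock + PIN": 1,
    "app allow-list": 2,
    "VPN to corporate": 2,
}

# Constructed inventory. Note that "root/jailbreak detection" and
# "minimum OS version enforcement" are referenced but NOT deployed.
THREATS = (
    Threat("email cache on phone", "lost or stolen device", 5, 4,
           ("device encryption", "remote wipe", "screen lock + PIN")),
    Threat("email cache on phone", "malicious app reads data", 3, 4,
           ("app allow-list",)),
    Threat("corporate network", "rooted device connects", 3, 5,
           ("root/jailbreak detection",)),
    Threat("credentials on device", "interception on public Wi-Fi", 4, 3,
           ("VPN to corporate",)),
    Threat("device OS", "exploit of known, unpatched vulnerability", 4, 5,
           ("minimum OS version enforcement",)),
)


def residual_likelihood(threat, controls):
    """Likelihood after crediting only the controls that are deployed (floor 1)."""
    credit = sum(controls.get(name, 0) for name in threat.mitigations)
    return max(1, threat.likelihood - credit)


def residual_risk(threat, controls):
    """Risk score = residual likelihood x impact, range 1..25."""
    return residual_likelihood(threat, controls) * threat.impact


def rank_threats(threats, controls):
    """(resource, threat, score) rows, highest residual risk first."""
    rows = [(t.resource, t.name, residual_risk(t, controls)) for t in threats]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def controls_needed(threats, controls, threshold=8):
    """Threats whose residual risk still exceeds the tolerance threshold."""
    return [(t.resource, t.name)
            for t in threats if residual_risk(t, controls) > threshold]


def with_control(controls, name, reduction):
    """Return a copy of the control set with one more control credited,
    so a proposed control can be evaluated before it is deployed."""
    return {**controls, name: reduction}


if __name__ == "__main__":
    for resource, name, score in rank_threats(THREATS, CONTROLS_IN_PLACE):
        print(f"{score:2d}  {resource:24s} {name}")
    print("need controls:", controls_needed(THREATS, CONTROLS_IN_PLACE))
    improved = with_control(CONTROLS_IN_PLACE, "root/jailbreak detection", 2)
    print("after adding root detection:", controls_needed(THREATS, improved))
```

With these assumed numbers the lost-device threat, which the article singles out, scores low only because encryption, remote wipe and a screen lock are already credited; the rooted-device and unpatched-OS threats stay above the threshold because the controls that would address them are not deployed, which is exactly the "where controls need to be added" output the process is meant to produce.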

Finally, NIST offers guidance on mobile device management, as well as handling the full mobile device lifecycle, including the proper disposal of any devices owned and issued by the organization.

When it comes to best practices, the NIST guidelines won't tell anyone who knows mobile security anything they don't already know. Still, they serve as a useful baseline, since all government agencies--with the exception of national security programs and systems--will have to demonstrate their compliance with the revised guidelines. Likewise, the guidelines might assist security program managers who need help selling their mobile security program to senior executives.

Current guidance aside, it's interesting to review the previous version to see just how quickly the state of mobile device security has changed, starting with its title: "Guidelines on Cell Phone and PDA Security." Its summation of how such devices could be used is equally dated: "not only for voice calls, simple text messages, and personal information management (PIM) (e.g., phonebook, calendar, and notepad), but also for many functions done at a desktop computer."

Then again, those NIST recommendations debuted in 2008, before the rise of Apple iOS or Google Android--although the old guidance did call out open development platforms such as Android as a "mid-term" security worry, since their use of common APIs and software development kits would make it easy for malware-writers to learn to attack related devices. And that's precisely what's happened.

One thing that hasn't changed is the lost-device threat. Previous guidance noted that "because of their small size and use outside the office, handheld devices can be easier to misplace or to have stolen than a laptop or notebook computer" and that an attacker with physical access to a device could likely extract any secrets it held. Unfortunately, that's largely still the case.

Other aspects of the 2008 NIST guidance recall a simpler era in mobile device security. "Many security issues can be avoided if the devices are configured appropriately," said the previous NIST guide. Of course, such advice--aside from some government agencies, defense contractors, and overly cautious businesses--was optimistic even when issued, given how widely employees were already using their own PDAs to connect to corporate networks.

Today, of course, many businesses have bowed to the bring-your-own-device (BYOD) movement, in which employees pay for their own devices and use them at work, in return for businesses opening their networks to such devices. But where older Apple iOS devices and many types of Android devices are concerned, forget about applying critical patches. Indeed, research into consumer Android phones has found that many carriers rarely, if ever, update their phones post-sale, meaning that many have known vulnerabilities. Of course, it will be up to government agencies and businesses to decide how to best deal with that problem.

One 2008 security prediction that hasn't come to pass is the use of the Mobile Trusted Module (MTM) specification developed by the Trusted Computing Group. "Similar to the Trusted Platform Module (TPM) defined for desktop and networked computers, the MTM functions as a tamper-resistant trusted engine, able to store information securely," read the previous NIST guidance. "The operation of the engine ensures the operating system, applications, and data have not been corrupted and remain trustworthy."

The proposed 2012 revision notes: "Current mobile devices lack the root of trust features (e.g., TPMs) that are increasingly built into laptops and other types of hosts." As a result, it said, "organizations should assume that all phones are untrusted unless the organization has properly secured them before user access and monitors them continuously while in use with enterprise applications or data."
