National Cybersecurity Center of Excellence · 2019-08-15 · National Cybersecurity Center of...

National Cybersecurity Center of Excellence Gema Howell August 2019 Mobile Device Security Community of Interest


National Cybersecurity Center of Excellence

Gema Howell

August 2019

Mobile Device Security Community of Interest


Mission

Accelerate adoption of secure technologies: collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs


NCCoE Tenets

• Standards-based: Apply relevant industry standards to each security implementation; demonstrate example solutions for new standards

• Modular: Develop components that can be easily substituted with alternates that offer equivalent input-output specifications

• Repeatable: Provide a detailed practice guide including a reference design, list of components, configuration files, relevant code, diagrams, tutorials, and instructions to enable system admins to recreate the example solution and achieve the same results

• Commercially available: Work with the technology community to identify commercially available products that can be brought together in example solutions to address challenges identified by industry

• Usable: Design blueprints that end users can easily and cost-effectively adopt and integrate into their businesses without disrupting day-to-day operations

• Open and transparent: Use open and transparent processes to complete work; seek and incorporate public comments on NCCoE publications


Engagement & Business Model

• DEFINE. Outcome: Define a scope of work with industry to solve a pressing cybersecurity challenge

• ASSEMBLE. Outcome: Assemble teams of industry organizations, government agencies, and academic institutions to address all aspects of the cybersecurity challenge

• BUILD. Outcome: Build a practical, usable, repeatable implementation to address the cybersecurity challenge

• ADVOCATE. Outcome: Advocate adoption of the example implementation using the practice guide


Mobile Device Security Enterprise: Build 1

NIST SP 1800-21 Mobile Device Security: Corporate-Owned Personally-Enabled (COPE)

‣ Fully-managed device/COPE - strong data confidentiality is implemented using federally certified and validated technologies

‣ Android and Apple Smartphones


Document Structure Overview and Audience

Volume A: Executive Summary

• Summary of the document

• Business decision makers, including chief security and technology officers

Volume B: Approach, Architecture, and Security Characteristics

• What we built and why

• Technology or security program managers

Volume C: How-To Guides

• Instructions for building the example solution

• IT Professionals


Mobile Device Security Challenges

• Securing the data on devices to prevent compromise via malicious applications

• Securing their always-on connections to the internet from network-based attacks

• Protecting them from phishing attempts that try to collect user credentials or entice a user to install software

• Selecting from the many mobile device management tools available and implementing their protection capabilities consistently

• Identifying threats to mobile devices and how to mitigate them


Our Approach - Telling the story…

• Orvilia Development is a small (fictional) start-up company providing IT services to many private sector organizations.

• Orvilia won its first government contract. Given the organization’s current security posture, particularly in its use of mobile devices, complying with government regulations and heightened cybersecurity standards presents it with new challenges:

  • Minimal mobile device policies and no implementation of security mechanisms such as enterprise mobility management.

  • No mechanisms to prevent or detect misuse or device compromise.

  • No technical safeguards have been implemented to prevent employees from accessing the enterprise from personal devices.

  • Need to achieve and maintain compliance with government policies, which require compliance with cybersecurity best practices and applicable standards.


Risk Assessment

• Referenced NIST SP 800-30 Rev. 1: Guide for Conducting Risk Assessments

• Identified Threat Events (TE) using the NIST Mobile Threat Catalogue (MTC)

• Selected 12 threat events of high likelihood and high adverse impact

TE-1: Unauthorized access to sensitive information via a malicious or privacy-intrusive application

TE-2: Theft of credentials through an SMS or email phishing campaign

TE-3: Malicious applications installed via URLs in SMS or email messages

TE-4: Confidentiality and integrity loss due to exploitation of known vulnerability in the OS or firmware

TE-5: Violation of privacy via misuse of device sensors

TE-6: Compromise of the integrity of the device or its network communications via installation of malicious EMM/MDM, network, VPN profiles, or certificates


Mobile Device Security Technologies

• Enterprise Mobility Management: Enforce policies and perform compliance actions

• Trusted Execution Environment: Verify the integrity of the device and ensure the confidentiality of data stored on persistent memory

• Virtual Private Network: Secure the connection between the mobile device and the enterprise network

• Mobile Application Vetting Service: Determine if an application demonstrates any behaviors that pose a security or privacy risk

• Mobile Threat Defense: Analyze and inform the user of device-based threats, application-based threats, and network-based threats

• Mobile Threat Intelligence: Use actionable information that mobile administrators can use to make changes to their security configuration


Privacy Risk Assessment Methodology (PRAM)

• Referenced NISTIR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems

• Utilized NIST Privacy Risk Assessment Methodology (PRAM)

• Identified 3 privacy data actions that could create potential problems for individuals

  • blocking access and wiping devices

  • employee monitoring

  • data sharing across parties


Sample Mobile Device Security Architecture


Benefits of Implementing SP 1800-21

• Reduces security and privacy risk. Organizations can increase security and privacy across their mobile enterprise systems by using risk mitigation technologies and applying privacy protections to help reduce mobile device security risks.

• Demonstrates enterprise-wide application. Shows how organizations can deploy a variety of mobile enterprise management technologies to networks, devices, and applications.

• Applies cybersecurity standards and best practices. Provides an illustration of how the NIST Risk Management Framework and the NIST Cybersecurity Framework can be applied to strengthen an enterprise’s mobility.


In Development – NIST SP 1800-22

NIST SP 1800-22 Mobile Device Security: Bring Your Own Device (BYOD)

‣ Business productivity tools are deployed alongside a variety of device policies for employees with different risk profiles


Upcoming Events

• August 20: Present SP 1800-21 to the Federal Mobility Group

• September 23: SP 1800-21 comment period closes

• Fall: Next COI Call

301-975-0200

http://nccoe.nist.gov

[email protected]

Mobile Device Security Project Team

[email protected]