A Good Time to Update Mobile Security Guidelines
Published: April 16, 2020
The current pandemic places a spotlight on mobile device security, so it is a good thing that NIST recently issued a draft set of guidelines for federal agencies to follow.
- NIST issued a revised draft of “Guidelines for Managing the Security of Mobile Devices in the Enterprise” to assist federal agencies in securing and managing the mobile devices they issue.
- The guidance describes the expanded threat landscape for these devices, along with the technology solutions and mitigation strategies that counter those threats.
- The COVID-19 situation has increased the use of mobile devices by federal employees working remotely, raising the risk to agency resources.
Last month, the National Institute of Standards and Technology (NIST) released an updated draft of the Guidelines for Managing the Security of Mobile Devices in the Enterprise (SP 800-124 Revision 2). The draft is open for public comment through June 26, 2020. The guidelines are meant to help the federal government manage and secure mobile devices by recommending available technology solutions and strategies. The release could not be better timed: federal employees are relying on mobile devices more than ever because of the telework and remote access the COVID-19 pandemic requires.
Mobile devices often require additional protections because of their size, portability, and use outside an agency’s network. Note: NIST defines mobile devices as devices running a modern mobile operating system; laptops, wearables, and other Internet of Things (IoT) technologies fall outside the scope of the guidelines. Enterprise management of these devices can be tricky, and the mobile threat landscape has expanded tremendously, so organizations must institute sound policies and infrastructure to secure the hardware, applications, content, and access of these devices.
Keeping all this in mind, the NIST guidelines proceed to address the “security concerns inherent to the usage of mobile devices…alongside mitigations and countermeasures. Recommendations are provided for deployment, use and disposal of devices throughout the mobile-device lifecycle.”
Threat Landscape and Technology Solutions
Regarding the shift in the mobile threat landscape, NIST describes an increase in malware and vulnerabilities affecting every layer a device depends on (operating system, firmware, cellular networks, etc.). To counter this, NIST advises organizations to develop threat models for “identifying resources of interest and the feasible threats, vulnerabilities and security controls related to these resources; quantifying the likelihood and impacts of successful attacks; and analyzing this information to determine where security controls should be improved or added.”
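As an added illustration of the threat-modeling steps NIST describes (not code from the NIST draft or from this article), the following Python worksheet enumerates resources and feasible threats for a hypothetical agency fleet, scores likelihood and impact, credits the controls already deployed, and ranks the residual risk to show where controls should be added. Every resource, threat, score and control name in it is constructed for illustration; the scoring scale and the "likelihood reduction per control" rule are assumptions, not NIST's method.

```python
"""Added example (not from the NIST draft or the article): a minimal
threat-model worksheet for an enterprise mobile fleet, following the
steps the article quotes: enumerate resources and feasible threats,
score likelihood and impact, credit the controls already deployed, and
rank where controls should be added.  All resources, threats, scores
and control names below are constructed for illustration."""

from dataclasses import dataclass, field


@dataclass
class Threat:
    resource: str
    name: str
    likelihood: int   # 1 (rare) .. 5 (expected), before any controls
    impact: int       # 1 (negligible) .. 5 (severe)
    # control name -> how many likelihood points it removes (assumed scale)
    mitigated_by: dict = field(default_factory=dict)


# Controls the hypothetical agency already has in place (constructed).
DEPLOYED_CONTROLS = {"mdm_enrollment", "full_disk_encryption", "remote_wipe"}

# Constructed sample threat register for the worked example.
THREATS = [
    Threat("agency email", "device loss/theft", 4, 4,
           {"full_disk_encryption": 2, "remote_wipe": 1, "screen_lock_policy": 1}),
    Threat("agency email", "phishing via SMS", 4, 3,
           {"user_training": 1, "mobile_threat_defense": 2}),
    Threat("VPN credentials", "malicious app sideload", 3, 5,
           {"mdm_enrollment": 1, "app_vetting": 2, "allowlist_only": 2}),
    Threat("contacts database", "untrusted Wi-Fi interception", 3, 2,
           {"always_on_vpn": 2}),
]


def residual_risk(t, deployed):
    """Likelihood after crediting deployed controls, times impact."""
    reduction = sum(r for c, r in t.mitigated_by.items() if c in deployed)
    likelihood = max(1, t.likelihood - reduction)
    return likelihood * t.impact


def rank_threats(threats, deployed):
    """Return (residual risk, resource, threat, missing controls), worst first.

    'missing controls' are the mitigations the register knows about that are
    not yet deployed: the candidates for the 'improved or added' step.
    """
    rows = []
    for t in threats:
        missing = sorted(c for c in t.mitigated_by if c not in deployed)
        rows.append((residual_risk(t, deployed), t.resource, t.name, missing))
    return sorted(rows, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    for risk, resource, name, missing in rank_threats(THREATS, DEPLOYED_CONTROLS):
        print(f"{risk:2d}  {resource:18s} {name:30s} add: {', '.join(missing) or '-'}")
```

Running it ranks SMS phishing against agency email highest (no deployed control touches it), while device loss drops to the bottom because encryption and remote wipe are already credited; the output's "add:" column is the list of controls to consider next, which is the decision the threat model exists to inform.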
Provided below is a list of threats NIST has identified in the use of mobile devices and device management systems. Accompanying each threat is a sampling of the suggested solutions and countermeasure strategies provided by NIST.
Mobile Device Deployment Lifecycle
NIST also lays out the lifecycle federal organizations should follow when deploying and managing mobile devices. The updated draft emphasizes performing a risk assessment before putting a solution into production, to keep pace with an ever-changing threat landscape:
The current pandemic certainly places a spotlight on mobile device security. Given the growth of the mobile threat landscape and the reliance on employees to adhere to enterprise policies, federal agencies have their work cut out for them in mobile device management. Even before the pandemic, mobile devices had outpaced personal computers as the preferred business resource, and their presence in the federal space has grown dramatically in the last several years. FedTech Magazine reports that DOD mobile users grew from 30,000 in 2015 to 120,000 in 2018; likewise, in 2018 NASA had more than 70,000 users and DHS 90,000.