Vetting the Mobile Threat Catalogue with Industry
On September 13, 2016, the National Cybersecurity Center of Excellence (NCCoE) hosted a workshop to review the recently released Mobile Threat Catalogue (MTC) with industry partners and identify missing areas of interest, new countermeasures, and potential mitigations. More than 50 mobile security industry members participated, including hardware manufacturers, operating system developers, malware detection companies, and mobile network operators. There was definitely expertise to go around!
NIST Security Engineer Joshua Franklin kicked-off the event with a presentation on the Mobile Threat Catalogue, followed by Vincent Sritapan, program manager for mobile device security at the Department of Homeland Security Science and Technology Directorate (DHS S&T) discussing the status of the Mobile Security Study mandated by the Cybersecurity Act of 2015.
In response to comments received on the NCCoE’s draft practice guide “Mobile Device Security: Cloud & Hybrid Builds” (NIST SP 1800-4) and in partnership with the Department of Homeland Security Science and Technology Directorate the Mobile Threat Catalogue was released to provide broader view of the entire mobile security ecosystem. At a high level, we began with a few goals in mind:
- identifying threats to devices, applications, networks, and infrastructure;
- collecting countermeasures that IT security engineers can deploy to mitigate threats;
- informing risk assessments and threat models; and
- enumerating attack surface for enterprise mobile systems.
The accompanying report, NISTIR 8144: Assessing Threats to Mobile Devices & Infrastructure, provides background information on mobile systems and their attack surface. It also assists readers in understanding the threats and countermeasures contained within the MTC. If you’re interested in the MTC, and frankly just mobile security in general, it might be worth your while to give it a read.
So, with such deep expertise in mobile security available to us at the workshop—how did it go? Better than a foiled SMS phishing attempt! After the initial presentations, participants self-selected themselves into the following four groups to tackle the catalogue:
- Mobile Applications
- Mobile Device
- Mobile Networks
- Mobile Ecosystem
Each group reviewed a portion of the MTC, ensuring that the threat information was sound and submitting new threat suggestions where applicable. Another important goal was to verify that the listed mitigations for each threat were appropriate. Questions arose around the viability of certain countermeasures, and what party (e.g., app developer, carrier) would be the ones implementing the defensive action, which ended up being a major feedback area from participants.
The MTC is living document, available on Github to easily view and submit feedback. For those that prefer old school edits, check out the Excel version. We have already begun receiving actionable feedback, so please stop by and make suggestions! If you have questions about the MTC when writing your feedback, feel free to contact us via email@example.com. This isn’t like the voicemails your parents leave you – we’ll actually get back with you. Please note that the public comment period closes on Thursday, November 10, 2016.
Once we’ve incorporated the feedback from this workshop and the public comment period into the MTC, we’ll post an updated copy of both NISTIR 8144 and the MTC to the project page. We will then work with DHS to submit it as part of the Mobile Security Study to Congress.
We eagerly look forward to feedback from our colleagues in academia, industry, and government – and any other interested parties of course!
To learn more about this collaboration and other mobile security projects at the NCCoE, visit our Mobile Device Security project page, and consider joining our Community of Interest if you have expertise in this area. Companies developing interesting mobile security technology they're looking to flex, please consider becoming a collaborator. Thanks for stopping by.