Mobile devices allow employees to access information resources wherever they are, whenever they need. The small form factor, constant internet access, and powerful mobile applications are already improving workforce productivity. Yet mobile devices may be lost or stolen. A compromised mobile device may allow remote access to sensitive on-premises organizational data, or any other data that the user has entrusted to the device.
Ensuring the confidentiality, integrity, and availability of the information that a mobile device accesses, stores, and processes is a difficult cybersecurity challenge with no easy solution. This is especially true in light of today’s growing mobile environment, with multiple parties developing complex systems and software that must securely coexist on the same device in order to keep data safe. Unfortunately, security controls have not kept pace with the risks posed by mobile devices. Enterprises are under pressure to accept these risks due to several factors, such as anticipated cost savings and employees’ demand for more convenience, sometimes without the ability to employ defensive mitigations.
The NCCoE mobile security efforts are dedicated to solving mobile cybersecurity challenges in the enterprise.
The Mobile Threat Catalogue
Mobile devices pose a unique set of threats to enterprises. Typical enterprise protections, such as isolated enterprise sandboxes and the ability to remote wipe a device, may fail to fully mitigate the security challenges associated with these complex mobile information systems. With this in mind, a set of security controls and countermeasures that address mobile threats in a holistic manner must be identified, necessitating a broader view of the entire mobile security ecosystem. This view must go beyond devices to include, as an example, the cellular networks and cloud infrastructure used to support mobile applications and native mobile services.
The Mobile Threat Catalogue identifies threats to mobile devices and associated mobile infrastructure to support development and implementation of mobile security capabilities, best practices, and security solutions to better protect enterprise IT. Threats are divided into broad categories, primarily focused upon mobile applications and software, the network stack and associated infrastructure, mobile device and software supply chain, and the greater mobile ecosystem. Each threat identified is catalogued alongside explanatory and vulnerability information where possible, and alongside applicable mitigation strategies.
The Mobile Threat Catalogue is a living document, updated often. For ease of use, we have included an Interagency Report providing context and background information.
- NISTIR 8144: Assessing Threats to Mobile Devices & Infrastructure (PDF)
- Mobile Threat Catalogue (web page)
The public comment period closed on November 10, 2016. We are now reviewing comments and will post a revision soon.
Seeking Additional Collaborating Technology Vendors
For each cybersecurity challenge, the NCCoE works with a variety of collaborators to use different sets of commercially available products. For non-industry specific cybersecurity challenges, the center will work with a core set of partners within the National Cybersecurity Excellence Partnership to complete an initial build and guide. The center may produce additional guides with other vendors, depending on the challenge’s complexity and how broadly it affects industry.
The NCCoE has launched a new effort to demonstrate additional technologies and products that can contribute to enterprise mobile security. If you represent a technology vendor that would like to participate in this second build, please see our Federal Register notice to learn more about how you can participate.
This second build will result in another NIST Cybersecurity Practice Guide.
If you are interested in staying in touch, sign up for email alerts from the NCCoE on our projects. If you have questions or would like to work on additional mobile device security projects, email the project team at firstname.lastname@example.org.
NIST Cybersecurity Practice Guide, Special Publication 1800-4: “Mobile Device Security: Cloud & Hybrid Builds”
The NIST Cybersecurity Practice Guide “Mobile Device Security: Cloud & Hybrid Builds” demonstrates how commercially available technologies can meet your organization’s needs to secure sensitive enterprise data accessed by and/or stored on employees’ mobile devices.
In our lab at the NCCoE, part of the National Institute of Standards and Technology (NIST), we built an environment based on typical mobile devices and an enterprise email, calendaring, and contact management solution. Additionally, we demonstrated how security can be supported throughout the mobile device lifecycle, including how to:
- configure a device to be trusted by the organization
- maintain adequate separation between the organization’s data and the employee’s personal data stored on or accessed from the mobile device
- handle the de-provisioning of a mobile device that should no longer have enterprise access (e.g., device lost or stolen, employee leaves the company).
The NIST Cybersecurity Practice Guide is available as a draft. For ease of use, the draft guide is available to download or read in volumes:
- SP 1800-4a: Executive Summary (PDF) (web page)
- SP 1800-4b: Approach, Architecture, and Security Characteristics (PDF) (web page)
- SP 1800-4c: How-To Guides (PDF) (web page)
Or you can download all volumes in a zip file, including supplemental files (10.5 MB).
The draft guide was open for public comments; the public comment period closed on January 8, 2016. Read our two-page fact sheet for highlights of this project. For archival purposes, you may download the revised and original Project Descriptions.
If you have questions or would like to work on additional mobile device security projects, email the project team at email@example.com.