The US National Institute of Standards and Technology’s (NIST) draft update to its mobile security guidance drops any reference to basic cell phones and PDAs in favour of today’s intrinsically riskier tablets and smartphones.
The older devices were out of scope “because of the limited security options available and the limited threats they face.”
Many of the risks outlined in the draft recommendations for government agencies are not new, but the document provides a comprehensive overview of the risks, and of the preparations that should be made, before deploying either organisation-supplied or BYOD tablets and smartphones to the workforce.
The mobility of smartphones and tablets, combined with their storage capacity and their access to the corporate network, makes them more exposed to threats than laptops and desktops, because the latter often stay within an organisation’s facilities.
Mobile devices however will often move between homes, coffee shops, hotels and conferences, and therefore carry a heightened risk of theft or loss.
NIST advises organisations to “assume that mobile devices will be acquired by malicious parties who will attempt to recover sensitive data either directly from the devices themselves or indirectly by using the devices to access the organization’s remote resources.”
Organisations should also assume BYOD devices are untrustworthy until they have been properly secured and enabled for monitoring while in use with corporate applications or data.
Broadband, cellular and Wi-Fi networks outside the enterprise’s control should likewise be assumed to be untrustworthy for communications with the organisation.
The updated guidance comes as security researchers continue to identify a steady flow of malware in non-official and official Android markets. The document does not mention Android but says third party apps pose an “obvious risk, especially for mobile device platforms that do not place security restrictions or other limitations on third-party application publishing.”
Nor does it mention iOS devices, but it does note the “frequent jailbreaking and rooting of mobile devices”, which bypasses the platforms’ inbuilt security controls.
The draft points to application whitelisting, or a secure sandbox that isolates the organisation’s data and apps, as a risk reduction strategy. Since users can still reach untrusted web-based applications through the device’s browser, NIST also recommends either blocking or restricting browser access, or introducing a separate sandboxed browser for web activity related to the organisation.
Other areas the draft says should be managed include connecting the device to laptops or desktops for charging, cloud synchronisation, the use of QR codes, GPS and location services, and, finally, thorough sanitisation of devices before disposal.