NCCoE unveils a new NIST Publication to help strengthen company security for mobile devices
by: Terri Rue-Woods, Information Assurance/Executive Strategy Officer, e-End
Recently, at a NIST sponsored informational event, the NCCoE proudly announced the publication of their latest guide. The ‘Mobile Device Security: Corporate-Owned Personally-Enabled (COPE)’ is a draft version of their new NIST 1800-21 - Special Publication. In it features research information focusing on the uniqueness of potential threats that can come from mobile device network connections. Additionally, the document presents several test scenarios and their solutions to help develop more secure corporate-level mobile protection plans.
The NCCoE presented their publication during Identiverse 2019. Formerly known as the Cloud Identity Summit, the Identiverse is a composition of small identity industry professionals that seek to offer the public content, keynotes, workshops, and classes in the industry of identity. In the panel titled, ‘Mobile Enterprises: Strategically Addressing Threats While Managing Risk”, speaker Gema Howell, IT Security Engineer for NIST, included the information of the publication along with her discussion. Her topic: the vulnerabilities of current mobile device management systems and the need for a better look at the necessary means to address those problems. The Mobile Device Security guide stood as a welcomed cohort of solutions to her panel.
Current Mobile Situation
A lot of us use smartphones and tablets to access the important stuff from our digital lives. They are multi-functional gadgets with the power of a personal computer, yet they can now come in the size of books and credit cards. So, we enjoy using them to maintain records of our personal information for our mobile convenience. As technology advances, we find that more individuals are using their devices for no just recreational needs. With the increase of workplace productivity applications for mobile systems, working people are more likely to have their company information accessible on their mobile devices. And smartphones and tablets have become common-place items at the job site.
Unfortunately, these mobile innovations can and will attract cyber criminals attention. Despite companies choosing to spend millions on network and interoffice systems security, they fail to realize how their mobile devices can equally compromise the safety of their data.
When most consumers and business owners think of mobile device security, they think of simply adding access passwords and making sure they don’t leave their devices sitting around to be stolen.
According to an article by Senior Writer, Lucian Constantin on the CSO online publication website, enterprises need to increase their attention to the growing crisis of mobile security threats. Within his researched data from a recent Verizon survey report, one in three organizations have reported suffering a data breach due to a mobile device. Furthermore, Verizon’s results also show a 5% increase of admitted device breaches since their previous year’s survey.
“The number of security incidents involving mobile devices has increased over the past year, but companies are not protecting their mobile assets as well as they do other systems.” states Constantin.
In a subsequent article from the same web publisher, Contributing Editor, JR Rachael collaborates this theory by expressing that—while companies are focused on big named topics like malware, “the more realistic mobile security hazards lie in some easily overlooked areas.”
Furthermore, Rachael provided a listing of a few of these threats in his article. He insists that companies need to watch for:
data leakage from potential malware resulting from user errors;
accidental disclosure of sensitive information;
phishing attacks and social engineering ploys that trick users into visiting and clicking on nefarious site links;
unsecured WIFI connections that can open devices to network spoofing; and
problematic older devices that lack the proper security to handle modern-day attack attempts.
RELATED ARTICLE: Make the Security of Your Important Data, Priority #1. Featuring 10 Data-Security Measures You Can’t Do Without
But whether or not, business owners are taking the threat of mobile device breaches seriously isn’t the only issue. There is also a concern over the lack of awareness of the steps needed to protect these devices. What are the best practices? What management tools work the best? And what is the right way to construct an effective Enterprise Mobile Device Security Policy?
More About the Publication
According to its executive summary, the NIST Cybersecurity Practice Guide will demonstrate how organizations can use standards-based, commercially available products to help meet their mobile device security and privacy needs. The Guide’s overall function is to assist its readers by featuring an example solution architecture which incorporates data from multi-field experts’ assessments. Through several security characteristic analyses, the NIST Mobile Device Security Guide contains scenario data from collected test threat events. It offers companies a series of best-practice solutions, management tool recommendations, and security policy suggestions for companies to begin building a stronger mobile security system.
NCCoE and NIST
The developing body for the NCCoE, the National Cybersecurity Center of Excellence serves as a hub for the collective of government agencies and academic institutions working together on business-related cyber-security issues. The center uses their on-going partnerships to create practical solutions for industries faced with technology security challenges. In addition, the NCCoE uses its associates with other technology partners, small businesses, and market leaders of specialized IT Fortune 500 companies to build solution models adapted from mainstreamed commercially available systems. It’s these solution models that provide the framework for NIST’s publication development. NCCoE is a part of the larger organization, the National Institute of Standards and Technology (NIST). As a part of the US Department of Commerce, NIST’s provides a wide-range of measurement support and research information for just about every industry from healthcare to product engineering and manufacturing.
NCCoE collaborated with NIST and several key businesses from many notable industries. to form an association for the production of the publication. These such as technology, mobile systems manufacturing, and IT systems security included names like: Appthority, Kryptowire, Qualcomm, PaloAlto, Mobile Iron, and Lookout. Each organization presumably offered either fitting capabilities or device components for the development an example solution.
However, even though these companies came together to help with building the platform for the documents production, NIST and the NCCoE wanted to make sure it is understood that there are no special relationships, endorsements, recommendations or implications of such from the two organizations.
The threat to mobile device security affects all users, however it is more dangerous for employees and staff that regularly access their company information on their phones and tablets. Because most companies are not only handling their own information, but in some instances, the sensitive data of their clients and customers as well. Without workable security policies and tools for workplace devices, businesses might as well advertise their free data to the general public. Ultimately, its the hope of the NCCoE that the publication will aide in the of management tools best suited for enterprises to asset and minimize potential risks.
In the meantime, industry organizations and other public corporation interested in the guide are encouraged to review and submit comments via NIST’s online comment form. The final deadline for accepting comments will be September 23, 2019. As the NCCoE work to build a final draft of the Mobile Device Security guide, they are also working on the second build. This publication will be titled, ‘Mobile Device Security: Bring Your Own Device (BYOD)’ with a focus on security plans for offices that allow employees to use their own personal devices. Eventually, it is the NCCoE’s future plan to have the two builds be a focused and complete set of publications wholly centered on security for enterprise-level mobile devices.
If your business is looking for someplace to offload your old electronic assets, consider a company that specializes in IT Asset Recovery solutions as well as IT Asset Disposal. Make sure your devices are handled properly by certified experts in the field of electronics recycling and data destruction.