NCCoE Buzz: Mobile Security Edition

Our mobile devices today are powerful handheld computers in our pockets. Many of us store valuable personal information on our phones, turning these devices into attractive targets for hackers. With this in mind, how can we effectively protect ourselves from data leaks?

Data leaks happen when an organization or an individual loses control of their information. Control of the data may be lost due to unauthorized or unwarranted transmission of data to an external source. Mobile data leaks can also occur when mobile device privacy settings or applications are misconfigured.

To learn more about the different types of data leaks and how you can best protect your device, check out our recent guidance here.

It’s that time of the year again when we get on the road or head to the airport for a holiday vacation. It may be convenient to use public wireless networks while traveling. However, an ineffectively secured mobile device that establishes a connection to an open public Wi-Fi hotspot may expose an individual, employee, or entire organization to data loss or a privacy compromise.

The NCCoE wishes you a happy Thanksgiving and safe travels. To learn more about how you can protect your mobile device while using public Wi-Fi, access our article here.

With Halloween around the corner, the National Cybersecurity Center of Excellence (NCCoE) wants to share a few “tricks” and tips for mobile passwords that result in the “treat” of protecting your mobile device from compromise. 

Potential Threats:

Below is a list of several potential mobile password threats that can impact you or your organization:

• Lost/Stolen Phone – If an unauthorized user obtains a lost or stolen mobile phone that has no password, they may have easy access to sensitive information on the device (e.g., messages, photos, or email)
• Brute-Force Attack – If a mobile phone has a weak password, a malicious attacker may be able to easily obtain the password and gain access to information on the mobile phone
• Phishing – If a password is captured by texting or emailing to convince a user or subscriber into thinking the attacker is a verifier or reliable party, the attacker can gain access to a user’s account(s) and access sensitive information

Password Protections:

To protect against mobile password threats, here are a few tips:

1. Apply multi-factor authentication.

If a password is compromised, requiring a second factor for authentication can help protect against threats such as phishing attacks. 

Multi-factor authentication can be any combination of the following:

• Something you know – Password, pin, etc.
• Something you have – Authenticator app, hardware token, etc.
• Something you are – Biometrics (e.g., fingerprint or face recognition)

For example, if an attacker has acquired your password (something you know) through a phishing attack, but your account requires a password + your fingerprint (something you are) to grant access, then the attacker will not be able to access your account because they do not have access to the second factor.

2. Choose a password with a minimum length of 8 characters.

A common misconception is that complexity is the key to having a strong password. NIST SP 800-63B highlights that complexity can actually make it difficult for the user to remember their password and can deter them from developing a strong memorable password.

Instead, 800-63B recommends creating a memorable password that is at least 8 characters in length to help prevent against brute-force attacks, while also ensuring the user can remember their password/pin/passphrase.

We hope these mobile password tricks and treats were helpful.

Additional Resources:

• More information about how to use and apply specific authenticators can be found in NIST Special Publication 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management.
• More information on how to protect against other potential mobile threats can be found in NIST SP 1800-22 Mobile Device Security: Bring Your Own Device.

Many professionals in the cybersecurity community are talking about zero trust architecture (ZTA), and although it is not a new concept, there is renewed interest in implementing zero-trust principles. This introduces challenges for an organization’s mobile administrators. But what does zero trust really mean for mobile?

Due to the pandemic, many employees have transitioned to remote/telework options to accomplish their daily work activities. The portability of mobile devices makes it easier to respond promptly to emails, attend virtual meetings, and use special work apps from anywhere, even in your own home. They also serve as backup devices when the primary computing devices are not functioning properly at remote sites.

In this new environment, mobile devices are now another endpoint connected to enterprise resources and can put the entire enterprise at risk if compromised or stolen. ZTAs can minimize this impact by applying cybersecurity practices that assume no implicit trust, constant monitoring, and restricted access to the enterprise resources based on the criticality of resources and user and device identity and posture.

So, how do you get started?

When considering implementing a ZTA, it helps to first clarify the fundamental tenets. Recently, NIST Computer Scientist Gema Howell published an article on the RSAC Blog clarifying the role of ZTA for the mobile device security community and how to implement a ZTA based on standard practices.

Want to learn more? Check out our resources below:

View full article on RSAC Blog

Read NIST Special Publication 800-207 Zero Trust Architecture

When organizations allow employees to use mobile devices for work (e.g., Bring Your Own Device/BYOD), there are potential privacy implications that can impact employees. Privacy and cybersecurity are commonly thought of as two distinct areas, but when considering the risks of each, they often intersect.

Below is a list of 7 privacy challenges for enterprise mobile deployments, some of which arise from cybersecurity-related risks:

View the full-sized infographic here.

From data leaks to phishing attacks, mobile security threats are on the rise. In a previous edition of the Buzz from the National Cybersecurity Center of Excellence (NCCoE), we provided insights into how to prioritize mobile threats using the NIST Mobile Threat Catalogue (MTC).

Did you also know…?

NIST’s MTC provides links to mobile threats highlighted in the Department of Homeland Security’s sponsored Common Vulnerabilities and Exposures (CVE®) database, which identifies, defines, and catalogs publicly disclosed cybersecurity vulnerabilities. This additional detail is likely to prove very useful in prioritizing mobile threats.

Joining forces: NIST Mobile Threat Catalogue and MITRE ATT&CK®

NIST collaborates with The MITRE Corporation on finding solutions to pressing cybersecurity issues. Thanks to this synergy, a crosswalk back to NIST’s Mobile Threat Catalogue can be found in MITRE’s ATT&CK® for Mobile. MITRE’s ATT&CK® for Mobile highlights adversarial tactics, techniques, and procedures to help secure mobile devices and detect adversarial behavior as part of the larger MITRE ATT&CK® knowledgebase. For administrators running two common phone types in their organization, they will be happy to know that MITRE ATT&CK® for Mobile documents both Android and iOS adversarial techniques. 

How do you use these resources together?

NIST’s MTC identifies over 200 current threats, including carrier and application threats. The catalog also identifies physical device, supply chain, and additional threats that are cross-referenced in MITRE ATT&CK® for Mobile. The MTC’s links to the Common Vulnerabilities and Exposures (CVE®) database provide additional depth of information when needed.

We hope this information provides a great place to start as you develop your mobile device security strategy for a safer working environment.

Are you looking to protect your enterprise data from phishing? According to the Cybersecurity & Infrastructure Security Agency (CISA), most phishing attempts come by email, while other attacks—including text messages (SMS)—are also on the rise. Awareness of the different types of phishing attacks are key for implementing comprehensive mobile device security.

It is important to keep in mind that cybercriminals target a range of vulnerable actors: individuals, small and medium enterprises, and large organizations. Ultimately, any of us could be affected. Phishing attacks are not just limited to laptops or desktops; mobile phones can be the target of phishing attacks as well.

The National Cybersecurity Center of Excellence (NCCoE) has developed guidance to help protect mobile devices from phishing threats. We provide example solution architectures that organizations can use to help improve their information security and privacy. To learn more about how to protect your mobile device from phishing attacks, view our latest short form paper on phishing protection.

How do you prioritize your security approach when faced with hundreds of mobile threats? There are many types of mobile threats and they come from a variety of sources. From application-based threats to an adversary-in-the-middle, the possibilities can be overwhelming.

In response, the NCCoE compiled a list of the most common mobile device threats to help organizations prioritize their solutions according to the likelihood of an attack.

To learn more, check out our infographic here.

Are you looking to deploy mobile devices within your organization? We know that it can be challenging to comb the internet trying to figure out which threats you should be paying attention to when considering your deployment strategy.

To address this challenge, the NIST Mobile Threat Catalogue (MTC) describes, identifies, and structures the threats posed to mobile devices and their associated infrastructure. The MTC offers several uses and opportunities, including:

• the ability to review threats when performing a risk analysis or  threat modeling
• correlation with ATT&CK for mobile
• the ability to contribute to the catalogue (e.g., suggest new threats or remove old threats)

The MTC was created to be a living catalogue that is regularly updated according to the latest threat landscape. We encourage the community to review the current contents and provide feedback or contributions to the catalogue. 

Access the mobile threat catalogue here.

Let's face it, our mobile phones keep everything we hold dear...our photos, our financials, our contacts. We use them for everyday life, which can include our daily work activities. Privacy challenges can arise when personal and work data are stored on the same device. 

Knowing where to start when considering privacy can result in increasing your employees’ trust in using their mobile devices for work purposes.

NIST offers several privacy tools that can be used to analyze, assess, manage, and mitigate your employee’s privacy concerns. With regards to mobile device solutions, NIST demonstrates how to use these privacy tools in two common mobile device use cases: Corporate-Owned Personally-Enabled (COPE) and Bring Your Own Device (BYOD).

To learn more about this topic, access our short-form article here.