National Cybersecurity Center of Excellence · 2019-08-15
National Cybersecurity Center of Excellence
Gema Howell
August 2019
Mobile Device Security Community of Interest
nccoe.nist.gov
Mission
Accelerate adoption of secure technologies: collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs.
NCCoE Tenets
• Standards-based: Apply relevant industry standards to each security implementation; demonstrate example solutions for new standards.
• Modular: Develop components that can be easily substituted with alternates that offer equivalent input-output specifications.
• Repeatable: Provide a detailed practice guide including a reference design, list of components, configuration files, relevant code, diagrams, tutorials, and instructions to enable system admins to recreate the example solution and achieve the same results.
• Commercially available: Work with the technology community to identify commercially available products that can be brought together in example solutions to address challenges identified by industry.
• Usable: Design blueprints that end users can easily and cost-effectively adopt and integrate into their businesses without disrupting day-to-day operations.
• Open and transparent: Use open and transparent processes to complete work; seek and incorporate public comments on NCCoE publications.
Engagement & Business Model
• DEFINE. Outcome: Define a scope of work with industry to solve a pressing cybersecurity challenge.
• ASSEMBLE. Outcome: Assemble teams of industry organizations, government agencies, and academic institutions to address all aspects of the cybersecurity challenge.
• BUILD. Outcome: Build a practical, usable, repeatable implementation to address the cybersecurity challenge.
• ADVOCATE. Outcome: Advocate adoption of the example implementation using the practice guide.
Mobile Device Security Enterprise: Build 1
NIST SP 1800-21 Mobile Device Security: Corporate-Owned Personally-Enabled (COPE)
‣ Fully-managed device/COPE: strong data confidentiality is implemented using federally certified and validated technologies
‣ Android and Apple smartphones
Document Structure Overview and Audience
Volume A: Executive Summary
• Summary of the document
• Audience: business decision makers, including chief security and technology officers
Volume B: Approach, Architecture, and Security Characteristics
• What we built and why
• Audience: technology or security program managers
Volume C: How-To Guides
• Instructions for building the example solution
• Audience: IT professionals
Mobile Device Security Challenges
• Securing the data on devices to prevent compromise via malicious applications
• Securing their always-on connections to the internet from network-based attacks
• Protecting them from phishing attempts that try to collect user credentials or entice a user to install software
• Selecting from the many mobile device management tools available and implementing their protection capabilities consistently
• Identifying threats to mobile devices and how to mitigate them
Our Approach - Telling the story…
• Orvilia Development is a small (fictional) start-up company providing IT services to many private sector organizations.
• Orvilia won its first government contract. Given the organization's current security posture, particularly in its use of mobile devices, complying with government regulations and heightened cybersecurity standards presents it with new challenges:
  • Minimal mobile device policies and no implementation of security mechanisms such as enterprise mobility management.
  • No mechanisms to prevent or detect misuse or device compromise.
  • No technical safeguards have been implemented to prevent employees from accessing the enterprise from personal devices.
  • Need to achieve and maintain compliance with government policies, which require compliance with cybersecurity best practices and applicable standards.
Risk Assessment
• Referenced NIST SP 800-30 Rev. 1: Guide for Conducting Risk Assessments
• Identified Threat Events (TE) using the NIST Mobile Threat Catalogue (MTC)
• Selected 12 threat events of high likelihood and high adverse impact
TE-1: Unauthorized access to sensitive information via a malicious or privacy-intrusive application
TE-2: Theft of credentials through an SMS or email phishing campaign
TE-3: Malicious applications installed via URLs in SMS or email messages
TE-4: Confidentiality and integrity loss due to exploitation of a known vulnerability in the OS or firmware
TE-5: Violation of privacy via misuse of device sensors
TE-6: Compromise of the integrity of the device or its network communications via installation of malicious EMM/MDM, network, or VPN profiles, or certificates
Mobile Device Security Technologies
• Enterprise Mobility Management: Enforce policies and perform compliance actions
• Trusted Execution Environment: Verify the integrity of the device and ensure the confidentiality of data stored on persistent memory
• Virtual Private Network: Secure the connection between the mobile device and the enterprise network
• Mobile Application Vetting Service: Determine if an application demonstrates any behaviors that pose a security or privacy risk
• Mobile Threat Defense: Analyze and inform the user of device-based threats, application-based threats, and network-based threats
• Mobile Threat Intelligence: Provide actionable information that mobile administrators can use to make changes to their security configuration
Privacy Risk Assessment Methodology (PRAM)
• Referenced NISTIR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems
• Utilized the NIST Privacy Risk Assessment Methodology (PRAM)
• Identified 3 privacy data actions that could create potential problems for individuals:
  • blocking access and wiping devices
  • employee monitoring
  • data sharing across parties
Sample Mobile Device Security Architecture
Benefits of Implementing SP 1800-21
• Reduces security and privacy risk. Organizations can increase security and privacy across their mobile enterprise systems by using risk mitigation technologies and applying privacy protections to help reduce mobile device security risks.
• Demonstrates enterprise-wide application. Shows how organizations can deploy a variety of mobile enterprise management technologies to networks, devices, and applications.
• Applies cybersecurity standards and best practices. Provides an illustration of how the NIST Risk Management Framework and the NIST Cybersecurity Framework can be applied to strengthen enterprise mobility security.
In Development – NIST SP 1800-22 Mobile Device Security: Bring Your Own Device (BYOD)
‣ Business productivity tools are deployed alongside a variety of device policies for employees with different risk profiles
Upcoming Events
• August 20: Present SP 1800-21 to the Federal Mobility Group
• September 23: SP 1800-21 comment period closes
• Fall: Next COI call
301-975-0200
http://nccoe.nist.gov
nccoe@nist.gov
Mobile Device Security Project Team
mobile-nccoe@nist.gov