The National Institute of Standards and Technology (NIST) has introduced new resources created to help organizations protect their mobile devices and computer systems from malware threats.
The draft Mobile Threat Catalogue (MTC) and the accompanying draft Assessing Threats to Mobile Devices & Infrastructure (NIST Interagency Report 8144) provide more specific information on threats and ways to mitigate them.
The catalogue lists mobile threats in numerous areas, including authentication, supply chains, physical access, payment, ecosystem and network protocols, technologies and infrastructure. It also covers mobile security concerns involving the Global Positioning System, WiFi, Bluetooth and mobile payments, as well as commonly known, broadly understood mobile device-related security threats such as mobile malware.
IT security departments have used guidance from NIST and other sources to help them defend the vulnerable connections between mobile devices and enterprise computer systems from malware, viruses and other types of attacks.
“Often IT shops or security managers will address or secure the apps on a phone and protect the operating system from potential threats,” NIST cybersecurity engineer Joshua Franklin said. “But there is a much wider range of threats that need to be addressed. For example, enterprise security teams often don’t focus on the cellular radios in smartphones, which, if not secured, can allow someone to eavesdrop on your CEO’s calls.”
The catalogue was created in part in response to earlier work at NIST’s National Cybersecurity Center of Excellence (NCCoE), draft NIST SP 1800-4 Mobile Device Security: Cloud and Hybrid Builds. Authors also used data from responses to a 2015 Request for Information on Mobile Threats and Defenses and interviews with security experts from major corporations.
NIST worked with the Department of Homeland Security Science & Technology Directorate on the Mobile Threat Catalogue and NISTIR 8144, which will be used to inform the Study on Mobile Device Security, due to Congress in December 2016, as a part of Title IV, Section 401 of the Cybersecurity Act of 2015 (Division N of the Consolidated Appropriations Act, 2016). The MTC also will help guide future research projects by the NCCoE, said NIST.