Faced with escalating mobile malware, NIST publishes mobile security guidelines

Smartphones, tablets and other mobile devices, whether personal, company-issued or used under bring-your-own-device (BYOD) policies, increasingly need stronger protections against data loss and other cyber-risks. Users, however, have been lax in their practices, with big consequences: between Q1 2011 and Q2 2012, ABI Research found that the number of unique mobile malware variants grew by a staggering 2,180%, to 17,439 strains.

“Securing these [mobile] tools, especially employee-owned products, is becoming increasingly important for companies and government agencies with the growing popularity – and capability – of the devices,” NIST spokesperson Evelyn Brown noted. “Many organizations allow employees to use their own smartphones and tablets, even though their use increases cybersecurity risks to the organization's networks, data and resources.”

NIST’s draft publication, “Guidelines on Hardware-Rooted Security in Mobile Devices” (draft SP 800-164), defines the fundamental security components and capabilities needed to enable more secure use of mobile devices. Above all, the guidelines recommend that every mobile device implement three core security components: foundational security elements that the device's operating system and its applications can build on. They are: roots of trust, combinations of hardware, firmware and software components designed to provide critical security functions with a very high degree of assurance that they will behave correctly; an application programming interface (API) that lets the operating system and applications use the security functions the roots of trust provide; and a policy enforcement engine that processes, maintains and manages the security policies applied to the mobile device.

"Many current mobile devices lack a firm foundation from which to build security and trust," explained NIST lead for hardware-rooted security, Andrew Regenscheid, in an announcement. "These guidelines are intended to help designers of next-generation mobile phones and tablets improve security through the use of highly trustworthy components, called roots of trust, that perform vital security functions."

On laptop and desktop systems, these roots of trust are often implemented in a separate, tamper-resistant security chip such as a Trusted Platform Module, but the power and space constraints of mobile devices could lead manufacturers to pursue other approaches, such as leveraging security features built into the processors these products already use, he said.

The NIST guidelines are also centered on three security capabilities to address known mobile device security challenges: integrity, isolation and protected storage.

A tablet or phone that supports device integrity can report its configuration, health and operating status in a form that the organization whose information is being accessed can verify (commonly called attestation). Isolation capabilities are intended to keep personal and organizational data, components and processes separate, so that personal applications cannot interfere with the organization's secure operations on the device. And protected storage keeps data safe by encrypting it and restricting who and what can access it.
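How the device-integrity and protected-storage capabilities fit together can be shown with a small simulation. The Python below is an added illustration, not code from NIST or from the draft guidelines: a root of trust for measurement extends a register over each boot component (TPM-style hash chaining), the device produces a quote over a verifier-supplied nonce and the measurement, and the organization checks that quote against a reference value; a secret is then sealed to the measurement, so a device booted with a modified kernel can neither pass the check, forge a quote, replay an old one, nor unseal the data. The attestation key, sealing secret, boot-component strings and the names Device, Verifier and demo are hypothetical; HMAC stands in for the asymmetric attestation key a real hardware root of trust would hold, and the hash-counter keystream is for illustration only, not production encryption.

```python
"""Added illustration of device integrity (attestation) and protected storage.
Not NIST code; all keys, names and boot components are constructed for the example."""
import hashlib
import hmac
import os


def extend(register: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(component)).
    The result depends on every component and on their order."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Root of trust for measurement: hash each boot stage into one register."""
    register = bytes(32)
    for component in components:
        register = extend(register, component)
    return register


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class Device:
    """Hypothetical device whose root of trust holds an attestation key and a sealing secret."""

    def __init__(self, attest_key: bytes, seal_secret: bytes, components):
        self._attest_key = attest_key
        self._seal_secret = seal_secret
        self.measurement = measure_boot(components)  # fixed at boot time

    def quote(self, nonce: bytes) -> dict:
        """Attest to the measured boot state. HMAC stands in for a signature with an
        asymmetric attestation key, which is why the verifier below shares the key."""
        tag = hmac.new(self._attest_key, nonce + self.measurement, hashlib.sha256).digest()
        return {"nonce": nonce, "measurement": self.measurement, "tag": tag}

    def _storage_key(self) -> bytes:
        # The key is bound to the current boot measurement: a different boot chain
        # (e.g. a modified kernel) derives a different key and cannot unseal.
        return hmac.new(self._seal_secret, b"seal" + self.measurement, hashlib.sha256).digest()

    def seal(self, plaintext: bytes) -> bytes:
        """Protected storage: encrypt-then-MAC under the measurement-bound key."""
        iv = os.urandom(16)
        key = self._storage_key()
        ciphertext = _keystream_xor(key, iv, plaintext)
        tag = hmac.new(key, iv + ciphertext, hashlib.sha256).digest()
        return iv + ciphertext + tag

    def unseal(self, blob: bytes):
        """Return the plaintext, or None if the boot state (and so the key) changed."""
        iv, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
        key = self._storage_key()
        expected = hmac.new(key, iv + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        return _keystream_xor(key, iv, ciphertext)


class Verifier:
    """The organization's side: knows the attestation key and the golden boot chain."""

    def __init__(self, attest_key: bytes, reference_components):
        self._attest_key = attest_key
        self.reference = measure_boot(reference_components)

    def check(self, q: dict, nonce: bytes) -> bool:
        if q["nonce"] != nonce:  # stale or replayed quote
            return False
        expected = hmac.new(self._attest_key, nonce + q["measurement"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, q["tag"]):  # forged or altered quote
            return False
        return q["measurement"] == self.reference  # unknown or modified software


# Constructed sample boot chains and secrets (hypothetical values).
GOOD_CHAIN = [b"bootloader 1.0", b"kernel 3.4", b"policy-engine 1.0"]
ROOTED_CHAIN = [b"bootloader 1.0", b"kernel 3.4 (patched)", b"policy-engine 1.0"]
ATTEST_KEY = b"hypothetical-attestation-key"
SEAL_SECRET = b"hypothetical-sealing-secret"


def demo() -> dict:
    verifier = Verifier(ATTEST_KEY, GOOD_CHAIN)
    good = Device(ATTEST_KEY, SEAL_SECRET, GOOD_CHAIN)
    rooted = Device(ATTEST_KEY, SEAL_SECRET, ROOTED_CHAIN)
    nonce, later_nonce = os.urandom(16), os.urandom(16)
    good_quote = good.quote(nonce)
    forged = dict(rooted.quote(nonce), measurement=verifier.reference)  # lies about its state
    blob = good.seal(b"corporate VPN credential")  # sealed while in the healthy state
    return {
        "healthy_passes": verifier.check(good_quote, nonce),
        "rooted_fails": verifier.check(rooted.quote(nonce), nonce),
        "forged_fails": verifier.check(forged, nonce),
        "replay_fails": verifier.check(good_quote, later_nonce),
        "healthy_unseals": good.unseal(blob),
        "rooted_unseals": rooted.unseal(blob),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The point of the design is that neither check relies on the operating system being honest: the measurement is fixed by the root of trust before any application runs, the quote is only as forgeable as the attestation key, and the sealed credential is unreadable on a device whose boot chain differs by a single byte.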
