NCSC’s New Mobile Risk Model Aimed at “High-Threat” Firms

Written by

The UK’s leading cybersecurity agency has announced a new initiative designed to enhance cyber-resilience for organization’s whose mobile infrastructure is targeted by nation states.

The National Cyber Security Centre (NCSC) claimed its Advanced Mobile Solutions (AMS) risk model will help “high-threat organizations to stay connected on the go.”  

It’s designed to mitigate the threat of consumer-grade devices being targeted by commercial spyware, potentially enabling sophisticated threat actors to use these as a stepping stone into back-end corporate systems and data. The risk model is also designed to protect against sophisticated actors working over several months or years with long-running and highly targeted social engineering campaigns.

“Across government we use ‘high grade’ (ie carefully designed and evaluated) crypt appliances to protect our most sensitive communications,” explained NCSC security architect, Chris P. “However, with current technology, it’s not practical to use such an approach with consumer grade mobile devices.”

Read more on mobile threats: Predator Spyware Targeted Mobile Phones in New Countries

This is where AMS comes in. It’s underpinned by an assumption that individual devices and the data they access may be compromised from time to time. However, entire fleets of devices should not be, and any compromises should not threaten data in bulk or the security of sensitive systems.  

AMS is based on the following principles:

  • Mobile devices can’t be trusted and networks should therefore be designed in such a way that devices and data will be protected if one or two of those devices is compromised
  • Core networks and services must be protected via a “robust border” between mobile infrastructure and core network
  • Sensitive data must not be “aggregated” inside the mobile infrastructure in plain text – including data that’s moving across servers or being stored on servers

The NCSC also revealed the main architectural elements of AMS, including mobile device management (MDM) tools, best-of-breed commercial data protection, “high grade or ephemeral VPN terminators,” continuous monitoring and robust cross-domain data inspection.

AMS is a project years in the making and more information will be posted on the NCSC’s website over the coming months.

“We have developed the architecture and risk models for AMS. Much of the required technology has been (or is being) licenced for sale to government, and we are finalising the documentation of the risk and design guidance,” concluded Chris P.

“A managed service for enterprise workers (based on AMS) is now available across government. We are looking to expand the available of AMS patterns and technology to other sectors, such as critical national infrastructure.”

What’s hot on Infosecurity Magazine?