NIST SPECIAL PUBLICATION 1800-21B Mobile Device Security

NIST SPECIAL PUBLICATION 1800-21B

Mobile Device Security

Corporate-Owned Personally-Enabled (COPE)

Volume B: Approach, Architecture, and Security Characteristics

Joshua M. Franklin*
Gema Howell
Kaitlin Boeckl
Naomi Lefkovitz
Ellen Nadeau
Applied Cybersecurity Division
Information Technology Laboratory

Dr. Behnam Shariati
University of Maryland, Baltimore County
Department of Computer Science and Electrical Engineering
Baltimore, Maryland

Jason G. Ajmo
Christopher J. Brown
Spike E. Dog
Frank Javar
Michael Peck
Kenneth F. Sandlin
The MITRE Corporation
McLean, Virginia

*Former employee; all work for this publication was done while at employer.

July 2019

DRAFT

This publication is available free of charge from


DISCLAIMER

Certain commercial entities, equipment, products, or materials may be identified by name or company logo or other insignia in order to acknowledge their participation in this collaboration or to describe an experimental procedure or concept adequately. Such identification is not intended to imply special status or relationship with NIST or recommendation or endorsement by NIST or NCCoE; neither is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 1800-21B Natl. Inst. Stand. Technol. Spec. Publ. 1800-21B, 148 pages, (July 2019), CODEN: NSPUE2

FEEDBACK

You can improve this guide by contributing feedback. As you review and adopt this solution for your own organization, we ask you and your colleagues to share your experience and advice with us. Comments on this publication may be submitted to: mobile-nccoe@.

Public comment period: July 22, 2019 through September 23, 2019

All comments are subject to release under the Freedom of Information Act.

National Cybersecurity Center of Excellence
National Institute of Standards and Technology
100 Bureau Drive
Mailstop 2002
Gaithersburg, MD 20899
Email: nccoe@

NIST SP 1800-21B: Mobile Device Security: Corporate-Owned Personally-Enabled

i


NATIONAL CYBERSECURITY CENTER OF EXCELLENCE

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses' most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners--from Fortune 50 market leaders to smaller companies specializing in information technology security--the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to re-create the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Maryland.

To learn more about the NCCoE, visit . To learn more about NIST, visit .

NIST CYBERSECURITY PRACTICE GUIDES

NIST Cybersecurity Practice Guides (Special Publication 1800 series) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices, and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

ABSTRACT

Mobile devices provide access to workplace data and resources that are vital for organizations to accomplish their mission while providing employees the flexibility to perform their daily activities. Securing these devices is essential to the continuity of business operations.

While mobile devices can increase organizations' efficiency and employee productivity, they can also leave sensitive data vulnerable. Addressing such vulnerabilities requires mobile device management tools to help secure access to the network and resources. These tools are different from those required to secure the typical computer workstation.


To address the challenge of securing mobile devices while managing risks, the NCCoE at NIST built a reference architecture to show how various mobile security technologies can be integrated within an enterprise's network.

This NIST Cybersecurity Practice Guide demonstrates how organizations can use standards-based, commercially available products to help meet their mobile device security and privacy needs.

KEYWORDS

Bring your own device; BYOD; corporate-owned personally-enabled; COPE; mobile device management; mobile device security; on-premise.

ACKNOWLEDGMENTS

We are grateful to the following individuals for their generous contributions of expertise and time.

Name                  Organization
Donna Dodson          NIST
Vincent Sritapan      Department of Homeland Security, Science and Technology Directorate
Jason Frazell         Appthority (acquired by Symantec)
Joe Midtlyng          Appthority (acquired by Symantec)
Chris Gogoel          Kryptowire
Tom Karygiannis       Kryptowire
Tim LeMaster          Lookout
Victoria Mosby        Lookout
Michael Carr          MobileIron
Walter Holda          MobileIron
Farhan Saifudin       MobileIron
Jeff Lamoureaux       Palo Alto Networks
Sean Morgan           Palo Alto Networks
Kabir Kasargod        Qualcomm
Viji Raveendran       Qualcomm
Lura Danley           The MITRE Corporation
Eileen Durkin         The MITRE Corporation
Sallie Edwards        The MITRE Corporation
Marisa Harriston      The MITRE Corporation
Nick Merlino          The MITRE Corporation
Doug Northrip         The MITRE Corporation
Titilayo Ogunyale     The MITRE Corporation
Oksana Slivina        The MITRE Corporation
Tracy Teter           The MITRE Corporation
Paul Ward             The MITRE Corporation


The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:

Technology Partner/Collaborator   Build Involvement
Appthority                        Appthority Cloud Service, Mobile Threat Intelligence
Kryptowire                        Kryptowire Cloud Service, Application Vetting
Lookout                           Lookout Cloud Service/Lookout Agent Version 5.10.0.142 (iOS), 5.9.0.420 (Android), Mobile Threat Defense
MobileIron                        MobileIron Core Version 9.7.0.1, MobileIron Agent Version 11.0.1A (iOS), 10.2.1.1.3R (Android), Enterprise Mobility Management
Palo Alto Networks                Palo Alto Networks PA-220
Qualcomm                          Qualcomm Trusted Execution Environment (version is device dependent)


Contents

1.2.1 Standards and Guidance ..... 3
3.2.1 Orvilia Development ..... 9
3.3.1 Systems Engineering ..... 11
3.4.1 Risk Assessment of the Fictional Organization Orvilia Development ..... 13
3.4.2 Development of Threat Event Descriptions ..... 14
3.4.3 Identification of Vulnerabilities and Predisposing Conditions ..... 22
3.4.4 Summary of Risk Assessment Findings ..... 22
3.4.5 Privacy Risk Assessment ..... 24
3.5.1 Current Architecture ..... 26
3.5.2 Preliminary Security Goals ..... 28
3.6.1 Architecture Components ..... 29
4.1.1 Enterprise Integration ..... 36
4.1.2 Mobile Component Integration ..... 37
5.2.1 Threat Event 1 -- Unauthorized Access to Sensitive Information via a Malicious or Privacy-Intrusive Application ..... 44
5.2.2 Threat Event 2 -- Theft of Credentials Through an SMS or Email Phishing Campaign ..... 44
5.2.3 Threat Event 3 -- Malicious Applications Installed via URLs in SMS or Email Messages ..... 45
5.2.4 Threat Event 4 -- Confidentiality and Integrity Loss due to Exploitation of Known Vulnerability in the OS or Firmware ..... 46
5.2.5 Threat Event 5 -- Violation of Privacy via Misuse of Device Sensors ..... 46
5.2.6 Threat Event 6 -- Compromise of the Integrity of the Device or Its Network Communications via Installation of Malicious EMM/MDM, Network, VPN Profiles, or Certificates ..... 47
5.2.7 Threat Event 7 -- Loss of Confidentiality of Sensitive Information via Eavesdropping on Unencrypted Device Communications ..... 48
5.2.8 Threat Event 8 -- Compromise of Device Integrity via Observed, Inferred, or Brute-Forced Device Unlock Code ..... 49
5.2.9 Threat Event 9 -- Unauthorized Access to Backend Services via Authentication or Credential Storage Vulnerabilities in Internally Developed Applications ..... 50
5.2.10 Threat Event 10 -- Unauthorized Access of Enterprise Resources from an Unmanaged and Potentially Compromised Device ..... 50
5.2.11 Threat Event 11 -- Loss of Organizational Data due to a Lost or Stolen Device ..... 50
5.2.12 Threat Event 12 -- Loss of Confidentiality of Organizational Data due to Its Unauthorized Storage in Non-Organizationally Managed Services ..... 51
5.3.1 Cybersecurity Framework and NICE Framework Work Roles Mappings ..... 53
5.3.2 Threat Event Scenarios and Findings ..... 53
5.3.3 Data Action Scenarios and Findings ..... 55
