NIST’s National Cybersecurity Center of Excellence (NCCoE) released a draft guide in July 2019 (SP 1800-21) to help organizations address unique mobile security threats and risks to personal and business data. The guide provides practical steps to reduce risks from malicious apps, compromised devices, and data loss through a standards-based approach using commercially available technologies. It outlines how to integrate mobile security technologies into an enterprise network and includes a reference architecture and step-by-step instructions for implementing recommended protections.
Key Aspects of the NIST Guide
Types of Threats Addressed
The draft guide aims to help organizations mitigate various unique threats presented by mobile devices, including:
-
Risky Apps:Attacks and compromises from malicious or risky applications.
-
Network-Based Attacks:Different types of attacks targeting mobile devices with their generally always-on internet connections.
-
Phishing Attempts:Efforts to trick users into revealing credentials or installing unauthorized software.
-
Data Loss:Risks to personal and business data when devices are lost, stolen, or compromised.
Goals of the Guidance
The primary goals of the guidance are to:
- Reduce Risk: Lower the privacy and security risks associated with mobile devices.
- Improve Security Posture: Help organizations improve their overall security by addressing mobile-specific vulnerabilities.
- Protect Data: Safeguard both personal and business data accessed through mobile devices.