Mobile Security Best Practices
Mobile devices are everywhere, and their pervasive use presents a unique challenge in corporate environments. Recognizing the need to come together to discuss mobile security, best practices, and solutions, our ND-ISAC members formed a Mobile Security Working Group earlier this year. These members were all too aware of the potential for data loss through the use of smartphones and formed the group to discuss common mobile security issues. All working group participants are their company's subject matter experts for mobile and are passionate about sharing and learning more about mobile security. While discussing mobile services infrastructure and security services, they learned that each company deploys, manages, and secures devices in different ways. The major factors driving those differences were cost, level of effort, and data sensitivity.
One of the working group's first activities was to compare methods for analyzing mobile risks within ND-ISAC member companies. Members shared complete infrastructure diagrams along with the associated threats and risks, and the comparison showed that member companies vary in how they implement mobile security. They also found that member companies do not track and rate risk in a standard manner.
This led the working group to the idea of creating a list of mobile security mitigations that address the NIST Mobile Threat Catalogue and MITRE ATT&CK for Mobile. Although both sources already list mitigations for most adversary tactics and techniques, the group concluded, based on their combined experience with industry services, tools, and platforms, that some of those recommendations were not practical. After much discussion, they set out to develop a list of practical mitigations to help other ND-ISAC members implement mobile security and avoid some of the painful lessons the group had already learned.
The working group worked through many of the documented security threats and analyzed the mitigations against their own experience, using available tools and a baseline level of effort. As they did so, a recommended list of security controls emerged. Their initial expectation was to produce a top 10 list of security controls; the result was a top 13, ranked from their experience in order of priority.
The working group believes their approach addresses a majority of the threats in the NIST Mobile Threat Catalogue and the MITRE ATT&CK for Mobile framework using prevalent industry services and tools available to ND-ISAC member companies. To make the list as practical as possible, they provided subjective ratings for each control's effectiveness, level of effort, potential cost, and user impact. They also noted which user groups (such as BYOD, Company Owned Personally Enabled (COPE), etc.) each control should be applied to.
The Mobile Security Working Group paper is available to all ND-ISAC member companies. If you are interested in joining ND-ISAC and getting access to this paper, as well as other working group deliverables, please fill out our membership inquiry form here: https://ndisac.org/ndisac-membership/ndisac-membership-inquiry/
ND-ISAC Members: as you read through the paper, we are interested in your thoughts, questions, and participation. You can locate the paper in our secure portal within the Mobility Working Group space. For assistance, e-mail firstname.lastname@example.org.