Wednesday, November 28, 2012

Chinese Capabilities for Computer Network Operations and Cyber Espionage

Chinese Cyber Threat in the Open

When people are discussing nation-state cyber threats against the U.S. in public, they often do so in whispers, assuming that all information is classified. However, it may come as a surprise to many the amount of information that currently exists in the public domain.

One example is a compelling report compiled this year for the U.S.-China Economic and Security Review Commission, titled “Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage.” The paper covers such provocative topics as the Chinese strategic view of cyber warfare, how they are organized, and the distinctions between state-sponsored and criminal activity, to name just a few.

This paper makes several interesting observations (which will be explored in later posts). Some of them include:

  • Effects of early Chinese Computer Network Attack preparation may not be observable until after conflict erupts.
  • The U.S. lacks comprehensive policy on response to large scale network attack if there is not definitive attribution.
  • Beijing may use cyber policy and legal frameworks to create delays in US command decision making and response in the event of conflict.

While this paper pulls information from a number of sources, it is also possible to gain some insight into potential targets – at least from an industrial espionage standpoint – just by looking at what the Chinese government openly states it will do.

A good place to delve even more deeply into this topic is China’s own “12th 5-Year Plan.” This is the guiding document for the country’s economic plan and they stick pretty close to it. A good analysis of the plan as it pertains to energy can be found here.

Based on the volume of news and other analysis, it can be assumed that industrial espionage is culturally rampant in China. If that’s the case, it also seems inevitable that someone over there will be targeting (the typically more mature) U.S. assets and operations to enhance their own industrial capabilities.

In reading through the KPMG paper above it becomes apparent that Hydro Electric utilities may be targets for cyber espionage:

  • 3 out of 7 strategic investment areas in the 5 year plan relate to energy: clean energy, energy conservation, and clean energy cars
  • Hydroelectric is an area targeted for high growth
  • China’s big 5 power companies are looking at overseas investments, including renewable energy

While there is no actual technical data (logs, reports) supporting the fact that Hydro is being targeted for cyber attacks, and the KPMG paper focuses primarily on business perspectives as opposed to cyber, it is these “open source” business perspectives that guide us toward identifying which cyber assets and information might be potential upcoming targets.

Friday, November 23, 2012

How to Audit Business Continuity

It's Not About the Process; It's About the Plan

Although business continuity is in many ways relatively straightforward, it is not really a technical or scientific discipline compared with security or quality. Auditors need fixed points of reference for comparisons. Standards (in various guises) provide them with a route map to follow. This allows them to check the process, but not really the effectiveness, of the program.

For example, it is easy to check the number of employees who have been through a business continuity management induction, but much more difficult to determine if this has had any impact upon corporate resilience. This factor has often caused full-time BC practitioners to claim that they alone can properly audit a BC plan or program.

There might be some justification for this. An auditor, for instance, could successfully audit a hospital for its compliance against pre-agreed hygiene standards, but would not be credible at determining a surgeon's technical competence at performing a difficult operation. However, few BC practitioners have the formal audit skills that colleagues in internal audit possess.

Many consultants try to gain these skills by undertaking various audit training courses, but often find the concentration on process and compliance frustrating. To be successful in auditing a business continuity program, both professional knowledge of BCM and appropriate audit skills are required.

The goal of a BCM program is to protect the organization, to ensure adequate levels of resilience exist to withstand the consequences of disruptions and to ensure that there is company-wide BCM awareness and operational consistency.  

To continue with the medical analogy, there is little value in a surgeon claiming an operation was a technical success if the patient died of poor aftercare. Similarly, there is little point in an organization gaining BCM certification from compliance authority if it goes out of business as soon as a serious problem occurs.

Resilience, not process consistency, is the ultimate measure of success. So given these warnings and caveats, what must an auditor do to add value to a BCM program?

First, he or she must understand the business fully. There are some good places to start, such as the company's annual report, to understand missions and values; the external auditors report to highlight weaknesses or exposures; as well as risk registers, previous business impact analyses and other available management reports.

It is rarely useful to start with the business continuity plan itself. The second stage is to familiarize oneself with the BCM process that is in place. 

  • Does it follow any recognized standard (internal or external)?
  • How well is it documented? Do people know about it and their role in it?
  • Conducting selective interviews with senior management and other interested parties can help judge how serious they are in supporting BCM.

Remember: A significant budget for commercial IT recovery capability does not in itself demonstrate management commitment to an embedded business continuity culture. Having acquired this level of contextual understanding, auditors can start to ask questions and review the applicability of the responses. 

Many of the questions are basic, but often throw up uncomfortable issues. Typical areas to cover include:

  • Do you have plans for all critical systems, processes and functions, and how do you know which are the most critical?
  • Are the plans accurate, complete and up-to-date? Is the documentation easy to follow in an emergency?
  • Have roles and responsibilities been defined?
  • Are the response strategies devised appropriate to the potential level of disruption?
  • Are the plans tested? If so, how, when and by whom?
  • Are the test results evaluated, lessons learned and plans enhanced?
  • Are the initial response structures well-known and fully tested?
  • Are appropriate communications with external parties defined and tested?
  • If pre-defined alternate locations are designated, do staff know how to access them?
  • Are all critical resources backed up and recoverable?
  • Are personnel trained in their post-incident roles?

The most important thing for the auditor to reflect on is not the documentation, but the resilience capability that can be demonstrated. A poor audit is one in which the auditor treats it as a document review. It is not enough to have a well written plan unless that plan is part of a tried-and-tested process.

Monday, November 19, 2012

10 Supply Chain Risk Management Best Practices

NIST Interagency Report Aims to Mitigate Vulnerabilities

The National Institute of Standards and Technology has issued a new report to help organizations mitigate supply chain risks. NIST says the 10 supply chain risk management practices can be applied simultaneously to an information system or the elements of an information system.

The practices are:

1) Uniquely identify supply chain elements, processes and actors. Knowing who and what is in an enterprise's supply chain is critical to gain visibility into what is happening within it, as well as monitoring and identifying high-risk events and activities. Without reasonable visibility and traceability into the supply chain, it is impossible to understand and therefore manage risk and to reduce the likelihood of an adverse event.

2) Limit access and exposure within the supply chain. Elements that traverse the supply chain are subject to access by a variety of actors. It is critical to limit such access to only as much as necessary for those actors to perform their roles and to monitor that access for supply chain impact.

3) Establish and maintain the provenance of elements, processes, tools and data. All system elements originate somewhere and may be changed throughout their existence. The record of an element's origin, along with the history of the changes made to it and the record of who made those changes, is called "provenance."

Acquirers, integrators and suppliers should maintain the provenance of elements under their control to understand where the elements have been, the change history and who might have had an opportunity to change them.

4) Share information within strict limits. Acquirers, integrators and suppliers need to share data and information. Content to be shared among acquirers, integrators and suppliers may include information about the use of elements, users, acquirer, integrator or supplier organizations as well as information regarding issues that have been identified or raised regarding specific elements. Information should be protected according to mutually agreed-upon practices. 

5) Perform supply chain risk management awareness and training. A strong supply chain risk mitigation strategy cannot be put in place without significant attention given to training personnel on supply chain policy, procedures and applicable management, operational and technical controls and practices. NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, provides guidelines for establishing and maintaining a comprehensive awareness and training program.

6) Use defensive design for systems, elements and processes. The use of design concepts is a common approach to delivering robustness in security, quality, safety, diversity and many other disciplines that can aid in achieving supply chain risk management. Design techniques apply to supply chain elements, element processes, information, systems and organizational processes throughout the system.

Element processes include creation, testing, manufacturing, delivery and sustainment of the element throughout its life. Organizational and business processes include issuing requirements for acquiring, supplying and using supply chain elements.

7) Perform continuous integrator review. Continuous integrator review is an essential practice used to determine that defensive measures have been deployed. Its purpose is to validate compliance with requirements, establish that the system behaves in a predictable manner under stress and detect and classify weaknesses and vulnerabilities of elements, processes, systems and any associated metadata.

8) Strengthen delivery mechanisms. Delivery, including inventory management, is an essential function within the supply chain, which has a great potential for being compromised. In today's environment, delivery can be physical such as hardware or logical such as software modules and patches. 

9) Assure sustainment activities and processes. The sustainment process begins when a system becomes operational and ends when it enters the disposal process. This includes system maintenance, upgrade, patching, parts replacement and other activities that keep the system operational. Any change to the system or process can introduce opportunities for subversion throughout the supply chain.

10) Manage disposal and final disposition activities throughout the system or element life cycle. Elements, information and data can be disposed of at any time across the system and element life cycle. For example, disposal can occur during research and development, design, prototyping or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys and partial reuse of components.
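Practices 3 and 8 above describe keeping a provenance record and checking elements when they are delivered. The following is an added example, not code from the NIST report or this post: it keeps such a record for one constructed firmware element and rejects a delivery when the bytes, the recorded history or the actors in that history do not check out (the element identifier, actor names and firmware images are constructed).

```python
"""Provenance records for supply chain elements, checked again on delivery.

Added example, not code from the NIST report or the blog post; the element
identifier, actors and firmware images below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Change:
    actor: str          # who made the change (the "record of who" in practice 3)
    description: str
    before: str         # digest of the element before the change
    after: str          # digest of the element after the change


@dataclass
class Provenance:
    element_id: str     # unique identifier for the element (practice 1)
    origin: str         # where the element originated
    origin_digest: str  # digest of the element as received from its origin
    history: list = field(default_factory=list)

    @classmethod
    def from_origin(cls, element_id: str, origin: str, content: bytes):
        return cls(element_id, origin, digest(content))

    def current_digest(self) -> str:
        return self.history[-1].after if self.history else self.origin_digest

    def record_change(self, actor: str, description: str, new_content: bytes):
        self.history.append(
            Change(actor, description, self.current_digest(), digest(new_content)))

    def chain_consistent(self) -> bool:
        """Every recorded change must start from the digest the previous one ended at."""
        expected = self.origin_digest
        for change in self.history:
            if change.before != expected:
                return False
            expected = change.after
        return True


def verify_delivery(record: Provenance, delivered: bytes, allowed_actors) -> tuple:
    """Acquirer-side check when an element arrives (practice 8): unbroken history,
    only authorized actors in that history (practice 2), and bytes that match."""
    if not record.chain_consistent():
        return False, "provenance history is inconsistent"
    rogue = sorted({c.actor for c in record.history if c.actor not in allowed_actors})
    if rogue:
        return False, f"changes by unauthorized actors: {rogue}"
    if digest(delivered) != record.current_digest():
        return False, "delivered element does not match recorded provenance"
    return True, "ok"


def run_demo() -> dict:
    """Walk one constructed firmware element through origin, patch, delivery and tampering."""
    allowed = {"VendorA", "integrator-bob"}
    original = b"controller firmware 1.2 (constructed)"
    patched = b"controller firmware 1.2 patch1 (constructed)"
    altered = patched + b"\x00"   # same element with one byte appended
    rec = Provenance.from_origin("FW-CTRL-1.2", "VendorA", original)
    rec.record_change("integrator-bob", "apply vendor patch 1", patched)
    results = {"genuine": verify_delivery(rec, patched, allowed),
               "tampered": verify_delivery(rec, altered, allowed)}
    # A change recorded by an actor outside the allowed set
    rec.record_change("unknown-contractor", "undocumented modification", altered)
    results["unauthorized"] = verify_delivery(rec, altered, allowed)
    # The history is then edited to hide that change; the chain no longer links up
    rec.history[-1].before = "0" * 64
    results["edited_history"] = verify_delivery(rec, altered, allowed)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:15s} {'PASS' if ok else 'FAIL'}: {reason}")
```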

NIST says the recommendations in the interagency report are for information systems categorized at the FIPS 199 high-impact level. But NIST says agencies and other organizations can choose to apply the recommended practices to specific systems with a lower impact level, based on the tailoring guidance provided in the draft of NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.

Refer here to download the report.

Sunday, November 18, 2012

Beware of 12 SCAMS during Christmas

Study investigated behaviours of Americans but it's still relevant to Australians

A Harris Interactive study, conducted online among over 2,300 U.S. adults, investigates the online habits and behaviors of Americans, including those who indicate that they will engage with the Internet and mobile devices while shopping this holiday season.

While Americans have become accustomed to shopping online, and will do so in droves, they are also using their mobile phones for more of their everyday activities.

As 70% of those surveyed plan to shop online this holiday season, a surprising 1 in 4 (24%) of them plan to use their mobile devices, and while aware of the risks, they are willing to give away their personal information if they can get something they value in return.

In fact, despite the fact that 87% of smartphone or tablet owners surveyed are at least somewhat concerned that their personal information could be stolen while using an app on a smartphone or tablet, nearly nine in ten of them are willing to provide some level of personal information in order to receive an offer that is of value to them.

Among those Americans planning on using smartphones and/or tablets to purchase gifts this holiday season, over half (54%) are specifically planning to use apps for shopping and/or banking during the holiday season; as such, mobile devices have proven irresistible to cybercriminals, and now they are targeting mobile users through malicious applications.

With roughly three in ten (28%) American smartphone and/or tablet owners admitting they do not pay attention at all to app permissions and 36% paying attention but specifying they do not always do so, Cyber-Scrooge criminals are ready to pounce.

‘Tis the season for consumers to spend more time online - shopping for gifts. 88% of those Americans who plan on shopping online during the 2012 holiday season plan on using a personal computer to do so, and 34% will use a tablet (21%) and/or smartphone (19%).

But with nearly half (48%) of Americans planning to shop online on Cyber Monday for sales (45% using a computer, 10% using a mobile device), here are the “12 Scams of Christmas,” the dozen most dangerous online scams to watch out for this holiday season, revealed by McAfee.

1. Social media scams - Cybercriminals know social media networks are a good place to catch you off guard because we’re all “friends,” right? Scammers use channels, like Facebook and Twitter, just like email and websites to scam consumers during the holidays.

Be careful when clicking or liking posts, while taking advantage of raffle contests, and fan page deals that you get from your “friends” that advertise the hottest Holiday gifts, installing apps to receive discounts, and your friends’ accounts being hacked and sending out fake alerts. Twitter ads and special discounts utilize blind, shortened links, many of which could easily be malicious.

2. Malicious mobile apps - As smartphone users we are app crazy, downloading over 25 billion apps for Android devices alone! But as the popularity of applications has grown, so have the chances that you could download a malicious application designed to steal your information or even send out premium-rate text messages without your knowledge.

3. Travel scams - Before you book your flight or hotel to head home to see your loved ones for the holidays, keep in mind that the scammers are looking to hook you with too-good-to-be-true deals. Phony travel webpages, sometimes using your preferred company, with beautiful pictures and rock-bottom prices are used to get you to hand over your financial details.

4. Holiday spam/phishing - Soon many of these spam emails will take on holiday themes. Cheap Rolex watches and pharmaceuticals may be advertised as the “perfect gift” for that special someone.

5. iPhone 5, iPad Mini and other hot holiday gift scams - The kind of excitement and buzz surrounding Apple’s new iPhone 5 or iPad Mini is just what cybercrooks dream of when they plot their scams. They will mention must-have holiday gifts in dangerous links, phony contests (example: “Free iPad”) and phishing emails as a way to grab computer users’ attention to get you to reveal personal information or click on a dangerous link that could download malware onto your machine.

6. Skype message scare - People around the world will use Skype to connect with loved ones this holiday season, but they should be aware of a new Skype message scam that attempts to infect their machine, and even hold their files for ransom.

7. Bogus gift cards - Cybercriminals can't help but want to get in on the action by offering bogus gift cards online. Be wary of buying gift cards from third parties; just imagine how embarrassing it would be to find out that the gift card you gave your mother-in-law was fraudulent!

8. Holiday SMiShing - “SMiShing” is phishing via text message. Just like with email phishing, the scammer tries to lure you into revealing information or performing an action you normally wouldn’t do by pretending to be a legitimate organization.

9. Phony e-tailers - Phony e-commerce sites, that appear real, try to lure you into typing in your credit card number and other personal details, often by promoting great deals. But, after obtaining your money and information, you never receive the merchandise, and your personal information is put at risk.

10. Fake charities - This is one of the biggest scams of every holiday season. As we open up our hearts and wallets, the bad guys hope to get in on the giving by sending spam emails advertising fake charities. 

11. Dangerous e-cards - E-Cards are a popular way to send a quick “thank you” or holiday greeting, but some are malicious and may contain spyware or viruses that download onto your computer once you click on the link to view the greeting.

12. Phony classifieds - Online classified sites may be a great place to look for holiday gifts and part-time jobs, but beware of phony offers that ask for too much personal information or ask you to wire funds via Western Union, since these are most likely scams.

Using multiple devices provides the bad guys with more ways to access your valuable “Digital Assets,” such as personal information and files, especially if the devices are under-protected. One of the best ways for consumers to protect themselves is to learn about the criminals’ tricks, so they can avoid them.

Beyond that they should have the latest updates of the applications on their devices in order to enjoy a safe online buying or other experience. We don’t want consumers to be haunted by the scams of holidays past, present and future – they can’t afford to leave the door open to cyber-grinches during the busy holiday season.

Friday, November 16, 2012

Securing Mobile Devices Using COBIT 5 for Information Security

ISACA published (Members Only) guidelines for Securing Mobile Devices 

Securing Mobile Devices Using COBIT 5 for Information Security should be read in the context of the existing publications COBIT 5 for Information Security, Business Model for Information Security (BMIS) and COBIT 5 itself. This publication is intended for several audiences who use mobile devices directly or indirectly.

These include end users, IT administrators, information security managers, service providers for mobile devices and IT auditors. The main purpose of applying COBIT 5 to mobile device security is to establish a uniform management framework and to give guidance on planning, implementing and maintaining comprehensive security for mobile devices in the context of enterprises.

The secondary purpose is to provide guidance on how to embed security for mobile devices in a corporate governance, risk management and compliance (GRC) strategy, using COBIT 5 as the overarching framework for GRC.

Refer here to download. (Members Only)

Wednesday, November 14, 2012

SCADA Safety In Numbers: Report highlighting SCADA insecurities

40% of SCADA systems connected to the Internet are vulnerable and can be hacked by less savvy cyber-criminals

A new report that attempts to quantify the risks to Industrial Control Systems (ICS) contends that more software flaws are being detected in the sensitive systems since the 2010 discovery of Stuxnet, but the report may be based on some faulty assumptions, according to one ICS expert.

The report, SCADA Safety In Numbers, (.pdf) was produced by Russian vulnerability management vendor Positive Technologies Security. The analysis is based on data collected from an array of vulnerability databases and exploit packs. It found that more than 40% of SCADA systems connected to the Internet are vulnerable and can be hacked by less savvy cyber-criminals.

The study also found that 64 vulnerabilities were discovered and reported in industrial-control system products by the end of 2011. And nearly 100 coding errors were reported already this year. The authors contend that for each of the bugs disclosed over the last two years, they “searched for generally available methods of exploiting the [vulnerabilities] and provided an expert evaluation of the related risks.”

“The fact that this paper attempts to identify and classify vulnerabilities based on risk level is inappropriate,” said Langill, who is also known throughout the industry by his handle SCADAhacker.

Just because a device in an ICS system is potentially vulnerable and accessible via the Internet does not necessarily mean it poses any risk to the end-user, Langill said. An end-user may have followed recommended practices and placed a device in special “zones” that offer “hidden” security controls to protect against compromise, he said.

A claim in the report that 39% of the ICS systems in North America are vulnerable to compromise is suspect and based on faulty analysis, Langill said. In order for an attacker to capitalize on a specific vulnerability, they would also have to be able to overcome all of the existing layers of security that are in place, Langill said, turning a seemingly simple exploit of a vulnerability with a high CVSS score into a very sophisticated attack that would be difficult to execute and realistically classified with a very low "effective" CVSS score.

“It is important not to confuse a ‘component’ vulnerability with a ‘system’ vulnerability," Langill said. "It is possible, and not uncommon, for vulnerable components to be installed within an ICS network that is equipped to provide a barrier against various threats. Therefore, the system compensates for these known and unknown vulnerabilities by creating isolation within the ICS architecture."

Langill said many of the vulnerable components listed in the report are from companies that do not represent any significant market share, potentially skewing the results against the actual number of vulnerable systems. He also noted that most ICS architectures contain far more embedded devices than they do Windows-based hosts, yet nearly all disclosed vulnerabilities in the report are designed to specifically target a Windows environment.

In my humble opinion, despite the weaknesses identified in the Positive Technologies report, there is still value in the research with regard to drawing more attention to the problem of sensitive ICS systems that are exposed by way of the Internet.

Please refer here to download the report.

Monday, November 12, 2012

Incident Response: Gathering the Facts

Not Knowing Numbers Behind Event Makes Risk Assessment Hard

To know how best to respond to IT and communications failures, organizations first must collect information on such incidents. 

The European Network and Information Security Agency (ENISA), in a report focused on mobile and land-based networks, is collecting information about incidents so European member nations can improve their response to such events.

Without the data and an analysis of the information, officials in government and industry can't determine the best way to respond. The report's author states:

"We could go to any country and ask a politician if they know how many incidents there were in the banking sector and what their social impact was. They don't know the answer. And that is difficult to make policy and even to assess the risks of cybersecurity incidents without knowing the numbers behind it."

Among the major findings of the report:

  • Hardware/software failure and third-party failure were the root causes for most outages;
  • Incidents primarily caused by natural phenomena such as storms and floods lasted, on average, for 45 hours;
  • A strong dependency exists on power supply of mobile and fixed communication services, noting that battery capacity of 3G base stations is limited to a few hours, and this means that lasting power cuts cause communication outages.

Please refer here to download the report.

Friday, November 9, 2012

What to Do About DDoS Attacks

Security Tips for the Banks

The distributed-denial-of-service attacks that have hit 10 U.S. banks in recent weeks highlight the need for new approaches to preventing and responding to online outages.

Attackers have broadened their toolkits, and DDoS is not just a blunt instrument anymore. Banking institutions should:

  • Use appropriate technology, including cloud-based Web servers, which can handle overflow when high volumes of Web traffic strike;
  • Assess ongoing DDoS risks, such as through tests that mimic real-world attacks;
  • Implement online outage mitigation and response strategies before attacks hit;
  • Train staff to recognize the signs of a DDoS attack.

In layman's terms, during a DDoS attack, a website is flooded with "junk" traffic - a saturation of requests that overwhelms the site's servers, preventing them from responding to legitimate traffic. In essence, DDoS attacks take websites down because the servers can't handle the traffic.

Most banks have failed to address this vulnerability to high volumes of traffic. Starting in mid-September, DDoS attacks have resulted in online outages at 10 major U.S. banks.

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters has taken credit for the hits, saying the attacks are motivated by outrage related to a YouTube movie trailer deemed offensive to Muslims. But security experts say DDoS attacks are often used as tools of distraction to mask fraud in the background.

To reduce their risk of DDoS takedown, banks need to address three key areas:

  1. Layered user authentication at login, which consumes bandwidth;
  2. Reliance on Internet service providers not equipped to handle extreme bandwidth demands; and
  3. The internal management of Web servers, which limits banks' ability to hand off traffic overflow when volumes are excessive.

Fraud should always be an institution's top concern, meaning addressing DDoS threats should be a priority. DDoS protections have quickly become a new industry best practice. But DDoS attacks pose unique challenges for banks and credit unions.

The additional layers of security institutions already implement, such as enhanced user authentication, transaction verification and device identification, demand more bandwidth. So when a bank is hit by a DDoS attack, bandwidth is strained more than it would be at a non-banking e-commerce site.
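Recognizing the signs of an attack, as the post recommends, starts with the request rate. As an added example (not from the post or from any vendor it mentions), the script below buckets constructed access-log lines into one-second windows, flags windows above a threshold, and notes whether the flood is spread across many sources and how much of it lands on the bandwidth-hungry login path; the thresholds are assumptions a bank would calibrate against its own baseline.

```python
"""Spot flood windows in web server access logs.

Added example, not from the post; the log lines are constructed, and the
thresholds are assumptions a bank would calibrate against its own baseline.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Paths that trigger the bandwidth-hungry authentication layers the post describes
AUTH_PATHS = ("/login", "/auth", "/verify")


def parse_line(line: str):
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "ts": int(when.timestamp()), "path": path, "status": int(status)}


def detect_floods(lines, window_s=1, rate_threshold=30, min_sources=10):
    """Return one alert per time window whose request count reaches rate_threshold.

    Each alert notes how many distinct sources took part (many sources = distributed)
    and what share of requests hit authentication paths, which cost the most bandwidth."""
    windows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            windows[rec["ts"] // window_s].append(rec)
    alerts = []
    for bucket in sorted(windows):
        recs = windows[bucket]
        if len(recs) < rate_threshold:
            continue
        sources = {r["ip"] for r in recs}
        auth_hits = sum(1 for r in recs if r["path"].startswith(AUTH_PATHS))
        alerts.append({
            "window_start": bucket * window_s,
            "requests": len(recs),
            "distinct_sources": len(sources),
            "kind": "distributed" if len(sources) >= min_sources else "single-source",
            "auth_share": round(auth_hits / len(recs), 2),
        })
    return alerts


def constructed_log():
    """Three seconds of constructed traffic: normal, a distributed login flood,
    and a flood from a single address (all addresses are documentation ranges)."""
    def entry(ip, sec, path):
        return f'{ip} - - [10/Nov/2012:10:00:0{sec} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [entry("192.0.2.1", 0, "/"), entry("192.0.2.2", 0, "/accounts"),
             entry("192.0.2.3", 0, "/login"), entry("192.0.2.1", 0, "/statements"),
             entry("192.0.2.2", 0, "/")]
    lines += [entry(f"198.51.100.{i}", 1, "/login") for i in range(1, 41)]
    lines += [entry("203.0.113.9", 2, "/login") for _ in range(35)]
    lines.append("not a log line")   # malformed input must be skipped, not crash
    return lines


if __name__ == "__main__":
    for alert in detect_floods(constructed_log()):
        print(alert)
```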

Thursday, November 8, 2012

How to crack/reset your Windows account?

Have you lost or forgotten your Windows password?

It is a security best practice to enable a password on your Windows user account to ensure you have adequate protection from malicious access to your personal files.

It is common to forget your computer password if you haven't used it for a while or have just returned from holidays. Unfortunately, current Windows operating systems don't have an option to reset your password like we commonly see in web applications such as Facebook, Hotmail etc.

In the majority of cases, I have seen users have to format and reinstall Windows to access their computer again, but unfortunately they lose their personal data if they haven't backed it up.

So what to do? How to crack/reset the password of the Windows operating system?

I recently came across this nice password reset tool, "Password Resetter", which cracks Windows passwords in minutes without affecting your personal data.

As stated on their website, it can recover 99.9% of passwords from nearly any Windows installation in a matter of seconds! You do not need to remember old passwords in order to crack your Windows password.

Password Resetter recovers the lost Windows administrator or user password from any Windows operating system. It supports Windows Vista, XP, NT, 2000 and the newest Windows 7.

How to use Password Resetter?

1) Download a copy of Password Resetter.

2) Burn the image on CD/DVD. The package comes with the detailed tutorial.

3) Once the bootable CD/DVD is ready, boot the system with this CD/DVD. Select the user account and then click on the reset button.

Another cool feature?

It supports USB, which means you can crack/reset your Windows password with USB drives in case you do not have CD/DVD.  

This is not freeware; you will need to purchase this software for around $35 for personal use.

Wednesday, November 7, 2012

BeAware of Facebook Scams

Scammers are targeting Facebook users

There is a new phishing scheme targeting Facebook users. Falsely notifying the user of a blocked account via email, the scam attempts to get victims clicking - leading them straight to a malicious website that will steal their information. 

See below for an example of this current social engineering attempt.

If you get an email like this, simply delete it and never click anything! Optionally, before deleting you can forward the email to the Facebook security team so they can fight against such scams.

Tuesday, November 6, 2012

How To Protect From ATM Traps

Avoid Getting Ripped Off at the ATM

Crooks around the globe are using new (and improving) technology to steal your information right at the ATM - and right under your nose. With a variety of devices - from tiny surveillance cameras to look-alike keypads to card readers - these criminals are able to get at your account number, your PIN and really any other kind of details they'd like (even what you look like or the kind of car you drive).

Because these criminals are no dummies, they often target ATMs off the beaten path, in places rarely checked by the network operator or without much traffic or people around. If you must use an ATM in a desolate location, be aware of anything that looks hinky. That scratched up card reader or loose keypad may just be evidence of a planted skimming device. Abandon the machine and try to find another.

ATM Traps

Quite a few financial institutions have built mobile apps designed to help you locate ATMs. Consider downloading one (from the financial institution itself!) if you need to find ATMs in out-of-the-way locations.

Monday, November 5, 2012

No Minimum Age Limit for Identity Theft

Never Too Young to be Scammed

Young children have become increasingly at risk for identity theft. In fact, ID theft among victims age five and younger has doubled - just since 2011. According to the 2012 Child Identity Theft report from AllClear ID, children are 35 times more likely to be victims of identity theft than adults.

The impact of identity theft on a child's life can be devastating, affecting the ability to get a loan, scholarship, apartment, credit card or job. For specific ways to protect your child's identity, read the Federal Trade Commission (FTC) fact sheet, "Safeguard Your Child's Future."

It contains instructions for checking your child's credit report, placing an initial fraud alert, requesting a credit freeze, and filing a report with the FTC.

Friday, November 2, 2012

NIST Drafts Guidance on Securing Smart Phones & Tablets

3 Key Facets of Mobile Device Security

Securing mobile devices - whether employee or enterprise owned - has become vital for many organizations and government agencies as the devices increasingly take the place of PCs and laptops.

The National Institute of Standards and Technology has issued a draft of guidance that defines the fundamental security components and capabilities needed to help mitigate risks involved in using the latest generation of mobile devices.

Andrew Regenscheid, one of the co-authors of Special Publication 800-164 (Draft): Guidelines on Hardware-Rooted Security in Mobile Devices, says many mobile devices lack a firm foundation from which to build security and trust.

These guidelines are intended to help designers of next-generation mobile phones and tablets improve security through the use of highly trustworthy components, called roots of trust, that perform vital security functions.

On laptop and desktop systems, Regenscheid explains, roots of trust are implemented in a tamper-proof separate security computer chip. But the power and space constraints in mobile devices have led manufacturers to pursue other approaches, such as leveraging security features built into the processors these products use. NIST says the guidelines focus on three security capabilities to address known mobile device security challenges: device integrity, isolation and protected storage.

According to NIST, a tablet or phone supporting device integrity can provide information about its configuration and operating status that can be verified by the organization whose information is being accessed. Isolation capabilities can keep personal and organization data components and processes separate. That way, NIST says, personal applications should not be able to interfere with the organization's secure operations on the device. Protected storage keeps data safe using cryptography and restricting access to information.

To achieve the security capabilities, the guidelines recommend that each mobile device implement three security components that can be employed by the device's operating system and applications:

  • Roots of trust, which combine hardware, firmware and software components to provide critical security functions with a very high degree of assurance that they will behave correctly;
  • An application programming interface that allows operating systems and applications to use the security functions provided by the roots of trust; and
  • A policy enforcement engine to enable the processing, maintenance and policy management of the mobile device.

NIST is seeking comments on the draft guidance.

Those with suggestions should submit them to 800-164comments@nist.gov by Dec. 14.
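The device integrity capability described in this post, as an added example that is not NIST's code: a simulated measured boot extends a measurement register, the root of trust signs the register with a constructed device key (HMAC stands in for a hardware signature), and the organization's verifier replays the event log and checks each component against a known-good list. All component images, digests, nonces and the key are constructed.

```python
"""Simulated device integrity attestation for a mobile device.

Added example, not NIST's code. The measurement register, event log, device key
and component images are constructed to illustrate the device integrity
capability and the root-of-trust component discussed in the draft guidance.
"""
import hashlib
import hmac
import json

# Constructed key standing in for a signing key held by the device's root of trust
DEVICE_KEY = b"constructed-device-attestation-key"
INITIAL_REGISTER = "00" * 32

# Verifier's list of known-good component digests (constructed images)
KNOWN_GOOD = {
    "bootloader": hashlib.sha256(b"bootloader v1.0 (constructed)").hexdigest(),
    "kernel": hashlib.sha256(b"kernel 3.4 (constructed)").hexdigest(),
    "policy_engine": hashlib.sha256(b"policy engine 1.0 (constructed)").hexdigest(),
}


def extend(register: str, digest: str) -> str:
    """PCR-style extend: new = SHA-256(old || digest). Order-dependent and one-way,
    so the final value commits to every component measured and to their order."""
    return hashlib.sha256(bytes.fromhex(register) + bytes.fromhex(digest)).hexdigest()


def measured_boot(components):
    """Device side: measure each component before running it, extend the register,
    and append an event to the log. Returns (register, log)."""
    register, log = INITIAL_REGISTER, []
    for name, image in components:
        digest = hashlib.sha256(image).hexdigest()
        register = extend(register, digest)
        log.append({"component": name, "digest": digest})
    return register, log


def _payload(register: str, nonce: str) -> bytes:
    return json.dumps({"register": register, "nonce": nonce}, sort_keys=True).encode()


def make_quote(register: str, log: list, nonce: str) -> dict:
    """Root of trust signs the register together with the verifier's nonce.
    The log itself is not signed; it is checked by replaying it against the register."""
    mac = hmac.new(DEVICE_KEY, _payload(register, nonce), hashlib.sha256).hexdigest()
    return {"register": register, "nonce": nonce, "log": log, "mac": mac}


def verify_quote(quote: dict, expected_nonce: str) -> dict:
    """Organization side: freshness, signature, log replay, and allow-list checks."""
    result = {"fresh": quote["nonce"] == expected_nonce}
    expected_mac = hmac.new(DEVICE_KEY, _payload(quote["register"], quote["nonce"]),
                            hashlib.sha256).hexdigest()
    result["signature_ok"] = hmac.compare_digest(expected_mac, quote["mac"])
    replay = INITIAL_REGISTER
    for event in quote["log"]:
        replay = extend(replay, event["digest"])
    result["log_matches_register"] = replay == quote["register"]
    result["unknown_components"] = [e["component"] for e in quote["log"]
                                    if KNOWN_GOOD.get(e["component"]) != e["digest"]]
    result["trusted"] = bool(result["fresh"] and result["signature_ok"]
                             and result["log_matches_register"]
                             and not result["unknown_components"])
    return result


def scenarios() -> dict:
    """A clean boot and three failure modes, each verified against the same nonce."""
    nonce = "constructed-nonce-42"
    good = [("bootloader", b"bootloader v1.0 (constructed)"),
            ("kernel", b"kernel 3.4 (constructed)"),
            ("policy_engine", b"policy engine 1.0 (constructed)")]
    reg, log = measured_boot(good)
    out = {"clean": verify_quote(make_quote(reg, log, nonce), nonce)}
    # Modified kernel: the log shows an unknown digest and the register differs
    bad = [good[0], ("kernel", b"kernel 3.4 with rootkit (constructed)"), good[2]]
    reg_bad, log_bad = measured_boot(bad)
    out["tampered_kernel"] = verify_quote(make_quote(reg_bad, log_bad, nonce), nonce)
    # Same tampered boot, but the unsigned log is swapped for the clean one
    out["edited_log"] = verify_quote(make_quote(reg_bad, log, nonce), nonce)
    # A genuine quote from an earlier session replayed against a new nonce
    out["replayed"] = verify_quote(make_quote(reg, log, "stale-nonce"), nonce)
    return out


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(name, "trusted" if verdict["trusted"] else "NOT trusted", verdict)
```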