We use mobile devices every day in our lives and they have become an integral part of our social being.
I am a great fan of technology as well as part of the Information Security community.
I am a heavy user of mobile devices and related services, and I just expect them to work Anytime and Anywhere.
OK, maybe I oversimplified my understanding and expectations.
I think you too use mobile devices, and like me you just want things to work, no matter what hardware, firmware, mobile operating system or applications are involved.
We already talked about the “National Institute of Standards and Technology” or as it is usually known NIST, in our previous posts.
These folks do tremendously good work, and the Laboratory of theirs that I love and admire most is the “Information Technology Laboratory (ITL)”.
I’m quoting here: ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology.
Their latest publication, although in a draft phase, which I was going through, is about “The Mobile Threat Catalogue”.
What this catalogue is trying to do, in a very structured and concise way, is to bring some common understanding and standardization, in the way threats to mobile devices are categorized. This in turn will further enable technology and security professionals to better deal with such threats and ultimately prevent them.
Based on the layering and integration model presented above, they have come up with the categories below, which I’ll try to explain in simple words:
- Application – This is usually related to software used in all layers which performs specific tasks, but can pose a threat if not treated correctly. The most known and popular threats in this category are vulnerabilities or malware. You might have read on the internet of some vulnerabilities being sold for more than one million dollars.
- Authentication – There are a lot of authentication mechanisms involved in order for people to perform even the most ordinary tasks, but they are so transparent to the user, that most of us just don’t notice them. Basically they get some credentials, like passwords or codes, and confirm those against a repository.
- Cellular – All mobile devices need some sort of connectivity, be it 2G/3G/4G, CDMA, WiMAX or any other technology standard used, to communicate with each other and the world.
- Ecosystem – All application providers, ranging from operating system to all types of stores (Play Store, App Store …) that offer specific services interaction.
- EMM – These are systems used by enterprises to control and manage Mobile Devices that access their physical or digital perimeter. Being maintained on a need to do basis, they usually fall behind in applying Security and Technology best practices.
- GPS – Why is GPS on this list? I think that’s a genius move there to introduce GPS at this stage. Most people don’t know and care, but GPS is at the heart of any high precision Location Based application or service (Maps, Navigation, ordering pizza, getting a taxi) that we use in our Mobile Devices.
- LAN & PAN – These are the Local Area Network and Personal Area Network. Like any network offering connectivity, they do pose a threat as they can be used as attack vectors (WiFi, Bluetooth, NFC).
- Payment – We are moving towards a cashless world and our Mobile Devices are our payment medium.
- Physical Access – Very important and one that should never be forgotten. We can protect our Mobile Devices with all sorts of passwords, fingerprints, iris scans, patterns or whatever, but just give some good hacker a little time with physical access and you will be surprised at what they can achieve.
- Stack – This is the technology stack, where the layering is done and everything should work in unison with other components. As with every chain, it is as strong as the weakest link.
- Supply Chain – Last but not least important, the source of every component, be it hardware or software. It is a chain so again the weakest link dictates its fate.
I find this work very helpful for the whole Information Technology professionals community, and much more for the ones that have to Treat/Prevent such threats.
I would certainly recommend to every Information Security professional to go through this catalogue, and try to learn as much as possible in order to standardize and facilitate their daily work.
Hope you enjoyed this post.
Looking forward to seeing you back soon.
Bregu.al – The Blog