August 6, 2018

Improve Mobile Security Now — Or It Could Be Mandated Later

Last year, Lookout was honored to assist the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) in a major report on the mobile security of federal agencies. The Study on Mobile Device Security highlighted major mobile security gaps that weaken the cybersecurity of our federal government.

The trend toward mobility is an essential part of fulfilling the government's mission of service to the American public. However, it is also undeniable that as mobile devices become more powerful and more widespread, they offer a more nuanced vector for cyber attacks. Mobile devices are a target, alongside networks and infrastructure.

A Dangerous Attack Vector

"The stakes for government users are high. Government mobile devices - despite being a minor share of the overall market - represent an avenue to attack back-end systems containing data on millions of Americans in addition to sensitive information relevant to government functions."

DHS, "Study on Mobile Device Security"

The Study on Mobile Device Security contains detailed best practices, plus extensive guidance and additional reference materials on mobility and mobile security from NIST, NCCoE, NSA, Gartner, and other industry groups. Despite this blueprint, progress has been slow over the past year. Reports that White House Chief of Staff John Kelly's phone was hacked are a clear reminder that much more work remains to be done.

Lookout recently published a report in which 60.5 percent of federal agencies reported security incidents involving mobile devices. Every federal agency should be using the DHS study to strengthen its mobile security policies and processes.

Opportunity Window

The time to do so voluntarily, however, may be running out. A quick review of federal security mandates shows how often federal recommendations turn into requirements. NIST creates and promotes information security standards for the federal government.

The NIST Special Publication (SP) 800-53 series provides a catalog of security controls for all U.S. federal information systems except those related to national security. These security requirements form the basis of FISMA regulations, as well as of FedRAMP certification for cloud security. Additionally, subsequent revisions to the NIST baseline controls map to the requirements for the various security levels of FedRAMP certification - low-risk, moderate, and high.

Recent DHS Moves

Looking at the moves DHS made late last year is also instructive. Email is the entry point for 90 percent of successful cyber attacks, and was the starting point of the massive OMB breach in 2015. Late last year, DHS mandated that agencies implement Domain-based Message Authentication, Reporting and Conformance (DMARC) to improve email security. DMARC is an email authentication mechanism designed to prevent email spoofing and to provide reporting data on where a forgery may have originated.

Just this month, DHS took steps to better protect against mobile phishing attacks. Mobile phishing differs from its desktop counterpart in two important ways. First, mobile devices introduce a variety of new points of entry for attackers. Traditionally, attackers have used email as the avenue of attack on the desktop, but on mobile you must also take into account social media apps, messaging apps, personal email accounts, and SMS.

Second, the mobile device user interface and form factor both obscure potential indicators of attack. For example, it is very difficult to preview a link on a mobile device. Where a person would typically hover over a link on a desktop interface to see its destination, mobile devices offer no such preview.

DHS' Science & Technology Directorate announced early this month that it will make use of Lookout Mobile Endpoint Security to counter such threats.

"These advancements in mobile threat defense will protect sensitive data, such as personally identifiable information, on mobile devices and enterprise networks and greatly increase the security of the federal government's mobile systems for mission-critical activities," said S&T Mobile Security Research and Development Program Manager Vincent Sritapan, in a statement.

Take Steps Now

DHS and NIST have outlined what needs to be done to improve mobile security. Lookout stands ready to assist federal agencies, offering our unique insight from the largest mobile threat intelligence data set, gleaned from over 150 million sensors and a growing number of federal agencies.

Mobile threats and vulnerabilities are growing in number and sophistication. There is no reason to wait for a regulatory mandate to act in defense of our nation's cybersecurity.