The National Institute of Standards and Technology (NIST) has released a draft report and guide on the security vulnerabilities associated with endpoint devices. Along with this guide, NIST has opened its draft mobile threats catalogue for public comment until October 7, 2016. The Cybersecurity Framework created by NIST is already considered the standard in the federal government, so this new report will likely prove to be a highly valuable document.
Assessing Threats to Mobile Devices & Infrastructure examines the failures of “typical enterprise protections” in meeting the complex mobile security challenges of today. These challenges now go beyond the devices to include cloud infrastructure and networks to support mobile apps and services. The guide provides an overview of mobile security threats and also discusses the current attack surface for mobile devices, which includes: mobile technology itself, communication mechanisms, supply chain and the mobile ecosystem. This guide helps add context to the Mobile Threat Catalogue, which examines specific mobile security threats and possible ways to mitigate those threats. Right now, this catalogue is very detailed, and has not yet been transformed into an actionable framework.
Although these documents are only available right not in draft format, they are well worth reading. As a package, they demonstrate NIST's commitment to create a comprehensive guide to understand and mitigate the growing risks associated with the endpoint and the cloud, now intertwined. The existing NIST Cybersecurity Framework has offered organizations and agencies an understanding for how to identify and manage cybersecurity risks. Many organization have already implement practices outlined in the Framework based on their individual needs. A similar Framework for endpoint security would be incredibly useful.
The preface to the Mobile Threat Catalogue notes:
"Mobile devices pose a unique set of threats to enterprises. Typical enterprise protections, such as isolated enterprise sandboxes and the ability to remote wipe a device, may fail to fully mitigate the security challenges associated with these complex mobile information systems. With this in mind, a set of security controls and countermeasures that address mobile threats in a holistic manner must be identified, necessitating a broader view of the entire mobile security ecosystem."
At Absolute, we also believe in a holistic approach to data security. With Absolute Data & Device Security (DDS), you gain visibility into the endpoint and a holistic picture of the health of those devices. This is made possible through automated alerts on everything from encryption and anti-malware status to geographic fences. In turns, these alerts allow IT teams to remotely safeguard data at all times.
With Absolute DDS, you have unprecedented insight into the endpoint and the data they contain, including data stored in the cloud. Organizations can proactively enforce security policies or react to risks by locking down or remotely deleting data. With our simple cloud-based interface, it’s easy to understand and assess risk. Learn more at Absolute.com