How a New Model for Mobile Security Could Benefit High-Risk Firms

There’s more computing power in a single smartphone today than was available to mission control during the Apollo 11 moon landing. That’s the kind of firepower that enables tremendous on-the-go productivity. But it’s also a magnet for threat actors looking to eavesdrop on conversations and pivot to corporate networks and cloud data stores. Such sophisticated attacks may not be a threat to all organisations, but that’s of little comfort to those that are in the crosshairs.

Fortunately, the UK’s National Cyber Security Centre (NCSC) has devised a new model which could help network defenders push back against their cyber-adversaries. Many years in the making, Advanced Mobile Solutions (AMS) could help high-risk organisations mitigate the threat of serious data and system compromise.

Why Threats Have Gone Mobile

Mobile threats have been around for a long time. But in recent years, commercial spyware-makers have changed the risk landscape through their research and exploitation of zero-day vulnerabilities – particularly in iOS devices. They sell to the highest bidder, often enabling zero-touch cyber-attacks capable of compromising target devices through no user interaction. Their client base consists of autocratic governments, with targets often including dissidents, journalists and other ‘troublemakers’. But such tools could just as easily be used to compromise C-suite executives and other high-profile targets.

The challenge, as explained by NCSC security architect “Chris P” is that most organisations don’t invest in bespoke, highly secure devices. Instead, staff use off-the-shelf consumer-grade handsets – which are complex and powerful but also likely to contain vulnerabilities.

These could be attacked not only to monitor messages passing through the device, or the location of the individual, but also core enterprise infrastructure like email servers, the NCSC warns. It’s a problem highlighted in the new ISMS.online State of Information Security Report 2024, which finds BYOD a top challenge for UK respondents. Some 30% cited it this year, versus 25% in 2023.

Introducing AMS

This is where the agency’s new model comes in. AMS states that:

⦁ Individual devices may occasionally be compromised and some data will be lost – that’s the price of productivity
⦁ Entire fleets of devices should be protected from compromise
⦁ Any compromise shouldn’t threaten data in bulk, or the security of sensitive systems
⦁ Systemic risk (of staff using less secure systems and workarounds) should be reduced

Assuming that nation state and well-resourced cybercrime groups will have access to zero-day exploits and sophisticated social engineering techniques, AMS sets out to follow three principles:

1) Mobile devices can’t be trusted, and networks should be designed so that devices and data are protected if one or two of those devices are compromised.

2) Core networks and services must be protected with a “robust border” between mobile infrastructure and core network.

3) Plain text, sensitive data should never be aggregated in the mobile infrastructure. This includes data transiting across servers and being stored on servers

A Six-Point Architecture

The risk model is underpinned by six key architectural elements designed to quickly detect compromise and rapidly re-deploy to recover:

Use mobile device management (MDM) to securely manage devices and allowlist any apps. Always use remote browser isolation gateways to access internet-connected apps. MDM deployment configurations may be designed with cross-domain tech to protect fleet-wide compromise.

Use best-of-breed commercial technology to protect data on global networks.

Use high-grade or ephemeral VPN terminators to reduce risk of direct attack from the internet. And monitoring rules to reduce DDoS risk and identify malicious activity.

Protect the remote access zone – the infrastructure between the internet and cross domain gateways protecting core enterprise systems. Ensure just a few services, or pieces of user data, persist across sessions – making it harder for attackers to maintain persistence, and reducing bulk data theft risks. Layers of cryptography at this level also help reduce data disclosure risk.

Protect core networks and systems via cross-domain solutions built on hardware (FPGA)-based cross-domain gateways to inspect all data entering core networks. Public key cryptography-based user identity helps guard against data exfiltration at this layer.

A work in progress

The NCSC understands no two organisations are the same. That’s why it is currently writing risk guidance, so that individual security teams understand the trade-offs they may have to make by deviating from the architecture. According to Chris P, a manged service based on AMS is already available across government, and the agency is looking to expand the model’s “patterns and technology” to other sectors of critical national infrastructure.

Mayur Upadhyaya, CEO at APIContext, welcomes the AMS as a “well-structured roadmap” to help high-risk organisations to enhance mobile access to sensitive data.

“Its core strengths lie in its realistic threat model, layered security architecture, and emphasis on continuous monitoring and rapid response,” he tells ISMS.online. “Security experts will likely appreciate these aspects, particularly the focus on assuming compromise and network segmentation.”

However, some organisations may struggle to implement AMS as-is, he adds.

“The model heavily relies on advanced technologies like high-grade cryptography on consumer devices, which may not be readily available. Additionally, the complex, layered architecture with hardware-based security and sophisticated mobile device management could be resource-intensive for some organisations,” Upadhyaya argues.

“Furthermore, achieving a balance between security and usability is crucial. Stringent controls could hinder user experience and mobile workflow agility. And preventing data aggregation on mobile networks might limit the functionalities of data-driven mobile applications.”

Cybereason global field CISO, Greg Day, adds that Apple’s introduction of sideloading in iOS following EU pressure will likely lead to a surge in mobile threats. That will make risk management even more important for businesses relying on portable devices for productivity, he says.

“While the AMS guidance highlights the importance of MDM, it’s surprising that Mobile Threat Defense (MTD) isn’t also emphasised as a crucial requirement. MDM is effective in establishing basic controls, but it falls short in detecting advanced threats like jailbroken or rooted devices,” Day tells ISMS.online.

“Unlike MDM, which mainly focuses on controlling access to app stores and blacklisting apps, MTD evaluates each app’s risk based on its functionalities. Moreover, MTD can detect network and phishing attacks, offering more advanced URL filtering capabilities.”

Ultimately, there are no quick fixes to the challenge of mobile device security. However, user education and segmentation strategies are a good place to start, he argues.

“Organisations must prioritise visibility and establish risk swim lanes, distinguishing between low, medium, and high-risk data,” Day concludes. “It’s crucial to prevent high-risk data from slipping into lower-risk categories.”