top of page


Public·4 members
Mason Campbell
Mason Campbell

Dod Mobile Code Risk Categories [2021]

Categories of risk associated with mobile code technology based on functionality, level of access to workstation, server, and remote system services and resources, and the resulting threat to information systems. Source(s): CNSSI 4009-2015 from DoDI 8500.01

Dod Mobile Code Risk Categories

Discovering vulnerabilities is important, but being able to estimate the associated risk to the business is just as important. Early in the life cycle, one may identify security concerns in the architecture or design by using threat modeling. Later, one may find security issues using code review or penetration testing. Or problems may not be discovered until the application is in production and is actually compromised.

Combine the severity with the probability to determine the risk assessment code (RAC) or level of risk for each hazard, expressed as a single Arabic number. Although not required, the use of a matrix (such as the one below) is helpful in identifying the RAC. In some cases, the worst credible consequence of a hazard may not correspond to the highest RAC for that hazard. For example, one hazard may have two potential consequences. The severity of the worst consequence (I) may be unlikely (D), resulting in a RAC of 3. The severity of the lesser consequence (II) may be probable (B), resulting in a RAC of 2. Therefore, it is important to consider less severe consequences of a hazard if they are more likely than the worst credible consequence, since this combination may actually present a greater overall risk.

The above discussion focuses on threats to the authentication event itself, but hijacking attacks on the session following an authentication event can have similar security impacts. The session management guidelines in Section 7 are essential to maintain session integrity against attacks, such as XSS. In addition, it is important to sanitize all information to be displayed [OWASP-XSS-prevention] to ensure that it does not contain executable content. These guidelines also recommend that session secrets be made inaccessible to mobile code in order to provide extra protection against exfiltration of session secrets.

In recent years, publicity, speculation, and concern over claims of possible health effects due to RF emissions from hand-held wireless telephones prompted various research programs to investigate whether there is any risk to users of these devices There is no scientific evidence to date that proves that wireless phone usage can lead to cancer or a variety of other health effects, including headaches, dizziness or memory loss. However, studies are ongoing and key government agencies, such as the Food and Drug Administration (FDA) continue to monitor the results of the latest scientific research on these topics. Also, as noted above, the World Health Organization has established an ongoing program to monitor research in this area and make recommendations related to the safety of mobile phones.

The FDA, which has primary jurisdiction for investigating mobile phone safety, has stated that it cannot rule out the possibility of risk, but if such a risk exists, "it is probably small." Further, it has stated that, while there is no proof that cellular telephones can be harmful, concerned individuals can take various precautionary actions, including limiting conversations on hand-held cellular telephones and making greater use of telephones with hands-free kits where there is a greater separation distance between the user and the radiating antenna. The Web site for the FDA's Center for Devices and Radiological Health provides further information on mobile phone safety: FDA Radiation-Emitting Products - Cell Phones.

This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide addresses the challenge of securely deploying and managing mobiledevices in an enterprise. In many organizations, mobile devices are adopted on an ad hoc basis, possibly without the appropriate policies and infrastructure tomanage and secure the enterprise data they process and store. Introducing devices in this fashion increases the attack surface of an enterprise, requiring thatadditional controls be implemented to reduce the risk of intrusion.

The nature of mobile devices creates a set of unique risks in the modern enterprise. Future phases of this guide will include a NIST SP 800-30 based riskassessment, but it is currently out of scope for this effort. However, it is useful to highlight broad categories of threats and vulnerabilities.

We have used NIST SP 800-124 [2]; NIST SP 800-163 [11]; and the United States Computer Emergency Readiness Team (US-CERT) Technical InformationPaper-TIP-10-105-01, Cyber Threats to Mobile Devices [12], as sources for this section, which is not an exhaustive list of threats to mobile devices. Althoughthis practice guide focuses only on the threats and vulnerabilities related to the mobile device, readers should also consider broader threats to services thatprovide mobile device management (MDM) capabilities while assessing risk. Additional consideration should be given to threats posed from cloud services and themobile ecosystem supporting the device. Cloud MDM services that leverage the Federal Risk and Authorization Management Program (FedRAMP), for example, canincrease confidence in the security of these solutions with consistent security authorizations using a baseline set of agreed-upon standards [13].

To further address comments received in the public comment period of 1800-4, Mobile Device Security: Cloud and Hybrid Builds draft publication, the NCCoEMobile Device Security Project team has produced National Institute of Standards and Technology Interagency Report 8144, Assessing Threats to Mobile Devices &Infrastructure. This publication accompanies the Mobile Threat Catalogue, which describes, identifies, and structures the threats posed to mobile informationsystems. We received many comments with a common theme that the example architectures in 1800-4 did not address the entire mobile security ecosystem. Weencourage readers to review National Institute of Standards and Technology Interagency Report 8144 and the Mobile Threat Catalogue to assist in developing riskassessments, building threat models, enumerating the attack surface of their mobile infrastructure, and identifying mitigations for their mobile deployments.

Using the common threats identified previously as a guide, we identified risks that an organization might face when deploying mobile devices. In general, theserisks focus on data leakage and compromise. Because modern mobile devices process many types of information (e.g., personal, enterprise, financial, medical),there are many types of data leakages, each with its own level of severity in a given context. The following are potential reasons for data leakage and/orcompromise:

Using this risk information, NCCoE engineers identified the security characteristics of the solution. Table 3-1 through Table 3-6 map these characteristics tothe Subcategories from the NIST Cybersecurity Framework [19], NIST SP 800-53 Revision 4 [20], International Organization for Standardization (ISO) andInternational Electrotechnical Commission (IEC) 27002 [21], and the Council on CyberSecurityʼs Critical Security Controls for Effective Cyber Defense [22].Note: Before transfer to the Council on Cybersecurity, [22] was informally known as the Sysadmin, Audit, Networking, and Security Consensus Audit Guidelines(CAG) 20.

This section documents the functional and network architectures of both the cloud and hybrid builds. Before continuing, it is useful to describe a notional EMMdeployment. An EMM can consist of multiple services, including MDM, mobile application management (MAM), and other mobile computing services. Enterprises useEMMs to define a set of policies, push those policies to a mobile device, and then enforce these policies on a mobile device via an enforcement mechanism on thedevice (e.g., OS, mobile application). Before policies can be pushed to a given device, an enterprise must enroll that device into the management services. Onceenrolled, policies, such as the requirement to use an eight-digit passcode, are defined and then pushed to the device via a secure communications channel. Theseprocesses and technologies enable users to work inside and outside the enterprise network with a securely configured mobile device with the following functionaland security capabilities:

Multiple standards espouse management policies that should be applied to user devices. Specifically, NIST SP 800-124 Revision 1 and the NIAP protection profilefor MDMs suggest desirable features and functionality for an enterprise MDM policy. Table 4-2 shows the default policy used in this project and pushed todevices within this building block, fulfilling our goals of a reasonable balance between security and user functionality. Suggested policies such as turning offBluetooth and Wi-Fi, while reducing the threat surface to which a mobile device is exposed, remove important functionality desired by users. Some of thesepolicies may be accomplished by the underlying mobile OS (e.g., Android, iOS, Windows Phone) while others require application-level features, and still othersare accomplished via the MDM. Although the following policies were used for the building block, organizations need to perform their own assessments tounderstand the risks associated with their systems. Guidance for performing this assessment and selecting appropriate policies can be found within NIST 800-124r1 [2]. 041b061a72


Accountability, finances, and representation.


bottom of page