Latest NIST Publications Reinforce the Importance of Application Hardening in Securing Data

Now is the time to seriously look at how you are protecting and securing your applications

The U.S. National Institute of Standards and Technology (NIST) has published two data-security focused documents in as many months. 

In June 2018, NIST published guidance on assessing requirements for securing unclassified information (NIST Special Publication 800-171A Assessing Security Requirements for Controlled Unclassified Information). 

In July 2018, SPECIAL PUBLICATION 1800-1 Securing Electronic Health Records on Mobile Devices was published offering a practical guide to meeting the specialized security and privacy obligations that come with the management of health records on mobile devices. 

Not surprisingly – in fact, reassuringly – both include increasingly prescriptive obligations for application developers. In particular, the recommendations and guidelines continue to stress the importance of including anti-tamper and rooted device detection and response controls – core features of application hardening solutions (like PreEmptive’s Dotfuscator and DashO). A few trends are worth noting.

  • Preventing unauthorized execution of code gets special attention in both documents. Identity management, network security, and personnel training all get their proper due – but it is clear that operations alone cannot meet these challenges alone. Scalable security must be built into our systems – by default and by design.
  • Layered security requires a multidisciplinary practice to ensure consistent, effective, and integrated controls. Development participation is essential.
  • Prevention is not enough. Incident detection and response behaviors (like tamper) cannot be ignored by development and left for operations to improvise. Application controls must be fully integrated into the SDLC and DevOps toolchain.

The referenced NIST documents are long – and even longer if you also review all if the supporting documents. For illustration, here are a few excerpts that highlight these trends (italics are my added comments). 

800-171A Assessing Security Requirement

3 .13.13 SECURITY REQUIREMENT Control and monitor the use of mobile code. (downloading unauthorized code or running tampered code)

ASSESSMENT OBJECTIVE Determine if:

      3.13.13[a] use of mobile code is controlled.

      3.13.13[b] use of mobile code is monitored.

3.14.4 SECURITY REQUIREMENT Update malicious code protection mechanisms when new releases are available. (bad actors invest in evading root detection and other detective controls – continuous improvement is required here in much the same fashion as anti-virus software)

ASSESSMENT OBJECTIVE Determine if malicious code protection mechanisms are updated when new releases are available. (included later is the obligation to respond – both in real-time and in logging when detected)

1800 1a Executive Summary: Securing Electronic Health Records on Mobile Devices

Our risk assessments focused on identifying threats that might lead to: (they focus on exploits that lead to operational, financial and legal jeopardy)

  • Loss of confidentiality – unauthorized disclosure of sensitive information
  • Loss of integrity – unintended or unauthorized modification of data or system functionality
  • Loss of availability – impact to system functionality and operational effectiveness

Based on our risk assessment, the major threats to confidentiality, integrity, and availability with respect to EHRs using mobility are:

  • A lost or stolen mobile device
  • Deliberate misuse: a user who:
    • Roots/jailbreaks device (development responsibility that includes detect and respond behaviors that only development can engineer)
    • Walks away from logged-on mobile device
    • Downloads viruses or other malware (first act of malware is often rooting/jailbreaking the device – see above)
    • Uses an insecure Wi-Fi network
  • Inadequate 
    • Privilege management (which permits unauthorized rooting and tampering)
    • Access control and/or enforcement
    • Change management (NIST includes application code changes in this category)
    • Configuration management
    • Data retention, backup, and recovery

Do not be lulled into complacency. Protect and secure your Applications. Even if you don’t do business with the US federal government or don’t need to meet HIPAA requirements or aren’t focused on mobile apps – these obligations are crystallizing across financial, supply chain, and general risk frameworks with each passing day. Every development organization must have a well-documented set of controls and processes to prevent, detect, and respond to runtime attacks and environmental compromises. Are you prepared to demonstrate your viability to business owners, regulators, investors or your customers?

Our implementation of anti-tamper, anti-debug, rooted device, and other real-time checks have been focused on these exact demands. Want to know more? Contact sales (or if you’re a client – support) – or review these blogs/articles

Resources

Other NIST Publications