CIS Releases Secure Benchmark For Apple iPhone

Benchmark introduces consumers and enterprise security specialists to the security configuration features of the iPhone and how they can be used to reduce the probability of data stored on the device from becoming compromised

May 28, 2009

5 Min Read


HERSHEY, Penn. " May 27, 2009 " The Center for Internet Security (CIS) today announced the public release of its consensus security benchmarks for the Apple iPhone and Multi-Function Devices (MFD). The new Apple iPhone benchmark introduces consumers and enterprise security specialists alike to the security configuration features of the iPhone and how they can be used to reduce the probability of data stored on the device from becoming compromised. The new Multi-Function Devices (MFD) benchmark provides configuration and deployment guidance for securing enterprise class print, copy, scan and fax machines. The guidance is device agnostic and focuses on the security-related features common to these platforms. Both benchmarks are available as free downloads at CIS benchmarks are user originated de facto standards for security configuration. The benchmarks are widely accepted and adopted in government, business, industry and academia as the basis for enterprise system and network configuration policies. By using the benchmarks, security professionals save tens of thousands of dollars in developing custom policies and avoid reinventing the wheel. Further, they enable compliance with the configuration requirements of standards such as PCI and ISO, and regulations such as FISMA, GLBA, HIPAA and Sarbanes-Oxley. Securely Configuring Apple iPhone and Multi-Function Devices for the Enterprise With the Apple iPhone now one of the most popular cellular devices, it is becoming increasingly utilized in enterprise environments - and therefore increasingly likely to contain an organization's confidential information. The CIS Security Configuration Benchmark for Apple iPhone provides prescriptive guidance for establishing a secure configuration posture for the iPhone OS version 2.2.1 and leveraging the iPhone Configuration Utility (ICU) version 1.1.043. "The adoption of the iPhone within the enterprise presents security challenges that we believe the CIS benchmark assists in addressing. The benchmark walks you through more than 20 step-by-step recommendations for system settings, Safari settings and iPhone Configuration Utility settings that address critical issues such as reducing the remote attack surface of the phone, securely erasing data and requiring strong passwords," said Blake Frantz, Chief Technology Officer, the Center for Internet Security. Similarly, greater intelligence is being built-in to enterprise and consumer Multi-Function Devices. The CIS Security Benchmark for Multi-Function Devices helps identify and mitigate the security risks that these complex devices introduce to today's network environment. Where previously a printer, copier, scanner or a fax machine may have been simple to configure via several toggle switches, it may now contain a fully functional operating system with significant processing power. As a result, these devices have become a target for security intrusions. This risk is amplified by the fact that many devices are never configured beyond an IP address, rarely updated beyond basic asset management practices, and rarely scanned for vulnerabilities or monitored by an Intrusion Detection System. "Multi-Function Devices are an underestimated exposure within the enterprise. It is easy to forget that Multi-Function Devices have a great deal of capability - from WiFi interfaces and HTTP management services to Java-based extensibility frameworks. As the capabilities of these devices increases, so does the probability of a remotely exploitable flaw being present in them. It is important for security specialists to ensure security processes and policies extend to these devices; to create a security and risk profile for the devices; and to apply patches, establish configuration baselines, and limit and log access to device facilities. Finally, when it's time to upgrade " it is critical to dispose of the device securely," added Frantz. The CIS Benchmark Roadmap for 2009 CIS now maintains 43 benchmarks for operating systems, middleware, devices and software applications and distributes them free of charge from its web site. Ten new benchmarks are on the roadmap for 2009: in addition to the iPhone and MFD benchmarks, some of the most anticipated releases and updates will include Sybase ASE, IBM AIX, DB2, Windows 7, Internet Explorer 8, and VMWare ESX Server. "CIS recognizes the importance of maintaining and updating the existing benchmarks while continuously developing new ones for technologies and platforms in widespread use," Bert Miuccio, CEO, the Center for Internet Security. Moving forward, CIS will expand the benchmark program to:

  • Collaborate with industry, government, and software vendors to develop unified, consensus-based security configuration guidance

    • Reduce the time frame between a vendor's software release and the availability of consensus guidance for its security configuration

    • Expand the development of consensus benchmarks for devices and applications with emphasis on technology used in industrial control systems and mission-critical systems in key market sectors such as healthcare, finance and education Acknowledgements Key contributors to the iPhone Guide were David Kane-Parry of Leviathan Security Group, Shawn Geddis of Apple, Richard Haas of NASA, David Skrdla of the University of Oklahoma, Joe Wulf of ProSync Technologies, Mike de Libero, Eric Hall, and Rebecca Heffel of the University of Washington with participation from corporations, government agencies and technology vendors. Key contributors to the Multi-Function Device Guide were Philip Bassil, Ron Colvin, Glenn Conant, Justin Opatrny, and Stephen John with participation from corporations, government agencies and technology vendors About CIS The Center for Internet Security (CIS) is a non-profit organization that helps enterprises reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls, and provides enterprises with resources for measuring information security status and making rational security investment decisions. CIS develops and distributes consensus-based benchmarks for secure configuration of operating systems, software applications and network devices. The consensus security configuration benchmarks are downloaded more than one million times a year, and are globally accepted as user-originated, de facto standards. CIS is also driving the industry's first consensus metrics for information security. More than 150 leading corporations, government entities, universities and security organizations are CIS members. For more information, visit

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights