Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/27/2009
02:22 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

CIS Releases Secure Benchmark For Apple iPhone

Benchmark introduces consumers and enterprise security specialists to the security configuration features of the iPhone and how they can be used to reduce the probability of data stored on the device from becoming compromised

HERSHEY, Penn. " May 27, 2009 " The Center for Internet Security (CIS) today announced the public release of its consensus security benchmarks for the Apple iPhone and Multi-Function Devices (MFD). The new Apple iPhone benchmark introduces consumers and enterprise security specialists alike to the security configuration features of the iPhone and how they can be used to reduce the probability of data stored on the device from becoming compromised. The new Multi-Function Devices (MFD) benchmark provides configuration and deployment guidance for securing enterprise class print, copy, scan and fax machines. The guidance is device agnostic and focuses on the security-related features common to these platforms. Both benchmarks are available as free downloads at https://community.cisecurity.org/download/. CIS benchmarks are user originated de facto standards for security configuration. The benchmarks are widely accepted and adopted in government, business, industry and academia as the basis for enterprise system and network configuration policies. By using the benchmarks, security professionals save tens of thousands of dollars in developing custom policies and avoid reinventing the wheel. Further, they enable compliance with the configuration requirements of standards such as PCI and ISO, and regulations such as FISMA, GLBA, HIPAA and Sarbanes-Oxley. Securely Configuring Apple iPhone and Multi-Function Devices for the Enterprise With the Apple iPhone now one of the most popular cellular devices, it is becoming increasingly utilized in enterprise environments - and therefore increasingly likely to contain an organization's confidential information. The CIS Security Configuration Benchmark for Apple iPhone provides prescriptive guidance for establishing a secure configuration posture for the iPhone OS version 2.2.1 and leveraging the iPhone Configuration Utility (ICU) version 1.1.043. "The adoption of the iPhone within the enterprise presents security challenges that we believe the CIS benchmark assists in addressing. The benchmark walks you through more than 20 step-by-step recommendations for system settings, Safari settings and iPhone Configuration Utility settings that address critical issues such as reducing the remote attack surface of the phone, securely erasing data and requiring strong passwords," said Blake Frantz, Chief Technology Officer, the Center for Internet Security. Similarly, greater intelligence is being built-in to enterprise and consumer Multi-Function Devices. The CIS Security Benchmark for Multi-Function Devices helps identify and mitigate the security risks that these complex devices introduce to today's network environment. Where previously a printer, copier, scanner or a fax machine may have been simple to configure via several toggle switches, it may now contain a fully functional operating system with significant processing power. As a result, these devices have become a target for security intrusions. This risk is amplified by the fact that many devices are never configured beyond an IP address, rarely updated beyond basic asset management practices, and rarely scanned for vulnerabilities or monitored by an Intrusion Detection System. "Multi-Function Devices are an underestimated exposure within the enterprise. It is easy to forget that Multi-Function Devices have a great deal of capability - from WiFi interfaces and HTTP management services to Java-based extensibility frameworks. As the capabilities of these devices increases, so does the probability of a remotely exploitable flaw being present in them. It is important for security specialists to ensure security processes and policies extend to these devices; to create a security and risk profile for the devices; and to apply patches, establish configuration baselines, and limit and log access to device facilities. Finally, when it's time to upgrade " it is critical to dispose of the device securely," added Frantz. The CIS Benchmark Roadmap for 2009 CIS now maintains 43 benchmarks for operating systems, middleware, devices and software applications and distributes them free of charge from its web site. Ten new benchmarks are on the roadmap for 2009: in addition to the iPhone and MFD benchmarks, some of the most anticipated releases and updates will include Sybase ASE, IBM AIX, DB2, Windows 7, Internet Explorer 8, and VMWare ESX Server. "CIS recognizes the importance of maintaining and updating the existing benchmarks while continuously developing new ones for technologies and platforms in widespread use," Bert Miuccio, CEO, the Center for Internet Security. Moving forward, CIS will expand the benchmark program to:

  • Collaborate with industry, government, and software vendors to develop unified, consensus-based security configuration guidance
  • Reduce the time frame between a vendor's software release and the availability of consensus guidance for its security configuration
  • Expand the development of consensus benchmarks for devices and applications with emphasis on technology used in industrial control systems and mission-critical systems in key market sectors such as healthcare, finance and education Acknowledgements Key contributors to the iPhone Guide were David Kane-Parry of Leviathan Security Group, Shawn Geddis of Apple, Richard Haas of NASA, David Skrdla of the University of Oklahoma, Joe Wulf of ProSync Technologies, Mike de Libero, Eric Hall, and Rebecca Heffel of the University of Washington with participation from corporations, government agencies and technology vendors. Key contributors to the Multi-Function Device Guide were Philip Bassil, Ron Colvin, Glenn Conant, Justin Opatrny, and Stephen John with participation from corporations, government agencies and technology vendors About CIS The Center for Internet Security (CIS) is a non-profit organization that helps enterprises reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls, and provides enterprises with resources for measuring information security status and making rational security investment decisions. CIS develops and distributes consensus-based benchmarks for secure configuration of operating systems, software applications and network devices. The consensus security configuration benchmarks are downloaded more than one million times a year, and are globally accepted as user-originated, de facto standards. CIS is also driving the industry's first consensus metrics for information security. More than 150 leading corporations, government entities, universities and security organizations are CIS members. For more information, visit www.cisecurity.org.

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Why Cyber-Risk Is a C-Suite Issue
    Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
    The Cold Truth about Cyber Insurance
    Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
    Black Hat Q&A: Hacking a '90s Sports Car
    Black Hat Staff, ,  11/7/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-5230
    PUBLISHED: 2019-11-13
    P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than Emily-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than NEO-AL00D NEO-AL00 9.1.0.321(C786E320R1P1T8) have an improper validation vulnerability. The system does not perform...
    CVE-2019-5231
    PUBLISHED: 2019-11-13
    P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.
    CVE-2019-5233
    PUBLISHED: 2019-11-13
    Huawei smartphones with versions earlier than Taurus-AL00B 10.0.0.41(SP2C00E41R3P2) have an improper authentication vulnerability. Successful exploitation may cause the attacker to access specific components.
    CVE-2019-5246
    PUBLISHED: 2019-11-13
    Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0.113(C00E110R1P21), 9.1.0.125(C00E120R1P21), 9.1.0.135(C00E130R1P21), 9.1.0.153(C00E150R1P21), 9.1.0.155(C00E150R1P21), 9.1.0.162(C00E160R2P1) have an insufficient verification vulnerability. The system does not verify certain par...
    CVE-2010-4177
    PUBLISHED: 2019-11-12
    mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.