Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:22 PM
Dark Reading
Dark Reading
Products and Releases

CIS Releases Secure Benchmark For Apple iPhone

Benchmark introduces consumers and enterprise security specialists to the security configuration features of the iPhone and how they can be used to reduce the probability of data stored on the device from becoming compromised

HERSHEY, Penn. " May 27, 2009 " The Center for Internet Security (CIS) today announced the public release of its consensus security benchmarks for the Apple iPhone and Multi-Function Devices (MFD). The new Apple iPhone benchmark introduces consumers and enterprise security specialists alike to the security configuration features of the iPhone and how they can be used to reduce the probability of data stored on the device from becoming compromised. The new Multi-Function Devices (MFD) benchmark provides configuration and deployment guidance for securing enterprise class print, copy, scan and fax machines. The guidance is device agnostic and focuses on the security-related features common to these platforms. Both benchmarks are available as free downloads at https://community.cisecurity.org/download/. CIS benchmarks are user originated de facto standards for security configuration. The benchmarks are widely accepted and adopted in government, business, industry and academia as the basis for enterprise system and network configuration policies. By using the benchmarks, security professionals save tens of thousands of dollars in developing custom policies and avoid reinventing the wheel. Further, they enable compliance with the configuration requirements of standards such as PCI and ISO, and regulations such as FISMA, GLBA, HIPAA and Sarbanes-Oxley. Securely Configuring Apple iPhone and Multi-Function Devices for the Enterprise With the Apple iPhone now one of the most popular cellular devices, it is becoming increasingly utilized in enterprise environments - and therefore increasingly likely to contain an organization's confidential information. The CIS Security Configuration Benchmark for Apple iPhone provides prescriptive guidance for establishing a secure configuration posture for the iPhone OS version 2.2.1 and leveraging the iPhone Configuration Utility (ICU) version 1.1.043. "The adoption of the iPhone within the enterprise presents security challenges that we believe the CIS benchmark assists in addressing. The benchmark walks you through more than 20 step-by-step recommendations for system settings, Safari settings and iPhone Configuration Utility settings that address critical issues such as reducing the remote attack surface of the phone, securely erasing data and requiring strong passwords," said Blake Frantz, Chief Technology Officer, the Center for Internet Security. Similarly, greater intelligence is being built-in to enterprise and consumer Multi-Function Devices. The CIS Security Benchmark for Multi-Function Devices helps identify and mitigate the security risks that these complex devices introduce to today's network environment. Where previously a printer, copier, scanner or a fax machine may have been simple to configure via several toggle switches, it may now contain a fully functional operating system with significant processing power. As a result, these devices have become a target for security intrusions. This risk is amplified by the fact that many devices are never configured beyond an IP address, rarely updated beyond basic asset management practices, and rarely scanned for vulnerabilities or monitored by an Intrusion Detection System. "Multi-Function Devices are an underestimated exposure within the enterprise. It is easy to forget that Multi-Function Devices have a great deal of capability - from WiFi interfaces and HTTP management services to Java-based extensibility frameworks. As the capabilities of these devices increases, so does the probability of a remotely exploitable flaw being present in them. It is important for security specialists to ensure security processes and policies extend to these devices; to create a security and risk profile for the devices; and to apply patches, establish configuration baselines, and limit and log access to device facilities. Finally, when it's time to upgrade " it is critical to dispose of the device securely," added Frantz. The CIS Benchmark Roadmap for 2009 CIS now maintains 43 benchmarks for operating systems, middleware, devices and software applications and distributes them free of charge from its web site. Ten new benchmarks are on the roadmap for 2009: in addition to the iPhone and MFD benchmarks, some of the most anticipated releases and updates will include Sybase ASE, IBM AIX, DB2, Windows 7, Internet Explorer 8, and VMWare ESX Server. "CIS recognizes the importance of maintaining and updating the existing benchmarks while continuously developing new ones for technologies and platforms in widespread use," Bert Miuccio, CEO, the Center for Internet Security. Moving forward, CIS will expand the benchmark program to:

  • Collaborate with industry, government, and software vendors to develop unified, consensus-based security configuration guidance
  • Reduce the time frame between a vendor's software release and the availability of consensus guidance for its security configuration
  • Expand the development of consensus benchmarks for devices and applications with emphasis on technology used in industrial control systems and mission-critical systems in key market sectors such as healthcare, finance and education Acknowledgements Key contributors to the iPhone Guide were David Kane-Parry of Leviathan Security Group, Shawn Geddis of Apple, Richard Haas of NASA, David Skrdla of the University of Oklahoma, Joe Wulf of ProSync Technologies, Mike de Libero, Eric Hall, and Rebecca Heffel of the University of Washington with participation from corporations, government agencies and technology vendors. Key contributors to the Multi-Function Device Guide were Philip Bassil, Ron Colvin, Glenn Conant, Justin Opatrny, and Stephen John with participation from corporations, government agencies and technology vendors About CIS The Center for Internet Security (CIS) is a non-profit organization that helps enterprises reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls, and provides enterprises with resources for measuring information security status and making rational security investment decisions. CIS develops and distributes consensus-based benchmarks for secure configuration of operating systems, software applications and network devices. The consensus security configuration benchmarks are downloaded more than one million times a year, and are globally accepted as user-originated, de facto standards. CIS is also driving the industry's first consensus metrics for information security. More than 150 leading corporations, government entities, universities and security organizations are CIS members. For more information, visit www.cisecurity.org.

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 6/5/2020
    How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
    Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
    Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: What? IT said I needed virus protection!
    Current Issue
    How Cybersecurity Incident Response Programs Work (and Why Some Don't)
    This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-06-05
    The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
    PUBLISHED: 2020-06-05
    The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
    PUBLISHED: 2020-06-05
    In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4.
    PUBLISHED: 2020-06-05
    In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
    PUBLISHED: 2020-06-05
    In the cheetah free wifi 5.1 driver file liebaonat.sys, local users are allowed to cause a denial of service (BSOD) or other unknown impact due to failure to verify the value of a specific IOCTL.