PRESS RELEASE

HERSHEY, Penn. " May 27, 2009 " The Center for Internet Security (CIS) today announced the public release of its consensus security benchmarks for the Apple iPhone and Multi-Function Devices (MFD). The new Apple iPhone benchmark introduces consumers and enterprise security specialists alike to the security configuration features of the iPhone and how they can be used to reduce the probability of data stored on the device from becoming compromised. The new Multi-Function Devices (MFD) benchmark provides configuration and deployment guidance for securing enterprise class print, copy, scan and fax machines. The guidance is device agnostic and focuses on the security-related features common to these platforms. Both benchmarks are available as free downloads at https://community.cisecurity.org/download/. CIS benchmarks are user originated de facto standards for security configuration. The benchmarks are widely accepted and adopted in government, business, industry and academia as the basis for enterprise system and network configuration policies. By using the benchmarks, security professionals save tens of thousands of dollars in developing custom policies and avoid reinventing the wheel. Further, they enable compliance with the configuration requirements of standards such as PCI and ISO, and regulations such as FISMA, GLBA, HIPAA and Sarbanes-Oxley. Securely Configuring Apple iPhone and Multi-Function Devices for the Enterprise With the Apple iPhone now one of the most popular cellular devices, it is becoming increasingly utilized in enterprise environments - and therefore increasingly likely to contain an organization's confidential information. The CIS Security Configuration Benchmark for Apple iPhone provides prescriptive guidance for establishing a secure configuration posture for the iPhone OS version 2.2.1 and leveraging the iPhone Configuration Utility (ICU) version 1.1.043. "The adoption of the iPhone within the enterprise presents security challenges that we believe the CIS benchmark assists in addressing. The benchmark walks you through more than 20 step-by-step recommendations for system settings, Safari settings and iPhone Configuration Utility settings that address critical issues such as reducing the remote attack surface of the phone, securely erasing data and requiring strong passwords," said Blake Frantz, Chief Technology Officer, the Center for Internet Security. Similarly, greater intelligence is being built-in to enterprise and consumer Multi-Function Devices. The CIS Security Benchmark for Multi-Function Devices helps identify and mitigate the security risks that these complex devices introduce to today's network environment. Where previously a printer, copier, scanner or a fax machine may have been simple to configure via several toggle switches, it may now contain a fully functional operating system with significant processing power. As a result, these devices have become a target for security intrusions. This risk is amplified by the fact that many devices are never configured beyond an IP address, rarely updated beyond basic asset management practices, and rarely scanned for vulnerabilities or monitored by an Intrusion Detection System. "Multi-Function Devices are an underestimated exposure within the enterprise. It is easy to forget that Multi-Function Devices have a great deal of capability - from WiFi interfaces and HTTP management services to Java-based extensibility frameworks. As the capabilities of these devices increases, so does the probability of a remotely exploitable flaw being present in them. It is important for security specialists to ensure security processes and policies extend to these devices; to create a security and risk profile for the devices; and to apply patches, establish configuration baselines, and limit and log access to device facilities. Finally, when it's time to upgrade " it is critical to dispose of the device securely," added Frantz. The CIS Benchmark Roadmap for 2009 CIS now maintains 43 benchmarks for operating systems, middleware, devices and software applications and distributes them free of charge from its web site. Ten new benchmarks are on the roadmap for 2009: in addition to the iPhone and MFD benchmarks, some of the most anticipated releases and updates will include Sybase ASE, IBM AIX, DB2, Windows 7, Internet Explorer 8, and VMWare ESX Server. "CIS recognizes the importance of maintaining and updating the existing benchmarks while continuously developing new ones for technologies and platforms in widespread use," Bert Miuccio, CEO, the Center for Internet Security. Moving forward, CIS will expand the benchmark program to: