Setting the Standard for Mobile Security

The Center for Internet Security (CIS) recently released an updated set of cybersecurity guidance for smartphones and tablets and how they should be used in the enterprise. This isn’t the first time CIS has ventured into the mobile arena, but this new version harmonizes their mobile security guidance with the latest version of the CIS Controls. If you don’t know, the CIS Controls (previously known as the Top 20 Critical Security Controls) is one of the biggest cybersecurity frameworks out there, and organizations across the world use the Controls as their primary method of cybersecurity governance. So if you’re sick of reading random blogs on “3 Things You Must Do to Secure BYOD”, this is the place to start. It’s a logical approach to mobile security that leverages a commonly accepted cybersecurity framework. And that’s good, because the mobile ecosystem is way more complicated than most people think.

The overarching goal of the document is to examine each of the 20 CIS Controls through the eyes of mobile security. Examples are CIS Control 1 (find the things in your network) or CIS Control 5 (correctly configure your things). For each of the 20 Controls the following question is asked: What does this mean for smartphones and tablets? It’s basically a cybeЯRemix of the CIS Controls for mobile. Sometimes there are broad implications, for instance with finding all the smartphones on a network and keeping an up-to-date list. This is really difficult since smartphones and tablets don’t always properly respond to traditional network-based scanning tools (e.g., nmap) and it’s not uncommon to find MAC address randomization in use. In the case of mobile asset management tracking, a different approach is needed: for instance, putting an application onto each phone and having the phones announce their presence. Of course, this only works with people not trying to sneak a device onto your network.
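As an added illustration (not code from the CIS guide or from this post), the sketch below reconciles what the network sees against what devices announce. It assumes a hypothetical inventory server that logs the source IP of each agent check-in and has access to DHCP leases; every name, address and record in it is constructed.

```python
import re

# Constructed sample data. IPs are from the 192.0.2.0/24 documentation range.
# DHCP leases as the network sees them: (ip, mac, hostname)
LEASES = [
    ("192.0.2.11", "00:11:22:10:9A:01", "alice-phone"),
    ("192.0.2.12", "DA-A1-19-4E-77-02", ""),
    ("192.0.2.13", "f6:5b:0c:21:aa:03", ""),
    ("192.0.2.14", "a4:00:00:55:10:04", "tablet-7"),
]
# Agent check-ins as the (hypothetical) inventory server logs them.
CHECKINS = [
    {"device_id": "dev-001", "source_ip": "192.0.2.11"},
    {"device_id": "dev-002", "source_ip": "192.0.2.12"},
]

def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated hex, whatever the separator."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def is_randomized(mac):
    """Heuristic: unicast address with the locally administered bit (0x02) set.
    Randomized addresses set this bit; so do some virtual interfaces."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02) and not first_octet & 0x01

def reconcile(leases, checkins):
    """Join leases to check-ins on IP, so the MAC is never used as the key."""
    by_ip = {c["source_ip"]: c["device_id"] for c in checkins}
    return [{"ip": ip, "mac": normalize_mac(mac), "hostname": host,
             "randomized": is_randomized(mac), "device_id": by_ip.get(ip)}
            for ip, mac, host in leases]

def unmanaged(report):
    """Devices on the network that never announced themselves."""
    return [row for row in report if row["device_id"] is None]

if __name__ == "__main__":
    for row in reconcile(LEASES, CHECKINS):
        status = row["device_id"] or "NO CHECK-IN"
        note = " (randomized MAC, unstable identifier)" if row["randomized"] else ""
        print(f'{row["ip"]:<12} {row["mac"]} {status}{note}')
```

The IP join is only valid while the check-in and the lease overlap in time, so a real inventory would compare timestamps as well.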

We’ve all heard about BYOD way too much. It’s a trend that’s no longer really trending. But how a company decides to purchase and oversee smartphones in its organization has a large impact on security. One of the first important decisions an organization makes for mobile security is which mobile deployment model to use (sometimes called a mobile deployment scenario). These models help decide the security model smartphones use to access corporate email. Here are the models considered by the document:

But there’s more — enterprise mobility management (EMM), sometimes referred to as mobile device management (MDM), is one of the primary tools used to help secure and configure mobile devices. These systems are the almighty IT servers in the sky benevolently sending enterprise policies, configurations, and settings to a phone. EMMs essentially offer an alternative to Windows Group Policy. The user gets the option of accepting these settings and giving their employer admin access to their phone. End-user privacy is most definitely a concern — especially when talking BYOD — and the Mobile Controls Companion Guide notes these places accordingly. Admins are encouraged to avoid obtaining more privileges than needed on personal devices. (This is one of the most common things I see in the real world!)

Fun fact: You can’t have a malicious MDM profile installed on your device if you already installed one onto your own phone. Thank you for coming to my TED Talk.
