Apple iOS devices are typically more secure than Google Android devices, but that doesn't mean they are without...
Mobile devices can present significant security risks, especially as users store sensitive company data and perform work-related tasks on their personal devices.
Fortunately, resources such as the Center for Internet Security (CIS) benchmarks -- best practices that prevent unauthorized access to IT systems and malicious attacks -- can help mitigate security risks for both corporate-owned and personal devices. IT can use these benchmarks as a checklist to secure and roll out basic security configurations for iOS devices.
All about CIS
The CIS community, which is made up of IT security professionals, continually updates and remediates its standards to ensure that its security measures stay relevant. CIS scores its benchmarks from 0% to 100% to indicate how well an organization complies with each restriction. Failure to comply with a scored recommendation lowers the overall score; compliance raises it. CIS doesn't score certain recommendations, which means that compliance or noncompliance with them will not affect the organization's score.
CIS categorizes its benchmarks into two levels. IT admins can quickly implement a Level 1 profile recommendation with little to no effect on the operation of their organizations. CIS designs Level 2 profile recommendations, on the other hand, for environments in which security is a high priority. These recommendations are more difficult to implement and can negatively affect an organization if implemented incorrectly.
CIS benchmarks include particular settings for device functionality, applications, passcodes, notifications, domains, virtual private networks and email. Each recommendation typically includes profile applicability, which states whether the benchmark applies to corporate-owned, personally enabled (COPE) or bring-your-own-device (BYOD) devices; a description of the benchmark; a rationale that delves into the security consequences; an audit that describes which steps admins should take to verify the setting; and a remediation that includes any OS updates and patches.
CIS benchmarks for iOS security
CIS recommends that end users disable Siri when their devices are locked. The rationale is that an unauthorized user can use Siri to access information beyond the lock screen, such as contacts and messaging. The audit includes a set of directions to change this setting via the device settings or a configuration profile.
CIS also recommends that IT use encrypted backups and enable automatic updates and the Find My iPhone functionality. IT should disable the ability to display Control Center and Notification Center on a locked screen, as well as the ability to take screenshots and use screen recording.
CIS also recommends enforcing the following iOS settings:
- Set the cookies setting from "Websites I visit" to "From current website only."
- Set the auto-lock feature to two minutes or less.
- Set the grace period for devices to lock to immediately.
- Set the maximum number of failed attempts to enter the passcode to six.
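Many of these recommendations are delivered to devices as a configuration profile, and the same checklist can be turned into an audit of the profile itself. The following Python script is an added example, not code from the article or from CIS: it reads an unsigned .mobileconfig plist, checks the lock-screen, backup and passcode items above against Apple's Restrictions and Passcode payload keys, and reports a 0-100% score in the spirit of CIS scoring. The key-to-recommendation mapping is this example's own assumption and should be verified against Apple's current profile reference; the sample profile is constructed inline.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"          # Apple Restrictions payload
PASSCODE = "com.apple.mobiledevice.passwordpolicy"    # Apple Passcode payload

# (payload type, key, predicate on the configured value, CIS item). Thresholds
# follow the article's checklist; an absent key fails, since the device then
# keeps its permissive default. Key mapping is an assumption to verify.
CHECKS = [
    (RESTRICTIONS, "allowAssistantWhileLocked", lambda v: v is False, "Siri disabled while locked"),
    (RESTRICTIONS, "allowLockScreenControlCenter", lambda v: v is False, "Control Center hidden when locked"),
    (RESTRICTIONS, "allowLockScreenNotificationsView", lambda v: v is False, "Notification Center hidden when locked"),
    (RESTRICTIONS, "allowScreenShot", lambda v: v is False, "Screenshots and screen recording disabled"),
    (RESTRICTIONS, "forceEncryptedBackup", lambda v: v is True, "Encrypted backups enforced"),
    (PASSCODE, "maxInactivity", lambda v: isinstance(v, int) and 1 <= v <= 2, "Auto-lock at two minutes or less"),
    (PASSCODE, "maxGracePeriod", lambda v: v == 0, "Lock grace period set to immediately"),
    (PASSCODE, "maxFailedAttempts", lambda v: isinstance(v, int) and 1 <= v <= 6, "At most six failed passcode attempts"),
]

def audit_profile(mobileconfig: bytes):
    """Return (score 0-100, [(item, passed), ...]) for an unsigned .mobileconfig plist."""
    profile = plistlib.loads(mobileconfig)
    settings = {}  # payload type -> merged keys; a profile may carry several payloads
    for payload in profile.get("PayloadContent", []):
        settings.setdefault(payload.get("PayloadType"), {}).update(payload)
    results = []
    for ptype, key, ok, item in CHECKS:
        value = settings.get(ptype, {}).get(key)
        results.append((item, value is not None and bool(ok(value))))
    passed = sum(1 for _, p in results if p)
    return round(100 * passed / len(results)), results

# Constructed sample profile: lock-screen restrictions are set, but encrypted
# backups are not forced and the passcode policy still allows ten attempts.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadContent": [
        {"PayloadType": RESTRICTIONS, "PayloadVersion": 1,
         "allowAssistantWhileLocked": False, "allowLockScreenControlCenter": False,
         "allowLockScreenNotificationsView": False, "allowScreenShot": False},
        {"PayloadType": PASSCODE, "PayloadVersion": 1, "forcePIN": True,
         "maxInactivity": 2, "maxGracePeriod": 0, "maxFailedAttempts": 10},
    ],
})

if __name__ == "__main__":
    score, findings = audit_profile(SAMPLE_PROFILE)
    for item, passed in findings:
        print(("PASS" if passed else "FAIL"), item)
    print(f"CIS checklist score: {score}%")
```

Run it against a profile exported from your MDM to see which checklist items a deployed profile leaves at the device default.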