ETSI TR 103 305-3 V1.1.1 (2016-08)

ETSI TR 103 305-3 V1.1.1 (2016-08)






TECHNICAL REPORT
CYBER;
Critical Security Controls for Effective Cyber Defence;
Part 3: Service Sector Implementations

---------------------- Page: 1 ----------------------
2 ETSI TR 103 305-3 V1.1.1 (2016-08)



Reference
DTR/CYBER-0012-3
Keywords
Cyber Security, Cyber-defence, information
assurance

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016.
All rights reserved.

TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
TM
3GPP and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI TR 103 305-3 V1.1.1 (2016-08)
Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 4
Executive summary . 4
Introduction . 4
1 Scope . 5
2 References . 5
2.1 Normative references . 5
2.2 Informative references . 5
3 Definitions and abbreviations . 5
3.1 Definitions . 5
3.2 Abbreviations . 6
4 Critical Security Controls: Mobile Device Security . 7
4.0 Introduction . 7
4.1 CSC Mobile Device Security Description . 7
5 Critical Security Controls: Internet of Things Security . 16
5.0 Introduction . 16
5.1 CSC IoT Security Description . 16
History . 26


ETSI

---------------------- Page: 3 ----------------------
4 ETSI TR 103 305-3 V1.1.1 (2016-08)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).
The present document is part 3 of a multi-part deliverable. Full details of the entire series can be found in part 1 [i.3].
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Executive summary
The present document is an evolving repository for guidelines on service sector Critical Security Control
implementations. Because of their rapidly scaling importance and need for defensive measures, the mobile device and
Internet of Things (IoT) sectors are treated.
Introduction
The individual service sector guideline clauses below provide subject matter introductions.
ETSI

---------------------- Page: 4 ----------------------
5 ETSI TR 103 305-3 V1.1.1 (2016-08)
1 Scope
The present document is an evolving repository for guidelines on service sector Critical Security Control
implementations. Because of their rapidly scaling importance and need for defensive measures, the mobile device and
Internet of Things (IoT) sectors are treated. The CSC are a specific set of technical measures available to detect,
prevent, respond, and mitigate damage from the most common to the most advanced of cyber attacks.
The present document is also technically equivalent and compatible with the 6.0 version of the "CIS Controls Mobile
and IoT Companion Guides" October 2015, which can be found at the website https://www.cisecurity.org/critical-
controls/ [i.1].
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] The Center for Internet Cybersecurity: "CIS Controls Mobile and IoT Companion Guides"
October 15, 2015.
NOTE: Available at https://www.cisecurity.org/critical-controls.cfm.
[i.2] NIST SP 800-101: "Guidelines on Mobile Device Forensics".
[i.3] ETSI TR 103 305-1: "CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The
Critical Security Controls".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
Critical Security Control (CSC): specified capabilities that reflect the combined knowledge of actual attacks and
effective defences of experts that are maintained by the Council on Cybersecurity and found at the website
https://www.cisecurity.org/critical-controls/
ETSI

---------------------- Page: 5 ----------------------
6 ETSI TR 103 305-3 V1.1.1 (2016-08)
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
6LoWPAN IPv6 over Low power Wireless Personal Area Networks
API Application Programming Interface
ARM Advanced RISC Machine
AV Anti-Virus
BYOD Bring Your Own Device
CIS Center for Internet Security
COOP Continuity of Operations
CSC Critical Security Control or Capability
DDOS Distributed Denial of Service
DiS Data-in-Storage
DoS Denial of Service
EEPROM Electrically Erasable Programmable Read-Only Memory
GSM Global System for Mobile Communications
HART Highway Addressable Remote Transducer
ICS Industrial Control Systems
IDS Intrusion Detection Systems
IoT Internet of Things
IP Internet Protocol
IPS Intrusion prevention system
IPsec Internet Protocol security
IPv6 Internet Protocol version 6
IT Information Technology
LDAP Lightweight Directory Access Protocol
LE Low Energy
MDM Mobile Device Management
MSSP Managed Security Service Provider
NFC Near Field Communication
NIST National Institute of Standards and Technology
OS Operating System
OWASP Open Web Application Security Project
PC Personal Computer
PIN Personal Identification Number
RF Radio Frequency
RSU Road Side Unit
RTOS Real-time Operating System
SCADA Supervisory Control and Data Acquisition
SIEM Security Information Event Management
SP Special Publication
SPAM unsolicited or undesired electronic message(s)
SSH Secure Shell
SSL Secure Sockets Layer
TCP Transmission Control Protocol
TCP/IP Secure Sockets Layer
TLS Transport Layer Security
TV Television
URL Uniform Resource Locator
USB Universal Serial Bus
VLAN Virtual Local Area Network
VPN Virtual Private Network
ETSI

---------------------- Page: 6 ----------------------
7 ETSI TR 103 305-3 V1.1.1 (2016-08)
4 Critical Security Controls: Mobile Device Security
4.0 Introduction
Mobile devices are starting to replace laptops for regular business use. Organizations are building or porting their
applications to mobile platforms, so users are increasingly accessing the same data with mobile as with their laptops.
Also, organizations have increasingly implemented Bring Your Own Device (BYOD) policies to manage this trend.
However, many organizations have been struggling with the increase of personal mobile devices, and do not fully
understand the security risks they may bring. There are concerns that their compact size makes them easy to lose, that
they run newer operating systems that do not have decades of use and examination to uncover their weaknesses, and
that there are millions of potentially malicious mobile applications that access data, spy on users, steal credentials, act as
ransomware, or even become part of a Distributed Denial of Service (DDOS) botnet.
Like with traditional PC platforms, mobile still has to worry about protecting data from unauthorized access at rest and
in transit; traditional network level man-in-the-middle attacks on public Wi-Fi; and similar web application threats
(since mobile apps frequently access the same server endpoints as web applications). Employees today may use their
mobile devices to perform the same business functions and access the same data as their PCs or laptops; but what is
different is they are not physically connected to the corporate network, and likely, not even logged into the corporate
domain. There are times when organizations use mobile VPNs to access the corporate network, but more and more
frequently, mobile users access cloud services. It is not uncommon for corporate mobile users to access numerous
cloud-based applications that reside outside their enterprise. Each of these has its own credentials, again rarely linked to
enterprise. Getting visibility on the configuration, threats and behaviour of these mobile devices is a challenge, since
there are no "eyes" on the device like those attached to the network.
But this environment does not preclude tracking the threats and risks. The Critical Security Controls for Effective Cyber
Defense Version 6.0 (Controls) is that they are universal and high level enough to apply to any technology
implementation. Everyone needs to start with: "What is the mobile device?", "What is the configuration?" and "What
risks needs to be addressed?" Basically 1 - 3 of the Controls. Protection requires knowledge of what is being protected.
The real challenge to mobile security is the multitude of different mobile devices. With desktops, there are largely
commodity hardware running less than half a dozen different operating systems, and through conscientious
configuration management, usually a single or only a few different OS versions. Mobile devices have four different
popular software platforms, with dozens of different hardware vendors, and dozens of different carriers that affect the
platforms. The most prevalent platform presently has 11 OS version families, with sub-versions under them, which on
most devices are non-upgradable or forward compatible, and exist on dozen of hardware platforms and carriers. So the
permutations become enormous, and understanding the risks of each of these is overwhelming. This is why, for
enterprises that have strict security requirements, it is best to issue standard devices.
Within the Controls, application security (CSC 6), wireless device control (CSC 7), and data loss prevention (CSC 17)
all are relevant to mobile. Restricted use of administrative rights (CSC 12) is also something that could be implemented,
some MDM and mobile security platforms, have the ability to restrict administrative privileges to end users, which will
prevent removal of security protections or monitoring. Malware defenses (CSC 5) are very different than traditional PC
platforms. Secure configurations can also be applied (CSC 10), insecure features and functionality can be limited
(CSC 11), and cloud based boundary defense can be provided (CSC 13). All of these areas are described in more detail
in the table below. Using the Controls can be the framework to develop a security method and process to manage an
organization's mobile security risks.
4.1 CSC Mobile Device Security Description
Simple security steps should always be followed to reduce the likelihood from most Mobile threats: not Rooting or
rd
Jailbreaking a device; only obtain apps from the device vendor or the organization's app stores, not 3 party stores;
being wary of any app wanting to install a Profile on a mobile device, as well as if there is an "Untrusted App
Developer" popup for the app; and not leaving a device unlocked for long periods of time. For each Control, table 1
details the control's applicability to mobile and specific challenges, and considerations for implementation of that
control.
ETSI

---------------------- Page: 7 ----------------------
8 ETSI TR 103 305-3 V1.1.1 (2016-08)
Table 1: Critical Security Controls (Version 6): Mobile Device Security
Critical Security Controls (Version 6): Mobile Device Security
CSC # Control Name Applicability to Mobile Mobile Device Security Challenges and
Considerations
1 Inventory of Authorized and One needs to have knowledge of An organization cannot get an inventory of
Unauthorized Devices all devices used to access data mobile devices by running a scan to
and resources in the organization. discover what mobile devices are
Mobile devices are not perpetually connected; companies can use email
attached to the corporate network accounts, or active synchronization
like other IT systems, so new software to determine what mobile devices
methods need to be used to are used to access email (which is most
maintain the inventory. popular application for mobile devices).
Also, Mobile Device Management (MDM)
can support this by installing agents on the
mobile devices to push down configuration
and security profiles, monitor devices for
configuration changes, and provide access
controls based on policy.
2 Inventory of Authorized and There are millions of mobile apps MDM tools can inventory apps, and set
Unauthorized Software across dozens of different policies and whitelisting to promote use of
platforms. Mobile apps can bring secure versions of apps.
risks and threats to data and However there are privacy considerations
credentials. Being able to know in Bring Your Own Device (BYOD)
what is installed, and control scenarios, as the organization may not
access to malicious apps, and need to know what apps an individual has
insecure versions of apps is installed on their personal device for
important to protect the personal use.
organization.
3 Secure Configurations for Like with PCs, secure MDMs can restrict access to cameras,
Hardware and Software on configurations and monitoring of white-list Wi-Fi networks, apply password
Mobile Devices, Laptops, these configurations are critical to policy enforcement, and inventory what
Workstations, and Servers maintain trust with these devices. apps are installed.
Be aware, this last feature can be a privacy
issue in a BYOD scenario. An organization
may not want the liability of knowing or
having access to employee's personal
email, apps that track health information,
financial data, personal contacts and
calendars, apps used in their personal
lifestyle, or their location.
MDM tools can scale to hundreds of
thousands of devices, and provide the
necessary monitoring to be alerted when
devices are out of compliance; for instance,
if someone installs an unauthorized
application, turns off encryption, or
jailbreaks or roots their device.
ETSI

---------------------- Page: 8 ----------------------
9 ETSI TR 103 305-3 V1.1.1 (2016-08)
Critical Security Controls (Version 6): Mobile Device Security
CSC # Control Name Applicability to Mobile Mobile Device Security Challenges and
Considerations
4 Continuous Vulnerability Mobile vulnerabilities are usually One cannot just run vulnerability scans on
Assessment and Remediation linked to versions of the Operating a network to scrutinize the mobile devices.
system, or malicious apps. Therefore, mobile vulnerability
Because mobile devices are not assessments should incorporate threat
always attached to the network, modelling, and understanding the devices,
vulnerabilities cannot be identified data, users, and their behaviours. MDMs
and managed like as done on can play a key role in gathering the
PCs, servers, or other information for the "what" and "who" for
permanently connected mobile management.
networked devices.
Also, there are number of mobile security
Mobile vulnerabilities also can point solutions that address strong
apply to many layers; hardware, authentication, data and application
OS (version), OS (configuration), security, security of data at rest and in
individual application (of which transit, and protection from network based
there are potentially millions), threats when connected to Wi-Fi, such as
network connection (cellular, man-in-the-middle attacks.
Bluetooth, WiFi, NFC), app stores, Organizations can choose to outsource
physical location (i.e., countries management of their MDM platform and
where the government monitors mobile support, similar to using Managed
mobile devices) and finally, Security Service Providers (MSSPs) to
whether the device is corporate- monitor and manage network security
owned or personal (privacy devices.
requirements).
5 Controlled Use of Many intrusions use valid Mobile devices are part of the network
Administrative Privileges credentials obtained either based on their credentials, not based on
through social engineering, or their connection. It might not be possible to
captured by other means. One control admin rights on mobile devices,
important risk in mobile is especially in a BYOD situation; but access
protecting credentials stored on based on least privilege may apply.
the device, because a user's It is dangerous to allow users to Root or
email account could also be a JailBreak mobile devices, because it opens
system or Domain Admin account. up risks to vulnerabilities running at that
lowest level.
Also, Admin control is different in
mobile devices. Malicious apps
are taking advantage of
unfamiliarity with the mobile
admin levels, and there are
malicious apps that obtain admin
rights so they can hide
themselves from the user.
ETSI

---------------------- Page: 9 ----------------------
10 ETSI TR 103 305-3 V1.1.1 (2016-08)
Critical Security Controls (Version 6): Mobile Device Security
CSC # Control Name Applicability to Mobile Mobile Device Security Challenges and
Considerations
6 Maintenance, Monitoring & Monitoring is irrelevant if there is MDM and mobile security tools can provide
Analysis of Audit Logs not a process to identify events visibility by having agents on phones that
and respond to them. And this send events and alerts to a central server.
response should be matched with These can be integrated with traditional
the potential impact of the event. Security Operations platforms.
This is the human aspect: Different types of mobile monitoring
determining what events or alerts sources can provide different data. MDMs
can potentially damage the use the more traditional network operations
organization, and execute type of approach: Is the device live? What
response in a timely fashion
is the make model and version? Is it up to
based on that. date? What applications are installed? Has
the device been rooted or jailbroken? How
much traffic is it sending and receiving?
The security tools have more granular
logging, such as installation of known bad
or suspicious applications, application-level
changes to data, network routing changes,
SSL certificates used, VPN launching, and
in the case of cloud filtering; traditional
perimeter gateway logs for web traffic, or
other application traffic. There is also the
practice of monitoring account connections
to the network domain or a specific
application.
Metrics should be actionable, not just "how
many" of an event happened. More
effective things to track are: Am I getting
data from everything I should (how many
devices are sending events)? Is the right
data being collected (are all data logs the
correct ones)? Another item to track is the
turnover rate of mobile devices, which can
be higher than laptops. Multiple user
accounts may exist for the mobile devices.
7 Email and Web Browser Mobile devices change the Traditional email gateway security controls
Protections traditional enterprise architecture for SPAM and phishing reduction, and
by not only extending it outside a malware and malicious URL links apply to
traditional perimeter, but also mobile.
bypassing the need to route much Mobile security tools use an agent-based
or all traffic through the enterprise approach that gives a view to threats on
network due to use of cloud and to the mobile device, such as
services. However, web and email malicious applications and profiles, and
threats are still a concern with
malicious WiFi networks or Man in the
mobile devices. Middle web proxy attacks.
There are also tools and approaches that
funnel mobile traffic through filtering cloud
infrastructures that perform web gateway
filtering and security functions.
ETSI

---------------------- Page: 10 ----------------------
11 ETSI TR 103 305-3 V1.1.1 (2016-08)
Critical Security Controls (Version 6): Mobile Device Security
CSC # Control Name Applicability to Mobile Mobile Device Security Challenges and
Considerations
8 Malware Defenses Mobile does not have same Traditional techniques of using Anti-Virus
concept of malware as with PCs. (AV) do not apply to mobile. AV is not
Mobile malware is really about feasible on some restricted operating
malicious apps. It takes more systems, due to the platform not allowing
diligence to understand current access at a level where applications can
threats, and the behaviour of have general knowledge about other
known malicious apps, which applications running on the device, and
often are re-packaged legitimate many argue that it is equally not effective
apps. on other operating systems.
Preventing the user from installing
Most restricted OS vulnerabilities only
these apps, intentionally or affect jailbroken devices; but that is
unintentionally is key. From a recently becoming less true.
BYOD perspective, personal Application whitelisting is a common
phones are a greater risk, as approach to mitigate malicious apps. But
users download a larger number user behaviour is also important. Users
of apps for personal use than should not install Profiles for apps that
business use. should not require one.
Also, mobile devices themselves There are mobile security tools that
are also risks to PCs. Email scrutinize apps for validate if they are
attachments forwarded from legitimate, and compare versions to
mobile devices might have PC known-bad repackaged apps.
malware that does not affect the Traditional PC USB port monitoring can
mobile device, but could infect the help with threat of mobile device connected
PC. Mobile devices connected via to PC.
USB to a PC could also have
malicious PC files as they can act
as removable media. PC AV also
cannot always scan mobile
devices like a traditional USB
drive.
9 Limitations and Control of The concept of network ports and Traditional guidance on limiting interfaces
Network Ports, Protocols and protocols do not apply to Mobile to only those required for purpose, and
Services like they do to PCs. restricting viewing or connecting to these
The only correlation is the turning interfaces apply.
on of different wireless interfaces,
such as WiFi, Bluetooth, or Near
Field Communications (NFC).
These should be controlled, as
they my broadcast presence of
the mobile device to the
surrounding area.
10 Data Recovery Capability Data recovery has always been One should verify and review backup (e.g.
inherent to the mobile process; cloud system) settings to make sure it is
unlike with PCs. Mobile devices backing up what is needed, and not what it
are replaced on a more frequent should not. This might include corporate
basis. And with portability comes email, corporate contacts or calendar, or
ease of loss, damage, or theft. So, documents to personal backup. The former
mobile has always had the ability would be stored on the corporate
to backup data (mostly to the Exchange server already. There might be
cloud) for easy transfer of corporate policy against backing up this
contacts and phone numbers, or data to a public cloud. Also, ensure there is
restoration of data to a new a good password or strong credentials
device, which promotes testing protecting that cloud backup.
the restore process.
11 Secure Configurations for This section has less little direct
Network Devices such as affect on mobile security. There is
Firewalls, Routers and Switches guidance on WiFi security, but it
applies to all computing devices.
ETSI

---------------------- Page: 11 ----------------------
12 ETSI TR 103 305-3 V1.1.1 (2016-08)
Critical Security Controls (Version 6): Mobile Device Security
CSC # Control Name Applicability to Mobile Mobile Device Security Challenges and
Considerations
12 Boundary Defense Mobile devices remove the Organizations can choose to VPN Mobile
concept of the infrastructure traffic to their infrastructure, where
boundary by often accessing traditional boundary defense guidance
cloud-based services directly, applies. However, there are also tools and
without routing through corporate approaches that funnel mobile traffic
infrastructure. through filtering cloud infrastructures that
However, Boundary Defense perform web gateway filtering and security
applies to Mobile as traditional functions.
firewall restrictions, security
monitoring sensors, email, web
gateway filters, IDS and IPS
alerts, and proper logging of
events and alerts to feed th
...