ETSI TR 103 305-3 V1.1.1 (2016-08)
CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations
TECHNICAL REPORT
CYBER;
Critical Security Controls for Effective Cyber Defence;
Part 3: Service Sector Implementations
Reference
DTR/CYBER-0012-3
Keywords
Cyber Security, Cyber-defence, information
assurance
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2016.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 4
Executive summary . 4
Introduction . 4
1 Scope . 5
2 References . 5
2.1 Normative references . 5
2.2 Informative references . 5
3 Definitions and abbreviations . 5
3.1 Definitions . 5
3.2 Abbreviations . 6
4 Critical Security Controls: Mobile Device Security . 7
4.0 Introduction . 7
4.1 CSC Mobile Device Security Description . 7
5 Critical Security Controls: Internet of Things Security . 16
5.0 Introduction . 16
5.1 CSC IoT Security Description . 16
History . 26
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).
The present document is part 3 of a multi-part deliverable. Full details of the entire series can be found in part 1 [i.3].
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Executive summary
The present document is an evolving repository for guidelines on service sector Critical Security Control
implementations. Because of their rapidly scaling importance and need for defensive measures, the mobile device and
Internet of Things (IoT) sectors are treated.
Introduction
The individual service sector guideline clauses below provide subject matter introductions.
1 Scope
The present document is an evolving repository for guidelines on service sector Critical Security Control
implementations. Because of their rapidly scaling importance and need for defensive measures, the mobile device and
Internet of Things (IoT) sectors are treated. The CSC are a specific set of technical measures available to detect,
prevent, respond, and mitigate damage from the most common to the most advanced of cyber attacks.
The present document is also technically equivalent and compatible with the 6.0 version of the "CIS Controls Mobile
and IoT Companion Guides" October 2015, which can be found at the website https://www.cisecurity.org/critical-
controls/ [i.1].
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] The Center for Internet Cybersecurity: "CIS Controls Mobile and IoT Companion Guides"
October 15, 2015.
NOTE: Available at https://www.cisecurity.org/critical-controls.cfm.
[i.2] NIST SP 800-101: "Guidelines on Mobile Device Forensics".
[i.3] ETSI TR 103 305-1: "CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The
Critical Security Controls".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
Critical Security Control (CSC): specified capabilities that reflect the combined knowledge of actual attacks and
effective defences of experts that are maintained by the Council on Cybersecurity and found at the website
https://www.cisecurity.org/critical-controls/
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
6LoWPAN IPv6 over Low power Wireless Personal Area Networks
API Application Programming Interface
ARM Advanced RISC Machine
AV Anti-Virus
BYOD Bring Your Own Device
CIS Center for Internet Security
COOP Continuity of Operations
CSC Critical Security Control or Capability
DDOS Distributed Denial of Service
DiS Data-in-Storage
DoS Denial of Service
EEPROM Electrically Erasable Programmable Read-Only Memory
GSM Global System for Mobile Communications
HART Highway Addressable Remote Transducer
ICS Industrial Control Systems
IDS Intrusion Detection Systems
IoT Internet of Things
IP Internet Protocol
IPS Intrusion prevention system
IPsec Internet Protocol security
IPv6 Internet Protocol version 6
IT Information Technology
LDAP Lightweight Directory Access Protocol
LE Low Energy
MDM Mobile Device Management
MSSP Managed Security Service Provider
NFC Near Field Communication
NIST National Institute of Standards and Technology
OS Operating System
OWASP Open Web Application Security Project
PC Personal Computer
PIN Personal Identification Number
RF Radio Frequency
RSU Road Side Unit
RTOS Real-time Operating System
SCADA Supervisory Control and Data Acquisition
SIEM Security Information Event Management
SP Special Publication
SPAM unsolicited or undesired electronic message(s)
SSH Secure Shell
SSL Secure Sockets Layer
TCP Transmission Control Protocol
TCP/IP Transmission Control Protocol/Internet Protocol
TLS Transport Layer Security
TV Television
URL Uniform Resource Locator
USB Universal Serial Bus
VLAN Virtual Local Area Network
VPN Virtual Private Network
4 Critical Security Controls: Mobile Device Security
4.0 Introduction
Mobile devices are starting to replace laptops for regular business use. Organizations are building or porting their
applications to mobile platforms, so users are increasingly accessing the same data with mobile as with their laptops.
Also, organizations have increasingly implemented Bring Your Own Device (BYOD) policies to manage this trend.
However, many organizations have been struggling with the increase of personal mobile devices, and do not fully
understand the security risks they may bring. There are concerns that their compact size makes them easy to lose, that
they run newer operating systems that do not have decades of use and examination to uncover their weaknesses, and
that there are millions of potentially malicious mobile applications that access data, spy on users, steal credentials, act as
ransomware, or even become part of a Distributed Denial of Service (DDOS) botnet.
As with traditional PC platforms, mobile still has to worry about protecting data from unauthorized access at rest and
in transit; traditional network level man-in-the-middle attacks on public Wi-Fi; and similar web application threats
(since mobile apps frequently access the same server endpoints as web applications). Employees today may use their
mobile devices to perform the same business functions and access the same data as their PCs or laptops; but what is
different is that they are not physically connected to the corporate network, and likely not even logged into the corporate
domain. There are times when organizations use mobile VPNs to access the corporate network, but more and more
frequently, mobile users access cloud services. It is not uncommon for corporate mobile users to access numerous
cloud-based applications that reside outside their enterprise. Each of these has its own credentials, again rarely linked to
the enterprise. Getting visibility on the configuration, threats and behaviour of these mobile devices is a challenge, since
there are no "eyes" on the device like those attached to the network.
But this environment does not preclude tracking the threats and risks. The strength of the Critical Security Controls for
Effective Cyber Defense Version 6.0 (the Controls) is that they are universal and high level enough to apply to any technology
implementation. Everyone needs to start with: "What is the mobile device?", "What is the configuration?" and "What
risks need to be addressed?" These are essentially Controls 1 to 3. Protection requires knowledge of what is being protected.
The real challenge to mobile security is the multitude of different mobile devices. With desktops, there is largely
commodity hardware running fewer than half a dozen different operating systems, and through conscientious
configuration management, usually a single or only a few different OS versions. Mobile devices have four different
popular software platforms, with dozens of different hardware vendors, and dozens of different carriers that affect the
platforms. The most prevalent platform presently has 11 OS version families, with sub-versions under them, which on
most devices are neither upgradable nor forward compatible, and exist on dozens of hardware platforms and carriers. So the
permutations become enormous, and understanding the risks of each of these is overwhelming. This is why, for
enterprises that have strict security requirements, it is best to issue standard devices.
Within the Controls, application security (CSC 6), wireless device control (CSC 7), and data loss prevention (CSC 17)
are all relevant to mobile. Restricted use of administrative rights (CSC 12) can also be implemented: some MDM and
mobile security platforms have the ability to restrict administrative privileges of end users, which prevents removal of
security protections or monitoring. Malware defenses (CSC 5) are very different from those on traditional PC
platforms. Secure configurations can also be applied (CSC 10), insecure features and functionality can be limited
(CSC 11), and cloud based boundary defense can be provided (CSC 13). All of these areas are described in more detail
in the table below. The Controls can be used as the framework to develop a security method and process to manage an
organization's mobile security risks.
4.1 CSC Mobile Device Security Description
Simple security steps should always be followed to reduce the likelihood of most mobile threats: not rooting or
jailbreaking a device; only obtaining apps from the device vendor's or the organization's app stores, not 3rd party stores;
being wary of any app wanting to install a Profile on a mobile device, as well as of an "Untrusted App
Developer" popup for the app; and not leaving a device unlocked for long periods of time. For each Control, table 1
details the control's applicability to mobile and the specific challenges and considerations for implementation of that
control.
Table 1: Critical Security Controls (Version 6): Mobile Device Security

CSC 1 - Inventory of Authorized and Unauthorized Devices
Applicability to Mobile: One needs to have knowledge of all devices used to access data and resources in the organization. Mobile devices are not perpetually attached to the corporate network like other IT systems, so new methods need to be used to maintain the inventory.
Mobile Device Security Challenges and Considerations: An organization cannot get an inventory of mobile devices by running a scan to discover what mobile devices are connected; companies can use email accounts, or active synchronization software, to determine what mobile devices are used to access email (which is the most popular application for mobile devices). Also, Mobile Device Management (MDM) can support this by installing agents on the mobile devices to push down configuration and security profiles, monitor devices for configuration changes, and provide access controls based on policy.

CSC 2 - Inventory of Authorized and Unauthorized Software
Applicability to Mobile: There are millions of mobile apps across dozens of different platforms. Mobile apps can bring risks and threats to data and credentials. Being able to know what is installed, and to control access to malicious apps and insecure versions of apps, is important to protect the organization.
Mobile Device Security Challenges and Considerations: MDM tools can inventory apps, and set policies and whitelisting to promote use of secure versions of apps. However, there are privacy considerations in Bring Your Own Device (BYOD) scenarios, as the organization may not need to know what apps an individual has installed on their personal device for personal use.

CSC 3 - Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Applicability to Mobile: As with PCs, secure configurations and monitoring of these configurations are critical to maintain trust with these devices.
Mobile Device Security Challenges and Considerations: MDMs can restrict access to cameras, white-list Wi-Fi networks, apply password policy enforcement, and inventory what apps are installed. Be aware that this last feature can be a privacy issue in a BYOD scenario. An organization may not want the liability of knowing or having access to an employee's personal email, apps that track health information, financial data, personal contacts and calendars, apps used in their personal lifestyle, or their location. MDM tools can scale to hundreds of thousands of devices, and provide the necessary monitoring to be alerted when devices are out of compliance; for instance, if someone installs an unauthorized application, turns off encryption, or jailbreaks or roots their device.
CSC 4 - Continuous Vulnerability Assessment and Remediation
Applicability to Mobile: Mobile vulnerabilities are usually linked to versions of the operating system, or to malicious apps. Because mobile devices are not always attached to the network, vulnerabilities cannot be identified and managed as is done on PCs, servers, or other permanently connected networked devices. Mobile vulnerabilities can also apply to many layers: hardware, OS (version), OS (configuration), individual application (of which there are potentially millions), network connection (cellular, Bluetooth, WiFi, NFC), app stores, physical location (i.e., countries where the government monitors mobile devices) and finally, whether the device is corporate-owned or personal (privacy requirements).
Mobile Device Security Challenges and Considerations: One cannot just run vulnerability scans on a network to scrutinize the mobile devices. Therefore, mobile vulnerability assessments should incorporate threat modelling, and understanding the devices, data, users, and their behaviours. MDMs can play a key role in gathering the information for the "what" and "who" of mobile management. Also, there are a number of mobile security point solutions that address strong authentication, data and application security, security of data at rest and in transit, and protection from network based threats when connected to Wi-Fi, such as man-in-the-middle attacks. Organizations can choose to outsource management of their MDM platform and mobile support, similar to using Managed Security Service Providers (MSSPs) to monitor and manage network security devices.

CSC 5 - Controlled Use of Administrative Privileges
Applicability to Mobile: Many intrusions use valid credentials obtained either through social engineering, or captured by other means. One important risk in mobile is protecting credentials stored on the device, because a user's email account could also be a system or Domain Admin account. Also, admin control is different on mobile devices. Malicious apps are taking advantage of unfamiliarity with the mobile admin levels, and there are malicious apps that obtain admin rights so they can hide themselves from the user.
Mobile Device Security Challenges and Considerations: Mobile devices are part of the network based on their credentials, not based on their connection. It might not be possible to control admin rights on mobile devices, especially in a BYOD situation; but access based on least privilege may apply. It is dangerous to allow users to root or jailbreak mobile devices, because it opens up risks to vulnerabilities running at that lowest level.
CSC 6 - Maintenance, Monitoring & Analysis of Audit Logs
Applicability to Mobile: Monitoring is irrelevant if there is not a process to identify events and respond to them. And this response should be matched with the potential impact of the event. This is the human aspect: determining what events or alerts can potentially damage the organization, and executing a response in a timely fashion based on that.
Mobile Device Security Challenges and Considerations: MDM and mobile security tools can provide visibility by having agents on phones that send events and alerts to a central server. These can be integrated with traditional Security Operations platforms. Different types of mobile monitoring sources can provide different data. MDMs use the more traditional network operations type of approach: Is the device live? What is the make, model and version? Is it up to date? What applications are installed? Has the device been rooted or jailbroken? How much traffic is it sending and receiving? The security tools have more granular logging, such as installation of known bad or suspicious applications, application-level changes to data, network routing changes, SSL certificates used, VPN launching, and in the case of cloud filtering, traditional perimeter gateway logs for web traffic or other application traffic. There is also the practice of monitoring account connections to the network domain or a specific application. Metrics should be actionable, not just "how many" of an event happened. More effective things to track are: Am I getting data from everything I should (how many devices are sending events)? Is the right data being collected (are all data logs the correct ones)? Another item to track is the turnover rate of mobile devices, which can be higher than for laptops. Multiple user accounts may exist for the mobile devices.

CSC 7 - Email and Web Browser Protections
Applicability to Mobile: Mobile devices change the traditional enterprise architecture by not only extending it outside a traditional perimeter, but also bypassing the need to route much or all traffic through the enterprise network due to use of cloud services. However, web and email threats are still a concern with mobile devices.
Mobile Device Security Challenges and Considerations: Traditional email gateway security controls for SPAM and phishing reduction, and for malware and malicious URL links, apply to mobile. Mobile security tools use an agent-based approach that gives a view of threats on and to the mobile device, such as malicious applications and profiles, and malicious WiFi networks or Man in the Middle web proxy attacks. There are also tools and approaches that funnel mobile traffic through filtering cloud infrastructures that perform web gateway filtering and security functions.
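The following is an added example, not code from the ETSI report or the CIS companion guides, showing how the inventory, compliance and monitoring-coverage questions raised under CSC 1, CSC 3 and CSC 6 can be answered from two data sources an organization already has: a mail-server synchronization log and an MDM inventory export. The inventory field names, the log line format and all sample records are constructed for the example.

```python
"""Added example (not from the ETSI report or the CIS guides): reconcile a
mail-server sync log against an MDM inventory to find unmanaged devices
(CSC 1), flag managed devices that are out of compliance (CSC 3), and
measure whether enrolled devices are actually reporting (CSC 6).
All field names, the log format and the sample records are constructed."""
import re
from datetime import datetime, timedelta

# Constructed MDM inventory export; the keys are hypothetical, not any
# real MDM vendor's schema.
MDM_INVENTORY = [
    {"device_id": "D-1001", "user": "alice", "os": "iOS 9.3",
     "encrypted": True, "jailbroken": False,
     "apps": ["mail", "calendar", "vpn-client"],
     "last_checkin": "2016-08-01T08:02:00"},
    {"device_id": "D-1002", "user": "bob", "os": "Android 5.1",
     "encrypted": False, "jailbroken": False,
     "apps": ["mail", "flashlight-free"],
     "last_checkin": "2016-08-01T07:45:00"},
    {"device_id": "D-1003", "user": "carol", "os": "Android 4.4",
     "encrypted": True, "jailbroken": True,
     "apps": ["mail"],
     "last_checkin": "2016-07-20T11:10:00"},
]

# Constructed mail-server synchronization log: one line per sync request.
SYNC_LOG = """\
2016-08-01T08:05:12 user=alice device=D-1001 result=OK
2016-08-01T08:06:40 user=bob device=D-1002 result=OK
2016-08-01T08:07:03 user=dave device=D-2200 result=OK
2016-08-01T08:09:55 user=alice device=D-1001 result=OK
2016-08-01T08:11:30 user=erin device=D-2201 result=OK
"""

# Constructed set of app names the organization's policy does not allow.
DISALLOWED_APPS = {"flashlight-free"}

LINE_RE = re.compile(r"^(\S+) user=(\S+) device=(\S+) result=(\S+)$")


def parse_sync_log(text):
    """Turn the raw sync log into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, device, result = m.groups()
            events.append({"ts": ts, "user": user, "device": device, "result": result})
    return events


def unmanaged_devices(events, inventory):
    """CSC 1: (user, device) pairs that reach mail but are unknown to the MDM."""
    managed = {d["device_id"] for d in inventory}
    return sorted({(e["user"], e["device"]) for e in events if e["device"] not in managed})


def compliance_findings(inventory, disallowed_apps):
    """CSC 3: per device, the policy conditions the MDM record violates."""
    findings = {}
    for d in inventory:
        issues = []
        if not d["encrypted"]:
            issues.append("encryption disabled")
        if d["jailbroken"]:
            issues.append("rooted or jailbroken")
        issues += [f"disallowed app: {a}" for a in d["apps"] if a in disallowed_apps]
        if issues:
            findings[d["device_id"]] = issues
    return findings


def reporting_coverage(inventory, now, max_age):
    """CSC 6: how many enrolled devices have checked in within max_age."""
    stale = [d["device_id"] for d in inventory
             if now - datetime.fromisoformat(d["last_checkin"]) > max_age]
    return {"enrolled": len(inventory), "reporting": len(inventory) - len(stale), "stale": stale}


def sample_coverage():
    """Coverage for the constructed inventory at a fixed 'now' with a 24 h window."""
    return reporting_coverage(MDM_INVENTORY, datetime(2016, 8, 1, 9, 0), timedelta(hours=24))


if __name__ == "__main__":
    events = parse_sync_log(SYNC_LOG)
    print("unmanaged devices reaching mail:", unmanaged_devices(events, MDM_INVENTORY))
    print("non-compliant managed devices:", compliance_findings(MDM_INVENTORY, DISALLOWED_APPS))
    print("reporting coverage:", sample_coverage())
```

The stale list answers the "am I getting data from everything I should" question from the CSC 6 row, while the unmanaged list is the set of devices an MDM-only inventory would never show.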
CSC 8 - Malware Defenses
Applicability to Mobile: Mobile does not have the same concept of malware as PCs. Mobile malware is really about malicious apps. It takes more diligence to understand current threats, and the behaviour of known malicious apps, which often are re-packaged legitimate apps. Preventing the user from installing these apps, intentionally or unintentionally, is key. From a BYOD perspective, personal phones are a greater risk, as users download a larger number of apps for personal use than for business use. Also, mobile devices themselves are risks to PCs. Email attachments forwarded from mobile devices might have PC malware that does not affect the mobile device, but could infect the PC. Mobile devices connected via USB to a PC could also carry malicious PC files, as they can act as removable media. PC AV also cannot always scan mobile devices like a traditional USB drive.
Mobile Device Security Challenges and Considerations: Traditional techniques of using Anti-Virus (AV) do not apply to mobile. AV is not feasible on some restricted operating systems, because the platform does not allow access at a level where applications can have general knowledge about other applications running on the device, and many argue that it is equally not effective on other operating systems. Most restricted OS vulnerabilities only affect jailbroken devices; but that has recently become less true. Application whitelisting is a common approach to mitigate malicious apps. But user behaviour is also important. Users should not install Profiles for apps that should not require one. There are mobile security tools that scrutinize apps to validate whether they are legitimate, and compare versions to known-bad repackaged apps. Traditional PC USB port monitoring can help with the threat of a mobile device connected to a PC.

CSC 9 - Limitations and Control of Network Ports, Protocols and Services
Applicability to Mobile: The concept of network ports and protocols does not apply to mobile as it does to PCs. The only correlation is the turning on of different wireless interfaces, such as WiFi, Bluetooth, or Near Field Communications (NFC). These should be controlled, as they may broadcast the presence of the mobile device to the surrounding area.
Mobile Device Security Challenges and Considerations: Traditional guidance on limiting interfaces to only those required for the purpose, and on restricting viewing of or connecting to these interfaces, applies.

CSC 10 - Data Recovery Capability
Applicability to Mobile: Data recovery has always been inherent to the mobile process, unlike with PCs. Mobile devices are replaced on a more frequent basis. And with portability comes ease of loss, damage, or theft. So, mobile has always had the ability to back up data (mostly to the cloud) for easy transfer of contacts and phone numbers, or restoration of data to a new device, which promotes testing the restore process.
Mobile Device Security Challenges and Considerations: One should verify and review backup (e.g. cloud system) settings to make sure it is backing up what is needed, and not what it should not. The latter might include corporate email, corporate contacts or calendar, or documents going to a personal backup. Corporate email would be stored on the corporate Exchange server already. There might be corporate policy against backing up this data to a public cloud. Also, ensure there is a good password or strong credentials protecting that cloud backup.

CSC 11 - Secure Configurations for Network Devices such as Firewalls, Routers and Switches
Applicability to Mobile: This control has little direct effect on mobile security. There is guidance on WiFi security, but it applies to all computing devices.
Mobile Device Security Challenges and Considerations: (none given)
CSC 12 - Boundary Defense
Applicability to Mobile: Mobile devices remove the concept of the infrastructure boundary by often accessing cloud-based services directly, without routing through corporate infrastructure. However, Boundary Defense applies to mobile, as traditional firewall restrictions, security monitoring sensors, email and web gateway filters, IDS and IPS alerts, and proper logging of events and alerts to feed the incident response process are all important. These can be implemented in a cloud-filtering infrastructure through which mobile devices are routed instead of through the enterprise. Coordination or integration with cloud vendors to implement change control for customizing these rules, or performing the same with direct control of these rules, will be required. Consider these filters an extension of the security perimeter, and apply the same rigour to application of policy, change control, and system monitoring.
Mobile Device Security Challenges and Considerations: Organizations can choose to VPN mobile traffic to their infrastructure, where traditional boundary defense guidance applies. However, there are also tools and approaches that funnel mobile traffic through filtering cloud infrastructures that perform web gateway filtering and security functions.

CSC 13 - Data Protection
Applicability to Mobile: Almost all mobile devices have the ability to encrypt their data at rest, and include a PIN or password (or biometric) to restrict access. Some devices can link encryption or identity to a hardware root of trust. Mobile devices can use traditional VPNs for network or application access. However, most mobile applications store data in the cloud, which could require partner or vendor protection requirements built into the agreement. The entire data supply chain should also be examined, not just the collection points. Is this data flowing to a back end system? Is data stored in multiple places? Is this data in a cloud? In what country is this data stored (for privacy considerations)?
Mobile Device Security Challenges and Considerations: Traditional guidance on encrypting data on the devices, and on using a VPN with good encryption for protecting sensitive data in transit, still applies to mobile. There are VPNs that allow mobile devices to connect to the corporate network to access applications or data shares, as well as application specific VPNs that encrypt the data in transit for that application. Some of these technologies include a hardware component, such as a microSD chip, for encryption key management. Traditional enterprise Data Loss Prevention can be helpful for email and network stored data. But cloud applications and data may be more difficult to get visibility of from mobile device and user access. There are tools that leverage cloud service APIs to gain this visibility, or filtering clouds that proxy mobile users to these external services, which can provide a point for data access controls. Organizations with Bring Your Own Device (BYOD) programs will need to consider end user privacy implications within policies and security monitoring and operations procedures.
CSC 14 - Controlled Access Based on the Need to Know
Applicability to Mobile: This control has no specific application to mobile, as the concept of controlled access to data is universal across different kinds of data access. Since mobile devices are more personal devices, and do not usually store data like PCs, access controls sit closer to where the data is stored.
Mobile Device Security Challenges and Considerations: Traditional access and authorization control guidance applies to mobile.

CSC 15 - Wireless Access Control
Applicability to Mobile: WiFi controls still apply to mobile, such as restricting connection to only authorized devices, and use of encryption and authentication; but with mobile devices, wireless includes cellular, Bluetooth, and potentially NFC as well. Unlike with PCs, there is limited risk of remote connection to the device, like connecting via Telnet or SSH to the mobile device as on a PC; but there are network level man-in-the-middle attacks, which can sniff unencrypted traffic, or re-route traffic to insecure web sites that can steal credentials.
Mobile Device Security Challenges and Considerations: Traditional guidance on WiFi security applies: use of strong credentials for connectivity, encrypted links, and restricting unauthorized device connectivity. Mobile security tools use an agent-based approach that gives a view of threats on and to the mobile device, such as malicious applications and profiles, alerting to malicious WiFi networks or Man in the Middle SSL/TLS web proxy attacks.

CSC 16 - Account Monitoring and Control
Applicability to Mobile: Account monitoring is performed mostly on enterprise platforms, and not on the mobile device. However, always-remote access, and use of cloud-based applications, can complicate visibility and auditing.
Mobile Device Security Challenges and Considerations: Many organizations are using cloud applications; those additional credentials will need to be disabled during employee separation as well. Keeping track of these external credentials might take management, or federating these credentials with identity management tools.

CSC 17 - Security Skills Assessment and Appropriate Training to Fill Gaps
Applicability to Mobile: This control does not specifically apply to mobile.
Mobile Device Security Challenges and Considerations: Training users and administrators on risks and threats specific to mobile platforms is prudent.
CSC 18: Application Software Security
Applicability to Mobile: Many organizations are concerned about mobile application security, especially with the millions of apps available for personal and business use. Luckily, secure web application development and security testing has a long history, and directly applies to mobile apps. Many mobile apps are simply web based, while those using a native app running on the mobile device are just a client for a web-based application. The primary mobile application risks are the mobile apps themselves, attempting to access data on the phone, or, in some cases, a few nasty applications can corrupt the underlying operating system in something called a rootkit, which then renders all OS behaviour untrusted. Some additional threats from malicious native apps include affecting the device itself by turning on the camera or microphone, accessing contacts or emails, logging geolocation, capturing credentials, initiating toll calls or texts, or nuisance issues like resource saturation that drains the battery.
Mobile Device Security Challenges and Considerations: Web application security techniques are recommended when building secure mobile apps, including following the Open Web Application Security Project (OWASP) Top 10. The quick win is to make sure the legitimate version of an app is being used, and that it is up to date. If the app is not downloaded from the vendor's app store, there is a much greater risk of installing a malicious app, or an "evil twin" or "repackaged" version of the legitimate app. Some of the other guidance, like error checking on user input, testing in-house and 3rd party apps, and hardening the back end, all directly applies when developing secure mobile applications. Agent-based mobile security tools can also reduce the risk of malicious behaviour of mobile apps, by preventing the installation of profiles, or preventing Man in the Middle website request hijacking or redirect attacks.
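The "quick win" above, as an added example that is not code from the ETSI report: a mobile device management inventory is stood in for by constructed records, and each installed app is checked against an approved baseline on three points, the store it came from, the publisher signing certificate fingerprint, and a minimum version. Package names, the certificate byte strings and the fingerprints are all hypothetical; in practice the baseline fingerprint is the one the publisher or store publishes for its signing certificate.

```python
"""Check installed mobile apps against an approved-app baseline.

Added example (not from the ETSI report). An MDM inventory export is
stood in for by constructed records. For each (device, app) pair the
check asks the three CSC 18 questions: is the app from the vendor's
store, is it signed by the expected publisher, and is it at least the
minimum approved version? A signer mismatch is the signature of a
repackaged or "evil twin" build.
"""
import hashlib
from dataclasses import dataclass


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a signing certificate, as app stores publish it."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for the real DER-encoded publisher certificates (hypothetical).
GOOD_CERT = b"-- constructed DER for ExampleCorp publisher cert --"
EVIL_CERT = b"-- constructed DER for a repackaged build --"

# Approved baseline (hypothetical): package -> (store, expected signer, minimum version).
BASELINE = {
    "com.example.mail": ("vendor-store", fingerprint(GOOD_CERT), (4, 2, 0)),
    "com.example.vpn": ("vendor-store", fingerprint(GOOD_CERT), (1, 9, 3)),
}

# Constructed inventory export: (device, package, store, signer fingerprint, version).
INVENTORY = [
    ("dev-01", "com.example.mail", "vendor-store", fingerprint(GOOD_CERT), "4.2.1"),
    ("dev-02", "com.example.mail", "sideload", fingerprint(EVIL_CERT), "4.2.1"),
    ("dev-03", "com.example.vpn", "vendor-store", fingerprint(GOOD_CERT), "1.8.0"),
    ("dev-04", "com.example.flashlight", "vendor-store", fingerprint(EVIL_CERT), "1.0"),
]


@dataclass(frozen=True)
class Finding:
    device: str
    package: str
    reasons: tuple


def parse_version(text: str) -> tuple:
    """'4.2.1' -> (4, 2, 1); non-numeric parts compare as 0, so '4.2' < '4.2.1'."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def check_inventory(inventory, baseline):
    """Return one Finding per non-compliant installation, in inventory order."""
    findings = []
    for device, package, store, signer, version in inventory:
        reasons = []
        approved = baseline.get(package)
        if approved is None:
            reasons.append("unapproved app")
        else:
            exp_store, exp_signer, min_version = approved
            if store != exp_store:
                reasons.append(f"installed from {store}")
            if signer != exp_signer:
                reasons.append("signer mismatch (possible repackaged/evil-twin build)")
            if parse_version(version) < min_version:
                reasons.append(f"outdated: {version} < {'.'.join(map(str, min_version))}")
        if reasons:
            findings.append(Finding(device, package, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in check_inventory(INVENTORY, BASELINE):
        print(f.device, f.package, "; ".join(f.reasons))
```

The version check deliberately treats an app from the right store with the right signer but below the minimum version as a finding of its own, since "up to date" is the second half of the quick win.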
CSC 19: Incident Response and Management
Applicability to Mobile: Like with PCs, now that many users access organization data and services with mobile devices, the need to identify, investigate, respond to and recover from incidents involving mobile devices is important.
Mobile Device Security Challenges and Considerations: Traditional incident response guidance applies to mobile. This includes the need for planning, defining roles and responsibilities, and an escalation path. Operations personnel and incident responders will also require training on what to look for as unusual behaviour on the mobile devices. Having visibility into mobile operations, such as described previously in CSC 6, will help in identifying these events.
One challenge is the vast quantity of different types of mobile device hardware, even among generations of products. When talking about data forensics on mobile devices, there is a wealth of different types of data available to support the objective of the acquisition, be it eDiscovery, misuse, or evidence collection to support a criminal case. People have their whole life on their phones, from calendar, phonebook and to-do list, to photos, video and voice recordings (including messages). There is the geolocation data from pictures and social networking check-ins, and a few applications store one's "last active location". The history of whom a person communicated with can be obtained from phone logs, text messages, email, and social networking. Information on mobile forensics procedures should be referenced in [i.2].
CSC 20: Penetration Tests and Red Team Exercises
Applicability to Mobile: With traditional pen testing, the cycle of running scans to see what ports are open and what services are running, to see if there are vulnerable versions of those services to exploit, does not apply. However, phishing and other social engineering are relevant to mobile.
Mobile Device Security Challenges and Considerations: There is the ability to sniff traffic over the air, perform man-in-the-middle on a mobile session, and even do application redirection attacks; but the primary threat vectors are the mobile apps themselves, as discussed in CSC 18. The traditional approach for mobile app testing has been code review tools, but standard web proxy tools and web application penetration testing techniques apply. Use of a test lab and devices for more thorough hardware examination is relevant to mobile.
5 Critical Security Controls: Internet of Things Security
5.0 Introduction
Internet of Things (IoT) is an expansion of the Internet to include ubiquitous smart end devices providing a variety of
services and functions in the commercial, consumer, and government environments. Many applications, and in
particular the legacy applications known as Industrial Control Systems (ICS), Supervisory Control and Data Acquisition
(SCADA) systems, modern digital factory and health care networks, as well as onboard systems in ships and cars,
healthcare devices, etc. are in reality Intranets of Things (IoT), using standalone networks, with proprietary and custom
protocols designed for use in trusted, secure environments. Business exigencies and efficiencies drive increased
connectivity of these custom intranets to the corporate network and from that to the Internet, providing adversaries and
hackers new access vectors to launch attacks against these important networks. Thus, it is natural that the Critical
Security Controls also be directly applicable to the current and future IoT networks.
Most IT practitioners are familiar with standard office and other ubiquitous computing environments, and have limited
exposure or training in the custom IoT networks, networks that may be run by plant or facility engineers. It is useful to
highlight the difference in perspective demanded by legacy and future IoT networks when applying the Controls.
Table 2 highlights some key areas where IoT systems may differ from the standard corporate IT systems with which
most Controls practitioners are familiar. Engineering analysis of the IoT system needing security controls should
explore these and any other systems' specific differences in deciding the correct control prioritization for optimal risk
mitigation under resource constraints.
Table 2: Security related differences of IoT systems from standard corporate IT systems
Standard Corporate IT Systems: General TCP/IP stack. General-purpose messaging and file transfer.
IoT Systems: Proprietary protocol stack elements; byte-oriented link protocols. Well-defined messages and message sequencing. Designed for reliability in the presence of noise.
Standard Corporate IT Systems: Commodity hardware. Commodity cybersecurity appliances and software solutions.
IoT Systems: Custom hardware or operating system implementations. Use of limited kernel capabilities.
Standard Corporate IT Systems: Updated frequently; patches for security and feature improvement. Relatively short version life.
IoT Systems: Long-term, reliable devices. 5 - 10 years or more; rarely changed, and if so, done with a full, complete flash or EEPROM upgrade.
Standard Corporate IT Systems: End-points and some networking devices accept and run non-mission-specific data and host non-mission-specific processes.
IoT Systems: IoT devices do not download general files or respond to unknown messages. In fact, many devices are susceptible to DoS attacks (e.g. by a naïve penetration tester using a commodity tool) because they are not designed to deal with unknown message formats or protocol violations that would not be caused by "known" means (e.g. noise dropping packets).
Standard Corporate IT Systems: Security built into the user interface, and includes user authentication.
IoT Systems: Security assumes physical integrity. If attackers can open the IoT box and connect to the maintenance port, they are "in".
Standard Corporate IT Systems: Anomalies are the norm.
IoT Systems: Anomalies are rare, and trigger high-visibility alarms/alerts. (Strong security feature)
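Two rows of Table 2, the well-defined byte-oriented link protocol designed for noise and the device that is not designed to deal with unknown message formats, are illustrated by the following added example, which is not code from the ETSI report and uses a frame layout constructed for illustration (STX, length, type, payload, XOR checksum; not any protocol the report names). The receiver validates every frame, counts each violation by reason and resynchronises on the next start byte, so line noise, a corrupted frame, an unknown message type or a truncated tail are all logged rather than handled as undefined behaviour, and the drop counters are exactly the rare anomaly that the last row of the table says should raise an alarm.

```python
"""Strict, resynchronising parser for a byte-oriented link protocol.

Added example; the frame layout is constructed for illustration and is
not any protocol named in the ETSI report. It shows the two properties
Table 2 contrasts: a fixed, well-defined message layout with a checksum
(reliability under line noise), and explicit rejection of unknown
message types or protocol violations instead of undefined behaviour.
"""
from collections import Counter

STX = 0x02
KNOWN_TYPES = {0x10: "READ_POINT", 0x11: "WRITE_POINT", 0x20: "HEARTBEAT"}
MAX_PAYLOAD = 32


def xor_checksum(data: bytes) -> int:
    acc = 0
    for b in data:
        acc ^= b
    return acc


def build_frame(msg_type: int, payload: bytes) -> bytes:
    """Encode one frame: STX | LEN | TYPE | PAYLOAD | CHK, CHK = XOR(LEN..PAYLOAD)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long")
    body = bytes([len(payload), msg_type]) + payload
    return bytes([STX]) + body + bytes([xor_checksum(body)])


def parse_stream(data: bytes):
    """Return (decoded frames, Counter of drop reasons).

    The parser never raises on hostile or noisy input: every violation is
    counted and scanning resumes at the next STX byte, so one bad frame
    cannot take the receiver down.
    """
    frames, drops = [], Counter()
    i, n = 0, len(data)
    while i < n:
        if data[i] != STX:
            drops["garbage_byte"] += 1
            i += 1
            continue
        if i + 3 > n:                       # no room for LEN and TYPE
            drops["truncated"] += 1
            break
        length, msg_type = data[i + 1], data[i + 2]
        if length > MAX_PAYLOAD:
            drops["length_violation"] += 1
            i += 1                           # treat this STX as noise and resync
            continue
        end = i + 3 + length                 # index of the checksum byte
        if end + 1 > n:
            drops["truncated"] += 1
            break
        body = data[i + 1:end]
        if xor_checksum(body) != data[end]:
            drops["bad_checksum"] += 1
            i += 1
            continue
        if msg_type not in KNOWN_TYPES:
            drops["unknown_type"] += 1       # logged, never dispatched
        else:
            frames.append((KNOWN_TYPES[msg_type], data[i + 3:end]))
        i = end + 1
    return frames, drops


# Constructed input stream: a valid read, two bytes of line noise, a frame
# with a flipped bit, a frame of unknown type, and a truncated tail.
_good = build_frame(0x10, b"\x00\x07")
_corrupt = bytearray(build_frame(0x20, b""))
_corrupt[2] ^= 0x01                          # flip a bit in TYPE; checksum now fails
_unknown = build_frame(0x7F, b"AAAA")
STREAM = _good + b"\xff\xff" + bytes(_corrupt) + _unknown + build_frame(0x11, b"\x01")[:-2]


def demo():
    """Parse the constructed stream; only the valid READ_POINT frame survives."""
    return parse_stream(STREAM)


if __name__ == "__main__":
    frames, drops = demo()
    print(frames)
    print(dict(drops))
```

On a real device the drop counters would feed the alarm path rather than a print; a sudden run of length violations or unknown types from one link is the anomaly the table describes.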
5.1 CSC IoT Security Description
Several global topics apply to many, if not all, of the Critical Security Controls. Network segmentation and controls, in
particular, including Firewalls, VLAN segmentation, Intrusion Detection Systems (IDS), Intrusion Prevention Systems
(IPS), and actual air-gapping are all both primary controls as well as compensating controls where many of the other
Controls are unavailable or inadvisable.
Support for robust independent testing of security controls for new development is a chance to finally implement those
controls that have been lacking in legacy devices. And evaluation of security controls as well as prior testing of the
controls in these devices as a part of Enterprise purchase decisions will help to foster acceptance of the need for controls
and development of same.
Table 3: Critical Security Controls (Version 6): IoT Security
CSC 1: Inventory of Authorized and Unauthorized Devices
Applicability to IoT: This control is especially important in the context of the IoT. Organizations should deploy technology that tracks the myriad IoT devices that will be deployed across the Enterprise. Understanding which device types and, in some cases, which specific device instances are authorized to connect to the network is the starting point to adapting this control to the IoT. This may require s
IoT Security Challenges and Considerations: Network scans for legacy and non-PC devices may be dangerous, putting IoT endpoints into error states; limited implementation of standard solutions is possible where devices run IP stacks. Passive line and/or RF monitoring may be required. Proprietary communications protocols with application-specific messaging and command and control are often used in lieu of any authentication mechanism, making remote recognition of a device as "unauthorized" difficult.
...
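The passive inventory approach from the CSC 1 row above, as an added example that is not code from the ETSI report: constructed flow records stand in for what a span port or RF monitor would deliver, the allow-list of MAC addresses and expected services is hypothetical, and nothing is sent toward the devices. The script builds the inventory from what the devices transmit on their own, lists MACs that are not on the allow-list, and separately flags authorized devices seen speaking a service outside their expected set, which is the kind of rare anomaly Table 2 says should be alarmed.

```python
"""Build an IoT asset inventory from passively observed traffic.

Added example, not from the ETSI report. Constructed flow records stand
in for a span-port or RF monitor feed; no probe is ever transmitted,
which is the CSC 1 point for IoT: active scanning can put endpoints into
error states, so the inventory is built from what the devices say on
their own. The allow-list (MAC -> label, expected services) is hypothetical.
"""

# Constructed allow-list: MAC -> (label, set of expected "proto/port" services).
AUTHORISED = {
    "00:1b:1b:aa:bb:01": ("PLC-line-1", {"tcp/502"}),
    "00:1b:1b:aa:bb:02": ("HMI-line-1", {"tcp/502", "tcp/443"}),
    "00:80:f4:00:00:09": ("RTU-substation", {"tcp/20000"}),
}

# Constructed passive observations: "<ts> <src_mac> <src_ip> -> <dst_ip> <proto>/<dst_port>".
OBSERVATIONS = """\
2016-08-01T10:00:01Z 00:1b:1b:aa:bb:02 10.0.5.12 -> 10.0.5.11 tcp/502
2016-08-01T10:00:02Z 00:1b:1b:aa:bb:01 10.0.5.11 -> 10.0.5.12 tcp/502
2016-08-01T10:00:05Z 00:1b:1b:aa:bb:02 10.0.5.12 -> 10.0.0.20 tcp/443
2016-08-01T10:01:00Z 00:80:f4:00:00:09 10.0.7.3 -> 10.0.7.1 tcp/20000
2016-08-01T10:02:30Z 3c:5a:b4:11:22:33 10.0.5.99 -> 10.0.5.11 tcp/502
2016-08-01T10:02:31Z 3c:5a:b4:11:22:33 10.0.5.99 -> 10.0.5.11 tcp/22
2016-08-01T10:03:00Z 00:1b:1b:aa:bb:01 10.0.5.11 -> 10.0.0.50 tcp/80
"""


def parse_observation(line):
    """Split one record; timestamps are ISO-8601 UTC so they order as strings."""
    ts, mac, src, arrow, dst, service = line.split()
    if arrow != "->":
        raise ValueError(f"malformed record: {line!r}")
    return ts, mac.lower(), src, dst, service


def build_inventory(text):
    """Return {mac: {"ips": set, "services": set, "first": ts, "last": ts}}."""
    inventory = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, src, _dst, service = parse_observation(line)
        entry = inventory.setdefault(
            mac, {"ips": set(), "services": set(), "first": ts, "last": ts})
        entry["ips"].add(src)
        entry["services"].add(service)
        entry["last"] = max(entry["last"], ts)
    return inventory


def classify(inventory, authorised):
    """(unauthorised MACs, {authorised MAC: services outside its expected set})."""
    unauthorised = sorted(mac for mac in inventory if mac not in authorised)
    anomalies = {}
    for mac, entry in inventory.items():
        if mac in authorised:
            unexpected = entry["services"] - authorised[mac][1]
            if unexpected:
                anomalies[mac] = sorted(unexpected)
    return unauthorised, anomalies


if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    unauth, anom = classify(inv, AUTHORISED)
    for mac in unauth:
        print("unauthorised:", mac, sorted(inv[mac]["ips"]), sorted(inv[mac]["services"]))
    for mac, services in anom.items():
        print("anomaly:", AUTHORISED[mac][0], mac, services)
```

Where devices speak a proprietary protocol with no authentication, the service column is often all that passively distinguishes an authorized instance from an unauthorized one, which is why the allow-list carries expected services and not only addresses.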







