Mobile Is Another Endpoint: CIS Critical Security Controls for Mobile


CISOs and CIOs don’t have it easy. I know. Understatement. As technology evolves, both must stay true to the times while maintaining their company’s compliance, security and safety.

In 2008, the Center for Internet Security (CIS) was established and published best practice guidelines for computer security, known as the “Critical Security Controls for Effective Cyber Defense.” While the Critical Security Controls became a document that many CISOs and CIOs referenced daily, I doubt anyone thought mobile devices would need to be addressed.

After all, in 2008 mobile devices were not being used as they are today (don’t forget, the iPhone was first introduced only a year earlier). Mobile devices are now the de facto platform for productivity in business. Today, the traditional computing devices (e.g., servers, desktops and laptops) upon which enterprises have focused their security and compliance efforts represent only 40 percent of the endpoints accessing corporate data and networks. The remaining 60 percent of devices are mobile.

In the first of a two-part series, Zimperium looks at how the Center for Internet Security (CIS) has expanded its well-known “Critical Security Controls” to cover mobile. The CIS Critical Security Controls help security teams assess their current security controls and set goals to improve procedures that protect sensitive data while maintaining reasonable access to critical assets.

JT Keating, Zimperium’s Vice President of Product Strategy, presented a webinar on August 7th and looked at how CIS’ “20 Critical Security Controls” covers mobile. Watch the on-demand webinar to learn more about:

  • The specific categories outlined in the CIS Critical Security Controls for Mobile;
  • Which Controls are addressed by mobile device management (MDM) companies; and
  • Which Controls are addressed by mobile threat defense (MTD) companies like Zimperium.

Why “Critical Security Controls for Mobile” are Important to CISOs and CIOs

In 2008, the Center for Internet Security Critical Security Controls for Effective Cyber Defense was established as a response to extreme data losses experienced by organizations in the US defense sector. The publication was initially developed by the SANS Institute, with ownership transferring to the Council on Cyber Security (CCS) in 2013 and then to CIS in 2015.

The CIS Controls are a prioritized set of actions collectively forming a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. And now mobile devices.

The CIS Controls were developed by a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the CIS Controls – including the mobile version – come from a wide range of sectors including retail, manufacturing, healthcare, education, government, defense, and others.

The CIS Critical Security Controls: Mobile Security details each control’s applicability to mobile, along with the specific challenges and considerations for implementing that control. The twenty controls are:

  1. Inventory of Authorized and Unauthorized Devices 
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation
  5. Controlled Use of Administrative Privileges
  6. Maintenance, Monitoring & Analysis of Audit Logs
  7. Email and Web Browser Protections
  8. Malware Defenses
  9. Limitations and Control of Network Ports, Protocols and Services
  10. Data Recovery Capability
  11. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
  12. Boundary Defense
  13. Data Protection
  14. Controlled Access Based on the Need to Know
  15. Wireless Access Control
  16. Account Monitoring and Control
  17. Security Skills Assessment and Appropriate Training to Fill Gaps
  18. Application Software Security
  19. Incident Response and Management
  20. Penetration Tests and Red Team Exercises

In the on-demand webinar, we review each control, explain its importance to the CISO/CIO and detail the considerations for each.

In our next webinar, on August 14th, we will look at how the non-profit MITRE has applied its well-known Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework to cover mobile devices and attacks.

As part of Zimperium’s world-class technical team covering both North American Enterprise and Public Sector, Raleigh brings 20 years of cybersecurity expertise to our customers, empowering a deep understanding of the technology and the threat landscape for partners and customers alike.