Author Topic: Australian Govt Issues Android and iOS Security Hardening Guides  (Read 129 times)

Online javajolt

  • Administrator
  • Hero Member
  • *****
  • Posts: 35126
  • Gender: Male
  • I Do Windows
    • windows10newsinfo.com
The Australian Signals Directorate (ASD)’s Australian Cyber Security Centre (ACSC) has published a set of two guides designed to help the Australian government, commercial organizations, and enterprises harden the security of IOS and Android devices in their fleets.

ACSC also mentions that although some of the recommendations included in these guides will reduce security risks, they might also notably degrade the user experience and system functionality.

Therefore, organizations are advised to balance out the security and user experience requirements given that not all recommendations are designed to be suitable for all environments.

"Some security configuration instructions within this guide are complex, and if implemented incorrectly could reduce the security of the device, the network or the organisation’s overall security posture," says the ACSC.

"These instructions should only be interpreted by experienced systems administrators and should be used in conjunction with thorough testing."

ACSC recommendations apply to Samsung Galaxy S9 and S9+ running Android 8.0 or higher and Apple iOS 12 devices while being used within Australia, and are based on in-house technical testing, as well as on experiences shared by other organizations, and on consultation received from vendors.

Android security configuration suggestions

First of all, as general advice, the ACSC recommends upgrading all Android devices to the latest released operating system version to get all security patches for security vulnerabilities detailed in monthly released Android Security Bulletins.

Google also provides advice on how to check or change the security settings on Android devices, and on how to prevent unauthorized access to your device.

The most essential seven settings to be enabled to increase the security posture if Android smartphones and tablets are listed below:

Quote
• Application whitelisting: since this can't be configured on a system-wide basis, organizations should restrict access to the Play Store and block apps from unknown sources

• Patch applications: update applications when prompted by the device

• User application hardening: block pop-ups and Java from executing

• Restrict administrative privileges: Ensure that the MDM solutions used in deployment fully support the security features recommended in this guide

• Patch operating systems: ensure that operating system software updates are applied when prompted by the device

• Multi-factor authentication: authenticate through various Remote Server infrastructure (e.g. MDM, VPN) using usernames, passwords, and certificates

• Daily backups: while such backups are not possible without providing 3rd party apps with access, system managers can develop their own trusted application or vet existing solutions
The full-length security hardening guide for Samsung S9 and S9+ devices published by the ACSC is available on the cyber.gov.au platform.

iOS security hardening guidance

As general advice, for existing or planned organization-wide iOS deployments, ACSC recommends to actively test beta versions of iOS under Developer Preview and AppleSeed for IT Programs, and to always update to the latest iOS versions to mitigate security risks.

Organizations may also delay immediately updating the OS after consulting the update information available on Apple's security updates page for an informed decision.

Apple also provides its own iOS 12 security guide, with comprehensive information on various iOS security features from encryption and data protection to user password management and device controls.

Technical support for security issues is also available via the 'Get help with security issues' Apple support page, as are suggestions on how to secure iOS devices like using a complex passcode and enabling Touch ID or Face ID.

The most essential seven settings to be enabled to boost the security posture of iPhones and iPads are listed below:

Quote
• Application whitelisting: enforce specific versions of an application using a cryptographic signature

• Patch applications: remotely apply patches to organization-owned devices

• User application hardening: block Java and use content blockers

• Restrict administrative privileges: administrator permissions are restricted by default for both users and apps so no changes are needed

• Patch operating systems: remotely apply patches to organization-owned devices

• Multi-factor authentication: multiple authentication factors can be enabled

• Daily backups: supports remote backups of some content
Further information regarding ACSC's extensive guidance on how to harden the security of Apple iOS devices is available on the cyber.gov.au  platform.

source