The Australian Signals Directorate (ASD)'s Australian Cyber Security Centre (ACSC) has published a set of two guides designed to help the Australian government, commercial organizations, and enterprises harden the security of iOS and Android devices in their fleets.
ACSC also mentions that although some of the recommendations included in these guides will reduce security risks, they might also notably degrade the user experience and system functionality.
Therefore, organizations are advised to balance out the security and user experience requirements given that not all recommendations are designed to be suitable for all environments.
"Some security configuration instructions within this guide are complex, and if implemented incorrectly could reduce the security of the device, the network or the organisation's overall security posture," says the ACSC.
"These instructions should only be interpreted by experienced systems administrators and should be used in conjunction with thorough testing."
ACSC recommendations apply to Samsung Galaxy S9 and S9+ running Android 8.0 or higher and Apple iOS 12 devices while being used within Australia, and are based on in-house technical testing, as well as on experiences shared by other organizations, and on consultation received from vendors.
Android security configuration suggestions
First of all, as general advice, the ACSC recommends upgrading all Android devices to the latest released operating system version to get all security patches for the vulnerabilities detailed in the monthly Android Security Bulletins.
Google also provides advice on how to check or change the security settings on Android devices, and on how to prevent unauthorized access to your device.
The seven most essential settings to enable to increase the security posture of Android smartphones and tablets are listed below:
Application whitelisting: since this can't be configured on a system-wide basis, organizations should restrict access to the Play Store and block apps from unknown sources
Patch applications: update applications when prompted by the device
User application hardening: block pop-ups and Java from executing
Restrict administrative privileges: Ensure that the MDM solutions used in deployment fully support the security features recommended in this guide
Patch operating systems: ensure that operating system software updates are applied when prompted by the device
Multi-factor authentication: authenticate through various Remote Server infrastructure (e.g. MDM, VPN) using usernames, passwords, and certificates
Daily backups: while such backups are not possible without providing 3rd party apps with access, system managers can develop their own trusted application or vet existing solutions
The full-length security hardening guide for Samsung S9 and S9+ devices published by the ACSC is available on the cyber.gov.au platform.
iOS security hardening guidance
As general advice, for existing or planned organization-wide iOS deployments, the ACSC recommends actively testing beta versions of iOS under Developer Preview and AppleSeed for IT Programs, and always updating to the latest iOS versions to mitigate security risks.
Organizations may also delay immediately updating the OS after consulting the update information available on Apple's security updates page for an informed decision.
Apple also provides its own iOS 12 security guide, with comprehensive information on various iOS security features from encryption and data protection to user password management and device controls.
Technical support for security issues is also available via the 'Get help with security issues' Apple support page, as are suggestions on how to secure iOS devices like using a complex passcode and enabling Touch ID or Face ID.
The seven most essential settings to enable to boost the security posture of iPhones and iPads are listed below:
Application whitelisting: enforce specific versions of an application using a cryptographic signature
Patch applications: remotely apply patches to organization-owned devices
User application hardening: block Java and use content blockers
Restrict administrative privileges: administrator permissions are restricted by default for both users and apps so no changes are needed
Patch operating systems: remotely apply patches to organization-owned devices
Multi-factor authentication: multiple authentication factors can be enabled
Daily backups: supports remote backups of some content
Further information regarding ACSC's extensive guidance on how to harden the security of Apple iOS devices is available on the cyber.gov.au platform.