ETSI TR 103 305-3-2016 CYBER Critical Security Controls for Effective Cyber Defence Part 3 Service Sector Implementations (V1 1 1).pdf

1、 ETSI TR 103 305-3 V1.1.1 (2016-08) CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations TECHNICAL REPORT ETSI ETSI TR 103 305-3 V1.1.1 (2016-08)2 Reference DTR/CYBER-0012-3 Keywords Cyber Security, Cyber-defence, information assurance ETSI 650 Route

2、des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.or

3、g/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in

4、contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of st

5、atus. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx

6、 Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI

7、. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks

8、 of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 103 305-3 V1.1.1 (2016-08)3 Contents Intellectual Property Rights 4g3Foreword . 4g3Modal verbs terminology 4g3Exe

9、cutive summary 4g3Introduction 4g31 Scope 5g32 References 5g32.1 Normative references . 5g32.2 Informative references 5g33 Definitions and abbreviations . 5g33.1 Definitions 5g33.2 Abbreviations . 6g34 Critical Security Controls: Mobile Device Security . 7g34.0 Introduction 7g34.1 CSC Mobile Device

10、Security Description 7g35 Critical Security Controls: Internet of Things Security 16g35.0 Introduction 16g35.1 CSC IoT Security Description 16g3History 26g3ETSI ETSI TR 103 305-3 V1.1.1 (2016-08)4 Intellectual Property Rights IPRs essential or potentially essential to the present document may have b

11、een declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards

12、“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not refere

13、nced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER). The present document is part 3 of a multi-part deliverable

14、. Full details of the entire series can be found in part 1 i.3. Modal verbs terminology In the present document “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expressi

15、on of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Executive summary The present document is an evolving repository for guidelines on service sector Critical Security Control implementations. Because of their rapidly scaling importance

16、and need for defensive measures, the mobile device and Internet of Things (IoT) sectors are treated. Introduction The individual service sector guideline clauses below provide subject matter introductions. ETSI ETSI TR 103 305-3 V1.1.1 (2016-08)5 1 Scope The present document is an evolving repositor

17、y for guidelines on service sector Critical Security Control implementations. Because of their rapidly scaling importance and need for defensive measures, the mobile device and Internet of Things (IoT) sectors are treated. The CSC are a specific set of technical measures available to detect, prevent

18、, respond, and mitigate damage from the most common to the most advanced of cyber attacks. The present document is also technically equivalent and compatible with the 6.0 version of the “CIS Controls Mobile and IoT Companion Guides“ October 2015, which can be found at the website https:/www.cisecuri

19、ty.org/critical-controls/ i.1. 2 References 2.1 Normative references Normative references are not applicable in the present document. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific re

20、ferences, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The follow

21、ing referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 The Center for Internet Cybersecurity: “CIS Controls Mobile and IoT Companion Guides“ October 15, 2015. NOTE: Available at https:/www.cisecuri

22、ty.org/critical-controls.cfm. i.2 NIST SP 800-101: “Guidelines on Mobile Device Forensics“. i.3 ETSI TR 103 305-1: “CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present

23、document, the following terms and definitions apply: Critical Security Control (CSC): specified capabilities that reflect the combined knowledge of actual attacks and effective defences of experts that are maintained by the Council on Cybersecurity and found at the website https:/www.cisecurity.org/

24、critical-controls/ ETSI ETSI TR 103 305-3 V1.1.1 (2016-08)6 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: 6LoWPAN IPv6 over Low power Wireless Personal Area Networks API Application Programming Interface ARM Advanced RISC Machine AV Anti-Virus BYOD Br

25、ing Your Own Device CIS Center for Internet Security COOP Continuity of Operations CSC Critical Security Control or Capability DDOS Distributed Denial of Service DiS Data-in-Storage DoS Denial of ServiceEEPROM Electrically Erasable Programmable Read-Only Memory GSM Global System for Mobile Communica

26、tions HART Highway Addressable Remote Transducer ICS Industrial Control SystemsIDS Intrusion Detection Systems IoT Internet of Things IP Internet Protocol IPS Intrusion prevention system IPsec Internet Protocol security IPv6 Internet Protocol version 6 IT Information Technology LDAP Lightweight Dire

27、ctory Access Protocol LE Low Energy MDM Mobile Device Management MSSP Managed Security Service Provider NFC Near Field Communication NIST National Institute of Standards and Technology OS Operating System OWASP Open Web Application Security Project PC Personal Computer PIN Personal Identification Nu

28、mber RF Radio Frequency RSU Road Side Unit RTOS Real-time Operating System SCADA Supervisory Control and Data Acquisition SIEM Security Information Event Management SP Special Publication SPAM unsolicited or undesired electronic message(s) SSH Secure Shell SSL Secure Sockets Layer TCP Transmission C

29、ontrol Protocol TCP/IP Secure Sockets Layer TLS Transport Layer Security TV Television URL Uniform Resource Locator USB Universal Serial Bus VLAN Virtual Local Area Network VPN Virtual Private Network ETSI ETSI TR 103 305-3 V1.1.1 (2016-08)7 4 Critical Security Controls: Mobile Device Security 4.0 I

30、ntroduction Mobile devices are starting to replace laptops for regular business use. Organizations are building or porting their applications to mobile platforms, so users are increasingly accessing the same data with mobile as with their laptops. Also, organizations have increasingly implemented Br

31、ing Your Own Device (BYOD) policies to manage this trend. However, many organizations have been struggling with the increase of personal mobile devices, and do not fully understand the security risks they may bring. There are concerns that their compact size makes them easy to lose, that they run ne

32、wer operating systems that do not have decades of use and examination to uncover their weaknesses, and that there are millions of potentially malicious mobile applications that access data, spy on users, steal credentials, act as ransomware, or even become part of a Distributed Denial of Service (DD

33、OS) botnet. Like with traditional PC platforms, mobile still has to worry about protecting data from unauthorized access at rest and in transit; traditional network level man-in-the-middle attacks on public Wi-Fi; and similar web application threats (since mobile apps frequently access the same serv

34、er endpoints as web applications). Employees today may use their mobile devices to perform the same business functions and access the same data as their PCs or laptops; but what is different is they are not physically connected to the corporate network, and likely, not even logged into the corporate

35、 domain. There are times when organizations use mobile VPNs to access the corporate network, but more and more frequently, mobile users access cloud services. It is not uncommon for corporate mobile users to access numerous cloud-based applications that reside outside their enterprise. Each of these

36、 has its own credentials, again rarely linked to enterprise. Getting visibility on the configuration, threats and behaviour of these mobile devices is a challenge, since there are no “eyes“ on the device like those attached to the network. But this environment does not preclude tracking the threats

37、and risks. The Critical Security Controls for Effective Cyber Defense Version 6.0 (Controls) is that they are universal and high level enough to apply to any technology implementation. Everyone needs to start with: “What is the mobile device?“, “What is the configuration?“ and “What risks needs to b

38、e addressed?“ Basically 1 - 3 of the Controls. Protection requires knowledge of what is being protected. The real challenge to mobile security is the multitude of different mobile devices. With desktops, there are largely commodity hardware running less than half a dozen different operating systems,

39、 and through conscientious configuration management, usually a single or only a few different OS versions. Mobile devices have four different popular software platforms, with dozens of different hardware vendors, and dozens of different carriers that affect the platforms. The most prevalent platform

40、 presently has 11 OS version families, with sub-versions under them, which on most devices are non-upgradable or forward compatible, and exist on dozen of hardware platforms and carriers. So the permutations become enormous, and understanding the risks of each of these is overwhelming. This is why,

41、for enterprises that have strict security requirements, it is best to issue standard devices. Within the Controls, application security (CSC 6), wireless device control (CSC 7), and data loss prevention (CSC 17) all are relevant to mobile. Restricted use of administrative rights (CSC 12) is also som

42、ething that could be implemented, some MDM and mobile security platforms, have the ability to restrict administrative privileges to end users, which will prevent removal of security protections or monitoring. Malware defenses (CSC 5) are very different than traditional PC platforms. Secure configura

43、tions can also be applied (CSC 10), insecure features and functionality can be limited (CSC 11), and cloud based boundary defense can be provided (CSC 13). All of these areas are described in more detail in the table below. Using the Controls can be the framework to develop a security method and pro

44、cess to manage an organizations mobile security risks. 4.1 CSC Mobile Device Security Description Simple security steps should always be followed to reduce the likelihood from most Mobile threats: not Rooting or Jailbreaking a device; only obtain apps from the device vendor or the organizations app

45、stores, not 3rdparty stores; being wary of any app wanting to install a Profile on a mobile device, as well as if there is an “Untrusted App Developer“ popup for the app; and not leaving a device unlocked for long periods of time. For each Control, table 1 details the controls applicability to mobil

46、e and specific challenges, and considerations for implementation of that control. ETSI ETSI TR 103 305-3 V1.1.1 (2016-08)8 Table 1: Critical Security Controls (Version 6): Mobile Device Security Critical Security Controls (Version 6): Mobile Device Security CSC # Control Name Applicability to Mobile

47、 Mobile Device Security Challenges and Considerations 1 Inventory of Authorized and Unauthorized Devices One needs to have knowledge of all devices used to access data and resources in the organization. Mobile devices are not perpetually attached to the corporate network like other IT systems, so ne

48、w methods need to be used to maintain the inventory. An organization cannot get an inventory of mobile devices by running a scan to discover what mobile devices are connected; companies can use email accounts, or active synchronization software to determine what mobile devices are used to access ema

49、il (which is most popular application for mobile devices). Also, Mobile Device Management (MDM) can support this by installing agents on the mobile devices to push down configuration and security profiles, monitor devices for configuration changes, and provide access controls based on policy. 2 Inventory of Authorized and Unauthorized Software There are millions of mobile apps across dozens of different platforms. Mobile apps can bring risks and threats to data and credentials. Being able to know what is installed, and control access to malicious apps, and inse