206 – Configure communication protocols

Summary

The system must keep mobile devices communication protocols hidden, protected with credentials or turned off. This refers to protocols that allow data exchange such as Bluetooth, NFC and Tethering.

Description

This is requirement emphasizes in protecting mobile devices against unauthorized access by using different types of attacks, such as Bluejacking, Bluesnarfing, eavesdropping, data interception, etc. Turning off or securing communication protocols that are not actively used reduces the attack surface of the mobile device.

Supported In

Advanced: True

References

• OWASP10-A5. Security misconfiguration
• OWASPM10-M3. Insecure communication threat agents
• SANS25-18. Use of hard-coded credentials
• CMMC-AC_L2-3_1_18. Mobile device connection
• CMMC-SC_L1-3_13_1. Boundary protection
• HITRUST-09_s. Information exchange policies and procedures
• HITRUST-09_v. Electronic messaging
• OSSTMM3-9_2_2. Wireless security (logistics) - Communications
• PTES-4_5_3. Threat capability analysis - Communication mechanisms
• PTES-5_2_2_2. Vulnerability analysis - Network vulnerability scanners (service based)
• NIST800171-1_16. Authorize wireless access prior to allowing such connections
• NIST800171-1_18. Control connection of mobile devices
• SIGLITE-SL_142. Is there a mobile device management solution in place?
• SIG-M_1_25. End user device security
• CWE25-798. Use of hard-coded credentials

Last updated

2024/02/05