
Building your macOS Baseline Requirements MacadUK 2018


Slides from the 2018 MacAD.UK conference
Synopsis: https://www.macad.uk/speaker/henry-stamerjohann/

When tasked with (re)building a security baseline for macOS clients, where do you start?
There’s obviously decisions to be made about what’s feasible in your organization (beyond if admin privileges should be the default). You need to weigh system stability and security with end-user productivity. Luckily for the macOS platform a rich ecosystem of tools exist to fill in the gaps and general guidance is available. The crucial part of making mindful and informed decisions is to first aggregate data from your IT environment. You can then decide what configurations to deploy and run recurring compliance checks based on an appropriate strategy. This session will cover fundamentals, highlight advanced considerations, and outline practical examples to apply when you’re conducting a (new) baseline for macOS clients.

Published in: Technology


  1. 1. Henry Stamerjohann Apfelwerk GmbH & Co. KG Twitter: @head_min Slack: @henry hello (again)
  2. 2. Building your macOS Baseline Requirements
  3. 3. • Wide variety of endpoints in a mobile world • Mission to secure Hardware / Software configurations • Continuous Vulnerability Assessment • We are responsible for data (GDPR / EU-DSGVO) Today
  4. 4. • You’re asked to apply a Windows security guideline to Macs • You’re asked how Group Policy Objects (GPOs) can apply to Macs • You’re stuck in a looping discussion about how MDM / APNs works • InfoSec challenges you with: "Why should we trust 17.0.0.0/8" Imagine
  5. 5. Security Baseline
  6. 6. Network segmentation • Access control management • System auditing • Compartmentalization • Physical access • Verify digital signatures • Vulnerability assessment • Aggregate, alert upon logs • Managed updates • Intrusion detection • Inventory control • Secondary factors • Remediation plan • Platform firmware security • Full disk encryption • Forensics Components
  7. 7. Intrusion detection • Network segmentation • Access control management • System auditing • Compartmentalization • Physical access • Verify digital signatures • Vulnerability assessment • Aggregate, alert upon logs • Managed updates • Inventory control • Secondary factors • Remediation plan • Platform firmware security • Full disk encryption • Forensics Components
  8. 8. Intrusion detection • Network segmentation • Access control management • System auditing • Compartmentalization • Physical access • Verify digital signatures • Vulnerability assessment • Aggregate, alert upon logs • Managed updates • Inventory control • Secondary factors • Remediation plan • Platform firmware security • Full disk encryption • Forensics • Training Components
  9. 9. • Basic (security) plan for IT systems • Identify and implement security measures • Complete for operational environment • Specific implementation documents Essentials
  10. 10. • Enforce compliance standards • Appropriate strategy to address security and end-user productivity • Include (simple) post-incident templates • Your security posture Objectives
  11. 11. • Patch your systems and software frequently • Disable services and limit access where possible • Ensure configuration settings stay compliant • Close the gaps when detected & keep improving Procedures
  12. 12. If you create policies that are too rigid, you take the risk of failing!
  13. 13. Structure
  14. 14. Example: Security Baseline from CERN
  15. 15. Microsoft Security Compliance Toolkit
  16. 16. www.cisecurity.org/benchmark/apple_os/
  17. 17. github.com/drduh/macOS-Security-and-Privacy-Guide
  18. 18. github.com/drduh/macOS-Security-and-Privacy-Guide
  19. 19. • Config Profiles (MDM, manually deployed) • Scripts / CLI tools / Software • Conditionals / Extension Attributes • MDM commands (wipe/lock) Configuration elements
  20. 20. • Inventory information, management system • Scheduled intervals • Reporting / Dashboards / Logging • Change Detection, Alerting • Automation / programmed remediation Control Facilities
  21. 21. github.com/kristovatlas/osx-config-check
  22. 22. Executable Bingo! How many binaries and scripts inside?
          App                Binaries   Scripts
          Firefox.app               8   270 (bash, python, perl, node, ..)
          Google Chrome.app        12   144 (bash, python, node, ..)
          Atom.app                 30   6 (bash)
          Xcode.app              1224   - 122
  23. 23. support.apple.com/en-us/HT208103
  24. 24. Repercussions: acknowledge the risk of executing malicious binaries. Developers could blindly insert "bad code" or a "backdoor mechanism", etc.
  25. 25. media.ccc.de/v/34c3-9249-hardening_open_source_development 34C3
  26. 26. Devs … what can go wrong? • Flaws in development toolchains • Risk of code execution • Package managers (npm, Homebrew) • Code or build scripts compromised • Hiding code from git diff (UTF-8 character spoofing) • ASCII control characters in copy/paste compromised
  27. 27. Executable Bingo!
  28. 28. www.tenable.com/products/nessus/nessus-professional
  29. 29. https://www.inspec.io
  30. 30. brew.sh
  31. 31. Application Lifecycle & Change management
  32. 32. Inspect content
  33. 33. Fingerprint binaries OracleJava9-9.0.1.0.11.pkg
  34. 34. Fingerprint binaries OracleJava9-9.0.4.0.11.pkg
  35. 35. Inspect for difference in detail
  36. 36. Discuss responsibly
  37. 37. Security Baseline (Management infrastructure)
  38. 38. • Configuration management to control server state • Build Multiple layers of defense • Limit access / API access • Use logging and intrusion detection Management services
  39. 39. Local logs
  40. 40. Log aggregation
  41. 41. Log aggregation
  42. 42. Log aggregation
  43. 43. http://dev-sec.io
  44. 44. http://dev-sec.io
  45. 45. OSQuery (Change detection)
  46. 46. https://osquery.io
  47. 47. https://osquery.io
  48. 48. https://osquery.io
  49. 49. Recurring check
  50. 50. Recurring check
  51. 51. Google Santa (Binary control)
  52. 52. https://github.com/google/santa
  53. 53. https://santa.readthedocs.io/en/latest/
  54. 54. Scan executable content
  55. 55. Scan executable content
  56. 56. Scan executable content
  57. 57. brew-openssl-1.0.2h.json Diff for analyze brew-openssl-1.0.2n.json
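Slides 22, 33 to 35 and 57 describe the same workflow: inventory the executable content of a bundle or package, fingerprint it, and diff the fingerprints of two versions. The script below is an added example written for this page, not code from the talk or from the linked repository. It classifies files by Mach-O magic numbers and shebang lines, writes a path-keyed manifest of SHA-256 hashes, and diffs two manifests; the bundle it inspects is a constructed stand-in built in a temporary directory, so it runs anywhere without a real .app or .pkg.

```python
"""
Inventory, fingerprint and diff executable content in a directory tree
(an unpacked .app bundle or .pkg payload). Added example; the sample
bundle is constructed, only the Mach-O / shebang detection is real.
"""
import hashlib
import json
import os
import tempfile

# Mach-O magic numbers: thin 32/64-bit in both byte orders, plus fat (universal) headers.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}


def classify(path):
    """Return 'binary' for Mach-O files, 'script:<interpreter>' for shebang scripts, else None."""
    with open(path, "rb") as fh:
        head = fh.read(256)
    if head[:4] in MACHO_MAGICS:
        return "binary"
    if head.startswith(b"#!"):
        words = head.split(b"\n", 1)[0][2:].decode("ascii", "replace").split()
        if not words:
            name = "unknown"
        elif os.path.basename(words[0]) == "env" and len(words) > 1:
            name = words[1]                      # "#!/usr/bin/env python3" -> python3
        else:
            name = os.path.basename(words[0])    # "#!/bin/bash" -> bash
        return "script:" + name
    return None


def fingerprint(root):
    """Walk a tree and record kind + SHA-256 of every executable artefact, keyed by relative path."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            kind = classify(full)
            if kind is None:
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"kind": kind, "sha256": digest}
    return manifest


def summarize(manifest):
    """Counts in the shape of the 'Executable Bingo' table: binaries, scripts, interpreters seen."""
    kinds = [entry["kind"] for entry in manifest.values()]
    interpreters = sorted({k.split(":", 1)[1] for k in kinds if k.startswith("script:")})
    return {
        "binaries": kinds.count("binary"),
        "scripts": sum(1 for k in kinds if k.startswith("script:")),
        "interpreters": interpreters,
    }


def diff_manifests(old, new):
    """Compare two manifests (e.g. two package versions): what appeared, vanished, or changed hash."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p]["sha256"] != new[p]["sha256"]),
    }


def build_sample_bundle(root):
    """Constructed stand-in for an .app bundle: two Mach-O files, two scripts, one plain data file."""
    files = {
        "Contents/MacOS/Sample": b"\xcf\xfa\xed\xfe" + b"\x00" * 64,             # 64-bit Mach-O
        "Contents/Frameworks/Helper.dylib": b"\xca\xfe\xba\xbe" + b"\x00" * 64,  # fat binary
        "Contents/Resources/setup.sh": b"#!/bin/bash\necho setup\n",
        "Contents/Resources/helper.py": b"#!/usr/bin/env python3\nprint('hi')\n",
        "Contents/Info.plist": b"<?xml version=\"1.0\"?>\n<plist/>\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Fingerprint the constructed bundle, mutate it like a new release, and diff the two manifests."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bundle(tmp)
        before = fingerprint(tmp)
        # Simulate the next version: one existing script changes, one new script appears.
        with open(os.path.join(tmp, "Contents", "Resources", "setup.sh"), "ab") as fh:
            fh.write(b"echo extra\n")
        with open(os.path.join(tmp, "Contents", "Resources", "postinstall"), "wb") as fh:
            fh.write(b"#!/usr/bin/perl\nprint 1;\n")
        after = fingerprint(tmp)
        return summarize(before), summarize(after), diff_manifests(before, after)


if __name__ == "__main__":
    for item in demo():
        print(json.dumps(item, indent=2))
```

Run the manifest over an unpacked package once per release and keep the JSON next to your inventory data; the `changed` list is the part worth reading in detail, since a script that changed hash between two versions of the same installer is exactly the case slides 33 to 35 ask you to inspect and discuss.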
  58. 58. Event streams • Event: point of instrumentation in the system • Probe: filter when a certain (described) event happens • Action: action (clause) executed once the probe fires • Ship aggregate results & sync config >>> Event stream data is stored for historic inspection
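The event / probe / action model on the slide is easy to misread as "alert on match and drop the rest"; the point of the last line is that every event is retained, so questions you did not think to ask at ingest time can still be answered later. The following is an added example written for this page, not Zentral's code: a small in-memory stream with two probes, each wired to an action, plus a history query. The events are constructed and only shaped like Santa execution decisions and osquery differential results; hosts, hashes and paths are placeholders.

```python
"""
Minimal event stream: events from instrumentation points are stored,
probes filter them, actions run once per match, and history stays
queryable. Added example with constructed events, not real telemetry.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]


@dataclass
class Probe:
    """A filter plus the actions (the 'action clause') to run for every event it matches."""
    name: str
    matches: Callable[[Event], bool]
    actions: List[Callable[[Event], None]]


@dataclass
class EventStream:
    probes: List[Probe] = field(default_factory=list)
    history: List[Event] = field(default_factory=list)        # every event, matched or not
    fired: List[Tuple[str, int]] = field(default_factory=list)  # (probe name, event id) per match

    def ingest(self, event: Event) -> None:
        self.history.append(event)  # store first, so an action failure cannot lose the record
        for probe in self.probes:
            if probe.matches(event):
                for action in probe.actions:
                    action(event)
                self.fired.append((probe.name, event["id"]))

    def inspect(self, predicate: Callable[[Event], bool]) -> List[Event]:
        """Historic inspection: query stored events, including ones no probe cared about at the time."""
        return [e for e in self.history if predicate(e)]


# Constructed events shaped like two instrumentation points: Santa binary decisions
# and osquery differential rows for the sip_config table. Hosts/hashes are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "source": "santa", "host": "mac-01", "decision": "ALLOW_BINARY",
     "path": "/Applications/Firefox.app/Contents/MacOS/firefox", "sha256": "aa11"},
    {"id": 2, "source": "santa", "host": "mac-02", "decision": "BLOCK_UNKNOWN",
     "path": "/Users/alice/Downloads/installer", "sha256": "bb22"},
    {"id": 3, "source": "osquery", "host": "mac-01", "table": "sip_config",
     "action": "removed", "columns": {"config_flag": "sip", "enabled": "1"}},
    {"id": 4, "source": "santa", "host": "mac-03", "decision": "ALLOW_UNKNOWN",
     "path": "/Users/bob/bin/tool", "sha256": "cc33"},
]


def build_stream(alerts: List[str]) -> EventStream:
    """Wire two probes, blocked executions and SIP drift, to one action that appends to `alerts`."""
    def alert(event: Event) -> None:
        alerts.append(f"{event['host']}: {event['source']} event {event['id']}")

    return EventStream(probes=[
        Probe("blocked-execution",
              lambda e: e["source"] == "santa" and str(e["decision"]).startswith("BLOCK"),
              [alert]),
        Probe("sip-drift",
              lambda e: e["source"] == "osquery" and e["table"] == "sip_config"
              and e["action"] == "removed",
              [alert]),
    ])


def run_demo():
    """Feed the sample events through the stream and then ask a question no probe was set up for."""
    alerts: List[str] = []
    stream = build_stream(alerts)
    for event in SAMPLE_EVENTS:
        stream.ingest(event)
    # Asked after the fact: which unknown binaries were allowed to run (Santa in monitor mode)?
    allowed_unknown = stream.inspect(lambda e: e.get("decision") == "ALLOW_UNKNOWN")
    return stream, alerts, allowed_unknown


if __name__ == "__main__":
    stream, alerts, allowed_unknown = run_demo()
    print(alerts)
    print([e["path"] for e in allowed_unknown])
```

The probe for `ALLOW_UNKNOWN` deliberately does not exist when the events arrive; the `inspect` call still finds event 4 because the stream kept it. That is the difference between a log filter and an event stream, and it is why the aggregation layer (slides 40 to 42) should retain raw events rather than only the alerts derived from them.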
  59. 59. https://zentral.io
  60. 60. github.com/zentralopensource/zentral
  61. 61. Open BSM audit
  62. 62. Open BSM audit
  63. 63. Open BSM audit
  64. 64. http://services.google.com/fh/files/misc/fleet_management_at_scale_white_paper.pdf
  65. 65. Rebuild your Security Baseline
  66. 66. Data Protection & Regulation
  67. 67. TY!
  68. 68. Q & A
  69. 69. Links https://github.com/apfelwerk/macadUK2018-baseline-requirements
