The Center for Internet Security (CIS) does a great job of producing high-quality documentation on how you can harden pretty much any popular operating system, appliance or application. The National Institute of Standards (NIST, Series 800 docs) and the National Security Agency (NSA) also have some really good documentation. I would highly recommend you use those docs as guides. And I challenge you to implement as many of their recommendations as possible. However, implementing configuration changes to be more secure will ALWAYS break something! You've been warned. Computing devices were made for convenience - not security. We should press the vendors to ADD MORE security features.
Here is the list of the top 10 configuration items you absolutely MUST implement today to lock down your Mac.
1. Encrypt your hard drive - the entire thing, not just your home folder. The ability to encrypt your hard drive comes standard in Mac OS X. Very nice! It can take about an hour depending on the size of your hard drive. This step "should" be part of a thorough system lock down or hardening of Mac OS X. It's easy and free. And only takes a little over an hour - most of it will be spent encrypting your hard drive!
2. Scheduled your computer to check for and install updates daily. This includes updating your anti-virus software signatures daily too. See item 5 below. Apple does a pretty good job keeping up with software updates - especially ones that may expose you to malicious activity. In reality any vendor will always lag behind getting updates out. In business being "first to market" will often have priority over releasing a perfect product.
3. Take physical security seriously. How many MacBooks have been taken when people have stepped away from them "just for a moment." Take it with you where ever you go - including the bathroom. Out of site, out of mind. This applies to your Mac at work too. If you are lucky enough to have been provided a Mac at work then demand the employer also purchase a cable lock for it. Everybody wants Apple products these days.
4. Be stealthy. Enable stealth mode in the Advanced section of your local firewall. Your computer won't respond to or even acknowledge attempts to access it from the network. This makes the computer virtually invisible to Internet Control Message Protocol (ICMP - aka Ping). I've used tools like Wireshark and NMAP and under normal queries your Mac won't show up on the network!
5. Download and install Sophos Anti-Virus (the Mac Home Edition is free). The install and configuration is quick and easy. Takes 5 minutes. Mac OS X - like any software ever developed is vulnerable to security issues. Click here for a brief history of Mac vulnerabilities. I like Sophos because it's free but I REALLY like it because it's effective. Sophos for Mac is award-winning software!
6. Disable all those automatic and unnecessary services. Disable automatic logins, auto play (for usb, CD/DVD, etc.), disable all sharing services (especially printing, Bluetooth, automount, etc.), and even turn off your wireless connection when you're not using it. Disable the root login too. I know it's a pain to turn on/off your wireless and other services. But honestly introducing this type of randomness in availability and accessibility makes it frustrating for someone or something that keeps trying to access your Mac. It's unlikely you'll turn on/off background services - like network services and automatic update services. It's easier to simply turn on/off your wireless connection. The basic rule is never share or automatically play/mount/bind anything (including using cron). These features should require manual effort and/or authentication. This may be the most difficult of all the top 10 changes to secure your Mac. And it's the most likely to break some application from working properly. You can tackle all of these services by configuring them NOT to startup in /etc/hostconfig. Beware /etc/hostconfig is going away soon (maybe as soon as Mac OS X 10.8!). It's good idea to turn off services in phases. Turn off the service, reboot, see what's still running (and what you can really live without) then repeat until you can still do your work while knowing that no unnecessary services are running. The same technique applies to what is listening at the network level.
7. Require authentication at every level, firmware (BIOS), single user mode, booting from CD/DVD, etc. Also, require authentication for ANY configuration change and shutdown/reboot. Always create passwords that are complex. I recommend 12 characters minimum - if the software application supports it (and most do). That increases the time to discovery exponentially! What about using the Keychain app? Don't. If you must then use a portable drive to store keychains (like Ironkey) and keep the login and individual keychain items secure. It's also a good idea to keep a specific keychain for different purpose - so all your eggs aren't in one basket.
8. Use secure remove (srm) and secure empty (and secure erase empty space) to delete personal files you no longer need. Secure remove/empty will remove evidence in slack space on your storage device that the file ever existed. If you do a lot of command line work with your Mac then set up an alias so the remove command (rm) calls srm instead. I like the secure erase options so much I'd recommend starting with doing a secure erase of the entire disk before installing Mac OS X!
9. Audit review and Logging. Splunk and Logrythm are popular software applications that help make sense of the tons of events that happen on a system. They aren't free. Splunk offers you the ability to search your logs like doing a simple Google search. A properly configured Mac can be set up to see who is logged in and when an important system file (like /etc/shadow) was changed. Tripwire is another product to track changes on a Mac. The basic idea in this item is to at least configure your Mac to audit events and log information. You should then set triggers to alert you but this could take a product like Splunk. The console application that comes with Mac OS X can help you view what is happening in realtime for the system, kernel, Library logs, and many, many others. To make sense of all that data you probably want something like Splunk or Logrythm. Your configuration state should be static but you have to check or automate this check. Windows 7 has its system recovery tool and Solaris (11) will keep the state of your configuration - or return to it when you logoff or reboot. Why doesn't Mac OS X have this yet? We're seeing more and more secure configurations with the ability to keep the state of the system in compliance. Often times a patch can reset a configuration item or otherwise break a secure configuration. Being able to keep or return to a specific state of configuration is a great tool for security practitioners. And if something changes then auditing and/or logging should catch these events and alert on them.
10. Check and Set permissions appropriately. On a Mac you can set up a command in cron to check and/or set permissions to their factory default. The syntax from the command line is simple - "diskutil repairPermissions /". Too many third-party applications come with permissions so any user can read, modify or execute. Remember these default settings were made for convenience - not security. Home directories should NEVER be set to allow other users access from any account besides their own. I really hate unowned files. And I bet you I can find some on any Unix-Linux-based system. This theme also applies to configuring applications to run in a chroot jail. A chroot jail is a isolated place where an application can run without affecting other applications. You might also hear this called operating in a sandbox. It's a popular security concept. The NSA helped to create Security Enhanced Linux (SELinux) which does the same sort of thing (really too well actually). Since Mac OS X is really Linux (based on a TrustedBSD - Berkely Software Distribution - Framework) things like chroot security techniques apply. Along this same line of thought - don't install unnecessary software packages. It's easy to get carried away downloading free software. Remember, software can't be trusted.
Much of the security benchmarks, metrics and assessment tools can be found free online. The Center for Internet Security hosts 63 benchmarks and 28 metrics at the time of this writing. It's likely you'll find your product on their site, download the PDF for free and start configuring your system to be more secure. CIS also provides tools for examining your operating system. Click here to see what CIS has to offer. Bastille for Mac is a tool to help secure your Mac operating system quickly and easily.
The problem with automating secure configurations for devices, operating systems and applications is one size doesn't fit all. Every place of employment and individual is different. Much of the problem of Internet thievery stems from the fact people don't lock down their computing device. Every hardware/software device sold is NOT secure out of the box. Their default configuration is actually very exposed to many common vulnerabilities. Most people don't bother or don't know they should lock down their new Mac when they get it home. Many people don't believe they need that much security or don't use their device to do anything very private (or don't care if anyone is watching). It doesn't matter, it still needs to be locked down.
No comments:
Post a Comment