Upgrade to Pro — share decks privately, control downloads, hide ads and more …

CIS + STIG + NIST + Apple + Users = X.pdf

Jamf
November 13, 2019
83

CIS + STIG + NIST + Apple + Users = X.pdf

Jamf

November 13, 2019
Tweet

Transcript

  1. © JAMF Software, LLC
    CIS + STIG + NIST + Apple + Users = X
    9:00 - 9:45 a.m.
    UP NEXT

    View full-size slide

  2. © JAMF Software, LLC
    Erin McDonald
    Senior Professional Services Engineer

    Jamf
    275x275

    head shot
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.

    View full-size slide

  3. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    CIS + STIG + NIST + Apple + Users = X
    Presentation agenda:

    What is…

    Intersections

    Divergences

    How to deploy

    View full-size slide

  4. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Before we begin…

    View full-size slide

  5. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    What is… CIS
    Center for Internet Security

    Provides security guidelines for multiple OSes

    Volunteer-built

    View full-size slide

  6. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    What is… STIG
    Security Technical Implementation Guide

    Released by DISA

    Public resources available at https://public.cyber.mil/stigs/

    View full-size slide

  7. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    What is… NIST
    National Institute of Standards and Technology

    Agency within the US Dept of Commerce

    Publicly available guidelines for securing macOS devices only reference macOS 10.12

    View full-size slide

  8. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Where they agree
    • Encryption - FileVault 2

    • System Integrity Protection

    • ScreenSaver settings

    • Login Window banner

    • Firewall logging

    View full-size slide

  9. © JAMF Software, LLC
    Where they agree
    • Display login window as name and password

    • Disable services such as file sharing, Bonjour,
    internet sharing

    • Disable root access

    • Enable audit logging and ensure proper
    permissions

    View full-size slide

  10. © JAMF Software, LLC
    Where they agree
    • Disable auto login

    • Require password after sleep

    • Disable Remote Apple Events

    • Enable Gatekeeper

    View full-size slide

  11. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Where they differ
    • Disable Wi-Fi

    • Disable unused network devices

    • Remove temp and emergency accounts after
    72 hrs

    • Disable FaceTime, Messages, 

    Camera

    View full-size slide

  12. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Where they differ
    • iCloud settings

    • Enabling specific SSH settings

    • Disable iTunes File Sharing

    • Require smart cards

    View full-size slide

  13. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Where they differ
    • Disable location services

    • Updates must come from DoD server

    • Install AV and network scanning tools

    • Real time alerts for audit failure

    View full-size slide

  14. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Variables in the equation - Apple

    Use Apple products on enterprise networks

    https://support.apple.com/en-us/HT210060

    Provides detail on hostnames, ports, and proxy support

    View full-size slide

  15. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Variables in the equation - Apple

    Apple Certification Updates

    FIPS 140-2 Level 2 validation for Apple Secure Enclave
    Processor (SEP) Secure Key Store Module, v9.0

    https://support.apple.com/en-us/HT209632

    View full-size slide

  16. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Variables in the equation - Apple

    Apple Certification Updates

    August 1, 2019 - Apple has received ISO 27001 & 27018
    certifications expanding to include Apple Push Notification
    Service (APNs), Apple Business Manager and Apple Business
    Chat services

    View full-size slide

  17. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Variables in the equation - NIST

    Password Guidelines - TL;DR

    • 8 character minimum when a human sets it

    • 6 character minimum when set by a system/service

    • Support at least 64 characters maximum length

    • All ASCII characters (including space) should be supported

    View full-size slide

  18. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Variables in the equation - NIST

    Password Guidelines - TL;DR, continued

    • Truncation of the secret (password) shall not be performed
    when processed

    • Check chosen password with known password dictionaries

    • Allow at least 10 password attempts before lockout

    • No complexity requirements

    View full-size slide

  19. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Variables in the equation - NIST

    Password Guidelines - TL;DR, continued

    • No password expiration period

    • No password hints

    • No knowledge-based authentication (e.g. who was your best
    friend in high school?)

    • No SMS for 2FA (use a one-time password

    from an app like Google Authenticator)

    View full-size slide

  20. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Variables in the equation - NIST

    Password Guidelines

    FAQ for NIST Digital Identity Guidelines

    https://pages.nist.gov/800-63-FAQ/

    View full-size slide

  21. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Variables in the equation - Users

    View full-size slide

  22. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Deploying - How to solve for X
    Organization requirements

    Understand implications of each setting

    Audit first, then remediate small

    Communicate security expectations / settings to users

    View full-size slide

  23. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    Jamf Protect Insights -
    Allows you to set 

    which CIS Benchmarks
    you wish to audit
    against
    Deploying - How to solve for X

    View full-size slide

  24. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    780 px
    650 px
    CIS Audit and
    Remediation
    Available at
    https://jamf.it/CIS
    Deploying - How to solve for X

    View full-size slide

  25. © JAMF Software, LLC
    In session recording, Picture-in-Picture
    of you presenting will be placed here.

    Please don’t put anything especially
    important in this area.
    780 px
    650 px
    STIG Audit and
    Remediation
    Available at
    https://jamf.it/STIG
    Deploying - How to solve for X

    View full-size slide

  26. © JAMF Software, LLC
    UP NEXT
    An Insider’s Look at APU
    10:15 - 11:00 a.m.
    Thank you for listening!
    Give us feedback by
    completing the 2-question
    session survey in the JNUC
    2019 app.

    View full-size slide