CIS + STIG + NIST + Apple + Users = X.pdf

Jamf
November 13, 2019

Transcript

  1. © JAMF Software, LLC
    CIS + STIG + NIST + Apple + Users = X
    9:00 - 9:45 a.m.

  2.

  3. Erin McDonald
    Senior Professional Services Engineer

    Jamf

  4. CIS + STIG + NIST + Apple + Users = X
    Presentation agenda:

    What is…

    Intersections

    Divergences

    How to deploy

  5. Before we begin…

  6. What is… CIS
    Center for Internet Security

    Provides security guidelines for multiple OSes

    Volunteer-built

  7. What is… STIG
    Security Technical Implementation Guide

    Released by DISA

    Public resources available at https://public.cyber.mil/stigs/

  8. What is… NIST
    National Institute of Standards and Technology

    Agency within the US Dept of Commerce

    NIST's publicly available guidelines for securing macOS devices only reference macOS 10.12

  9. Where they agree
    • Encryption - FileVault 2

    • System Integrity Protection

    • ScreenSaver settings

    • Login Window banner

    • Firewall logging

  10. Where they agree
    • Display login window as name and password

    • Disable services such as file sharing, Bonjour, internet sharing

    • Disable root access

    • Enable audit logging and ensure proper permissions

  11. Where they agree
    • Disable auto login

    • Require password after sleep

    • Disable Remote Apple Events

    • Enable Gatekeeper

  12. Where they differ
    • Disable Wi-Fi

    • Disable unused network devices

    • Remove temp and emergency accounts after 72 hrs

    • Disable FaceTime, Messages, Camera

  13. Where they differ
    • iCloud settings

    • Enabling specific SSH settings

    • Disable iTunes File Sharing

    • Require smart cards

  14. Where they differ
    • Disable location services

    • Updates must come from DoD server

    • Install AV and network scanning tools

    • Real time alerts for audit failure

  15. Variables in the equation - Apple

    Use Apple products on enterprise networks

    https://support.apple.com/en-us/HT210060

    Provides detail on hostnames, ports, and proxy support

  16. Variables in the equation - Apple

    Apple Certification Updates

    FIPS 140-2 Level 2 validation for Apple Secure Enclave Processor (SEP) Secure Key Store Module, v9.0

    https://support.apple.com/en-us/HT209632

  17. Variables in the equation - Apple

    Apple Certification Updates

    August 1, 2019 - Apple has received ISO 27001 & 27018 certifications expanding to include Apple Push Notification Service (APNs), Apple Business Manager and Apple Business Chat services

  18. Variables in the equation - NIST

    Password Guidelines - TL;DR

    • 8 character minimum when a human sets it

    • 6 character minimum when set by a system/service

    • Support at least 64 characters maximum length

    • All ASCII characters (including space) should be supported

  19. Variables in the equation - NIST

    Password Guidelines - TL;DR, continued

    • Truncation of the secret (password) shall not be performed when processed

    • Check chosen password with known password dictionaries

    • Allow at least 10 password attempts before lockout

    • No complexity requirements

  20. Variables in the equation - NIST

    Password Guidelines - TL;DR, continued

    • No password expiration period

    • No password hints

    • No knowledge-based authentication (e.g. who was your best friend in high school?)

    • No SMS for 2FA (use a one-time password from an app like Google Authenticator)

  21. Variables in the equation - NIST

    Password Guidelines

    FAQ for NIST Digital Identity Guidelines

    https://pages.nist.gov/800-63-FAQ/
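As an added example (not code from the talk or from Jamf), the password TL;DR on slides 18-20 turned into verifier-side acceptance rules: length minimums by who set the secret, a 64-character ceiling the verifier must support, space and all printable ASCII accepted, a dictionary check in place of complexity rules, and a lockout counter that refuses to be configured below 10 attempts. The dictionary contents are constructed; a real deployment would load a published breached-password list.

```python
"""Verifier-side checks for the NIST SP 800-63B password TL;DR above (added example)."""

MIN_LEN_USER_CHOSEN = 8    # 8 character minimum when a human sets it
MIN_LEN_SYSTEM_SET = 6     # 6 character minimum when set by a system/service
MIN_SUPPORTED_MAX = 64     # the verifier must accept at least 64 characters
MIN_ATTEMPTS_BEFORE_LOCK = 10

# Constructed stand-in for a breached/common-password dictionary.
KNOWN_PASSWORDS = {"password", "123456", "qwerty", "letmein", "jnuc2019"}


def password_problems(secret, chosen_by_user=True, max_len=MIN_SUPPORTED_MAX,
                      dictionary=KNOWN_PASSWORDS):
    """Return reasons a secret is unacceptable (empty list = accept); no complexity rules."""
    if max_len < MIN_SUPPORTED_MAX:
        raise ValueError(f"verifier must accept at least {MIN_SUPPORTED_MAX} characters")
    minimum = MIN_LEN_USER_CHOSEN if chosen_by_user else MIN_LEN_SYSTEM_SET
    problems = []
    # The whole secret is examined; it is never truncated before checking.
    if len(secret) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if len(secret) > max_len:
        problems.append(f"longer than {max_len} characters")
    # Every printable ASCII character, space included, is allowed; only control
    # characters (which break terminals and logs) are refused.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in secret):
        problems.append("contains control characters")
    if secret.lower() in dictionary:
        problems.append("appears in the known-password dictionary")
    return problems


class LockoutPolicy:
    """Per-account failed-attempt counter honoring 'at least 10 attempts before lockout'."""

    def __init__(self, max_attempts=MIN_ATTEMPTS_BEFORE_LOCK):
        if max_attempts < MIN_ATTEMPTS_BEFORE_LOCK:
            raise ValueError(f"allow at least {MIN_ATTEMPTS_BEFORE_LOCK} attempts")
        self.max_attempts = max_attempts
        self.failures = {}

    def record_failure(self, account):
        """Count a failed attempt; returns True once the account is now locked."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.is_locked(account)

    def is_locked(self, account):
        return self.failures.get(account, 0) >= self.max_attempts
```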

  22. Variables in the equation - Users

  23. Deploying - How to solve for X
    Organization requirements

    Understand implications of each setting

    Audit first, then remediate small

    Communicate security expectations / settings to users
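An added example (not the talk's or Jamf's code) of "audit first, then remediate small": a read-only check of several settings all three baselines agree on (slides 9-11), each mapped to the standard macOS tool that reports it. The check names and the injectable `runner` are this example's own; the commands, preference domains and keys are the stock macOS ones, and nothing here changes a setting.

```python
"""Read-only audit of settings CIS, STIG and NIST all require (added example, not Jamf code)."""
import platform
import subprocess

# (check name, macOS command, predicate over the command's combined stdout+stderr).
# The expected strings are what these standard macOS tools print.
CHECKS = [
    ("FileVault enabled", ["fdesetup", "status"],
     lambda out: "FileVault is On" in out),
    ("System Integrity Protection enabled", ["csrutil", "status"],
     lambda out: "enabled" in out.lower()),
    ("Gatekeeper enabled", ["spctl", "--status"],
     lambda out: "assessments enabled" in out),
    ("Firewall logging enabled",
     ["defaults", "read", "/Library/Preferences/com.apple.alf", "loggingenabled"],
     lambda out: out.strip() == "1"),
    ("Login window shows name and password",
     ["defaults", "read", "/Library/Preferences/com.apple.loginwindow", "SHOWFULLNAME"],
     lambda out: out.strip() == "1"),
    ("Automatic login disabled",
     ["defaults", "read", "/Library/Preferences/com.apple.loginwindow", "autoLoginUser"],
     # `defaults` reports "does not exist" when no auto-login user is configured.
     lambda out: "does not exist" in out),
    ("Remote Apple Events disabled", ["systemsetup", "-getremoteappleevents"],
     lambda out: out.strip().endswith("Off")),
]

def run_tool(cmd):
    """Run one macOS CLI tool; return stdout+stderr as text without raising on non-zero exit."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr

def audit(runner=run_tool):
    """Evaluate every check and return {name: passed}; `runner` is swappable for testing."""
    return {name: bool(passed(runner(cmd))) for name, cmd, passed in CHECKS}

def failing(results):
    """Names of the checks that need remediation, sorted for stable reporting."""
    return sorted(name for name, ok in results.items() if not ok)

if __name__ == "__main__":
    if platform.system() != "Darwin":
        raise SystemExit("These checks call macOS-only tools; run on a Mac (some need root).")
    for name, ok in audit().items():
        print(f"[{'PASS' if ok else 'FAIL'}] {name}")
```

Wrapped in a Jamf Extension Attribute, `failing()` gives the per-device list to remediate one setting at a time.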

  24. Deploying - How to solve for X
    Jamf Protect Insights - allows you to set which CIS Benchmarks you wish to audit against

  25. Deploying - How to solve for X
    CIS Audit and Remediation
    Available at https://jamf.it/CIS

  26. Deploying - How to solve for X
    STIG Audit and Remediation
    Available at https://jamf.it/STIG

  27. UP NEXT
    An Insider’s Look at APU
    10:15 - 11:00 a.m.
    Thank you for listening!
    Give us feedback by completing the 2-question session survey in the JNUC 2019 app.