Today’s Jamf Nation User Conference (JNUC) session took a deep dive into Center for Internet Security (CIS) validation. It included information about how to utilize open-source tools like scripts and extension attributes to assist with CIS enforcement, and it provided real-world examples that translate to any environment. From Jamf Professional Services, Katie English and Erin McDonald lead the conversation and provided the tools needed for successful implementation of CIS compliance.
Erin and Katie began by sharing a few key resources for anyone concerned with CIS:
- jamf.it/CIS_Sierra: The latest and greatest CIS enforcement and compliance toolset from Jamf Professional Services, including scripts and extension attributes.
- jamf.it/CIS_Webinar: A recording of Jamf’s recent CIS webinar for anyone new to the CIS benchmark and those interested in how Jamf Pro helps support enforcement and compliance.
- cisecurity.org: The CIS benchmark (Level 1 and level 2, scored and unscored.). The benchmark is a free download “created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government and legal”
Then they dove into CIS basics, discussing why CIS accountability lives with organizations, “it’s not as simple as adding an ‘Easy’ button,” quipped Katie. That’s why they’re here at JNUC 2017 - to give you tools to take back to your environments and to discuss with your organization so that you can make informed decisions related to how your organization implements CIS.
InfoSec 101 / Fundamentals
Katie kicked off the fundamentals with a focus on updating and patching Apple software. Katie recommended organizations avoid disabling critical tools such as GateKeeper and to ensure organizations only deploy software that’s signed by developers. To automate the process, organizations can offload administrative workflows by configuring the settings on end-user devices.
They discussed additional built-in tools such as FileVault and App Firewall, and then took a few moments to talk about access control with benchmark ranges for authorization, System Integrity Protection (SIP), smart card access and permissions.
An impromptu survey of the crowd yielded an expected result: most admins don’t like their organizations password policies. Katie touched on changes to how organizations handle password complexity and referenced the latest on password standards from NIST: NIST Special Publication 800-63B [jamf.it/NIST]. Spoiler alert: while complexity is still important, the new standards make for a much better end user experience. She recommended reviewing these new standards from NIST and sharing them with your organization.
InfoSec 201 / Services & Auditing
Erin took over to discuss the next level of the benchmark, where things really get interesting. Luckily, Erin shared additional helpful tools, such as a Bluetooth script admins can find at https://jamf.it/btCIS.
She walked through recommendations and considerations for iCloud back ups, Energy Saver, NTP, Time Machine, and more. For Logging and Auditing, Erin also discussed the defaults and the impact of “noisy logs”. The answer? “Organizations should ask themselves how often they really look through their logs and whether they need all that information” said Erin.
She also shared an extension attribute from Rich Trouton that admins will find useful at: https://jamf.it/RTxprotect
InfoSec 301 / Users
Katie dove into the more troublesome benchmark options. While opinions vary, Katie discussed the duality between full management and letting users have the experience they designed for themselves. Screen savers and inactivity settings are helpful security features Katie covered as clear examples of settings that everyone should manage.
Read the benchmark. It’s easy to read and understand what’s being enforced and why. You can also do a 1:1 comparison of the benchmark and github tools provided by Jamf and others in the community. Scripts and extension attributes are great resources to help with tasks and the community has provided a lot of content for admins.
Moral of the story? Organizations must choose for themselves how to enforce the benchmark. In the end, it’s all about reducing risk.