OS X Security
Download
Report
Transcript OS X Security
Apple Technical White Paper
Presented By : Rajhesh Babu
Introduction
Overview
Secure Data Storage & Deletion
Public Key Infrastructure
Firewalls
Core Security
Malware Protection
Privacy
Conclusion
Security is one of the main concerns of any Operating
system.
Apple strives to ensure that the core of the operating
system provides critical protection for services,
applications and data.
In the view for the organization’s security, all security
options should be examined and the need for security
must be balanced.
OS X is designed to provide concrete defenses against
outside security threats with a series of protective
systems.
OS X and many of it’s integrated services are built on a
foundation of open source solutions.
Strong security is a benefit of open source software. An
open source development approach provides the
transparency to ensure OS X is as secure as possible.
OS X has a number of features designed to protect the
confidentiality of users and their data.
OS X provides easy-to-use methods for ensuring that
files stored are securely protected using Advanced
Encrypted Standard(AES).
The Data storage options include FileVault 2 and
Encrypted Containers(also called as Disk Images).
OS X also provides methods for deleting files securely
which prevents deleted files from being recovered.
Data deletion options include Secure Empty Trash,
Secure Erase and Remote Lock and Wipe.
FileVault 2 :
FV2 was introduced in OS X Lion, provides full disk
encryption for Data-at-rest(DAR) protection.
Initial encryption is fast and unobtrusive, meaning all
data is encrypted in the background.
During the setup, FV integrates a recovery key as a
safety net for accessing the encrypted volume.
The two different recovery keys are personal recovery
key and institutional recovery key.
With FV 2 enabled, a user must enter valid login
credentials or a recovery key before the computer can
access the files and continue with the boot process.
Encrypted Containers – Disk Images:
With the Disk Utility tool, you can easily create
encrypted Containers known as “disk images”, by using
128-bit or a stronger 256-bit AES encryption.
When the underlying disk image is encrypted, any files
and folders placed under it are encrypted and
decrypted automatically.
When you decrypt a disk image, blocks of file data are
decrypted in real time.
This encryption/decryption process is nonintrusive to
the user and creating an encrypted disk image is
simple as clicking the the New Image button in Disk
Utility.
Secure Empty Trash:
OS X includes a Secure Empty Trash command to
prevent deleted files from being recovered.
You can access the same functionality and more
advanced management from the command line.
Secure Erase:
Just as deleting a file from a computer doesn’t truly
remove it, erasing the hard drive doesn’t truly remove
the data from a drive.
Disk Utility includes a variety of options to securely
erase old data on an entire drive or volume.
The secure erase options are
1. Fastest : default action that occurs when you erase or
reformat a drive or volume.
2. Zero Out Data : This option will write zeros over all
the data at once. This is the quickest but less secure.
3. 3-pass secure : This option is a DOE-compliant 3 pass
secure erase.
4. Most secure : This writes seven diff passes of
information to the drive. Time consuming, but secure.
Remote Lock and Wipe :
Using OS X, you organization’s IT department can
offer users a web-based method for remote locking
and even wiping their systems.
IT can use Profile Manager to lock, Unlock and wipe a
remote MAC without user intervention.
Public key Infrastructure(PKI) is all the components
(i.e hardware,software,policies,processes) and the
complex interactions that occur among them.
OS X is designed as a OS based PKI where all the
services are performed by the OS and not by the
individual applications.
Digital Certificates : The fundamental basis of a PKI is
a “digital identity”, which consists of a digital
certificate and corresponding public and private keys.
OS X uses digital certificates to support secure
collaboration and enable the following services:
Authentication
Data Integrity
Encryption
Nonrepudiation
Technologies in OS X that can use digital certificates:
FileVault/encrypted disk images
Login Window
Safari
Remote Login
Mail
System Administration
Basic purpose of a firewall is to control connections
made to a computer from other computers or devices
on a network.
For casual users, Apple provides an “Application layer
firewall” where users can control connections on a per
application basis, rather than per service basis.
For IT professionals with more complex needs and
knowledge, Apple provides “IPFW2 firewall” for finer
grained control. Since IPFW2 processes traffic at
packet level which is lower in the networking stack
than the Application Layer Firewall.
In addition to securing local data and network access,
OS X employs techniques to protect the core
functioning of the operating system and applications.
Some Techniques are
1. Mandatory Access Controls : This access control
mechanism enforce restrictions on access to system
resources.
Mandatory access controls are integrated with the
exec system service to prevent execution of
applications that aren’t authorized.
2.
Sandboxing : This helps ensure applications do only
what they are intended to do and prevent malicious
code from hijacking applications and OS services to
run their own code.
3.
Execute Disable : One of the most common
techniques used by developers of malicious software
to gain unauthorized access is called “buffer
overflow”.
To avoid this OS X has provided no-execute stack
protection by taking advantage of the XD function
available in recent Intel processors.
Protecting data, workstations and servers within a
network goes beyond encryption and access controls.
OS X is not generally associated with high risks for
viruses or other forms of malware, some forms of
malware have been discovered that may affect it.
Application Quarantine : Quarantining applications
help prevent users and processes from accidently
running applications of unknown origin, which are
potentially malicious.
Identification and Removal : When unknown executable
code is downloaded to the Mac, OS X provides
protection by ensuring that the code will never execute
if it’s one of the known pieces of malware.
Because the malware code is already quarantined, OS
X can remove the malware and notify the user of the
blocked attempt.
Antivirus Protection : When the antivirus deployment to
the OS X systems within an organization is centrally
managed, you can use central antivirus management
to alert administrators the presence of viruses on
individual systems.
With increased number of devices , apps and services,
the increase need for keeping personal info private.
For example : when using navigation or mapping
services users must allow their private devices to
provide exact location data, but revealing those details
can expose private info to unauthorized service or
application.
Location Services : OS X provides preference controls
and ability to control location services.
Includes a Privacy Pane – for enabling and disabling
location services as well as usage of data.
Online Privacy : A Privacy pane provides info about
and control over online privacy.
Users can clear website data, customize cookie settings
and decide whether websites can request location
information.
Privacy pane in Safari also includes web history, where
each site is stored and what data is stored on the Mac.
Security is the ever-present concern of every IT
department regardless of the OS they use.
OS X offers a solid set of security components that are
built-in to every Mac.
Industry-standard solutions and meeting the security
guidelines from the U.S federal government agencies
make the impact of security.
Apple’s Technical White Paper
http://www.securemac.com/macosxsecurity.php
https://www.apple.com/mac/
http://en.wikipedia.org/wiki/Mac_OS
http://en.wikipedia.org/wiki/OS_X
Questions???
Thank you