SECURITY FEATURES on MacOSX (Final)


We’ll go over the remaining security features on macOSX in this blog.

9. Firewall

MacOSX ships with a built-in standalone firewall, but it is not enabled by default. In essence, the firewall controls incoming connections: any application that should accept incoming connections has to be allowed explicitly.

In addition, the user can enable a stealth mode option that makes the system ignore ICMP packets, so other hosts on the network cannot easily confirm that the system is present.

However, the built-in firewall only manages incoming connections, so blocking outgoing connections requires a third-party application. Blocking outgoing connections can be useful to prevent malware from exfiltrating personal data or connecting to a C2 server.

10. FileVault

FileVault offers disk encryption to protect all data on the system, much like BitLocker on Windows. When activated, FileVault converts the macOS disk partition to an encrypted HFS+ file system.

If the system is lost or stolen, the data is therefore unreadable to anyone who tries to read it. Enabling the feature for the first time can take several hours while all existing data is encrypted. Afterwards, encryption happens on the fly and is not noticeable to the user.

11. Sandboxing & Runtime Protection

Users often download potentially unwanted applications, and existing software on a system may be compromised by an adversary. Sandboxing runs applications in isolation, which protects the rest of the system if the software attempts to perform malicious activity. By default, all applications downloaded from the App Store run in a sandbox.

Attackers are becoming more advanced and stealthier in how they operate. Traditional security measures relied on scanning a file to determine whether it was malicious. MacOSX integrates run-time protection that allows memory pages to be marked NOEXEC (non-executable) and incorporates ASLR (Address Space Layout Randomization) into the kernel, so malware cannot easily hijack other processes.

12. Security Chip

Since 2018, Apple has offered macOS devices with the so-called Apple T2 Security Chip, which contains a Secure Enclave with its own separate co-processor. The Secure Enclave handles all sensitive cryptographic operations and some peripheral access. The main idea is that even with root or kernel access, malicious software cannot tamper with or eavesdrop on the sensitive operations inside the Secure Enclave, whereas on a traditional chip rootkits and kernel malware have full control over every operation on the system. The T2 Security Chip enables secure boot, handles biometric access (Touch ID) and performs the cryptographic operations needed for disk encryption.

Before the T2 Security Chip was introduced, Apple already provided a tool called eficheck, which verifies the integrity of the system's EFI firmware so that possible firmware rootkits can be detected. The tool is available from MacOS High Sierra onwards.

Securing MacOS

We have now gone through all of the security features on MacOS. Next, we discuss a few ways to harden the system:

  • Turn on the built-in firewall to properly filter and control access to the services running on the system. Although firewalls are valuable, the best way to secure a service is to turn it off. Therefore, verify that each enabled service is actually required, and then manage access to it with the firewall.
  • If file sharing is needed, set it up securely and control access carefully. As with the previous point, limit or turn off file sharing if it is not needed.
  • Setting up access lists is necessary, but it is even more important to monitor them and keep them up to date. Job and access requirements change over time; just because someone needs access today does not mean that person will still need it a month from now.
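As an added example (not part of the original post), the following shell script audits three of the items discussed above, the application firewall, its stealth mode and FileVault, by parsing the status output of the built-in macOS tools. The expected output strings are the ones socketfilterfw and fdesetup print on recent macOS releases; the sample outputs at the bottom are constructed so the checks can be exercised on any system.

```shell
#!/bin/sh
# Each check_* function receives the text a macOS status command printed,
# echoes PASS or FAIL (with the command that fixes the finding) and returns
# 0 for PASS or 1 for FAIL, so the parsing can be tested without macOS.

check_firewall() {   # input: /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
    case "$1" in
        *"Firewall is enabled"*) echo "PASS application firewall enabled"; return 0 ;;
        *) echo "FAIL firewall off -> sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on"; return 1 ;;
    esac
}

check_stealth() {    # input: socketfilterfw --getstealthmode
    case "$1" in     # lenient match: "Stealth mode enabled" or "... is on"
        *enabled*|*" on"*) echo "PASS stealth mode on (ICMP probes ignored)"; return 0 ;;
        *) echo "FAIL stealth mode off -> sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"; return 1 ;;
    esac
}

check_filevault() {  # input: fdesetup status
    case "$1" in
        *"FileVault is On"*) echo "PASS FileVault disk encryption on"; return 0 ;;
        *) echo "FAIL FileVault off -> enable it under System Preferences > Security & Privacy > FileVault"; return 1 ;;
    esac
}

# audit_macos FIREWALL_OUTPUT STEALTH_OUTPUT FILEVAULT_OUTPUT
# Prints one line per check and returns the number of failed checks.
audit_macos() {
    fails=0
    check_firewall "$1"  || fails=$((fails + 1))
    check_stealth "$2"   || fails=$((fails + 1))
    check_filevault "$3" || fails=$((fails + 1))
    return $fails
}

live_audit() {  # runs the real status commands; none of them needs root
    audit_macos "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)" \
                "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode)" \
                "$(fdesetup status)"
}

if [ "$(uname)" = "Darwin" ]; then
    live_audit
else  # constructed sample output: firewall and stealth mode off, FileVault on
    audit_macos "Firewall is disabled. (State = 0)" "Stealth mode disabled" \
                "FileVault is On." || true
fi
```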

