Company Security

To ensure the secure storage and handling of our customer data, we have implemented a number of security measures:

Security Patching

Every endpoint used in the IRON service should have recent (<2 days) patches installed, especially for the operating system, and should be restarted afterwards so the patches take effect. This is verified by the sensors we run on our own equipment.

Password Management

Password management should happen in our 1Password instance for all credentials used within IRON. The following requirements apply:

  • hardware security key MFA
  • strong passwords of 30+ characters
  • MFA OTP storage
  • 1Password firewall rules
  • 1Password recent device requirements
  • periodic password breach reports
  • 1Password notifications to our Slack instance

Single Sign-On

Every service we use should authenticate over SSO against our Google Workspace instance. This automatically makes use of the hardware security key on the Google Workspace side. Our SSO provider, Google Workspace, has Google Advanced Protection turned on. We use hardware security keys which are both in a safe physical location.

EDR Coverage

Every device used within IRON should run a healthy Sensor with the sensitivity level set to Aggressive. This sensor should report back to the IRON internal Falcon instance.

Acceptable Use Policy

IRON employees are not allowed to run any software on their devices that falls under these categories:

  • Pirated or cracked software
  • Software of questionable origin
  • Software that performs questionable device or network activity
  • Software that is known to cause data loss or insecure configuration, or to exhibit malicious activity

Physical Security

  • Access control
  • A systematic security strategy to lock the building
  • IRON employees are not allowed to leave their devices unattended in public spaces.

CIS iOS Benchmark

| CIS rules | Applied | Comments |
| --- | --- | --- |
| 1. Recommendations for End-User Owned Devices | | |
| Ensure ‘Consent Message’ has been ‘Configured’ | X | |
| Ensure ‘Controls when the profile can be removed’ is set to ‘Always’ | X | |
| Ensure ‘Allow voice dialing while device is locked’ is set to ‘Disabled’ | X | |
| Ensure ‘Allow Siri while device is locked’ is set to ‘Disabled’ | X | |
| Ensure ‘Allow managed apps to store data in iCloud’ is set to ‘Disabled’ | X | |
| Ensure ‘Force encrypted backups’ is set to ‘Enabled’ | X | |
| Ensure ‘Allow users to accept untrusted TLS certificates’ is set to ‘Disabled’ | X | |
| Ensure ‘Allow documents from managed sources in unmanaged destinations’ is set to ‘Disabled’ | X | |
| Ensure ‘Allow documents from unmanaged sources in managed destinations’ is set to ‘Disabled’ | X | |
| Ensure ‘Treat AirDrop as unmanaged destination’ is set to ‘Enabled’ | X | |
| Ensure ‘Allow Handoff’ is set to ‘Disabled’ | X | |
| Ensure ‘Force Apple Watch wrist detection’ is set to ‘Enabled’ | X | |
| Ensure ‘Show Control Center in Lock screen’ is set to ‘Disabled’ | X | |
| Ensure ‘Show Notification Center in Lock screen’ is set to ‘Disabled’ | X | |
| Ensure ‘Force fraud warning’ is set to ‘Enabled’ | X | |
| Ensure ‘Accept cookies’ is set to ‘From websites I visit’ or ‘From current website only’ | X | |
| Ensure ‘Managed Safari Web Domains’ is ‘Configured’ | X | |
| Ensure ‘Allow simple value’ is set to ‘Disabled’ | X | |
| Ensure ‘Minimum passcode length’ is set to ‘6’ or greater | X | |
| Ensure ‘Maximum Auto-Lock’ is set to ‘2 minutes’ or less | X | |
| Ensure ‘Maximum grace period for device lock’ is set to ‘Immediately’ | X | |
| Ensure ‘Maximum number of failed attempts’ is set to ‘6’ | X | |
| Ensure ‘VPN’ is ‘Configured’ | X | |
| Ensure ‘Allow user to move messages from this account’ is set to ‘Disabled’ | X | |
| Ensure ‘Notification Settings’ are configured for all ‘Managed Apps’ | X | |
| 2. Additional Recommendations | X | |
| Ensure device is not obviously jailbroken | X | |
| Ensure ‘Software Update’ returns ‘Your software is up to date.’ | X | |
| Ensure ‘Automatic Downloads’ of ‘App Updates’ is set to ‘Enabled’ | X | |
| Ensure ‘Find My iPhone/iPad’ is set to ‘Enabled’ on end-user owned devices | X | |
| Ensure the latest iOS device architecture is used by high-value targets | X | |

CIS Apple macOS 11.0 Benchmark

| CIS rules | Applied | Comments |
| --- | --- | --- |
| 1. Install Updates, Patches and Additional Security Software | | |
| Verify all Apple-provided software is current | X | |
| Enable Auto Update | X | |
| Enable Download new updates when available | X | |
| Enable app update installs | X | |
| Enable system data files and security updates install | X | |
| Enable macOS update installs | X | |
| Computer Name Considerations | X | |
| 2. System Preferences | | |
| Turn off Bluetooth, if no paired devices exist | X | |
| Show Bluetooth status in menu bar | X | |
| Enable “Set time and date automatically” | X | |
| Ensure time set is within appropriate limits | X | |
| Set an inactivity interval of 20 minutes or less for the screen saver | X | |
| Secure screen saver corners | X | |
| Familiarize users with screen lock tools or corner to Start Screen Saver | X | |
| Disable Remote Apple Events | X | |
| Disable Internet Sharing | X | |
| Disable Screen Sharing | X | |
| Disable Printer Sharing | X | |
| Disable Remote Login | X | |
| Disable DVD or CD Sharing | X | |
| Disable Bluetooth Sharing | X | |
| Disable File Sharing | X | |
| Disable Remote Management | X | |
| Disable Content Caching | X | |
| Disable Media Sharing | X | |
| Ensure AirDrop Is Disabled | X | |
| Enable FileVault | X | |
| Ensure all user storage APFS volumes are encrypted | X | |
| Ensure all user storage CoreStorage volumes are encrypted | X | |
| Enable Gatekeeper | X | |
| Enable Firewall | X | |
| Enable Firewall Stealth Mode | X | |
| Enable Location Services | X | |
| Monitor Location Services Access | X | |
| Disable sending diagnostic and usage data to Apple | X | |
| Limit Ad tracking and personalized Ads | X | |
| Camera Privacy and Confidentiality Concerns | X | |
| iCloud configuration | X | |
| iCloud keychain | X | |
| iCloud Drive | X | |
| iCloud Drive Document and Desktop sync | X | |
| Time Machine Auto-Backup | X | |
| Time Machine Volumes Are Encrypted | X | |
| Disable Wake for network access | X | |
| Disable Power Nap | X | |
| Enable Secure Keyboard Entry in terminal.app | X | |
| Ensure EFI version is valid and being regularly checked | X | |
| Automatic Actions for Optical Media | X | |
| Review Siri Settings | X | |
| Review Sidecar Settings | X | |
| 3. Logging and Auditing | | |
| Enable security auditing | X | |
| Configure Security Auditing Flags per local organizational requirements | X | |
| Retain install.log for 365 or more days with no maximum size | X | |
| Ensure security auditing retention | X | |
| Control access to audit records | X | |
| Ensure Firewall is configured to log | X | |
| Software Inventory Considerations | X | |
| 4. Network Configurations | | |
| Disable Bonjour advertising service | X | |
| Enable “Show Wi-Fi status in menu bar” | X | |
| Create network specific locations | X | |
| Ensure http server is not running | X | |
| Ensure nfs server is not running | X | |
| Review Wi-Fi Settings | X | |
| 5. System Access, Authentication and Authorization | | |
| Secure Home Folders | | No multiple users on our endpoints. |
| Check System Wide Applications for appropriate permissions | X | |
| Check System folder for world writable files | X | |
| Check Library folder for world writable files | X | |
| Configure account lockout threshold | X | |
| Set a minimum password length | X | |
| Complex passwords must contain an Alphabetic Character | X | |
| Complex passwords must contain a Numeric Character | X | |
| Complex passwords must contain a Special Character | X | |
| Complex passwords must contain uppercase and lowercase letters | X | |
| Password Age | X | |
| Password History | X | |
| Reduce the sudo timeout period | X | |
| Automatically lock the login keychain for inactivity | X | |
| Use a separate timestamp for each user/tty combo | X | |
| Ensure login keychain is locked when the computer sleeps | X | |
| Do not enable the “root” account | | |
| Disable automatic login | X | |
| Require a password to wake the computer from sleep or screen saver | X | |
| Ensure system is set to hibernate | X | |
| Require an administrator password to access system-wide preferences | X | |
| Ensure an administrator account cannot login to another user’s active and locked session | X | |
| Create a custom message for the Login Screen | X | |
| Create a Login window banner | X | |
| Do not enter a password-related hint | X | |
| Disable Fast User Switching | X | |
| Secure individual keychains and items | X | |
| System Integrity Protection status | X | |
| Enable Sealed System Volume | X | |
| Enable Library Validation | X | |
| 6. User Accounts and Environment | | |
| Display login window as name and password | X | |
| Disable Show password hints | X | |
| Disable guest account login | X | |
| Disable “Allow guests to connect to shared folders” | X | |
| Remove Guest home folder | X | |
| Turn on filename extensions | X | |
| Disable the automatic run of safe files in Safari | X | |
| 7. Appendix: Additional Considerations | | |
| Extensible Firmware Interface (EFI) password | X | |
| FileVault and Local Account Password Reset using AppleID | X | |
| App Store Password Settings | X | |
| Apple Watch features with macOS | X | |
| System information backup to remote computers | X | |
| Touch ID | X | |
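As an added example, not part of the IRON policy or its tooling, the script below spot-checks a handful of the macOS controls marked applied in the table above on the endpoint itself. It assumes the macOS 11 command names and output strings shown in the comments, and that it runs as root (systemsetup requires it).

```shell
#!/bin/sh
# Added example (not from the IRON policy page): verify a subset of the CIS macOS
# controls listed above. Each check_* function receives the raw output of the
# corresponding macOS command as $1 and returns 0 (applied) or 1 (not applied),
# so the evaluation logic can be exercised off-device with sample output.
# Assumption: command names and output strings are those of macOS 11.

check_filevault()    { case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac; }
check_gatekeeper()   { case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac; }
check_firewall()     { [ "$1" = "1" ] || [ "$1" = "2" ]; }   # globalstate 1 = on, 2 = block all incoming
check_stealth()      { [ "$1" = "1" ]; }                     # stealthenabled 1 = stealth mode on
check_remote_login() { case "$1" in *"Remote Login: Off"*) return 0 ;; *) return 1 ;; esac; }
check_guest_login()  { [ "$1" = "0" ]; }                     # GuestEnabled 0 = guest account off
check_autologin()    { [ -z "$1" ]; }                        # autoLoginUser key absent = auto login off
check_pw_hints()     { [ "$1" = "0" ]; }                     # RetriesUntilHint 0 = hints never shown

# audit CHECK_FUNCTION "CIS rule title" "command whose output the check evaluates"
audit() {
  out=$(eval "$3" 2>/dev/null) || out=""
  if "$1" "$out"; then echo "APPLIED      $2"; else echo "NOT APPLIED  $2"; fi
}

audit check_filevault    "Enable FileVault"             "fdesetup status"
audit check_gatekeeper   "Enable Gatekeeper"            "spctl --status"
audit check_firewall     "Enable Firewall"              "defaults read /Library/Preferences/com.apple.alf globalstate"
audit check_stealth      "Enable Firewall Stealth Mode" "defaults read /Library/Preferences/com.apple.alf stealthenabled"
audit check_remote_login "Disable Remote Login"         "systemsetup -getremotelogin"
audit check_guest_login  "Disable guest account login"  "defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled"
audit check_autologin    "Disable automatic login"      "defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser"
audit check_pw_hints     "Disable Show password hints"  "defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint"
```

A missing command or unreadable key produces empty output, which reports as NOT APPLIED for every check except automatic login, where an absent key is the compliant state; treat an all-empty run as a broken audit rather than a clean result.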