Fluid Attacks policy on endpoint security | Fluid Attacks

Endpoint

Requirements for Laptops

Device Management

At Fluid Attacks, in order to protect our clients' data, we administer our devices with a Mobile Device Management (MDM) tool.

This tool lets us control how our devices are used and harden their security by installing pre-configured profiles.

Each user account is associated with a device, and access to both is monitored and controlled.

The profiles are set up with different configurations according to our criteria.


MDM Profile reference in machines used by Fluid Attacks

Devices Policy

Since user and admin laptops use different configuration profiles, those profiles are configured with different policies:

  1. Authorization: How a device can be accessed only by its intended users and how permissions over that device are managed. We comply with the following criteria:

    1. Laptop passwords and data are visible only to their user. Use of Keychain is mandatory for all users, and to protect the passwords it stores, Keychain is locked automatically whenever the computer is locked or goes to sleep.

    2. Only administrators have access to administration data, and admin users' permissions are limited to what their tasks require: the root account is disabled and no root users exist.

    3. Automatic login is disabled to prevent data leaks; a password is required for any system configuration change and to access data.

    4. Passwords must meet a minimum set of requirements: at least 16 characters, including at least two non-alphanumeric characters, at least one digit and at least one letter; no two consecutive identical characters and no three sequential characters; and not equal to any of the previous 50 passwords.

    5. Passwords have a maximum age, and a password history is kept so that new passwords can be checked against previous ones.

      Requirements: 300, 185, 375, 096, 033, 341, 095, 257, 186, 229, 227, 380, 310, 133, 130, 129, 141, 369.

  2. Updates: Keep devices and apps updated to their latest, secure versions.

  3. Users: Control how login is performed on the device and how local accounts are created, improving security:

    1. The guest account lets anyone use the system without creating an account or password. Guest users cannot change settings or log in remotely, and all files, caches and passwords they create are deleted on logout.

    2. The login window prompts a user for their credentials, verifies their authorization level and then allows or denies access to the system.

    3. The presence of the Guest home folder can also cause automated audits to fail when they look for compliant settings across all user folders. Rather than ignoring the folder's continued existence, it is best removed.

      Requirements: 142, 264, 265, 266, 319.

  4. Preferences: What the user can accomplish through manual configuration of the device; access to unnecessary system settings is restricted according to how each role uses the device.

      Requirements: 265, 261, 266, 177, 045, 046, 339, 185, 273, 141, 173.

  5. Networking: How we handle insecure protocols and services that could compromise the data stored on the devices:

    1. The Apache HTTP server and NFSD are part of the operating system and can easily be turned on to share files and provide remote connectivity to an end-user computer. Web sharing should be done only through hardened web servers and appropriate cloud services.

      Requirements: 265, 266.

  6. Auditing: How we handle logs and monitor our devices for auditing purposes:

    1. The audit system records important operational and security information that is both useful to an attacker and a place where an attacker may try to hide unwanted changes that were recorded. As part of defense in depth, the /etc/security/audit_control configuration file and the files in /var/audit should be owned by root with group wheel, with read-only permissions for owner and group and no access for others. ACLs should not be used on these files.

    2. The socket filter firewall is the firewall that is enabled when it is turned on in the Security preference pane. To monitor which connections are allowed and denied, its logging must be enabled.

      Requirements: 080, 377, 378, 079, 075.

  7. Removable devices: All removable devices can be limited and controlled, including external disks, disk images, DVD-RAM, USB storage devices and removable disc media such as CDs, CD-ROMs, DVDs and recordable discs.

      The status of the control can be:

    1. Mountable
    2. Not mountable

      Our current policy is completely restrictive: none of these devices can be mounted.

      Requirements: 265, 266, 273.

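The Auditing item above fixes the expected ownership and permissions of /etc/security/audit_control and the files in /var/audit. The Python script below is an added example of how an endpoint compliance check could verify them; it is not Fluid Attacks' code or part of any MDM profile. It assumes macOS conventions: the wheel group is gid 0, `ls -led` prints a `+` after the mode field when an ACL is present and lists the ACL entries on following lines beginning with an index such as ` 0: group:everyone deny delete`, and a directory is allowed the owner and group search bits (0550) so that root and wheel can list it. `evaluate()` works on plain numbers so it can be exercised offline; `audit_path()` feeds it live `os.stat()` results.

```python
"""Audit-file ownership and permission check (added example; not Fluid Attacks' own code)."""
import os
import re
import stat
import subprocess
from typing import List

AUDIT_TARGETS = ["/etc/security/audit_control", "/var/audit"]
FILE_ALLOWED = stat.S_IRUSR | stat.S_IRGRP                 # 0o440: owner/group read only
DIR_ALLOWED = FILE_ALLOWED | stat.S_IXUSR | stat.S_IXGRP   # 0o550: plus search bits (assumption)
# ACL entry lines as printed by BSD `ls -le`, e.g. " 0: group:everyone deny delete" (assumed format).
ACL_LINE = re.compile(r"^\s*\d+:\s")


def evaluate(uid: int, gid: int, mode: int, has_acl: bool, is_dir: bool = False) -> List[str]:
    """Compare one inode's metadata against the policy; return a list of findings."""
    findings: List[str] = []
    if uid != 0:
        findings.append(f"owner uid {uid}, expected root (0)")
    if gid != 0:
        findings.append(f"group gid {gid}, expected wheel (0)")
    perm = stat.S_IMODE(mode)
    allowed = DIR_ALLOWED if is_dir else FILE_ALLOWED
    extra = perm & ~allowed
    if extra:
        findings.append(f"mode {perm:04o} grants more than {allowed:04o} (extra bits {extra:04o})")
    if has_acl:
        findings.append("ACL present; ACLs must not be used on audit files")
    return findings


def acl_present(ls_output: str) -> bool:
    """Detect an ACL in `ls -led <path>` output: '+' on the mode field or any numbered entry line.

    A '@' suffix only signals extended attributes and is not treated as an ACL."""
    lines = ls_output.splitlines()
    if not lines or not lines[0].split():
        return False
    mode_field = lines[0].split()[0]
    return mode_field.endswith("+") or any(ACL_LINE.match(line) for line in lines[1:])


def audit_path(path: str) -> List[str]:
    """Check one target on a live macOS host (and the files inside it if it is a directory)."""
    st = os.lstat(path)
    listing = subprocess.run(["ls", "-led", path], capture_output=True, text=True, check=False).stdout
    is_dir = stat.S_ISDIR(st.st_mode)
    findings = [f"{path}: {f}" for f in
                evaluate(st.st_uid, st.st_gid, st.st_mode, acl_present(listing), is_dir)]
    if is_dir:
        for entry in os.scandir(path):
            if entry.is_file(follow_symlinks=False):   # audit logs are plain files; skip links
                findings.extend(audit_path(entry.path))
    return findings


if __name__ == "__main__":
    for target in AUDIT_TARGETS:
        try:
            problems = audit_path(target)
        except OSError as exc:
            problems = [f"{target}: cannot stat ({exc.strerror})"]
        print(target, "->", "compliant" if not problems else "\n  ".join([""] + problems))
```

Keeping the decision in `evaluate()` and the collection in `audit_path()` means the policy itself can be unit-tested with constructed metadata, while the host-specific parts (`os.lstat`, `ls -led`) stay in one small function that only runs on the endpoint.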
      Requirements for Mobile Devices

Our collaboration systems also enforce security requirements that mobile devices must meet before enrolling in the organization's systems. This is especially useful because personal mobile devices are common targets for malicious hackers.

Some of the requirements are the following:

1. Having a separate work profile that isolates work information from the rest of the phone.
2. Setting a strong passphrase.
3. Enabling biometric authentication if the device supports it.

      References

      1. SOC2®-CC6_2. Logical and physical access controls
      2. MITRE ATT&CK®-M1043. Credential access protection
      3. SANS 25-14. Improper Authentication
      4. POPIA-3A_23. Access to personal information
      5. PDPO-S1_4. Security of personal data
      6. CMMC-IA_L1-3_5_2. Authentication
      7. HITRUST CSF-10_c. Control of internal processing
      8. OWASP MASVS-V8_10. Resilience requirements - Device binding
      9. OWASP ASVS-4_3_1. Other access control considerations

      Requirements

      1. 033. Restrict administrative access
      2. 045. Remove metadata when sharing files
      3. 046. Manage the integrity of critical files
      4. 075. Record exceptional events in logs
      5. 079. Record exact occurrence time of events
      6. 080. Prevent log modification
      7. 095. Define users with privilege
      8. 096. Set user's required privileges
      9. 129. Validate previous passwords
      10. 130. Limit password lifespan
      11. 133. Password with at least 20 characters
      12. 141. Force re-authentication
      13. 142. Change system default credentials
      14. 173. Discard unsafe inputs
      15. 177. Avoid caching and temporary files
      16. 185. Encrypt sensitive information
      17. 186. Use the principle of less privilege
      18. 205. Configure PIN
      19. 213. Allow geographic location
      20. 227. Display access notification
      21. 229. Request access credentials
      22. 231. Implement a biometric verification component
      23. 257. Access based on user credentials
      24. 261. Avoid exposing sensitive information
      25. 264. Request authentication
      26. 265. Restrict access to critical processes
      27. 266. Disable insecure functionalities
      28. 273. Define a fixed security suite
      29. 300. Mask sensitive data
      30. 310. Request user consent
      31. 319. Make authentication options equally secure
      32. 326. Detect rooted devices
      33. 329. Keep client-side storage without sensitive data
      34. 339. Avoid storing sensitive files in the web root
      35. 341. Use the principle of deny by default
      36. 369. Set a maximum lifetime in sessions
      37. 373. Use certificate pinning
      38. 375. Remove sensitive data from client-side applications
      39. 377. Store logs based on valid regulation
      40. 378. Use of log management system
      41. 380. Define a password management tool