Charles Edge’s research while affiliated with University School and other places

Whether you’re dealing with a car or a computer, poor maintenance habits lead to the same consequence: disaster. You’re on the freeway, carefully driving at the posted speed limit, and your engine suddenly dies. You go to the mechanic, who roots out the cause: your timing belt broke. You would have replaced your timing belt, had you kept to the maintenance schedule and taken your car in for service at 60,000 miles. Airline maintenance crews who stick to a steadfast and detailed maintenance schedule rarely have this happen to them, mainly because they know precisely on what date the plane was maintained, at what time, and what maintenance was performed.

The word cryptography is derived from the Greek words kryptos, meaning “hidden,” and grafein, meaning “to write.” Throughout history, cryptography has been used to hide messages inside tradional means of communication that might otherwise be intercepted. Doing so is accomplished by concealing the contents of the message from all except who has the key to unlock it. In modern times, cryptographic techniques are used to protect e-mail messages, information transmitted over the internet, credit card information, and data on corporate networks.

This chapter discusses two critical security features in OS X: application signing and the App Sandbox. These technologies were both introduced with Mac OS 10.5 and provide facilities that improve the overall security of the platform. Incidentally, both technologies are also heavily leveraged by iOS, the underlying operating system on the iPhone, iPad, iPod Touch, and AppleTV.

Identity theft is the fastest-growing crime in the world. According to the Federal Trade Commission (FTC), identity theft is the top concern of people contacting the agency, and has now passed drug trafficking as the number-one crime in the world. Nearly everyone I know has a friend that has had a run-in with some form of identity theft. And a likely spot to find plenty of information about someone, in order to masquerade as them, is their computer. And more specifically, the browser: the gateway people use to access the Internet. Threats to online privacy can be reduced by leveraging some very practical security with regards to our Internet browsers.

A common theme that you may be noticing in this book revolves around the concept of confidentiality. In a computer security context, confidentiality is the notion that sensitive data is accessible by only those users who have been approved or authorized for access to that data. For many organizations, and indeed for many malfeasants, data confidentiality is the most significant aspect of security. Certainly sabotage is a significant threat to many organizations, and often a source of incentive for many hackers, but more often than not the end-goal is to gain access to information. Whether it’s personal information that facilitates identity theft, or highly valuable corporate secrets, information is highly valuable, both to you and those that would do you harm. In many corporate environments, the policy to encrypt data may be simply due to legal necessity, as there is liability involved with leaking certain data, such as personally identifiable information and payment records. Recent research indicates that loss of corporate secrets can result in an even more dangerous financial windfall for a company. Thus, protecting that data should always serve as job number one for end user’s and system administrators alike.

“Stop hackers dead in their tracks by securing your systems and network.” That has been our mantra up to this point. However, there is another piece in the security pie that often goes unexamined. Any conversation about security on a system or network must go beyond discussing the prevention of unauthorized access and into what happens when an incident leaves you hating life. And we start that conversation with backup, because the capacity to recover data minimizes the potential impact of an attack. Securing the data on these systems with a reliable data backup scheme is a crucial element in any security framework.

To many, the very mention of protecting a Mac against malware is actually a pretty inappropriate conversation. But it’s an obsession to many at Apple. And because they do a pretty darn good job of protecting users, there’s not a lot of concern that needs to be had. However, some caution goes a long way in case things get through Apple’s vaunted defense system. That build-in defense system includes technologies like Xprotect, which is like a built-in signature-based anti-virus solution, LSQuarantine, which marks anything downloaded as protected, SIP, which protects Apple’s protected space and drivers from infection by third party software, and a robust signing requirement, which makes it difficult for a user to get malware on their system. But it can happen, so we’ll look at what you need to do when it does.

Infiltration is a very real problem for network administrators, one that can lead to confidential data being leaked outside of your controlled environment. Every day, new attacks are developed that try to breach a network’s security perimeter. Building a secure network requires that a number of key software and hardware components are implemented and configured correctly. But securing a network is not just about acquiring the right network hardware to block unwanted traffic. What is more important is understanding how a network works, how Internet traffic is managed, how information flows within that network, and what services need to be secured that control the traffic. One cannot fully secure what one does not understand.

iCloud is a cloud service provided by Apple. A basic iCloud account is free and provides a connection to calendars, contacts, and other services that integrate with your Mac. Because iCloud has services that integrate with the Mac, it’s more than a traditional cloud solution, though. An iCloud account has options that include tracking the physical location of your Apple devices and potentially escrowing keys used for decrypting hard drives and remotely controlling computers. Because the iCloud account provides access to your computer, securing the account and the connection between the computer and the account is of paramount importance. This security starts with the Apple ID and extends to the settings used when setting up iCloud-based services on your Mac.

OS X Server is an app that runs on a standard Mac. This app is available on the App store and very straight forward to setup. The Server app contains a faux root of the former OS X Server operating system within the app bundle, which contains a number of binaries that should be secured for those that use an OS X Server. It may look similar, but the Server app brings some very different functionality to an OS X Client,. The differences lie in the fact that Mac OS X Server, like most other servers, should be used exclusively to share data. That data is shared across a variety of protocols, according to the type of data being shared. Therefore, it naturally follows that you will need to take additional precautions to properly secure OS X Server on a per-service basis. In this chapter, we’ll primarily focus on the services that are specific to the Server app and how to secure them, paying attention to where the best practices differ from a standard Mac client.