Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing. (M1051: software update)
o Backup 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for company assets. Review and update documentation annually or when significant changes within the business occur that could impact this protection.
o Safeguard 7.2: Establish and maintain a remediation process: Establish and maintain a risk-based remediation strategy, documented in a remediation process, with monthly or more frequent reviews.
o Backup 7.6: Perform automated vulnerability scans of externally exposed enterprise assets: Perform automated vulnerability scans of externally exposed enterprise assets using a vulnerability scanning tool compliant with SCAP. Perform scans on a monthly or more frequent basis.
o Backup 7.7: Fix detected vulnerabilities: Fix detected vulnerabilities in software through processes and tools on a monthly or more frequent basis, depending on the remediation process.
o Backup 16.13 Perform application penetration testing: Perform application penetration testing. For mission-critical applications, authenticated penetration testing is better suited to detecting business logic vulnerabilities than code analysis and automated security testing. Penetration testing relies on the tester's ability to manually manipulate an application as an authenticated and unauthenticated user.
o Safeguard 18.1: Establish and maintain a penetration testing program: Establish and maintain a penetration testing program appropriate to the size, complexity and maturity of the business. Penetration testing program characteristics include scope, such as network, web application, application programming interface (API), hosted services, and physical premises controls; frequency; limitations, such as acceptable hours and excluded types of attacks; contact details; corrective actions, such as how results will be communicated internally; and retrospective requirements.
o Safeguard 18.2: Perform periodic external penetration testing: Perform periodic external penetration testing based on program requirements, at least annually. External penetration testing should include reconnaissance of the business and environment to detect actionable information. Penetration testing requires specialist skills and experience and should be carried out by a qualified party. The test can be performed in a transparent box or an opaque box.
o Backup 18.3: Remediate Penetration Test Results: Remediate penetration test results based on company policy for scoping and prioritization of corrective actions.
Apply the principle of least privilege to all systems and services. Run all software as an unprivileged user (without administrative privileges) to lessen the effects of a successful attack. (M1026: Management of privileged accounts)
o Backup 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations may include: disabling default accounts or rendering them unusable.
o Backup 5.4: Restrict admin privileges to dedicated admin accounts: Restrict admin privileges to dedicated admin accounts on company assets. Conduct general computing activities, such as browsing the Internet, emailing, and using the Productivity Suite, from the user's primary, non-privileged account.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict web content)
o Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on company assets or receives a documented exception. Review monthly or more frequently.
o Backup 2.7: Allowed List of Allowed Scripts: Use technical controls, such as digital signatures and version control, to ensure that only allowed scripts, such as specific .ps1, .py, etc. files, are allowed to execute. Block the execution of unauthorized scripts. Reassess every two years or more frequently.
o Backup 9.3: Maintain and enforce network-based URL filters: apply and update network-based URL filters to prevent a business asset from connecting to potentially malicious or non-malicious websites approved. Example implementations include category-based filtering, reputation-based filtering, or the use of blocklists. Apply filters for all company assets.
o Backup 9.6: Block unnecessary file types: Block unnecessary file types that attempt to access the company's email gateway.
Use features to detect and block conditions that could lead to or indicate the occurrence of a software exploit. (M1050: Exploit Protection)
o Safeguard 10.5: Enable Anti-Exploit Features: Enable anti-exploit features on enterprise assets and software where possible, such as Microsoft Data Execution Prevention (DEP), Windows Defender Exploit Guard (WDEG) or Apple System Integrity Protection (SIP). and the guard.
Block code execution on a system through application control and/or script blocking. (M1038: Prevention of executions)
Safeguard 2.5: Authorized Software Allowlist: Use technical controls, such as the Application Allowlist, to ensure that only authorized software can run or be accessed. Reassess every two years or more frequently.
Backup 2.6: Allowed List of Allowed Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc. files, are allowed to load into a system process. Prevent unauthorized libraries from loading into a system process. Reassess every two years or more frequently.
Backup 2.7: Allowed List of Allowed Scripts: Use technical controls, such as digital signatures and versioning, to ensure that only allowed scripts, such as specific .ps1, .py, etc. files, are allowed to execute. Block the execution of unauthorized scripts. Reassess every two years or more frequently.
Use features to prevent suspicious behavior patterns from appearing on endpoint systems. This could include a suspicious process, file, API call, etc. (M1040: Endpoint Behavior Prevention)
Backup 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where applicable and/or supported.
Backup 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution to enterprise assets, where applicable and/or supported. Example implementations include using an Endpoint Detection and Response (EDR) client or a host-based IPS agent.
