Hardening operating systems is extremely difficult, I put a ton of research into it, but making it harder for APTs is always valuable. Linux with GRSecurity used to be the gold standard. Not sure what is now.
I noticed a lot of "zero days" or vulnerabilities target specific versions of popular software so there may be plenty of security in obscurity just based on the nature of the hacking business. And there's a huge shadowy hacking business if you weren't aware.
And as a side note, one thing I learned from grugq is that managing your identity online is worth 10 fold more than any of this hardening business. Creating fake identities with real back stories and LinkedIn pages etc. That sort of thing. But that's getting a little deep into the "shadowy arts" of the infosec world.
> NSA released a now older OSX hardening PDF, still lots of relevant stuff:
> Disable Unnecessary Services: The following services can be found in /System/Library/LaunchDaemons. Unless needed for the purpose shown in the second column, disable each service using the command below, which needs the full path specified: sudo launchctl unload -w PathToPlistFile
Today, you can't do that unless you disable, well, a different security setting.
https://cirka.net/wiki/_media/macosx_hardening_tips.pdf
And NIST did a long form one as well for macOS Sierra (10.2)
https://csrc.nist.gov/CSRC/media/Publications/sp/800-179/rev...