As Apple’s market penetration continues to grow among enterprises, so does the number of malicious hackers targeting Mac users. Although Apple officially began recommending that Mac users load antivirus software as far back as 2002, Apple's “Macs are secure” marketing message has been so durable that many enterprises are just beginning to initiate antivirus scanning on Mac-based networks.
The main weakness that Mac attackers look to take advantage of is Mac users themselves.
Thankfully, now all of the major antivirus vendors such as Symantec Corp., McAfee Inc., ESET and Avast Software offer Mac-specific antimalware products for enterprises with centralized management employing proactive protection methods such as heuristic analysis, generic protection, and on-access scanning to detect and remove threats. Unfortunately, there are a number of security issues that Mac malware scans alone can't fix. In this tip, we'll cover some of those Mac enterprise security issues and how to mitigate some of the more likely Mac endpoint threat vectors.
There are certainly aspects of the Mac OS that inhibit successful attack development for hackers. Mac OS X is based on UNIX, so the security of the underlying code base has been thoroughly proven over time. It also uses sandboxing to separate applications and processes to restrict file access and the actions programs can execute. This makes it harder for malware to access data created and used by other applications.
However, the structure of the bundle architecture used for storing applications and user documents makes it easier for an attacker to piggyback executable code within an existing trusted application than in a Windows environment. A bundle is a special folder that appears to the user to be a single executable file, but in fact can store multiple resources. While this enables programmers to keep files required by an application such as graphics, help files and other resources together in one location, hackers can install multiple malicious executables into the folder too. When the user executes the bundle, the virus code executes instead of the genuine application.
While the application storage issue is concerning, the main weakness that Mac attackers look to take advantage of is Mac users themselves; in my experience, they tend to be far less security aware than Windows users. Although a dialog box now appears requesting permission to run any new program downloaded from the Internet, its importance or relevance is not appreciated by most Mac users. Two weeks after the release of its AV for Mac Home Edition, antivirus vendor Sophos released data showing that a significant number of Macs running Sophos software had been infected with malware. This malware included Mac-native threats, both OS and third party, along with Java-based malware. There are also well-known Mac Trojans that are often disguised by hackers on BitTorrent sites or planted on websites as tempting downloads or plug-ins required to view a video.
While regular Mac malware scans with updated antimalware products from established vendors will certainly help defend against the low-hanging fruit of malware attacks, as with virtually any endpoint defense strategy, a combination of technology and training is necessary.
In addition to the antivirus technology discussed above, administrators should deploy what have become standard security controls on a Windows network, including network access control, Web security gateways, data loss protection (DLP) and security information and event management (SIEM) products, all of which help provide real-time threat analysis and protection. As Mac users are increasingly under attack, reassessing the exposure to new threats is essential. This undoubtedly shows that more robust security controls like those mentioned above need to be in place to reduce the increased risks to an acceptable level.
Beyond deploying antivirus software and the other technologies mentioned above, enterprises should also consider whitelisting or blacklisting applications to reduce the overall attack surface by ensuring users only have approved and necessary programs. The Mac App Store potentially makes controlling apps easier than on Windows machines. Consider mandating data or full-disk encryption too.
A Mac enterprise needs to reinforce any such Mac security technology initiative with security awareness training for its users; otherwise, it’s a losing battle. Training sessions should dispel the myth that Macs are immune from malware and that users need to be just as security conscious as their Windows peers. The dangers and automation of drive-by attacks must be clearly explained so users understand they are not unaffected by the growing reach and sophistication of modern hackers. A support desk for users to report any unusual Mac behavior, such as slower response times and unexpected pop-ups, all classic signs of malware, helps network administrators quickly isolate and contain any infections.
Until enterprises with Mac users implement more specific, deliberate steps to defend against the growing threat to Mac endpoints, they will increasingly be perceived as a soft target by cybercriminals. That's reason enough to ensure enterprise strategy ranges beyond Mac malware scans to include more sophisticated technology and training methods.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.
This was first published in February 2012