In the past, the supposed walled garden surrounding Apple Inc. products has given average Mac users an aura of security invincibility. Even though some of the first viruses targeted Macs, this common perception of the Mac’s inherent security superiority stems largely from Apple’s successful marketing efforts, emphasizing the inability of viruses to penetrate the Mac ecosystem.
...Mac administrators typically can’t see beyond the imaginary “walled garden” to realize the risk that malware poses to their systems.
In truth, Apple has had better luck at minimizing the security concerns for Mac users around malware in the past than Microsoft. Some of this good fortune was the result of Apple’s decisions to use open source core components, which keep attackers out of its walled garden, plus malware authors focused more on attacks aimed at the much larger Windows’ user base.
Apple’s luck, however, is quickly running out. The recent spread of the Flashback malware served as another wake-up call for the average Mac user and enterprises with Macs on their networks: Successful mass malware attacks against Macs are a reality. In this tip, we will examine why recent malware, including Flashback, are having success against the Mac, and what steps Mac enterprise security specialists can take to protect Macs endpoints from malware.
Current malware payout on the Mac
Conventional wisdom suggests Macs haven’t been targeted in the past because the payout for malware developers hasn’t been high enough. Andy Greenberg, who recently wrote about research by Adam J. O’Donnell concerning when the Mac’s rising market share would lead to it being the target of malware authors, indicated the Mac has passed the necessary market share threshold to make it worthwhile for malware authors to attack Macs. This research was based on antimalware effectiveness and that Mac users predominately don’t use antimalware software.
Listen to this tip
as an MP3!
Listen to Reassessing Mac enterprise security in face of Flashback malware as an MP3 here.
Flashback captured usernames and passwords and sent them to infected command-and-control (C&C) systems. Its success – infecting as many as 600,000 Macs at its height, the most widely propagated Mac malware to date – hinged on a vulnerable Java installation on Mac endpoints. Many believe Apple could have greatly stemmed the spread of Flashback by providing a Java patch more quickly, and by helping users detect the malware on their machines. That said, the most important takeaway from Flashback is that Mac malware authors are starting to build malware kits with similar features as ones seen on PCs, namely individual pieces of malware with multiple variants that exploit multiple flaws. So if one exploit fails, another exploit may do the trick.
Macs can run antimalware software and there are several signature-based Mac antimalware products available from major antimalware vendors (Kaspersky, McAfee, Symantec, etc.), but Mac administrators typically can’t see beyond the imaginary “walled garden” to realize the risk that malware poses to their systems. A lack of security awareness among many Mac users has also contributed to this problem. Apple’s slow response to acknowledge vulnerabilities, patch vulnerabilities, and push updates has also allowed malware authors to attack easier targets than many Windows systems.
Enterprise Mac malware response
Enterprises with Macs on their network, which today is likely all enterprises, should plan to include Macs in their general security program alongside Windows and other systems. This means Macs should be patched, encrypted, deployed securely and managed like Windows machines. While different tools may be required to secure Macs, there are tools, like NetBoot, auto-updates and others, that allow consistent security controls to be deployed to an enterprise’s Macs. As expected, this should include antimalware tools in addition to the built-in antimalware utility XProtect.
Alternative OS security
Does the Kindle Fire’s Silk browser compromise enterprise security?
Adjust Android device security settings for the enterprise.
Microsoft has supported Windows XP for a long time. In contrast, Apple only supports the current and previous version of OS X, so Macs prior to 10.6 will stop receiving updates when version 10.8 comes out. 10.6 was released in August 2009, so enterprises must update their OSes to ensure they continue to receive security updates. Even though Flash and Java are not installed on Macs by default, applications should also be updated regularly to run the most current versions available. For Macbooks that store sensitive data, using the File Vault encryption options or a third-party utility to encrypt data provides further protection. Every enterprise has technically adept users that can manage all of these activities themselves, but average enterprise users can be supported most efficiently by using a central management system like Apple Remote Desktop, Open Directory or Microsoft Active Directory with a third-party plug-in to manage disk encryption, authentication, security configurations and updates.
Any organization that hasn’t included Macs in its general security program should consider doing so now before a larger problem arises. With more enterprises and end users focusing on Mac security, they can encourage Apple to take a more proactive slant towards security response. Apple made some good design decisions with Mac OS X, iOS and its application store, but its security response issues continue to cause problems for average Mac users and enterprises alike. If Apple doesn’t improve its security response, it may lose the trust of its user base.
About the author:
Nick Lewis (CISSP) is an information security architect at Saint Louis University. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and previous at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.
This was first published in July 2012