Without wishing to get into the ‘your Windows machine is a gazillion times less secure than my Mac' nonsense, and whilst admitting that this latest threat requires the end user to download and execute a malicious installer, three words still apply: damn end users.
Actually, let's rephrase that: damn enterprise IT support. Chances are that even if you work in an organisation where Macs are relatively plentiful, the IT support folk will be happier working on the Windows machines and feel a little lost on the Macs.
Isn't it about time that enterprise security got up to speed with the Mac threat?
Most enterprises remain firmly entrenched in Windowsville but that doesn't mean that Macs are an absent friend. Nor should it mean they are an invisible enemy. So, does the average organisation need to get a Maceducation?
Are MacOS devices largely ‘invisible' to enterprise security teams, at least in terms of the threat they represent?
“I don't think invisible is the right description” says Mark James, security specialist at ESET who continues “they are often seen as the least concern when comparing to Windows but I think more and more businesses are understanding that the MacOS threat is very real and needs addressing.”
Whilst they don't suffer as many or the constant attacks we see from the Windows environment, James insists that they certainly get their fair share of malware. He told SCMagazineUK.com “If it has an OS and it connects to a network or the internet” he concludes “it needs protecting.”
Guillaume Ross, senior security consultant with Rapid7 points out that “an issue often seen in enterprise environments is simply that while the Windows side is very well tooled and benefits from automation for the deployment of software, patches, security software and hardening, the Mac environment was typically only a very small portion of the fleet, left unmanaged, that started growing and now represents a significant part of the environment.”
What should the enterprise be doing differently to mitigate the risk that Macs represent, is it just a matter of education that MacOS isn't a risk-free zone or do they need to get to grips with the hardware/software in a more hands-on way?
Yoni Allon, lead researcher at LightCyber reckons that “many enterprises deal with Macs as they do with BYOD” explaining that they have few security measures in place, particularly compared to an all-Windows environment. “While we haven't seen a lot of Mac-specific malware in the wild” Allon warns “APTs do not limit themselves to Windows devices.”
There is, however, a growing user base of Macs in the enterprise and this is making them more valuable as a pivot point into networks. Since technology is changing fast, the amount of operating systems that enterprise security teams need to deal with is increasing, including mobile devices (Android, iOS), network devices (Cisco IOS, Junos, ScreenOS, embedded Linux), endpoints (Windows, Linux, MacOS), netbooks (Chrome OS), mainframes (Solaris, IBM's AIX and many more).
“This breadth of operating systems creates considerable challenges for organisations”, Allon explains, “there will never be endpoint protection for every device, particularly with newer IoT devices showing up everywhere. It's best to be realistic and expect that attackers will get into any given network. The key now is for some kind of network based solution that is agnostic to the tools and operating system used and can look for attack activities on the network.”
Alex Mathews, EMEA Technical Manager at Positive Technologies adds that "people are somewhat blinkered by Macs not historically being as much of a risk as PCs and need to be shaken from some of this ‘device-centric' malaise.” And Matthew Aldridge, Solutions Architect at Webroot, reckons that maybe enterprise security teams should remember that “since Mac OS version 10, Macs have been based on a Unix-type operating system derived from BSD, so they can act as great launch points for attacks once the compromised host moves within a secured corporate perimeter.”
Is there any kind of best practice documentation, or are security teams pretty much on their own as far as MacOS threats are concerned? “There's a number of best practices out there, because there are more and more enterprises that use the Mac” says Brian Best, Apple Strategist at SolarWinds MSP who goes on to point out that “ultimately, simple best practices that are analogous to those performed on Windows will keep most threats at bay.”
James Maude, senior security engineer at Avecto, agrees and told SC, “the best advice is to treat macOS the same as Windows and get the basics right. This includes measures such as the removal of administrative privileges to minimise employee access to sensitive data and blocking unknown applications from running. These are quick wins as they are straightforward to enforce but mitigate the vast majority of threats.”And finally, Bogdan Botezatu, senior e-threat analyst with Bitdefender says “there are best practices for integrating Macs and Apple mobile devices in an organisation's Active Directory, meaning that IT departments no longer have to either ban them or keep them on segregated networks. This means that group policies can also be enforced to Macs by the IT department.”