Mac Attacks Do Happen: How to Protect an Office of ApplesApril 21, 2014 by Daniel Humphries
Apple has long enjoyed a uniquely intense brand loyalty from its customers, particularly among younger, tech-savvy and affluent consumers. Lately, however, the global tech giant has been making waves in a market less commonly associated with cool, creative types.
According to a recent Wall Street Journal report, government and business spending on Apple products is surging, with Apple-loving employees helping drive this change. The iPhone in particular serves as the tech “gateway drug,” which, the report says, is “prompting corporate tech managers to rewrite policies and change traditional buying patterns.”
Chip Pearson, CEO of JAMF, a firm that helps businesses manage Apple products, recently told Cult of Mac that his company’s software now manages five times as many Apple devices as it did three years ago. Meanwhile, an impressive 25 percent of laptops in use at networking giant Cisco are now MacBooks.
Of course, aside from making employees happy, Mac adoption makes a lot of sense from a security perspective: as everybody knows, Macs don’t get viruses.
Now, when you read that last sentence did you spit out your coffee and denounce me as a blithering buffoon? Or did you nod your head and keep reading? If the latter, then it is my sad duty to inform you the idea that “Macs don’t get viruses” notion is a myth—albeit a very popular and powerful one.
The whole “Macs don’t get viruses” notion is a myth—albeit still a very powerful one. Indeed, until 2012 the claim “It doesn’t get PC viruses” was included in Apple’s official Mac marketing, at which point it was removed.
But the myth persists: we surveyed 500 people and found that only 33 percent of respondents believed the statement “Macs don’t get computer viruses” was false. Meanwhile, 67 percent either agreed with this statement or didn’t know whether this statement was true or false—and the distinction between ignorance and confusion makes little difference from a security perspective.
Do you agree with the following statement? Macs don’t get computer viruses.
With results like this, it’s little surprise that Matt Curtin, author, lecturer and founder of security and privacy firm Interhack, argues that it’s “a reasonable assumption that a lot of Mac users are terribly naive” when it comes to security.
The simple truth about a Mac is that it’s just a machine, or as Tyler Durden put it in Fight Club:
“You are not special. You are not a beautiful or unique snowflake.”
This being the case, what steps should Mac users take to protect their devices? We spoke to three experts to identify the biggest security risks of using Apple products, and what you can do about them.
Where Did ‘Macs Don’t Get Viruses’ Originate?
According to Brian Foster, CTO for computer security firm Damballa (which counts three of the top six major motion picture studios among its customers), viruses were a problem on Macs before they were ever a big problem on PCs.
“I worked at Symantec for 21 years, and the first Symantec antivirus product came out for Mac before it did for PC,” Foster says. “I’ve seen everything from common malware to more targeted attacks on Macs.”
Although they’re not impervious to risk, it is true that Macs have historically suffered fewer virus attacks than PCs. But, Foster explains, this isn’t due to some type of mysterious technological magic that happens on Macs—it comes down to simple economics. Since PCs are much more common than Macs, they’re a “target rich” environment for hackers and cyber crooks looking to make money or wreak havoc.
As Adam Gray, CTO of Novacoast, says, “The sheer number of Apple users versus Windows users wouldn’t give you a large enough platform to reap the benefit you want if you’re going to write malware.”
However, Gray stresses, just because criminals have less of an incentive to target Macs, “that doesn’t mean [Mac users] aren’t at risk.”
Foster agrees, and says this risk is likely to increase as Mac adoption grows. “Apple today is in the top three as far as platforms for laptops go. So sure, there are lots of Windows PCs, but there’s also a hefty number of Macs out there now,” he says.
Mac Security Risks Are Technological and Sociological
While Mac’s OS X system may be less alluring to cyber criminals than PCs, our experts say that today’s malware writers prefer not to target operating systems, but instead the vulnerabilities in the applications that run on top of these systems.
The issue here for Mac users is that a lot of applications users work with today run on all platforms—Macs included. For instance, Foster explains, if a hacker finds a vulnerability in Adobe Flash, “he could use it to gain access to a PC or a Mac.”
Java is another common app framework that has been exploited to give malicious hackers access to both Macs and PCs. “When you look at how machines are infected, so much happens through the Web browser and the plug-ins in that space,” Foster says.
But once again, most people are unaware of the threats these apps can pose to their machines. Of the 500 people we surveyed, only 10 percent of respondents correctly knew that Apple doesn’t check third party software that runs on Macs for malware.
Do you agree with the following statement? Apple checks software that runs on Macs for malware.
It is perhaps unsurprising then that, in Foster’s line of work, he says it’s “fairly common” to see Mac users being less vigilant about running security software and keeping it up to date versus Windows users.
This complacency invites risk. In one example, Foster recalls an incident when his firm discovered malicious activity occurring exclusively on Macs. “But when we told our customers that this was happening, we received emails saying, “You’re wrong; we use Macs, they can’t be infected,” he says.
Not only did this malware exist, it was later named the “Flashnet” botnet, and went on to affect over 600,000 Macs around the world by hijacking vulnerabilities in Adobe and Java.
But the persistence of an obsolete myth may not be the only source of Mac user naivete. Curtin suggests that Apple’s marketing encourages many people to view their Macs simply as appliances for doing “cool” things.
“People think about a Mac as an email, writing or poster-making machine,” he says. “They become focused on appliance’s function at that moment.”
Instead, Curtin emphasizes, users need to think more carefully about risk, because Macs are complex machines that “have the ability to share files at the same time you’re typing a letter to Grandma,” and users “are no less a target and their systems are no safer.”
How to Protect Your Mac (All Businesses)
First the bad news: if you (or your employees) have already switched on your Mac and started using it without manually configuring your defenses, you’re already at risk. Most Mac security protections are not automatically enabled, which means every user needs to spend time configuring their security and privacy settings. Of the 500 people we surveyed, a paltry 8 percent were aware that Mac security settings need to be manually enabled:
Do you agree with the following statement? Macs have their security settings switched on by default.
The good news is that there are ways to protect yourself. Whether you’re a lone wolf micro-business operating out of Starbucks or a 100-person organization with multiple devices, here are a few basic steps you can take to begin safeguarding your organization’s Macs right away:
➔ Turn on both the firewall and application firewall. This second part is particularly essential, Gray says, because it prevents your devices from running applications that are not approved by Apple or one of its trusted developers.
➔ Encrypt the file system. Doing so means that, if your device is stolen or breached, your information will be much harder to access. Curtin adds that you should also set up a strong password to make intrusion harder.
➔ Make sure automatic security updates are working. This should be activated by default, but Gray advises against leaving anything to chance to chance—check it.
➔ Review which apps have access to your personal data. Examples include your calendar and contacts apps. When apps that access the Internet for services (and there are lots of them) have unchecked access to your private information, this heightens your exposure to threats.
➔ Ensure your third and fourth party software is up-to-date. According to Gray, the most important systems to monitor are Adobe Flash and Java, and it’s “absolutely critical” to update them.
➔ Remove administrative privileges from your user account. Instead, Gray recommends creating a separate administrative account. This mitigates risk, and can reduce the extent of the damage to your machine if this account is compromised.
Invest in third party antivirus software. Don’t just trust Apple’s built-in defense options, Gray says: buy anti-virus from a respected manufacturer such as Symantec, or Novacoast’s 4Shadow intrusion detection software.
How to Protect Your Mac (Larger Businesses)
Bigger firms will require more extensive layers of security in order to protect the many devices they run. Foster recommends the steps below, stressing that these measures are not Mac-specific, and can apply equally to an office of PCs. In fact, that’s the point—a Mac should be treated like any other machine.
➔ Set up an “OS agnostic” network security system. This will protect any devices you have on the network, whether Mac, Windows, Linux or Android-based. For instance, Foster recommends “firewalls, automated breach defense solutions and Intrusion Prevention Systems.”
➔ Install an endpoint security platform. These platforms run on every device, but can be centrally managed by a single administrator. The most crucial of all is a regularly updated antivirus platform.
➔ If you permit visitors to log onto your network, set up Network Access Controls. Foster recommends Forescout, which interrogates every device that connects to the network to make sure it is configured appropriately and running the right level of security software.
➔ Ensure security when employees are off-site. Foster recommends OpenDNS, which has a cloud-based enterprise level product that will extend security to employees even when they’re away from the office. At the very minimum, Curtin recommends using a Virtual Private Network to encrypt all data that flows back into your office.
Apple’s Mobile Devices: So Far, So Secure
Although Macs may not be invincible, Apple’s mobile devices have (until now) enjoyed extremely strong security. Foster attributes this to the fact that while Mac computers run on the “relatively open” OS X platform, which allows third parties to develop software that hasn’t been quality checked by Apple, iPhones and iPads use iOS, which is a closed system. This means only official apps downloaded from the Apple store that have been vetted by Apple will work on them.
However, this tightened security means that businesses can only do what Apple permits on a mobile device. In the past, companies had trouble finding a mobile device management (MDM) platform that enabled them to exercise appropriate control over employee devices—there were difficulties with remote wiping, for instance.
Today, however, Foster says Apple has partnered with MDM vendors to resolve these issues, and with the right platform companies, can enforce such encryption, remote wiping and passcode usage. Gray recommends MDM platforms such as Mobileiron, Symantec or Airwatch.
Even so, employers should beware of “jailbroken” devices, i.e. iPhones or iPads that have been reconfigured by their users to escape the restrictions placed on them by Apple, as these devices are susceptible to risk.
“The malicious software out there for iPads and iPhones has really only been shown to run on devices that have been tampered with,” Gray explains, “but if your employees are jailbreaking company devices then you may have other issues than just security to worry about.”
If you operate a Bring-Your-Own-Device (BYOD) policy, there’s very little you can do to stop employees tampering with their own devices. To protect your business from the consequences of these actions, Gray recommends configuring your mobile security to enforce a policy that prevents your company’s applications from running on jailbroken devices.
Your Mac Is Not a Special Snowflake, and That’s Okay
Some Apple users may well worship in the Cult of Mac, but at the end of the day, these devices are merely clever combinations of plastic and circuitry, and users have to think about securing them as they would similar machines.
“There’s always risk involved in everything we do,” Curtin says. “We accept the risk of driving a car because it gets us where we want to be faster, but we realize that someone else might drive a car into us. Computing is no different from anything else we engage with day to day.”
While Apple users don’t need a PhD in computer science, Curtin recommends taking the time to understand their devices.
“Knowing how something works is critical to becoming good at anything,” he says. “So when it comes to security, you have to know what all these pieces are—what does it mean to turn on a firewall? What does it mean to turn on encryption?”
Indeed, as Apple products grow in popularity and more businesses adopt them, they’re likely to become a more attractive prospect to cybercriminals. You might never be targeted, but why take the risk? That would be dumb. And Mac users aren’t supposed to be dumb.