Why Wait for OSX Exploitation?

I was asked recently if Macs are being targeted more and as a result do they need to be managed at the same level as Windows computers.

If you have something of value, e.g. Government, Fortune 500, China is mad at you, it doesn't matter whether OS X is being targeted more in general. Skillful attackers with deep pockets will come. Politically motivated APT has targeted OS X computers in Tibet, for example. The more general computer user and lesser known companies are more likely to worry about OS X malware falling into the hands of less capable attackers through commodity exploit dealers who sell exploit kits. An exploit kit is sold or hosted, a campaign drives traffic to the site, and the site carries a variety of payloads for known software vulnerabilities. The concern here is usually unpatched software and users who can be tricked into installing malware.

Earlier this year, hundreds of thousands of Apple OS X users had malware installed via a Java software vulnerability. This 2011 blog post by Websense talks about the increase in Apple malware and its inclusion in do-it-yourself crimeware kits.

Of course some of this Apple malware talk can be discounted because it comes from vendors. The 'year of the Apple malware' has been declared more often than every year was going to finally be the year PKI took off. Only Android malware is hyped more.

That said, the time when Apple could skirt under the radar of corporate security has long passed. The writing is clearly on the wall. The same care and feeding is required of Apple computers in an enterprise. And not just for malware.

How is backup handled? Is it backed up with the same enterprise software, or is it performed on an individual basis depending on each user's iCloud settings?

What security configuration is applied? Is there a password policy? Is there a screensaver?

If any antivirus software is installed, is it a random collection of free and paid software from various vendors? It should be your enterprise product, so you can look in one place and verify that virus definition files are up to date. And if a malware detection were to actually occur on a Mac, you'd want automatic notice from your enterprise antimalware product. Relying on the user to tell you about the detection seen by their standalone product is so 1990s.

Encryption. In most places this doesn't occur for the Windows boxes. Here in the DC area it's pretty common to see pre-boot authentication for encryption on laptop screens when you go to conferences. Is the encryption enterprise ready? Is the product recoverable? Some will care if it is FIPS 140-2 certified. Do you have provable security (for safe harbor)? While the easy thing to do is to use FileVault 2, from an enterprise perspective it may be better to deploy a Mac version of your encryption product that reports in to the same server.

If you deploy a web security product on laptops to prevent malware and porn when the users are out of the office, shouldn't the Mac get that same level of protection (some would say restriction)?

What about patch management? While you don't have the same volume of issues, there are clearly security updates from Apple that you need to make sure are deployed. Third party products aren't as clear. Many times the vulnerability only affects Windows. But you never know.
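The security configuration, encryption and patch management questions above can be turned into a baseline audit. The script below is an added example, not code from the original post: each check is a function of command output, so it can be exercised offline on constructed strings, and gather_live() wires the checks to the real macOS commands (fdesetup, defaults, pwpolicy). The thresholds (lock delay of 300 seconds or less, minimum password length of 12) are assumptions, not values from the post.

```bash
#!/bin/bash
# Added example, not from the original post: baseline audit of the enterprise
# Mac controls the post asks about. Thresholds below are assumptions.

check_filevault() {            # $1 = output of `fdesetup status`
    case "$1" in
        *"FileVault is On."*) echo "PASS disk encryption"; return 0 ;;
        *) echo "FAIL disk encryption: ${1:-no output}"; return 1 ;;
    esac
}

check_screen_lock() {          # $1 = askForPassword, $2 = askForPasswordDelay (seconds)
    if [ "${1:-0}" = "1" ] && [ "${2:-0}" -le 300 ]; then
        echo "PASS screen lock"; return 0
    fi
    echo "FAIL screen lock: askForPassword=${1:-unset} delay=${2:-unset}"; return 1
}

# Minimum length from `pwpolicy -getaccountpolicies`, whose policyContent holds
# a regex such as policyAttributePassword matches '^.{12,}$' (assumed format).
check_password_length() {      # $1 = pwpolicy output
    local min
    min=$(printf '%s\n' "$1" | grep -o 'policyAttributePassword matches .*{[0-9]*,' \
          | grep -o '{[0-9]*,' | head -n1 | tr -dc '0-9')
    if [ -n "$min" ] && [ "$min" -ge 12 ]; then
        echo "PASS password length ($min)"; return 0
    fi
    echo "FAIL password length: ${min:-no policy found}"; return 1
}

check_auto_update() {          # $1 = SoftwareUpdate AutomaticCheckEnabled value
    [ "${1:-0}" = "1" ] && { echo "PASS auto update check"; return 0; }
    echo "FAIL auto update check: ${1:-unset}"; return 1
}

# Run every check; prints one line per control, returns the number of failures.
audit() {   # $1 fdesetup output, $2 askForPassword, $3 delay, $4 pwpolicy output, $5 auto update
    local fails=0
    check_filevault "$1"            || fails=$((fails+1))
    check_screen_lock "$2" "$3"     || fails=$((fails+1))
    check_password_length "$4"      || fails=$((fails+1))
    check_auto_update "$5"          || fails=$((fails+1))
    return "$fails"
}

gather_live() {                # collect live values on a Mac and audit them
    audit "$(fdesetup status 2>/dev/null)" \
          "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)" \
          "$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null)" \
          "$(pwpolicy -getaccountpolicies 2>/dev/null)" \
          "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null)"
}
```

Running gather_live from your enterprise management agent, and shipping its FAIL lines to the same console as the Windows fleet, is the point: the Macs report into one place.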

I know, the security software agent doom spiral was introduced slowly on Windows machines. With ANY attempt to encroach on the Apple users' self-entitlement they are going to cry out just like the Windows users did the first time SMS 2.0 was deployed over a decade ago. The time has come. We can't put it off any longer. If Apple computers are part of your enterprise, why shouldn't they be managed at the same level as the Windows computers? Why wait until you're exploited?