Blog: How Tos

Get your Macs back on track: Apple security for Windows experts

Ken Munro, 28 Oct 2013

Are there any Apple Macs on your network? Absolutely sure? When was last time you had a good walk around? Did you go and visit your marketing people and see what they’re using?

In corporate IT departments there is often a limited understanding of Apple systems security. We’ve seen this manifested in very limited local lockdown of Macs, and excessive privileges being given to them. The problem tends to be compounded when there are just a handful of Macs in a broadly Windows environment, usually in marketing departments where they’re used by design and dev creative types.

So what are the implications of this lack of lock down? How capable is your endpoint protection and anti-virus? Do you have a dedicated client for Apple machines? Is one installed, and if not how would you know?

Another concern should be the control you have over devices that can connect to those Macs. USB port control makes data theft and malware spreading more difficult, but it tends to be enforced only in Windows environments. Do you have the same protection on your Macs? How can you stop users syncing corporate data with iCloud? If they are also using personal iPhones, managed through an MDM system, what is to stop those phones being backed up to a Mac with iTunes? That is another potentially unsecured system handling your corporate data.

What if it’s a MacBook that leaves the office with the user: how good is its full disk encryption? Sure, a Windows laptop loss might be tolerable if you have faith in your corporate encryption product, but are you as comfortable with a Mac being lost or stolen? If you have no idea what OS X version it’s running, and how well updated it is, it could well be vulnerable to the FireWire/Thunderbolt encryption bypass attack enabled by the Inception tool. Recent OS X and FileVault versions are OK, but older versions (before Lion 10.7.2) are open to this abuse.

Chances are that if you’re not regularly and frequently managing the security of that Mac, the user has root permissions, and one thing we have learned is that users love to turn their automatic updates off. You can run a group policy to enforce auto updating, but it’s not a simple exercise.

To compound these issues creative types are often the most vocal on social networks, making them clear targets for useful information gathering. A simple assumption made by an attacker that they are more likely to own a Mac means that an exploit could be delivered relatively easily.

The icing on the cake with Mac security issues is user attitude. There is a popular myth that Macs are not vulnerable, and if they are there are so few exploits that securing them is a waste of time. Wrong, wrong, wrong. They may be a little more secure than Windows boxes by default, but being blasé is just not helpful.

OK, enough with the doom-mongering and Mac/user bashing!

What can you do about these potential headaches? Well, that depends on the number of Apple systems being attached to your network. The first step is to audit what you’ve got, which might even mean chatting to people in likely departments (Marketing?). If there are only a smattering of devices then you should audit them by hand. Review OS versions, check patch freshness, review apps etc. and draw up a simple policy for maintenance and use. Even better if you can find someone in your IT department who is an Apple fanboi (or girl) to do this for you.
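The hand audit described above, and the two specific checks the post raises earlier (is the OS older than the 10.7.2 FileVault/DMA fix, and has the user switched automatic updates off), can be scripted. The block below is an added example and is not part of the original post or any Pen Test Partners tool. It calls three real macOS commands (`sw_vers`, `fdesetup status`, `softwareupdate --schedule`); the parsing helpers, the host names and the exact output strings matched (`FileVault is On.`, `Automatic checking for updates is turned on.`) are this example's own assumptions, and when the script is run somewhere other than a Mac it falls back to constructed sample data so it still executes.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal audit for a handful of
# Macs, reporting OS version, exposure to the pre-10.7.2 FireWire/Thunderbolt
# DMA bypass, FileVault status and whether automatic update checking is on.
# Note: fdesetup only exists on 10.8 and later; on older releases the FileVault
# field will read "unknown", which is itself a finding worth following up.

# Print "old" when a dotted version (e.g. 10.6.8) is below 10.7.2, the cut-off
# the article gives for the DMA bypass, otherwise "ok".
dma_exposure() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    [ -z "$minor" ] && minor=0
    [ -z "$patch" ] && patch=0
    if [ "$major" -lt 10 ] \
       || { [ "$major" -eq 10 ] && [ "$minor" -lt 7 ]; } \
       || { [ "$major" -eq 10 ] && [ "$minor" -eq 7 ] && [ "$patch" -lt 2 ]; }; then
        echo old
    else
        echo ok
    fi
}

# Classify the output of `fdesetup status` (assumed strings).
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Classify the output of `softwareupdate --schedule` (assumed strings).
autoupdate_state() {
    case "$1" in
        *"turned on"*)  echo on ;;
        *"turned off"*) echo off ;;
        *)              echo unknown ;;
    esac
}

# One audit line per host from the three raw command outputs.
audit_line() {
    host=$1; ver=$2; fv=$3; su=$4
    printf '%s os=%s dma=%s filevault=%s autoupdate=%s\n' \
        "$host" "$ver" "$(dma_exposure "$ver")" \
        "$(filevault_state "$fv")" "$(autoupdate_state "$su")"
}

# On a real Mac gather live values; elsewhere use constructed samples.
if command -v sw_vers >/dev/null 2>&1; then
    audit_line "$(hostname)" "$(sw_vers -productVersion)" \
        "$(fdesetup status 2>/dev/null)" "$(softwareupdate --schedule 2>/dev/null)"
else
    # Constructed sample data for two hypothetical marketing-department Macs.
    audit_line "mkt-mac-01" "10.6.8" "FileVault is Off." \
        "Automatic checking for updates is turned off."
    audit_line "mkt-mac-02" "10.8.5" "FileVault is On." \
        "Automatic checking for updates is turned on."
fi
```

Run it on each Mac you find (or via SSH in a loop) and collect the lines into one file; a host showing `dma=old`, `filevault=off` or `autoupdate=off` is the one to deal with first.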

If you have more than a handful of Macs then you really should have the policies and software in place to diminish the risk. In our experience it is the organisations with huge numbers of Windows boxes and just a few Macs that suffer the biggest problems in this respect. If I wanted to target such an organisation the least supported/most neglected desktop OS would be my favoured vector.

You could argue that any non-Windows system which isn’t being actively managed is a risk, but Macs are more likely to be implemented just under the radar, and in departments that don’t have an acute sense of security.