11/1/2016
02:30 PM
Sarah Edwards
Commentary

Why Enterprise Security Teams Must Grow Their Mac Skills

From coffee shops to corporate boardrooms, Apple devices are everywhere. So why are organizations so doggedly focused on Windows-only machines?

Times are changing. While Windows still reigns in the enterprise, Mac computers are making serious inroads. Once primarily used by graphic designers and marketing folks, today Macs are used by system analysts, programmers, IT departments, road warriors - even executives. Turning a blind eye to Macs will not make them go away. To keep corporate networks secure, security professionals must add the Mac OS to their knowledge base.

With its cult-like following and more and more people using iPhones and iPads in their personal lives, it’s no surprise employees want to use Apple devices in the work environment, too. From a user perspective, Macs are considered significantly easier to use than PCs, and a much more stable environment than Windows. (Who hasn’t gotten the "blue screen of death?") While we can’t say a Mac never crashes, in comparison to Windows, it is rare.

Mac is also very appealing - from a technical perspective - to IT professionals, software developers, and digital forensic analysts.  For example:

  • For IT professionals the Mac has built-in scripting abilities to automate routine tasks. There are also many security and IT admin tools available for the Mac, including some that have been ported over from *nix systems, a security and admin favorite. 
  • Developers can easily program the next great app on a Mac with minimal configuration and setup time. Many development tools are built right into the operating system or are a quick download away. In fact, more and more Windows software has been ported over to the Mac operating system for this very reason. Developers are not only developing for Windows but for Mac, iOS, and Android devices as well; they are finding more market share by appealing to multiple markets.
  • Forensic examiners have the ability to run some forensic tools natively on the Mac. They also have the option to run a variety of virtual machines, including Windows and Linux, to take advantage of other tools and capabilities.

It’s like having the best of all operating systems available at one time. The Mac OS has the Unix bones, command lines, and other utilities that are very useful for IT - with many of these capabilities built right into the operating system.

Mac OS Is No Longer Immune to Malware
While it is unrealistic to expect a Mac-only enterprise any time soon, Macs are clearly making significant inroads - enough so that security professionals no longer can afford to turn a blind eye to their use, or fail to support them. 

The truth is, Macs are at risk from the same types of threats as a Windows system, just at a smaller scale - for now. As with Windows users, there is the risk of Mac users clicking on links they shouldn't, or inserting a USB drive that was tampered with, unbeknownst to the user. Regardless of scale, one successful network intrusion can have a severe impact on a business. Therefore, security professionals must be able to recognize the symptoms of a compromised Mac just as they do for a Windows-based computer.

Securing Macs Versus Securing PCs
While the major processes are the same, the intricacies of each system are different. Yes, both Windows and Mac devices need antivirus, a firewall, and other security software. However, while the security configurations of Macs are more akin to those used on Unix-based systems, they still have specific Mac-only security settings. These features include Gatekeeper, System Integrity Protection (SIP), XProtect, Sandboxing, and File Quarantine. So while the concepts are the same, the backend is different.

Security professionals must learn the nuances of a Mac in order to be effective in securing them. Without this knowledge, it is impossible to know what vulnerabilities exist and how to fix them without breaking something else. For example, if you need to reconfigure the firewall or block certain ports, will those actions affect how the Mac works? They might. Enterprise security teams will need to understand the intricacies of the Mac in order to know what files need additional protection, and where user-based documents are located in order to keep them safe.
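As an added example, not from the article or from Apple's own tooling, here is a small POSIX shell audit of the Mac-only controls named above (Gatekeeper, SIP, the application firewall, File Quarantine). It assumes the macOS commands spctl, csrutil, defaults and xattr with their usual output formats; the classifier functions accept that output as a string, so the logic can be exercised with constructed sample output on any host.

```shell
#!/bin/sh
# Added example (not from the article): audit the Mac-specific controls the
# article names. Each *_enabled helper takes the raw output of the macOS
# command in its comment and returns 0 (on) or 1 (off), so it also runs on a
# non-Mac host when fed constructed sample output.

# `spctl --status` prints "assessments enabled" or "assessments disabled".
gatekeeper_enabled() {
    case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac
}

# `csrutil status` prints "System Integrity Protection status: enabled." (or disabled.).
sip_enabled() {
    case "$1" in *"status: enabled"*) return 0 ;; *) return 1 ;; esac
}

# `defaults read /Library/Preferences/com.apple.alf globalstate`:
# 0 = firewall off, 1 = on, 2 = block all incoming connections.
firewall_enabled() {
    [ "$1" = "1" ] || [ "$1" = "2" ]
}

# `xattr -p com.apple.quarantine FILE` prints "flags;hex-timestamp;agent;uuid"
# while a download is still quarantined and prints nothing once the attribute is gone.
quarantined() {
    case "$1" in *";"*";"*";"*) return 0 ;; *) return 1 ;; esac
}

# Given the three command outputs, report each weak setting on stderr and
# print the number of weak settings on stdout.
audit_from_outputs() {
    weak=0
    gatekeeper_enabled "$1" || { echo "WEAK: Gatekeeper assessments disabled" >&2; weak=$((weak + 1)); }
    sip_enabled "$2"        || { echo "WEAK: System Integrity Protection disabled" >&2; weak=$((weak + 1)); }
    firewall_enabled "$3"   || { echo "WEAK: application firewall off (globalstate=$3)" >&2; weak=$((weak + 1)); }
    echo "$weak"
}

# On a real Mac, feed live command output to the audit; elsewhere just say so.
audit_host() {
    command -v spctl >/dev/null 2>&1 || { echo "not macOS, skipping live audit"; return 0; }
    audit_from_outputs "$(spctl --status 2>&1)" "$(csrutil status 2>&1)" \
        "$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)"
}

audit_host
```

A non-zero count from audit_host is the signal to open the matching System Preferences pane or re-enable SIP from Recovery rather than to start changing settings blindly, which is the "will it break something" concern the article raises.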

How to Grow Mac Skills
Windows-specific security documents are plentiful. Best-practice documents and data sheets on how to secure Windows 7, Windows 8, and Windows 10 are seemingly everywhere. On the Mac side, however, there are significantly fewer of these guides, which leaves security professionals on their own to find information.

Participating in Mac-specific security courses is a great first step. Conducting research and sharing it through blogs or speaking at industry conferences will also be extremely important in helping security professionals grow Mac skills. The industry needs to hear about the successes and failures of security teams that are securing Mac systems, because Macs are not going away, and Mac OS X is going to become an increasingly popular attack vector. Like it or not, Mac will be a greater part of an enterprise security professional's life sooner than you think.


Sarah Edwards is an instructor with SANS and the author/instructor of SANS FOR518: Mac Forensic Analysis. A devoted user of Apple devices for many years, Sarah has worked specifically in Mac forensics since 2004, carving out a niche for herself when this area of forensics was ...
Comments
NachoV
User Rank: Apprentice
6/13/2017 | 6:12:07 AM
Re: amazing
Super, you have really nice thoughts on this topic. Keep it up! Thanks
Christian Bryant
User Rank: Ninja
6/12/2017 | 12:38:39 PM
Who Is the Audience Here?
The thing that has always kept me in the security wheelhouse is the amazing range of opportunities.  One reason there are so many opportunities is the great disparity between actual need and "professional"/"Enterprise" offerings.  Much like those who came up in the GNU/Linux world (my involvement with Red Hat implementations in the 90s is how I got into software), security techs are probably just as frustrated as we Linux geeks were with the commercial side of their industry.  That is, on one hand you have the InfoSec underground, lock pickers and code crackers who work regularly on systems of all breeds (from VMS to GNU/Linux to Windows), and you have the "professionals" who often focus on Windows environments.  But whose fault is that?

This article is a call to the "Industry" more than anything.  While Enterprise environments in many sectors may have heavy Windows leanings from infrastructure to end user devices, I don't think the bulk of "true" security professionals need to be told Mac or any other non-Windows device should be the next mastered.  Dedicated InfoSec pros are hacking every known OS under the sun, including embedded OS, router software, etc.  It's unusual to not know tech like OS X and only know Windows when you are passionate about security.  That said, the certificate mills and standard InfoSec security training grounds are not always as diverse, and to be fair many folks who may make good security engineers are only getting one side of the story when they get educated.  Some of this is due to massive software security companies that sell Windows-oriented Enterprise apps.

I think the main message should be not just to move into Mac and OS X mastery and documentation, but to understand InfoSec covers it all.  Windows, AIX, HP-UX, IRIX, GNU/Linux, Mac OS X, BSD, Solaris and OpenVMS at a minimum.  Add on top of that all the custom OS (many of them built on the Linux kernel anyway), such as Cisco IOS.  Let's encourage the exploration of many toolkits, in multiple languages, on multiple systems.  Empowering InfoSec pros in this way will give them a huge advantage against cyber criminals who already know this truth.  Heck, send them out of school not just with their certs but also with a good lock picking kit in their back pocket.  Teach them more and you will get more in return!

AnasE928
User Rank: Apprentice
6/9/2017 | 3:29:07 PM
mac is coming in the way
Mac is becoming the leading platform for development and design.
90% of web developers now use Mac devices.
marting123
User Rank: Apprentice
11/15/2016 | 6:09:25 PM
amazing
Thank you, I've been seeking info about this subject matter for ages and yours is the best I have discovered so far.
marting123
User Rank: Apprentice
11/15/2016 | 5:24:24 PM
Amazing
Amazing post, thanks a lot my friend, you've shared with me great information which I need, professional! For the enterprise security teams, sure they must grow their skills, thanks! Waiting for your update :)
ClaireEllison
User Rank: Apprentice
11/15/2016 | 4:15:37 PM
Re: amazing
Excellent article plus its information, and I positively bookmark this site. Hi Sarah, thanks for your great article! You shared with me the information which I had been looking for for a long time, amazing!
ClaireEllison
User Rank: Apprentice
11/10/2016 | 4:42:33 PM
amazing
Excellent article plus its information, and I positively bookmark this site. Hi Sarah, thanks for your great article! You shared with me the information which I had been looking for for a long time, amazing!
macooxii
User Rank: Apprentice
11/9/2016 | 2:09:17 AM
amazing
Hi Sarah, thanks for your great article! You shared with me the information which I had been looking for for a long time, amazing! You are an expert! I have bookmarked your great post and shared it on my social network, great! Waiting for your new article, thanks!
Benefiter
User Rank: Apprentice
11/3/2016 | 10:50:25 AM
Re: From here we got the tips!
Thank you, I've been seeking info about this subject matter for ages and yours is the best I have discovered so far.
AndreGironda1
User Rank: Strategist
11/2/2016 | 12:49:03 PM
Mac on the way out, but maybe not iDevice
Haven't you heard the good news? Mac computers are on their way out of the Enterprise. Everyone has shiny, new laptops with 32GB of DRAM or more, but Apple decided to ship the latest MacBook Pro with only 16GB of DRAM. No self-respecting app developer, system administrator, or DFIR professional can stand five minutes on a laptop with only 16GB of DRAM.

Tell me how I'm supposed to acquire memory from a machine with 16G or 32G of DRAM and spin up an equivalently-sized ramdisk on a laptop with only 16G of DRAM? It's NOT PHYSICALLY POSSIBLE. I have to defy physics -- and that's what Apple has done: defied their ability to sell laptops due to the laws of physics.
iDevices will still be around, of course. I do recommend that DFIR and other cyber security professionals up their game when breaking iOS and iOS apps. For example, the Daniel Mayer idbtool should be common knowledge to all experts. Repackaging apps is another huge win. Everyone should get a free version of the LE-version of Cellebrite -- apparently you can, too, now because these tools were leaked online by a reseller!
What a magical year for Apple. 2017 is going to be so much pwn