Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/1/2020
09:45 AM
50%
50%

Rise in Remote MacOS Workers Driving Cybersecurity 'Rethink'

With twice as much malware now targeting Macs, IT pros need to scramble to adapt to a large, and likely permanent, work-from-home population, experts say.

With millions of people working from home due to the pandemic, the incidence of adware and potentially unwanted programs (PUPs) is rising much faster on Macs, and Mac-based companies are encountering similar cybersecurity issues to their Windows-based counterparts, according to IT and security experts presenting at the annual Jamf Nation Users Conference (JNUC) this week.

Historically, Mac users and their companies haven't had to worry nearly as much about malware as Windows users, but working from home has highlighted issues in managing remote Mac users. Many IT and security teams, however, haven't had to deal with the issues of managing technology for a zero-touch workforce, said Ed Joras, business development specialist at CDW, an IT solutions firm,during the virtual conference.

Related Content:

The Annoying MacOS Threat That Won't Go Away

The Threat from the Internet—and What Your Organization Can Do About It

New on The Edge: What Legal Language Should I Look Out for When Selecting Cyber Insurance?

"The landscape has changed, and that will require a complete rethink of cybersecurity," he says. "We took all those people who work from the office and now they are at home, and they all became targets the minute that that happened." 

In a presentation on managing remote workers securely, Joras estimated that 25% to 35% of office workers will work from home for the foreseeable future. Rather than expending resources on creating cubicle farms, companies will focus on finding better ways to provision those workers, he said, noting that executives are increasingly describing the situation as "show up when you want to" (SUWYWT).

In terms of cybersecurity, that means focusing on Mac users as much as the devices, Joras said.

"When this settles out, a large group of users are not coming back to the office ever," he says. "What we have to think in terms of is hardened users and hardened user practices because they will always be the weak link in the security chain. We need to find a new balance."

With a remote workforce, security can be more challenging for Mac-reliant companies, especially because the platform is becoming a greater target of attackers, according to a presentation on Mac threats at the virtual conference. 

While detections of Mac-targeting adware, malware, and unwanted programs is only 14% of the total suspicious and malicious programs detected by security firm Malwarebytes, the average Mac encounters twice as much malware as the average Windows computer, said Thomas Reed, director of Mac and mobile security at Malwarebytes.

"Mac malware is on the rise. This is in part due to the rising marketshare of the Mac," he said. "It is also likely to be caused by who uses Macs. There are a lot of dirt cheap Windows machines ... but if you are buying a $2,000, $3,000 Mac, are they a good target? Most likely, yes."

Yet the two platforms see different threats. The vast majority of suspicious and malicious programs detected on Macs are adware and potentially unwanted program (PUPs), with malware accounting for only 0.3% of the detections

"Even though adware is something that a lot of people think is a nuisance, it is something that you don't want on your computer," Reed says. "There is a lot of potential for data exfiltration."

Yet Apple is making significant strides in locking down Macs against unwanted software and giving companies a reliable process for securely setting up systems for remote workers. Healthcare records management company Redox, for example, has a complete process for providing users with a new system straight from the factory while provisioning the system with access and security — a zero-touch process, said Kevin Friel, an IT engineer with Redox, in a presentation on provisioning remote users.

"The end result is a fairly efficient and secure process that allows our IT to reach into that Mac virtually and set it up," he says. "And to the end user, it just works."

For the most part, Apple has hardened the Mac system quite well. The increased requirements for signed code means most malware authors have instead decided not to sign their code and rely on convincing users to click through the warnings necessarily to allow an unsigned program to run.

"Signed malware has made it through before, but it certainly has gotten more difficult with Apple's notarization requirements," said Jaron Bradley, team lead for MacOS detections at Jamf, a device management firm focused on Mac and iOS. "Nowadays it is getting so hard to run applications if the application is not signed, [and] we are getting a lot of unsigned malware."

Yet more work remains to better allow the platform to be remotely managed and secured. For example, using telemetry from security or IT incidents to search for other users with the same problem or likely to encounter the same problem will be necessary, Friel said.

"We envision a time, when after assisting one user, we could scan the logs and find other Macs that are either having a similar issue or maybe moving in that direction," he said.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
inforobob
50%
50%
inforobob,
User Rank: Apprentice
10/2/2020 | 11:13:28 AM
Vested Interest
Using a antivirus vendor as a source is not a good idea.  They have a vested interest in making people think Mac's need an antivirus and that the attacks are rampant. 

I have clients with Macs and I have seen only a slight increase in attacks over the last few years.

Robert

IT Consultant
More SolarWinds Attack Details Emerge
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/12/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22850
PUBLISHED: 2021-01-19
HGiga EIP product lacks ineffective access control in certain pages that allow attackers to access database or perform privileged functions.
CVE-2021-22851
PUBLISHED: 2021-01-19
HGiga EIP product contains SQL Injection vulnerability. Attackers can inject SQL commands into specific URL parameter (document management page) to obtain database schema and data.
CVE-2021-22852
PUBLISHED: 2021-01-19
HGiga EIP product contains SQL Injection vulnerability. Attackers can inject SQL commands into specific URL parameter (online registration) to obtain database schema and data.
CVE-2021-3178
PUBLISHED: 2021-01-19
** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to preven...
CVE-2021-3177
PUBLISHED: 2021-01-19
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf i...