About a month ago Apple released security updates for Mac operating systems, as well as a security update for the iPhone and iPad. For many observers, particularly the media, this was an extraordinary event, as there is a perception of invulnerability surrounding the Mac and other Apple products. Unfortunately, this is more myth than fact. The reality is that today there exists malware specifically designed to target and exploit weaknesses in Mac platforms. This can easily be explained by examining the market penetration of the various operating systems. Until recently the majority of businesses in America used Windows-based machines. There is an economic term that helps explain this phenomenon: homo economicus. Homo economicus, or economic human, is the concept that humans are rational and self-interested creatures who look to maximize utility as consumers and profit as producers. In other words, humans, in this case cybercriminals, desire to make the most impact at the lowest cost. Cybercriminals recognize that Windows dominates the personal and business computer market, so by targeting the Windows OS they will get the “biggest bang for their buck”.
Recent surveys of American businesses indicate that Macs are more popular than ever, so one can expect an increase in the volume of malware attacks specifically targeting Mac operating systems. Unfortunately, the cultural myth of the Mac's invulnerability to malware still exists, and it can lead to serious security concerns for organizations and users.
Symantec recently completed a study of Mac machines that were infected with malware and found that only 2.5 percent of threats found on Macs are Mac malware. The remaining malware was Windows malware. Mac users were being tricked into downloading malware; the good news is that 97.5 percent of the time the malware would not impact the Mac machine. The bad news is that if the Mac was connected to a shared drive, or transferred the malware to a USB drive that was then inserted into or shared with a Windows machine, then that Windows machine is a potential victim.
Clearly there are significantly fewer malware attacks directed at Macs than at Windows. For historical context, Elk Cloner, the first self-propagating piece of malware, was designed to attack the Apple II in 1982. The first piece of malware targeting the Mac, called nVIR, appeared in 1987. More an annoyance than destructive, both were designed to spread via contaminated floppy disks. Over time the Mac operating system was hardened and it became more difficult to introduce malware on the system. Malware writers began to rely on social engineering and Trojans to trick users into installing the malware. More recently, in 2012 one Mac threat (Flashback) infected approximately 600,000 machines, or about 1 out of every 100 Macs worldwide. It targeted a Java vulnerability to gain access to machines that visited an infected website. The bad news is that Mac users seem to be as susceptible to downloading malware as PC users. Perpetuating the myth that Macs are not as susceptible to malware as PCs seems to lead to behavior that is as risky, or perhaps riskier, for the Mac user.
Apple has recognized that there is an increased threat level directed at its OS and responded with XProtect for the Snow Leopard OS. XProtect proactively identifies malware during the download process and notifies the user, giving them the option of cancelling the download or moving it to the trash. It is a definition-based malware tool designed to work just like traditional antivirus software. Unfortunately, Apple is somewhat secretive about how it works. There is limited information on the Apple website about how it works, when it is being updated, or what it is being updated with.
More recently Apple released GateKeeper in the Mountain Lion OS. GateKeeper is a behavioral-based protection tool that asks the user various questions about their downloading behavior, such as where the user downloads from. Where the user indicates they download from dictates the security notifications they receive and the guidance GateKeeper provides.
Unfortunately these developments have not deterred malware writers from targeting Mac OS. The 2013 Internet Security Threat Report, Volume 18, found the following:
- 42% increase in targeted attacks in 2012.
- 31% of all targeted attacks aimed at businesses with less than 250 employees.
- One waterhole attack infected 500 organizations in a single day.
- 14 zero-day vulnerabilities.
- 32% of all mobile threats steal information.
- A single threat infected 600,000 Macs in 2012.
- Spam volume continued to decrease, with 69% of all email being spam.
- The number of phishing sites spoofing social networking sites increased 125%.
- Web-based attacks increased 30%.
- 5,291 new vulnerabilities discovered in 2012, 415 of them on mobile operating systems.
Assuming that Mac OS and iOS continue to gain market share in both personal and business use, we can expect continued interest on the part of malware writers and cybercriminals in targeting these operating systems. Organizations that are adopting the Mac OS will struggle to provide adequate security controls over the OS for two reasons: the misconceptions of the users, and the lack of developer information relating to the security controls of the OS.
In today’s cyber environment, organizations must make security decisions based on meaningful risk analysis and threat matrices. In order for Mac and iOS to be adopted by more organizations, there must be an increase in transparency about what Apple is doing to protect its various operating systems from these threats. I would expect that organizations would demand more information from Apple on how it is protecting against malware and targeted threats directed at the Mac and iOS operating systems, as a means to protect their networks, before we see widespread integration into the business environment.