After years of attempting to generate love by claiming that a Mac “doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.” (apple.com 2012)”, Apple has introduced technology for at least 4 different approaches to strengthening OS X resistance to hostile malware.
These features include:
- OS X sandbox
Each of these features is an attempt to compensate for and overcome software architectures, designs, and implementations that are overly-permissive — resulting in software that too easily “trusts.” They represent the type of “bolt on security” that Financial Services enterprises are expected to implement throughout their secure software practices. “Secure-enough” software needs to be created or adapted with that goal in place throughout the entire SDLC and/or acquisition process and must not treat risk management as something that is applied to software only after it is finished.
There is a lot of evidence that these features are still far too little, too late. In a recent presentation at RSA, Patrick Wardle, Director of Research, Synack, described the current situation as “lots of Macs, feeble anti-malware protections, os x malware, and limited detection/prevention tools.” He then walked the audience methodically through exploits against each of the Apple OS X anti-malware protections, and then outlines a range of approaches to Mac malware persistance. Finally, he mentions a couple tools for detecting OS X malware: knockknock (ui) & blockblock.
Wardel’s presentation references OS X malware/exploit work by fG!. In one relatively recent talk at SyScan15, after 165 slides outlining OS X threat vectors and their exploit he concluded that “Apple product security strategy is reactive not proactive. If they have any strategy at all…”
These guys don’t represent an isolated fringe of the the professional risk management world. They are serious professionals, attempting to help others “get it.” Their work seems to be a shout for recognition that OS X malware-enabled exploits represent a foundational and (for most Financial Services enterprises) critically-important risk.
Why is this such a big deal? Remember, each of our organizations needs to be diligent and effective at resisting attack along all vectors, while attackers need only be successful against one of them. Attackers know that Macs are vulnerable via a number of vectors, that Mac security products are not great, and that Mac users are finding ways to “plug them into” corporate environments.
For many Financial Services enterprises, request by request, exception by exception, members of the workforce have been hosting an increasing range of business activities on Macs (on both unmanaged, and under-managed endpoints). They are granted remote access. They are plugged into our “trusted” internal networks. And they get the same “trusted” access as heavily-managed, standard Windows endpoints. Sometimes an organization has a fog of “managed” or “secured” and authorized Macs that mask this core risk management issue — which, for the most part, remains the same.
As a result, we need to help our leaders carefully think through:
- Whether this is risk-appropriate for any given Financial Services use case,
- What alternatives to current Mac-enabled practices exist, and should we migrate to them? Are isolation techniques “good-enough?”
- How we are going to protect our assets and operations from the threat vector Mac endpoints pose?
- How are we going to tell our Mac endpoints risk management story to all relevant stakeholders?
“Malware Persistence on OS X Yosemite” by Patrick Wardle (http://www.rsaconference.com/speakers/patrick-wardle).
Thursday, April 23, 2015
“BadXNU — A rotten apple!.” by fG!/@osxreverser (https://reverse.put.as/about/)