What are the actual security risks of OS X for businesses?

Macs are an increasing focus for cyber-criminals

Many people have, over the years, bought an Apple Mac believing not just that it is a thing of beauty, but also that it is much more secure than a Windows PC. But has the security of OS X been overplayed?

Take, for example, the recent FREAK vulnerability – it hit OS X just as badly as it hit Windows PCs, leading Apple to roll out a security update to machines running OS X (and iOS and Apple TV devices as well).

In IT security firm Secunia's Vulnerability Review 2015, Apple's Mac OS X placed 13th with 147 vulnerabilities, with Microsoft's Windows 8 in 20th place (on 105).

More and more organisations are deploying Macs and so OS X has increasingly come into the sights of criminals looking for a way into an enterprise's infrastructure. And that's why it's wise for businesses to consider and discuss the risks of Apple's operating system.

Attack surface

OS X has not represented a large enough 'attack surface' to warrant the attention of professional hackers, though this is changing, as we have seen over the last 18-24 months.

"There have been a number of high-profile examples including Flashback, Wirelurker, and more recently, Thunderstrike," says Jeff Erwin, chief executive of Intego. "Therefore businesses should consider not only protecting their OS X installations from malware, but also pay close attention to the other aspects of IT security."

He says that features such as Gatekeeper and OS X's stricter application controls are helpful, but they only protect against threats that affect a local machine.

Operating under the radar

"Any non-Windows system which isn't being actively managed is a risk, but Macs are more likely to be implemented just under the radar, and in departments that don't have an acute sense of security," says Ken Munro, senior partner at ethical hacking firm Pen Test Partners.

He says that part of the issue in managing Macs is one of a clash of cultures. "Macs occupy a strange position, technology-wise, between UNIX box and Windows box, and that makes them difficult to understand from the perspective of Windows or UNIX sysadmins."

Munro says there's a 'them and us' mentality, which sees many pro-PC IT teams view Macs with suspicion at best and downright disdain at worst. "But in reality, there are some parallels between Windows and Mac OS X in that attack vectors are roughly similar," he adds.

Browser-based attacks are the most common, but others include Flash, Adobe Reader, and Java, yet there are few Mac-friendly information security tools that work on OS X. Some Data Loss Prevention (DLP) software, for example, only covers USB device control, which is a tiny piece of what some companies use DLP for.

Munro says that despite the common ground, the Mac community still tends to operate in isolation.

"We've seen this manifested in very limited local lockdown of Macs, and excessive privileges being given to them. The problem tends to be compounded when there are just a handful of Macs being used in a broadly Windows environment – usually in marketing departments where they're used by design and dev creative types," says Munro.

In these scenarios there is often a separate sys admin for the OS X assets, who doesn't sit under the Head of IT, and who also has very little interest (or knowledge) in information security. Munro says that centrally managing OS X assets in this kind of set-up isn't easy.

"Even if the IT Sec team do manage to persuade the OS X sys admin to do the bare minimum and install antivirus on all Mac devices, it then isn't centrally managed, and alerts don't report back to a management console. There was no way to report on it, nor know if they were up to date," he adds.