Macs and malware, part 2: Are Macs more secure?

Are Macs more secure? If that’s not the very definition of a clickbait headline, I don’t know what is.
Spoiler warning: While I have opinions, I’m not a security expert with multiple certifications or years of experience in the field. So, I won’t take sides as to which operating system is the most secure.
The first follow-up question you should ask, dear reader, is, “More secure than what?” Certainly, modern macOS is more secure than previous generations of OS X. You would have to roll back the clock to a time before Macs could connect to the internet to find one more resistant to remote exploits. Data loss was a concern, though, since those early compact Macs had integrated handles. If your physical security wasn’t sufficient, all your work could literally walk out the door. That is, if you had one of the fancy Macs with a hard drive. Otherwise, all of your documents were safely tucked away on floppies.
But I digress. My point in writing this post is not to indulge my nostalgia for computing in that simpler era. At least not my only point.
Security Lasagna
The best approach to security, regardless of the platform you’re securing, is layered security. As you can see, the N‑able example security model consists of many layers, like an onion. And, like an onion, when someone cuts through those layers, it will bring tears to your eyes.
Most of the tools I wrote about in part 1 of this series exist at the center of the model: the device and applications layers. Which makes sense, as those protections are built into Apple’s hardware and operating systems. It’s those outer layers, beyond the individual user’s control, where most vulnerabilities reside.
You will likely be familiar with the common types of threats that affect computers today: adware, ransomware, spyware, and bots. The significant distinctions between them can be derived from the attacker’s preferred method of making an illicit profit. With ransomware, you pay them directly. They could instead slurp up and sell your information or sell access to your computer to other attackers to use in their attacks. Regardless of the “business model”, all malware has one thing in common: the attacker needs to get your computer to run their software.
To be fair, Macs are at a slight advantage in this respect: a malicious application written for Windows just won’t run on a Mac. And with a market share of about 10% (depending on whose numbers you go by), it’s even difficult to get some legitimate software vendors to provide Mac versions of their apps. As a smaller potential target, there’s less incentive to write Mac-specific malware.
But—like I keep telling people—Mac malware exists, so it’s part of the Mac admin’s job to be ever vigilant.
As an MSP or IT pro, securing your customers’ data from threats at each layer boils down to three essential functions. First, prevent an attacker or their software from gaining access. Second, alert the admin and user if their device does get breached. And finally, remove any traces from the affected machines, or at least quarantine the infection so it doesn’t spread. Or, “Protect. Detect. Disinfect.”
I’ll start with “protect”.
What’s our vector, Victor?
One of the scarier terms in the modern IT vocabulary is “attack vector”. In this case, scary is good, because the visceral fight-or-flight response it evokes reminds you that you’re a target, or at least your data is. An attack vector is the path (vector) that an attacker uses to get to you. Any gaps in your security onion are potential vectors for malware to ooze in.
The simplest method of delivery, and therefore the most common, is email. Mac or Windows user, everyone gets email. Everyone gets spam (even John Dvorak). Everyone gets scams, phishing links, and infected attachments. Aside from the aforementioned Windows executables that won’t run, Macs have no inherent advantage here. Even an all-Mac business needs to invest in good email filtering.
More sophisticated, and more difficult for the average user to detect than phishing (e.g. an email with grammatical and spelling errors and a suspicious attachment), are so-called “drive-by” attacks. You follow a dodgy link, or just visit one of your bookmarked websites, and an ad or script embedded on the site squeezes through a vulnerability in your web browser to infect your machine. Often, the target is the browser itself, which then opens the doors to further unwanted guests. All the major web browsers, and quite a few minor ones, have Mac versions. Most, if not all, of them have been vulnerable to published exploits in the past. This is where a DNS filter is particularly useful, as it will prevent the devices on your network (Mac, PC, or mobile) from connecting to the sites that host the source of the infection in the first place.
It’s 2022 (right?), and RDP is still a popular and viable attack vector for Windows PCs connected to the internet. Remote Desktop Protocol, advertising a machine’s availability on the common port 3389, is such low-hanging fruit for the bad guys that there are search engines (that I will not link to) dedicated to RDP-enabled endpoints. Seriously, turn that off. RDP is generally a non-starter on Macs, but there are other convenient ways to offer up remote control of your Mac. With employees and clients all over the map, you can’t simply block remote access outright, unfortunately. But it can be locked down by tweaking firewall rules to limit connections to trusted networks and turning all the security features of your remote app to 11.
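One concrete way to apply the “limit connections to trusted networks” advice on a Mac is through pf, the packet filter built into macOS. The ruleset below is an added example written for this post, not N‑able’s own configuration or Apple’s default pf.conf. The network ranges in the table are constructed placeholders; substitute your own management subnets. It restricts Remote Login (SSH, port 22) and Screen Sharing (VNC, port 5900), the two services that most often stand in for RDP on a Mac, so that only the listed networks can open a connection.

```pf
# Added example ruleset for macOS pf (not from the original post).
# Trusted management networks: CONSTRUCTED placeholder ranges, replace with your own.
table <trusted_mgmt> const { 10.20.0.0/16, 192.168.50.0/24 }

# Default stance for the remote-control ports: drop and log unsolicited inbound
# connection attempts to Remote Login (22) and Screen Sharing (5900).
block in log proto tcp from any to any port { 22, 5900 }

# Allow new TCP connections to those ports only from the trusted table.
# In pf the last matching rule wins, so this pass overrides the block above
# for trusted sources only; everything else still hits the block rule.
pass in proto tcp from <trusted_mgmt> to any port { 22, 5900 } flags S/SA keep state
```

To try it, save the rules to a file and load them with `sudo pfctl -f <file>`, then enable the filter with `sudo pfctl -e`; `sudo pfctl -sr` shows the active rules and `sudo pfctl -t trusted_mgmt -T show` lists the table contents. Blocked attempts are logged on the `pflog0` interface, which gives you a “detect” signal for the same ports you just protected. Because Apple’s stock pf.conf includes its own anchors, production deployments normally add rules in a separate anchor file rather than replacing the system file outright.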
Last, and most dangerous of all the attack vectors, is social engineering. No amount of technology can fix people. The best you can do is make it harder for your users to do naïve things like allowing a stranger on the phone to walk them through downloading and installing remote desktop software to fix “Windows error messages”. Personally, I enjoy wasting the time of these scammers when I can, and I have yet to find one that wasn’t stymied by the fact I was using a Mac.
Protect. Detect. Disinfect.
Once something has made its way past your defenses, all is not lost as long as you can catch malware before it can do any damage. A signature-based antivirus or, better yet, a behavior-based EDR, can quarantine and remove the nasty buggers. Just be sure to keep it updated.
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.