With CYDEF’s recent coverage expansion to the macOS platform, we need to address the value of cyber security protection for Macs.
After all, aren’t Macs completely impervious to security threats?
The answer, of course, is no.
So why is the question “Do I need Malware Protection for Mac?” so popular?
This post will start by covering the security advantages of the macOS platform. Then, we’ll run through a few types of security threats and see if they affect Macs. Finally, we’ll circle back on the value of cyber security monitoring for Macs.
Benefits of the Mac Platform
The Mac platform does have cyber security benefits over the Windows platform. However, Macs are not as robust as one would like.
The primary benefits are:
- App Store walled garden
- People think Macs have nothing worth stealing
The Walled Garden Approach
The walled garden approach of the App Store is actually a very powerful tool to protect against malware. Apple spends a lot of time and money to review every single app that is loaded on the App Store to make sure it follows the strict terms of service.
In general, most egregious malware is caught before anyone can ever install it. This process makes the prevalence of malicious applications drastically lower than what we see in the “everything goes” world of Windows applications.
However, Apple’s protection applies only if users stay within the walled garden. Thus, one must trust that all users stay limited to only approved apps from the App Store and do not engage in content or software piracy.
People Think Macs Have Nothing Worth Stealing
The second benefit is purely a cost-benefit calculation on the part of the attackers.
macOS still has a small market share on desktops (around 17%) and is eclipsed by Windows. Windows malware will net the attacker 4 to 5 times more potential victims than Mac malware. Specifically, if the attacker is after commodity resources such as bandwidth to send spam or assets to hold for ransom, they would definitely attack Windows desktops over Macs.
However, today, valuable data is typically hosted on cloud services or internal Windows or Linux servers. Therefore, Macs offer an additional attack surface for malicious actors to try and gain access to these extremely valuable data warehouses.
Moreover, modern Mac users are no longer the stereotypical artist with little to no net worth. Macs have been widely adopted as the platform of choice for software developers and corporate executives. As such, there is now a significant overlap between Mac users and cryptocurrency aficionados. The current value of the data and access tokens stored on Macs is of huge interest to professional criminals.
Mac Security Threats
Despite these security advantages, the following types of security threats are found on Macs.
Malicious and Unwanted Software
Even if there is less malware on Macs, there still is some. In particular, there is malware that targets people with at-risk behaviour (e.g., people who download pirated software) or people who have things worth stealing (e.g., cryptocurrency holders or developers).
Are there PUPs on Mac? Yup.
Mac ransomware? Also yes.
Espionage trojans? Naturally.
Full malware agents developed specifically for Mac platforms? Sure.
Fileless/living-off-the-land attacks? Absolutely.
In purely technical terms, you have the full range of malware represented.
So, the malware risk is still present for Mac.
You don’t even need to load malware on a machine to create security impacts, especially if you already have access. As discussed in CYDEF’s post on insider threat, insiders leveraging privileged access for personal benefits is an important threat vector. This is true regardless of platform.
However, it is important to remember many enterprise Mac deployments are not centrally managed by IT, but rather left to the users to self-manage. This means that many Mac users actually have access to administrator privileges on their machines.
This type of arrangement is much less prevalent in the Windows world, where most machines are locked down by IT (to prevent users from installing new software, for example) because IT doesn’t want to deal with the resulting problems. That also means that the power available to malicious insiders is on average greater in Mac environments.
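A check a defender can run for the two points above (whether the walled garden is still enforced, and which self-managed accounts hold local admin rights), as an added example that is not CYDEF’s code; it assumes the macOS tools `spctl` and `dscl`, and on other systems runs the same parsing against constructed sample output.

```shell
#!/bin/sh
# Added example, not CYDEF's code: a local posture check for two points made
# in the post, whether Gatekeeper still enforces the walled garden and which
# local accounts hold admin rights. Assumes `spctl` and `dscl` exist when run
# on a Mac; elsewhere it falls back to constructed sample output.

# Print every member of the admin group except the built-in root account and
# Apple's underscore-prefixed service accounts.
# $1: the text printed by `dscl . -read /Groups/admin GroupMembership`
nondefault_admins() {
  printf '%s\n' "$1" \
    | sed -n 's/^GroupMembership: *//p' \
    | tr ' ' '\n' \
    | grep -v -e '^root$' -e '^_' -e '^$' || true
}

# Succeed (exit 0) only if `spctl --status` reported assessments enabled,
# i.e. Gatekeeper still blocks software that is unsigned or not notarized.
# $1: the text printed by `spctl --status`
gatekeeper_enabled() {
  printf '%s\n' "$1" | grep -q 'assessments enabled'
}

if command -v dscl >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1; then
  MEMBERS=$(dscl . -read /Groups/admin GroupMembership)
  STATUS=$(spctl --status 2>&1)
else
  MEMBERS='GroupMembership: root alice bob'   # constructed sample
  STATUS='assessments disabled'               # constructed sample
fi

if gatekeeper_enabled "$STATUS"; then
  echo "Gatekeeper: enabled"
else
  echo "Gatekeeper: DISABLED - users can run software from outside the walled garden"
fi

ADMINS=$(nondefault_admins "$MEMBERS")
if [ -n "$ADMINS" ]; then
  echo "Local admin accounts beyond root (review whether each one needs it):"
  echo "$ADMINS"
else
  echo "No local admin accounts beyond root"
fi
```

Run it on each Mac you manage (or push it through your MDM) to get a quick inventory of who holds admin rights and whether Gatekeeper has been switched off.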
Mac users are often still using cloud services, such as Microsoft 365, to do their daily work. This means that harvesting these credentials, notably via phishing, is still valuable for attackers. Since credential phishing is essentially cross-platform, relying on tricking the user rather than on platform-dependent attacks, Mac users are just as exposed to it.
As for spear-phishing, including booby-trapped Word documents, that also works on macOS.
Final Verdict: Malware Protection for Mac
The attack surface of Windows and Mac is very similar even if it is not literally the same. Mac computers have a lower risk of malware (on the condition that you only install approved applications), but a higher risk of insider threat. Phishing, which is one of the top threats that we detect in our client base, is just as dangerous.
Is Malware Protection for Mac Worth It?
The real answer is the same as with any questions in cyber security: it depends.
In terms of cyber security, all the use cases that exist for Windows systems exist for Mac as well. Whether they are worth it to you depends on your risk.
First, how confident are you that your users are well-behaved, will always install only approved applications and will never interact with phishing emails (the probability component of risk)?
Second, are your Mac users stewards of any valuable information assets, or of credentials that grant access to valuable information assets (the impact component of risk)?
Even if you believe your risk is low, Mac coverage might still be worth it to cover compliance or regulatory requirements. Almost all cyber security compliance frameworks have requirements for continuous cyber security monitoring.
When the only Mac users in the company were the graphic designers, it might have been possible to carve out an exception for them. However, as Mac users become more widespread, it becomes hard to argue that the machine the developer uses to access the transaction database remotely is out of scope for PCI-DSS, or that the executive laptop from which its owner can access a web app to approve invoices worth hundreds of thousands of dollars is out of scope for SOX compliance.
What Can My Organization Do?
If you evaluate that you need more coverage for risk emanating from your Mac endpoints, CYDEF now extends its managed detection and response coverage to the macOS platform. Contact us if you want more information or register for a free trial.