Implementing a comprehensive Mac anti-malware solution
If Gatekeeper, LSQuarantine and XProtect offer only a partial solution, what does a complete Mac anti-malware solution look like? It will have these components:
- User education. Work with Mac users to help them understand that significant threats to Macs do exist. More will arrive as Macs become increasingly popular in business, and social engineering attacks are as likely to victimize Mac users as Windows users.
- Layered protection. Constantly updated Mac endpoint protection is now essential, but so is protection for servers, mail and web gateways, and network infrastructure. Note that server applications such as WordPress and Drupal have been heavily exploited by malware capable of targeting Mac clients. Be aware that many lightweight virus scanners, especially those on integrated gateway and firewall devices, do not scan for Mac malware and exploits, leaving them essentially unprotected at this layer.
- Mac-specific expertise. Either hire Mac specialists or train existing staff on the platform's unique characteristics. For instance, heuristic firewall and router policies may need to reflect differences in Mac traffic associated with Safari web browser pre-caching or network discovery broadcasts generated by the Mac's Bonjour services. Knowledgeable file system configuration choices can harden dual-boot Mac/Windows systems against attack. Where Mac users rely on Mail.app or other UNIX-style back-end mail clients, careful decisions about mail storage can make it less likely that Windows users will inadvertently open infected .zip files. While the Mac's underpinning is based on BSD UNIX, its user interface is not. Therefore, generic UNIX knowledge is very helpful, but not necessarily sufficient.
- Strong IT processes and policies. Wherever possible, extend ITIL-type best practice policies to Macs as well as PCs. Provide for rapid and automated patching of Macs as well as Windows devices. And, of course, patch Java, Flash, and applications as well as OS X itself. If possible, control users' ability to install new software. Make sure your internal developers digitally sign their own OS X software. Finally, manage your logs. Macs log virtually everything in real time, making it possible to identify new security threats and halt them via firewall policy changes or by isolating portions of the network.
- Realism. Since Macs are often used by senior executives and creative teams who need maximum control over their computers, you may need to accept that some Macs will be untrusted. But untrusted should not mean unprotected. You should still offer users whatever protection is practical. And organizations can't forget legal requirements associated with security and breach notification. These requirements may be especially important to enforce where senior executives are involved. Many security experts argue that perimeters are becoming less defensible, and conclude that all systems should be treated as untrusted, not just Macs.
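The "sign your own software" and "manage your logs" points above can be turned into a release-gate check. The script below is an added example, not code from this paper or from any vendor: it verifies an app bundle's code signature, asks Gatekeeper whether it would allow execution, and decodes the LSQuarantine attribute so the log line records which agent downloaded the file. It assumes the macOS tools codesign, spctl and xattr; the sample quarantine string in the comment is constructed.

```shell
#!/bin/sh
# Added example: pre-release check for internally built OS X software.
# Assumes the macOS command-line tools codesign, spctl and xattr.

# Decode a com.apple.quarantine value of the form "flags;hextime;agent;uuid"
# (constructed sample: "0083;5f000000;Safari;UUID-PLACEHOLDER") into
# "agent=<name> downloaded=<unix-time> flags=<hex>". Returns 1 if malformed.
parse_quarantine() {
  q="$1"
  flags=$(printf '%s' "$q" | cut -s -d';' -f1)
  hextime=$(printf '%s' "$q" | cut -s -d';' -f2)
  agent=$(printf '%s' "$q" | cut -s -d';' -f3)
  [ -n "$flags" ] && [ -n "$hextime" ] && [ -n "$agent" ] || return 1
  case "$hextime" in *[!0-9a-fA-F]*) return 1 ;; esac
  secs=$(printf '%d' "0x$hextime")   # download time, seconds since epoch
  printf 'agent=%s downloaded=%s flags=%s\n' "$agent" "$secs" "$flags"
}

# Print a one-line verdict for an app bundle. Returns 0 only when the
# signature verifies and Gatekeeper would accept the bundle for execution.
check_bundle() {
  app="$1"
  if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
    echo "FAIL signature: $app"; return 1
  fi
  if ! spctl --assess --type execute "$app" 2>/dev/null; then
    echo "FAIL gatekeeper: $app"; return 1
  fi
  # Quarantine is informational here: it tells you where the build came from.
  q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null) || q=""
  if [ -n "$q" ]; then
    echo "PASS $app $(parse_quarantine "$q")"
  else
    echo "PASS $app (no quarantine attribute)"
  fi
}

# Usage: sh check_bundle.sh /path/to/App.app [/path/to/Other.app ...]
for a in "$@"; do check_bundle "$a"; done
```

Feed its output to the same log pipeline as your firewall and endpoint logs, so an unsigned build or a Gatekeeper rejection shows up alongside the other events the paper says Macs already record.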