Why Enterprise Security Teams Must Grow Their Mac Skills

From coffee shops to corporate boardrooms, Apple devices are everywhere. So why are organizations so doggedly focused on Windows-only machines?

Sarah Edwards, SANS Instructor & Author

November 1, 2016

5 Min Read
Dark Reading logo in a gray background | Dark Reading

Times are changing. While Windows still reigns in the enterprise, Mac computers are making serious inroads. Once primarily used by graphic designers and marketing folks, today Macs are used by system analysts, programmers, IT departments, road warriors - even executives. Turning a blind eye to Macs will not make them go away. To keep corporate networks secure, security professionals must add the Mac OS to their knowledge database. 

With its cult-like following and more and more people using iPhones and iPads in their personal lives, it’s no surprise employees want to use Apple devices in the work environment, too. From a user perspective, Macs are considered significantly easier to use than PCs, and a much more stable environment than Windows. (Who hasn’t gotten the "blue screen of death?") While we can’t say a Mac never crashes, in comparison to Windows, it is rare.

Mac is also very appealing - from a technical perspective - to IT professionals, software developers, and digital forensic analysts.  For example:

  • For IT professionals the Mac has built-in scripting abilities to automate routine tasks. There are also many security and IT admin tools available for the Mac, including some that have been ported over from *nix systems, a security and admin favorite. 

  • Developers can easily program the next great app with a Mac with minimal configuration and setup time. Many development tools are built right in to the operating system or are a quick download away. In fact, more and more Windows software has been ported over to the Mac operating system for this very reason. Developers are not only developing for Windows but for Mac, iOS, and Android devices as well; they are finding more market share with appealing to multiple markets.

  • Forensic examiners have the ability to run some forensic tools natively on the Mac. They also have the option to run a variety of virtual machines, including Windows and Linux, to take advantage of other tools and capabilities.

It’s like having the best of all operating systems available at one time. The Mac OS has the Unix bones, command lines, and other utilities that are very useful for IT - with many of these capabilities built right into the operating system.

Mac OS Is No Longer Immune to Malware
While it is unrealistic to expect a Mac-only enterprise any time soon, Macs are clearly making significant inroads - enough so that security professionals no longer can afford to turn a blind eye to their use, or fail to support them. 

The truth is, Macs are at risk for the same type of threats as a Windows system, just at a smaller scale - for now. Similar to Windows users, there is the risk of Mac users clicking on links they shouldn’t, or inserting a USB that was tampered with, unbeknownst to the user. Regardless of the size, one successful network intrusion can have a severe impact on a business. Therefore, security professionals must be able to recognize the symptoms of a compromised Mac just as they do for a Windows-based computer.  

Securing Macs Versus Securing PCs
While the major processes are the same, the intricacies of each system are different. Yes, both Windows and Mac devices need antivirus, a firewall, and other security software. However, while the security configurations of Macs are more akin to those used on Unix-based systems, they still have specific Mac-only security settings. These features include Gatekeeper, System Integrity Protection (SIP), XProtect, Sandboxing, and File Quarantine. So while the concepts are the same, the backend is a different.

Security professionals must learn the nuances of a Mac in order to be effective in securing them. Without this knowledge, it is impossible to know what vulnerabilities exist and how to fix them without breaking something else. For example, if you need to reconfigure the firewall or block certain ports, will those actions affect how the Mac works? They might. Enterprise security teams will need to understand the intricacies of the Mac in order to know what files need additional protection, and where user-based documents are located in order to keep them safe.

How to Grow Mac Skills
Windows-specific security documents are plenty. Best practices documents and data sheets on how to secure Windows 7, Windows 8, and Windows 10 are seemingly everywhere. On the Mac side, however, there are significantly fewer of these guides, which leaves security professionals on their own to find information.

Participating in Mac-specific security courses is a great first step. Conducting research and sharing it through blogs or speaking at industry conferences will also be extremely important in helping security professionals grow Mac skills. The industry needs to hear about the success and failures of security teams that are securing Mac systems because Macs are not going away, and the Mac OS X is going to become an increasingly popular attack vector. Like it or not, Mac will be a greater part of an enterprise security professional’s life sooner than you think.

Related Content:

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

About the Author

Sarah Edwards

SANS Instructor & Author

Sarah Edwards is an instructor with SANS and the author/instructor of SANS FOR518: Mac Forensic Analysis. A devote user of Apple devices for many years, Sarah has worked specifically in Mac forensics since 2004, carving out a niche for herself when this area of forensics was still new.

Sarah has worked with federal law enforcement agencies on a variety of high-profile investigations in such areas as computer intrusions, criminal cases, counter-intelligence, counter-narcotics, and counter-terrorism. Her research and analytical interests include Mac forensics, mobile device forensics, digital profiling, and malware reverse engineering.
Interested in learning more about Mac forensic analysis?

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights