Peeling Apples – Reconsidering Mac Security

Nov 13, 2008
3 mins
Data and Information Security

I’ve spent almost 2 years bashing OS X security and more specifically Apple’s information security program.  Well, while fawning over a friend’s MacBook Air (MBA) yesterday I had an epiphany.  Have I been too hard on Apple?  Is the security inherent in OS X sufficient for Apple’s core audience?

Let me start by informing you that my aforementioned friend is known on the national and international stage as an information security guru.  Heck, he’s even graced the cover of this very publication (the “Time – Man of the Year” for information security if you will).  My friend’s glorious new MBA was being hobbled by so many security utilities that I wouldn’t have wanted to use the darn thing.  Granted, all of these tools weren’t Mac specific, but were instead “features” of the infrastructure in use at the organization.  After finding the right wireless network, the browser-based network authentication didn’t work easily or quickly.  Then toss into the fray the VPN software with multiple authentication requirements, and finally the anti-virus software just to add a final layer of confusion.  Somewhere in this chaos an Apple update had gotten stuck during installation, causing the machine to stall indefinitely.  …and the chaos continues…

On my drive home I thought about my own experiences with Apple gear in various incarnations.  During all the time that I’ve used Macs, I’ve only had one update break during installation.  I’ve run anti-virus for all of probably 2 days during that time and have had ZERO problems.  Let me be clear, my naked Macs have traveled internationally and have attached to countless public hot spots in the U.S.  I run a firewall and other than that rely on only the inherent hardening of the Apple OS.  This brings me to my point. 

Are the security needs for Apple gear the same as those for Windows gear?  On a base level, I’ll still say yes.  There are general do’s and don’ts that apply to all types of hardware and software.  Conversely, I am guessing that none of you would run a Windows laptop without first adding a firewall and anti-virus software at a minimum.  For a Mac, this isn’t all that unusual.  In fact, at one point it was standard practice to remove or disable anti-virus so that certain programs would run properly.  Have we yet seen a sweeping Mac virus?  No.  Any truly significant exploit of the OS itself?  No.  Sure, there have been vulnerabilities in applications, but that applies on both sides of the Windows/Apple debate.  Ultimately, we should consider whether or not Apple’s base level security is appropriate for those in the creative arts, students, and researchers.  These groups represent the bulk of Apple’s audience.

There is undoubtedly a need in some organizations for the cacophony of security gadgetry mentioned above, but is that need representative of the needs of the core?  For these folks, the dependability and simplicity of the Apple OS is paramount to infinite layers of security.  So, I am not necessarily wrong in my prior estimations of Apple security, but I do need to take a broader view and include not only the corporate perspective, but also a view that is more representative of Apple’s target audience. 

Chad McDonald, CISSP, CISA, C|EH, PMP is a Senior Professional Services Consultant with Imperva. Chad has worked previously at National Student Clearinghouse, Centers for Disease Control and Prevention, Georgia Department of Audits and Accounts and is the former Chief Information Security Officer at Georgia College & State University. Chad has addressed numerous groups on topics such as business continuity planning, incident response, and information security awareness. Chad has spent the bulk of his career building, managing, and assessing information security for educational and research organizations. Chad has earned multiple professional security certifications. He is a member of the Information Systems Audit and Control Association as well as InfraGard, an FBI Task Force charged with protecting the nation's information infrastructure. Chad is active in the security community. He worked with law enforcement agencies to assist in the prosecution of the first computer crime on record in Georgia and continues to assist local and state authorities with computer-based investigations. Chad has investigated computer and computer-related crimes for local and state law enforcement agencies. Chad is an avid Mac user, since he was rescued from the dark side eight years ago. He currently conducts the vast majority of his work using a MacBook Pro and a MacBook. Chad looks forward to the day that he can stop referring to himself in the third person and actually pay someone to write his bio for him. The opinions and statements expressed here are those of Chad McDonald and in no way reflect opinions or statements of any employer or organization with which Chad is affiliated.