ADVERT

BeyondTrust
Heise The Register
Don’t forget Apple

The benefits of least privilege security for the Mac

After years of being dismissed as the eccentric choice of well-heeled tech insurgents, Apple Macs and iPhones are suddenly everywhere inside large businesses. Everyone from young workers on the switchboard and coders on the development team up to the CEO on the board has started using them.

It is a brand phenomenon that arguably kick-started the Bring Your Own Device (BYOD) movement, which has seen personal devices accepted as primary computers in many companies, a form of IT that not long ago would have seemed unthinkable.

In 2015, VMware estimated that more than two in three US enterprises now support Apple devices, reinforcing an earlier Forrester analysis which found that one in five professionals globally were using an Apple product at work.

Despite this new-found popularity, the security regime inside many organisations remains heavily focused on defending Windows. This is partly explained by the perception that Macs are not under threat to the same degree, a perception not helped by a chronic lack of sophisticated management tools for the platform.

For IT teams this is a challenge. Apple devices have accumulated a growing number of security vulnerabilities across a patchwork of OS versions that need constant monitoring, at a time when the evidence points to a surge in targeting by cybercriminals.

These have included generalised but still serious attacks such as the Flashback Trojan of 2012. Exploiting an unpatched Java flaw, it infected more than 600,000 Macs before it was widely noticed. Admins looking after Apple systems were rightly alarmed: Flashback checked the host for security and developer tools and would not install where it found them, so it spread precisely on the machines that had no defences and stayed hidden there.

Elsewhere there have been sporadic reports of highly targeted attacks on the platform, some attributed to politically motivated nation states. In 2013 the so-called Butterfly group was blamed for a drive-by (watering-hole) attack that targeted Mac-using enterprise employees with the aim of stealing sensitive corporate data.

The implication is clear: Macs have gone from being the computers of insurgent corporate creatives to an unintended back door into the heart of the network. Cybercriminals are on the chase, and the assumption that Apple is somehow different from Windows urgently needs to be re-examined. Beyond simply loading endpoint anti-malware software, new approaches have emerged to manage the Apple platform and Macs in particular. These can be divided into two types.

Infrastructure-based management

The first are add-ons for proprietary, centralised systems such as FireEye's threat-detection platform, designed to inspect traffic traversing the network infrastructure for specific types of threat. For organisations that have already invested in these platforms this approach makes sense, because it integrates Mac endpoint protection with the same security used to protect other platforms.

Least privilege

A second approach, mirroring its use in Windows security, is least privilege: the simple idea that a user should be set up to use a computer with the fewest privileges they need to do their job, and no more.

Apple OS X has many of the same privilege-containment problems as Windows, starting with the ease with which users elevate to administrator (and from there to root). Only with OS X 10.11 El Capitan did Apple add System Integrity Protection, which puts core system locations and processes beyond the reach of even the root account. On Windows elevation is mediated by User Account Control (UAC); on OS X the user is prompted for an administrator password, but the effect is the same. Users who have admin access become a security risk because they can do too much, while users without it become a bottleneck every time they have to ask for permission.

Simply limiting OS X users to standard accounts and leaving them there has big disadvantages. Standard users cannot add printers, change the time zone or run plug-in updaters, and in some cases cannot install useful additions from the App Store. The potential for productivity-sapping frustration is huge.

As with Windows, a better solution is a dedicated platform designed specifically to broker least privilege on OS X, such as BeyondTrust's PowerBroker Mac, which uses an agent-based design.

The core idea is to run all users as standard accounts and to elevate individual actions on their behalf, without ever granting them full admin-level access. A critical aspect is that the experience is seamless and automatic: users need not even be aware that specific actions are being elevated silently behind the scenes.

Rule libraries

To get enterprises up and running quickly, such platforms ship with ready-built rules for the common applications (from Apple, Adobe, Microsoft and others) that users are most likely to need elevated privileges to run or update. Custom rules can be written for additional applications, including software installers, a common user request.

Central management

From the admin point of view this should ideally be achieved in a way that integrates Mac rules into the larger policies that perform the same job for Windows and Linux users. Apple least privilege management is a distinct task, but it should not become an island of management complexity marooned from other platforms.

Users can usually request access to an unusual application by entering a justification into a dialogue box, which is recorded and sent to the admin. The elevation granted this way lasts for the application's session, but will normally have to be requested again the next time the application is run unless the admin writes a rule covering it. In future this might allow two-way interaction between user and admin.

Reporting and analytics

Rules and policies cannot be static and must change over time. For admins this means watching metrics that reveal trends: which users and applications are requesting privilege elevation, and what they are attempting to do with it. Admins should equally watch failed elevation events, which matter most where the agent has blocked a possibly malicious application.
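The rule library, justification dialogue and reporting described in the last few sections fit together as one small decision engine. The following is an added illustration of that workflow, written for this page; it is not PowerBroker code and does not model any vendor's rule format. Every path, user name and Team ID in it is constructed, and the PLATFORM sentinel for Apple-signed system binaries is an assumption of the example. The one security point it insists on is that a rule matches on the code signature's Team ID as well as the executable path, because a path is trivially spoofed and a signature is not.

```python
"""Toy least-privilege elevation broker for a Mac fleet (added example).
Standard users, per-application rules, optional justification, event log."""
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

# Assumed sentinel for Apple platform binaries, which are signed by Apple but
# carry no Developer Team ID. A real broker identifies them differently.
PLATFORM = "PLATFORM"


@dataclass(frozen=True)
class Rule:
    name: str
    path_glob: str        # executable path pattern (fnmatch; '*' also crosses '/')
    team_id: str          # Team ID the binary must be signed with; "*" = any signed team
    decision: str         # "allow", "justify" or "deny"


@dataclass(frozen=True)
class Request:
    user: str
    path: str                   # executable asking to elevate
    team_id: Optional[str]      # Team ID read from its code signature; None = unsigned
    justification: str = ""     # text typed into the request dialogue, if any


@dataclass(frozen=True)
class Event:
    user: str
    path: str
    outcome: str          # "allowed", "denied" or "justification_required"
    rule: str             # rule that decided it, "unsigned", or "default"


# Constructed rule library. First match wins, so deny rules go first and the
# broad "justify" rule at the end cannot shadow them. Team IDs are placeholders.
RULES: List[Rule] = [
    Rule("no-shells", "/bin/*sh", "*", "deny"),
    Rule("adobe-apps", "/Applications/Adobe*/*.app/Contents/MacOS/*", "ADOBE00001", "allow"),
    Rule("microsoft-autoupdate",
         "/Library/Application Support/Microsoft/MAU*/*.app/Contents/MacOS/*", "MSFT000001", "allow"),
    Rule("pkg-installer", "/usr/sbin/installer", PLATFORM, "justify"),
    Rule("signed-apps-with-reason", "/Applications/*.app/Contents/MacOS/*", "*", "justify"),
]


class Broker:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.events: List[Event] = []

    @staticmethod
    def _matches(rule: Rule, req: Request) -> bool:
        if not fnmatchcase(req.path, rule.path_glob):
            return False
        return rule.team_id == "*" or rule.team_id == req.team_id

    def evaluate(self, req: Request) -> Event:
        """Decide one elevation request and record it for reporting."""
        if req.team_id is None:
            # Unsigned code never elevates, whatever path it was launched from.
            return self._record(req, "denied", "unsigned")
        for rule in self.rules:
            if not self._matches(rule, req):
                continue
            if rule.decision == "allow":
                return self._record(req, "allowed", rule.name)
            if rule.decision == "deny":
                return self._record(req, "denied", rule.name)
            # "justify": elevate only if the user gave a reason, which is logged with the event
            if req.justification.strip():
                return self._record(req, "allowed", rule.name)
            return self._record(req, "justification_required", rule.name)
        return self._record(req, "denied", "default")   # nothing matched: default deny

    def _record(self, req: Request, outcome: str, rule: str) -> Event:
        ev = Event(req.user, req.path, outcome, rule)
        self.events.append(ev)
        return ev

    def report(self) -> Counter:
        """Counts per (user, outcome): the trend data admins review over time."""
        return Counter((e.user, e.outcome) for e in self.events)

    def blocked_paths(self) -> List[str]:
        """Executables that were denied: candidates for a new rule or an investigation."""
        return sorted({e.path for e in self.events if e.outcome == "denied"})


ADOBE = "/Applications/Adobe Photoshop CC 2015/Adobe Photoshop CC 2015.app/Contents/MacOS/Adobe Photoshop CC 2015"


def demo() -> Broker:
    """Constructed sample requests covering silent elevation, spoofing, blocks and justification."""
    b = Broker(RULES)
    b.evaluate(Request("alice", ADOBE, "ADOBE00001"))             # silent elevation via adobe-apps
    b.evaluate(Request("alice", ADOBE, None))                     # same path, unsigned: denied
    b.evaluate(Request("alice", ADOBE, "EVIL000001"))             # same path, wrong signer: no silent elevation
    b.evaluate(Request("bob", "/bin/zsh", PLATFORM))              # explicit block
    b.evaluate(Request("carol", "/Applications/Slack.app/Contents/MacOS/Slack", "SLACK00001"))
    b.evaluate(Request("carol", "/Applications/Slack.app/Contents/MacOS/Slack", "SLACK00001", "install update"))
    b.evaluate(Request("dave", "/usr/sbin/installer", PLATFORM, "install VPN client pkg"))
    return b


if __name__ == "__main__":
    broker = demo()
    for ev in broker.events:
        print(f"{ev.user:6} {ev.outcome:22} {ev.rule:24} {ev.path}")
    print(broker.report())
    print("blocked:", broker.blocked_paths())
```

On a real Mac the Team ID that feeds `Request.team_id` is the `TeamIdentifier=` line printed by `codesign -dv` against the executable, and the agent would read it itself rather than trust anything the requesting process says about itself. Note that the third request in `demo()` is the interesting one: the Adobe path alone does not earn silent elevation when the binary is signed by someone else, so the request falls through to the broad rule and is held for a justification, which leaves an audit trail for the admin to act on.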

Wrinkles?

BYOD presents a challenge to the least privilege approach, because the agent-based design assumes the system runs under the control of the IT department, which will not usually be the case with a personally owned Mac. For the time being the assumed model for privilege management is full control, and that still requires the Mac to be part of the business's IT estate.
