The specter of advanced persistent threats (APTs) hangs over a growing number of conversations these days about enterprise security, and has prompted businesses to take a closer look at how they can make their environments less vulnerable.
For some, this has reignited discussions about how the security of Apple’s Mac OS X stacks up against Microsoft Windows. Mac computers have, after all, traditionally been relatively free of malware when compared to Windows-based PCs. But a presentation today at the Black Hat security conference in Las Vegas made it clear the answer to the question is not clear cut.
Network privilege escalation is at the heart of APT, Stamos said, particularly because any organization with thousands of people has at least one employee “dumb enough” to be duped into running malware. As recent the breach at EMC’s RSA security division showed, all it takes is a piece of malicious software and the right amount of social engineering to successfully execute an attack.
The step – where attackers on the network seek to obtain higher privileges – is the step that “you can monitor; the step you can harden,” Stamos said. “But unfortunately on Mac, it’s also the step that’s pretty much trivial for attackers.”
Apple did not respond to a request for comment about the presentation. However, Stamos and fellow iSEC presenters Paul Youn and William “B.J.” Orvis pointed out that Apple has made some efforts to bolster protections for its operating system in recent years. Among them, the introduction of data execution prevention (DEP) in 2006 as well as the improved implementation of address space layout randomization (ASLR) in Mac OS X 10.7. When it comes to these features, as well as technologies meant to prevent local privilege escalation, Mac OS X 10.7 is on par with Windows 7 in the fight against APTs, Stamos contended.
Some of the challenges facing Mac users however may be less technical and more psychological. For example, Apple users have been conditioned to think of themselves as safe, and are therefore less likely to run antivirus and more likely to run applications that are unsigned, argued Youn, senior security consultant with iSEC.
In addition, attackers in an APT scenario are “looking for a user who doesn’t have the strongest appreciation for security,” Youn said.
The trio’s presentations comes on the heels of a new report from RSA, contending APTs are now targeting a broad range of private sector organizations to steal intellectual property and other proprietary data.
“Cyber criminals have aggressively shifted their targets and tactics,” said Art Coviello, executive chairman of RSA, in a statement announcing the release of the report earlier this week. “In the never-ending war for control of the network, the battle must be fought on many different fronts. All organizations are part of the greater ecosystem of information exchange and it is everyone’s responsibility to build and protect that exchange.”