Ken Munro, partner at Pen Test Partners

Pay attention to the Macs in your office, especially if they are used by people unaware of the risks they present.

Have you got any Apple Macs on your network? Are you sure? Have you been to your marketing department to double check?

There is often limited understanding in corporate IT departments of security around Apple systems, leading to excessive privilege and very limited local lockdown. This lack of knowledge is usually worst where only a small number of Apple machines are used in a wider Windows environment, often in marketing departments where creative types need to use them for design work.

So what does that lack of lockdown mean? How about anti-virus and endpoint protection? Does your vendor actually produce a client for Apple machines? Is it actually installed, and how would you know if not? Is it up to date, and does it actually do anything more than just anti-virus?

Do you have any control over devices that can connect to these Macs? USB port control is common in a Windows environment to make data theft and introduction of malware harder. However, do you have any control over Apple desktops? Can you stop the users syncing corporate data to iCloud? Maybe you allow use of personal mobiles through mobile device management – so what's to stop the user backing up their device to the Mac desktop via iTunes? That's more corporate data on a potentially unsecured system.

How effective is the full disk encryption, particularly if it's a MacBook that leaves the office with the user? You might tolerate a Windows laptop being stolen, as you have confidence in your corporate encryption product preventing exposure of corporate data. What about a stolen MacBook, where you have no idea what OS X version it's running, as you have little control over the deployment of updates? Recent OS X and FileVault versions are much better, but older versions (pre-Lion 10.7.2) are more vulnerable to the Firewire/Thunderbolt DMA encryption bypass attack using tools such as Inception.

I'll bet that if you're not actively managing the security of the Mac, the user probably has root permissions. So they might have rights to turn off automatic updates, if they're even enabled in the first place. Group Policy does work reasonably well for Macs, but does take a bit of implementing.

What's more, creative types are often very active on social networks, so could have profiles from which useful information can be lifted. It wouldn't be a massive leap for a hacker to conclude that they use a Mac at work, then deliver an exploit to them.

Probably the biggest worry is that many Apple users have a perception that their systems are much more secure than Windows devices by default. There may be a little truth in that, but having a blasé attitude to security doesn't help anyone.

What should you do? It really depends how many Apple systems you have on your network. If it's only a few devices in one department (marketing, say) then I would audit the devices by hand. Check what OS version they are using, see how up to date the patches are, etc., and come up with a simple policy for use and maintenance.
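As an added illustration of that hand audit (this is example code, not from the original article or Pen Test Partners), a small shell script that checks the points raised above on a single Mac: OS version against the 10.7.2 FileVault cut-off, FileVault status, pending patches, automatic update checks and admin rights. The macOS commands it calls are real; the thresholds, output wording and the 1 = enabled reading of AutomaticCheckEnabled are assumptions.

```shell
# Added example, not from the original article: a minimal hand-audit script for
# a lone Mac covering OS version, FileVault, pending patches, automatic update
# checks and admin rights. The macOS commands are real; thresholds are assumed.

# Compare two dotted versions; returns 0 (true) if $1 is older than $2.
version_lt() {
    a="$1" b="$2" i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Rate Firewire/Thunderbolt DMA bypass exposure against the 10.7.2 cut-off.
dma_risk() {
    case "$1" in ''|*[!0-9.]*) echo "unknown"; return 0 ;; esac
    if version_lt "$1" "10.7.2"; then echo "HIGH"; else echo "lower"; fi
}

# Parse `fdesetup status` output ("FileVault is On." / "FileVault is Off.").
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo "on" ;;
        *"FileVault is Off"*) echo "off" ;;
        *)                    echo "unknown" ;;
    esac
}

# Live checks, meaningful only on a Mac; prints one line per finding.
audit_mac() {
    ver=$(sw_vers -productVersion 2>/dev/null || echo "unknown")
    echo "OS version: $ver (DMA bypass risk: $(dma_risk "$ver"))"
    echo "FileVault: $(filevault_state "$(fdesetup status 2>/dev/null)")"
    # softwareupdate -l lists each pending update on a line starting with '*'.
    pending=$(softwareupdate -l 2>/dev/null | grep -c '^[[:space:]]*\*' || true)
    echo "Pending updates: ${pending:-0}"
    auto=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null || echo "unset")
    echo "Automatic update check enabled: $auto (1 = yes)"
    if dseditgroup -o checkmember -m "$(whoami)" admin >/dev/null 2>&1; then
        echo "Logged-in user is an admin: yes"
    else
        echo "Logged-in user is an admin: no"
    fi
}

if [ "$(uname)" = "Darwin" ]; then audit_mac; fi
```

Run it as the normal user on each Mac you find and keep the output alongside the usage policy; a HIGH DMA rating or FileVault "off" on a laptop that leaves the office is the first thing to fix.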

Give the task to someone in your IT department who has an interest in Apple – maybe they use a Mac at home?

If you have rather more than a few Apple machines, then hopefully you have already got a policy and software in place to mitigate the risks. In my experience, it's organisations with a large Windows estate, but a tiny Apple estate, that have the biggest problem. If I were to target an attack, a desktop OS that is poorly supported by the business is likely to be easier to compromise.

However, one could argue that any non-Windows system that's not actively managed by policy presents a risk. What's unusual about Macs is that they are often implemented in departments that don't really understand security.