The fairy tale is over folks. The belief (and at times, the stated position) that Apple’s Macs were immune to attacks and therefore did not need anti-virus or other defenses has finally been shattered. Those of us in the security industry have been preaching this for years. The steady increase in the adoption of Apple computers and mobile devices within companies only meant that the attention and focus of attackers would follow. Unfortunately, it looks like it has taken a Tsunami of compromises of the Mac platform before people have decided to close the barn door (or even buy a barn door).
It is a sad but true fact that the tall poppy syndrome applies to computers as well as to people. People don’t attack computers for fun, they attack for profit. The floor mats for sale at Wal-Mart are for Fords, not Ferraris as there are undoubtedly more Fords on the road. This is the same with online attackers. They have gone for the type of computers their victims are most likely to be using. Mac has hit the tipping point whereby there are enough of them available for attackers to cost-justify the time it takes to develop exploits against them. The fact that Mac sales have been increasing while those of those PC manufactures have been steady at best only tells me this is the beginning of attacks against Mac devices. Consider this good news for Apple as it means they’ve done a good job at selling technology that’s being used within the enterprise. Now they simply have to change their thinking and acknowledge this means they are a big target. Three weeks is a long time to wait for a patch for a vulnerability that is known to be actively exploited in the wild.
What should we take away from this? With the steady increase of iPads and other tablets making their way into the work place we should see this as simply the first wave of many. This leads to a strong demand for businesses to allow the latest new device to be used in the enterprise – but there is a reason why they say early adopters are the bleeding edge. For those of us tasked with managing an acceptable level of risk to our environments we need to think long and hard about our adoption of new technology – time and time again we see that the demand for defensive technology is only created after the technology has been compromised. This is why here at Core we have been focused on predictive security intelligence, not reactive.