Nowadays, Macs cannot be treated as a niche platform in companies. We meet Macs in all sized companies — from startups to big companies with thousands of employees. It’s not a big surprise that this fact was also noticed by attackers. During the security assessment, SecuRing team observed that usually Mac environments are in most cases quite immature and stand out from widely adopted Windows environments. This article will give you 5 tips that radically improve security of your MacOS infrastructure.
Tip #1: Enroll your Macs into MDM
We observed situations when even in big companies Macs were unmanaged. Users could perform actions whatever they wanted. At the same time, these computers were connected to internal companies’ resources. Such a situation shouldn’t ever take place. Make sure you can control all Macs in your infrastructure, enforce security policies, install and update new software, detect potential threats and monitor suspicious actions.
Tip #2: Allowlist executables
Modern MacOS versions have a lot of security improvements. Mechanisms like Notarization, Malware Removal Tool, and GateKeeper help users stay not infected. However, those features are not bulletproof. We have seen notarized malware that successfully bypassed all those enhancements. Implementing an allowlist of applications that can be launched can dramatically reduce the attack surface. Even if users somehow download a notarized by Apple malware, they won’t be able to launch it.
Tip #3: Implement multi-factor authentication
What about phishing campaigns that do not require any software to be installed? Stealing your users’ password that will allow accessing your Jira doesn’t sound good either. Research shows that hardware tokens (U2F) let Google keep out their over 85,000 employees not phished since 2017 (research ended in 2018). Implementing U2F is really rewarding. Consider requiring the U2F also during the users log in to their macOS machines.
Tip #4: Enforce security policies
We are all used to security policies enforced on Windows machines (Group Policies). Why don’t implement such requirements on Macs? A feature that you are looking for is called Profiles. It can help you enforce secure passwords, a maximum idle time before locking the screen, disallowing turning off the disk encryption, properly setting up the firewall, and many other useful things.
Tip #5: Make sure your Macs are up-to-date
This idea looks the most obvious, albeit it’s not. It’s widely known that updating machines is important and protects users from getting infected by malware or attackers that use known vulnerabilities. SecuRing team observed in macOS environments that users procrastinate with updates containing even critical security fixes. A solution for that may be enforcing the minimum OS version. If users don’t update their machines, they won’t be able to access the company’s resources.
To sum up
Keep in mind that every operating system in your organization must be treated with the same degree of trust. Attacks on macOS environments are no longer a legend. These 5 quick tips I gave you are a good start to improve your macOS infrastructure security. If you are interested in a bespoke analysis — feel free to reach out to me.
