macOS Security Basics: The one about Macs (not) being the safest OS

Welcome back to another edition in the macOS Security Basics series!

In this blog, we cover yet another Mac misconception and one that to some degree still exists in the minds of some Apple users, going back as far as several decades. The misconception in question, you ask? That macOS is inherently the safest operating system.

Before we dive in, this misconception is a bit of a misnomer in the sense that while macOS has many built-in technologies to safeguard data and privacy – arguably more than most other OS’s – the key takeaway is that despite any native security tools present in modern operating systems, the modern threat landscape that exists today is so dynamic that many threats used by bad actors can bypass these protections directly.

If not, bad actors rely on combining multiple threats together, chaining them in a concerted effort to effectively abuse native security technologies to get around and even exploit the protections themselves to make them a part of the attack chain.

Security through obscurity

The title is not just a made-up grouping of words, but an actual saying in the infosec world. It refers to the misguided belief that something is secure simply by virtue of bad actors not being aware of it or as aware of it as a competitor’s product. Simply put: the belief hinges on a device, app or service being secure so long as threat actors don’t know about it – not relying on strong security principles to prevent compromise.

Since the early to mid-nineties, when Microsoft gathered up large swaths of market share with its Windows OS, macOS(then known as System OS and later Mac OS X) held a much smaller percentage of the market based on use. While Apple has always designed its products exceptionally well, the veil of “security through obscurity” helped catapult the belief that Macs were more secure than Windows – after all, it seemed like there was no end to the number of malware that impacted Windows users and admins with a regular cadence.

And while we’re not claiming Apple was the more or less secure product, we are stating that bad actors are known to target the largest and number of users possible to increase the number of potential victims. Still true to this day: they simply hedge their bets by attacking the dominant or growing market share, based on analysis of security threat trends.

After years of threats mostly not aimed at macOS, Apple users benefited from this false sense of perception, that Apple devices were inherently more secure…that is until the explosive growth of Apple products – in particular macOS – proved to malware authors and threat actors that Apple users are a large (and growing) target to focus on.

Some might argue the misconception that macOS was the safer OS served to hurt users in the long term, since this belief contributed to a false sense of security, causing users to feel that security bulletins and calls for best security practices didn’t apply to them as Mac users.

This mentality only serves to:

• Weaken hardware and software security compressively
• Leave macOS open to risk due to unpatched vulnerabilities
• Limit data and privacy safeguards – putting both further at risk
• Introduce threats to other devices/networks, leading to data breaches

Safety baked in

There’s no doubt that Apple works tirelessly to incorporate security and privacy protections into all of the products in their ecosystem. macOS is no different, having received the lion's share of security-focus tools that work to safeguard devices and users against threats that would otherwise compromise personal and company data.

Some of the technologies that are lovingly baked into macOS to protect security while preserving privacy are:

• XProtect: Antivirus software that detects known malware.
• Malware Removal Toolkit (MRT): Works in conjunction with XProtect to eliminate identified malware.
• Gatekeeper: Tool that checks for app legitimacy, allowing trusted software to run while blocking untrusted apps from executing.
• Firewall: Application-based tool that blocks incoming network connections from potentially unwanted locations.
• Transparency, Consent and Control (TCC): A system of controls that provides end-user visibility into which resources are used by apps and services and requires consent to authorize their use upon the first launch.
• Read-only System Volume: Dedicated, read-only system volume that prevents overwriting or critical OS files.
• FileVault: Full disk encryption scheme that protects data through powerful encryption linked only to authorized users of that device.

Combined with the security and privacy frameworks, alongside countless other native technologies, Apple has spared no expense when it comes to ensuring the security of macOS and user privacy.

But is it enough? That’s the real question. There are, after all, certain threats that may unfortunately still affect your Mac. Threats that, as a user, you may not be aware of or really concerned with, but that doesn’t make them any less dangerous.

Take for example data exfiltration. The topic of Data Loss Prevention (DLP), typically, doesn’t rank high among concerns for the average user. However, at the enterprise level, IT and Security professionals are often required to implement controls to ensure that data stored within your Mac or accessed through the corporate network remain on authorized devices – never to be copied to USB Flash Drives or elsewhere. Preventing the loss of sensitive data may not only be a concern for your organization but in regulated environments, may even be required by law to remain compliant with regulatory and/or industry practices.

Another example is filtering Internet access to prevent access to inappropriate, risky or even illegal content. Though perhaps not exactly a feature all personal users need, it is certainly one that may be required in certain industries, such as keeping K-12 education students safe from online-based threats. Another example where it is certainly beneficial (and perhaps also required) is enterprises with mobile device deployments, like laptops in regulated environments.

Filtering content also allows for IT and Security teams to block network-based threats, such as zero-day phishing threats, keeping end users safe and productive while mitigating risk from new and evolving network threats.

Threats squashed, or are they?

Common threats, like known malware or executing potentially unwanted programs (PuPs) are usually detected by the security tooling included by Apple within macOS. These threats range from low to high on the criticality scale – with many of them registering as really annoying for end-users to deal with on their own.

Out-of-the-box, Apple devices are inherently safe, doing an admirable job of keeping threats affecting hardware, software, users and data to a minimum.

But what about other threats? New and evolving threats? Those that are given rise by bad actors looking to cash in on the opportunity, such as organizations migrating to remote or hybrid work environments. This transformation has seen threats evolve as well, with threat actors upgrading their toolsets to account for devices that are:

• No longer protected by the appliances guarding network perimeter
• Leveraging new apps and services, such as collaboration tools to communicate
• Accessing cloud services to store critical/sensitive data instead of on-premises
• Connecting to different networks over multiple different connections

In each of the notable instances, built-in tools offer little to some protection against modern threats – but it is far from the comprehensive support required by Mac computers used as business tools to keep data and users safe in this ever-changing threat landscape.

Holistic security tools, building upon the solid foundation established by Apple, are the order of the day. By providing purpose-built protection against Apple-focused threats, users, administrators and organizations alike can ensure that their macOS fleet is safeguarded against:

• The full gamut of current and emerging threats
• with support for all the latest security and privacy
• features from the first day. Furthermore, real-time
• visibility into endpoint health, with constant monitoring,
• identification and remediation of risk, including app and
• patch management. Also, unparalleled threat intelligence
• provides insight with granular reporting functionality and integrates
• with your MDM solution to provide seamless streaming
• of data to create policy-driven enforcement profiles,
• ensuring devices remain compliant.