There is nothing sadder than witnessing reality give millions of people a wake-up call, shattering their sense of invulnerability. Mac users got to experience a taste of what their PC counterparts have had to live with for years, with a little bit of malware called Mac Defender. Apple Mac users have enjoyed a bit of obscurity over the years, as most of the malware variants were targeted at the 98% market share juggernaut that was Microsoft. Back then, if you were going to write some nasty software, why would you write it for a little-used operating system? Fast forward to 2011 and Apple has dramatically changed its place on the firing line. With millions of iPods, iPhones, iPads, and the Mac OS all running versions of the same operating system, and a market capitalization larger than the GDP of most countries, hackers find this half-eaten piece of fruit irresistible.
This little scareware package, which is nothing new to PC users, has served to highlight what many security researchers have known for a long time. Yes, Virginia, the Mac is hackable. This is just the first time it's been done on a relatively large scale. The malware is not the scary part of this tragedy; it's the fact that people actually believed that no one could do this on the Mac. Did they buy into those Mac vs. PC commercials a bit too much? I hate using fear as a motivator. Fear doesn't permanently change behavior; it just causes knee-jerk reactions that will result in people reverting to their risky behaviors as soon as enough time has passed without anything happening. If fear is bad, the opposite, blind confidence, is just as bad. Thinking it can't happen to you is setting yourself up for failure, 'cause there is this dude named Murphy, and he has this law that guarantees that it will.
Security is a balancing act, where we do the best we can to mitigate risk while trying to stay out of the way of productivity. Makes you feel like a circus performer at times, but that's the type of job we have. Vigilance is key here, and making sure that we don't have unfounded assumptions about the level of security we think we have achieved. Threats change, resulting in a shifting of the risk landscape. A vector of attack that has traditionally not been a concern may be the area that bites you in the end (pun intended).
The best way to ensure your security controls are sufficient for current threats is through a strong assessment program that measures risk as it pertains to people, process, and technology. These three areas mesh together, providing the engine that drives security. Don't just focus on the technology, because most security breaches have a root cause that points at a failure in people or process. It all comes down to making assumptions about risk that are not founded in reality. Test these assumptions on a regular basis by analyzing your security posture. It's the only way to be confident in your organization's ability to fend off the next attack. Without proper testing, you might as well stick your head in the sand with the rest of the blissfully unaware.