There is nothing sadder than witnessing reality give millions of people a wake-up call, shattering their sense of invulnerability. Mac users got to experience a taste of what their PC counterparts have had to live with for years, with a little bit of malware called Mac Defender. Apple Mac users have enjoyed a bit of obscurity over the years, as most of the malware variants were targeted at the 98% market share juggernaut that was Microsoft. Back then, if you were going to write some nasty software, why would you write it for a little-used operating system? Fast forward to 2011 and Apple has dramatically changed its place on the firing line. With millions of iPods, iPhones, iPads, and the Mac OS all running versions of the same operating system, and a market capitalization larger than the GDP of most countries, hackers find this half-eaten piece of fruit irresistible.
This little scareware package, which is nothing new to PC users, has served to highlight what many security researchers have known for a long time. Yes, Virginia, the Mac is hackable. This is just the first time it's been done on a relatively large scale. The malware is not the scary part of this tragedy; it's the fact that people actually believed that no one could do this on the Mac. Did they buy into those Mac vs. PC commercials a bit too much? I hate using fear as a motivator. Fear doesn't permanently change behavior; it just causes knee-jerk reactions, and people revert to their risky behaviors as soon as enough time has passed without anything happening. If fear is bad, the opposite, blind confidence, is just as bad. Thinking it can't happen to you is setting yourself up for failure, 'cause there is this dude named Murphy, and he has this law that guarantees that it will.
Security is a balancing act, where we do the best we can to mitigate risk while trying to stay out of the way of productivity. Makes you feel like a circus performer at times, but that's the type of job we have. Vigilance is key here, as is making sure that we don't hold unfounded assumptions about the level of security we think we have achieved. Threats change, resulting in a shifting of the risk landscape. A vector of attack that has traditionally not been a concern may be the area that bites you in the end (pun intended).
The best way to ensure your security controls are sufficient for current threats is through a strong assessment program that measures risk as it pertains to people, process, and technology. These three areas mesh together, providing the engine that drives security. Don't just focus on the technology, because most security breaches have a root cause that points at a failure in people or process. It all comes down to making assumptions about risk that are not founded in reality. Test these assumptions on a regular basis by analyzing your security posture. It's the only way to be confident in your organization's ability to fend off the next attack. Without proper testing you might as well stick your head in the sand with the rest of the blissfully unaware.
Chris Jackson, CCIE (Security, Routing, Switching), CISA, CISSP, ITIL, SANS, Technical Solutions Architect in the Cisco Architectures and Verticals Partner Organization, has focused for the past six years on developing security practices with the Cisco partner community. During a 15-year career in internetworking, he has built secure networks that map to strong security policies for organizations, including UPS, GE, and Sprint. Chris is an active speaker on security for Cisco through TechwiseTV, conferences, and webcasts. He has authored a number of whitepapers and is responsible for numerous Cisco initiatives to help build stronger security partners. He holds dual CCIEs in security and routing and switching, CISA, CISSP, ITIL, seven SANS certifications, and a bachelor's degree in business administration.
Residing in Bradenton, Florida, Chris enjoys tinkering with his home automation system and playing with his ever-growing collection of electronic gadgets. His wife Barbara and three children Caleb, Sydney, and Savannah are the joy of his life and proof that not everything has to plug into a wall outlet to be fun.
Chris's latest book, Network Security Auditing, has been selected as the August, 2010, book giveaway on Cisco Subnet.