Tuesday, February 02, 2010

Security vs Safety

In quite a decent article on CNET News, Elinor Mills interviewed 32 experts in security and came up with the content for her article.  She also quotes ESET (the makers of NOD32), who released the results of a recent survey in which they found (not surprisingly) that Mac users were victims of cybercrime just as frequently as PC users, yet perceived themselves as less likely to be cybercrime victims.

I call this the "ostrich defence" (or, more correctly, the "Ravenous Bugblatter Beast of Traal Defence"), after the mistaken belief that ostriches bury their heads in the sand when they are in danger, thinking that if they can't see their attacker then their attacker can't see them.  Obviously, when it comes to ostriches this is a fallacy (there are still ostriches alive today); however, when it comes to Apple users, well, this looks to be the way they are treating security.  Look at Apple's response to Elinor's request for comment as a good example of the emphasis the company places on open discussion about its security.

My take is that security and safety are two very different things.  When you look at the two current OSes - Apple's Mac OS X Snow Leopard and Microsoft's Windows 7 - the experts generally tend to agree that there's very little between them, with Windows 7 being the more secure OS and Snow Leopard being the safer one to use.  The reason that Snow Leopard is safer is not because it is more secure (it isn't) but because there is a smaller installed base and therefore a lower financial reward for malware authors to target this platform.

Apple's market share rose dramatically as the result of Windows Vista.  Even now it is around 5-7% of market share, depending on which sources you read.  That's not a lot.  It took just 4-5 weeks for Windows 7 to reach this market share, showing how small a player Apple's Mac OS X really is.  That clearly explains why it is such a small target for malware authors, despite being less secure than Windows 7.

Windows XP still holds the largest market share and is the biggest target for malware.  As Windows XP, released in 2001 and patched three major times since, is now 9 years old, you can understand why it has security issues in 2010.  As users move towards Windows 7, I can honestly see the number of successful attacks dropping and malware authors starting to look more seriously at Mac OS X.

Another issue - the biggest issue - is the wetware, not the hardware nor software.  Wetware is sometimes referred to as "PEBKAC".  Yes, I'm talking about the user themselves.  It doesn't matter how secure an operating environment is, if a user is determined to enter their password to download a browser plugin to watch the cute dancing pig, then they have made this secure environment unsafe.

This is why we strongly recommend against regular users having Administrator rights - users are users (i.e., they use the system) and administrators are administrators (i.e., they administer the system), and even an administrator's regular daily account shouldn't have administrator rights as far as I'm concerned.

Windows Vista, the slothlike behemoth of an OS that it was, introduced some good security concepts, however they were very poorly implemented, making the slothlike OS even more unbearable to use.  Many of these were fixed in SP1, but Microsoft had done their dough by then.  Fortunately Microsoft learned from their legion mistakes with Vista and Windows 7 is a much, much nicer OS to use that retains and actually enhances the security introduced in Vista.

It is quite often the applications running on the computer that contain the vulnerabilities that are being exploited.  A classic example is Adobe Reader - one of the applications with a huge number of security issues.  It TRULY is in need of a complete rewrite.  If you don't keep your operating system *and* applications updated, then you're neither safe nor secure.

So, safe behavior is more important than a secure OS - this isn't really news, but with decently secure OSes now available, safe usage practices become more important as social engineering attacks become more prevalent.

Regards,

The Outspoken Wookie
