So it appears Gartner has something to say about Mac security too. Here is an interesting article building on the Mac security issue. It’s just a matter of time before a major attack hits the Mac platform. Another interesting tidbit is that the article points out that “Mac’s generally have to be patched one at a time”. Don’t get me wrong: using both Macs and PCs can be good if the overall strategy supports security, but the key here is not to have a false sense of security.
An article was recently published about the Army adding Macs to improve security. Although diversifying vendors will usually make you more secure if done to support a defense-in-depth strategy, the context of the article suggests a lack of knowledge or evidence behind the statements made on the Army’s part.
There is one particular statement that is worrisome, where the Army security spokesperson is quoted as saying “Apple’s version of Unix is inherently more secure than Windows”. Now I don’t claim to know all the facts, but if you look at the links provided below, Mac OS X falls behind in 2007 and in 2004 has fewer advisories, yet remains comparable percentage-wise in regards to the number of critical vulnerabilities.
Fortunately the article has a counter argument by Charlie Miller at the end supporting the fact that the Army needs to step it up with more than Macs when it comes to security strategy. He comments about Mac being “behind the curve in security”. He also has a great line: “In the story of the three little pigs, did diversifying their defenses help? Not for the pig in the straw house.” On the other hand, diversifying is good if you use one product to back up the function of another product in the event one fails. So even though the pig’s straw house was destroyed, if that third pig could get to the brick house it would still survive.
In strategic risk assessments, not testing anti-virus signatures before they are deployed should be considered a vulnerability. Many of my customers believe this is ridiculous and not practical; however, I report it anyway. Whatever the case, the organization has the decision to accept the risk, as I am only there to point it out. There is a great example published where a routine update caused serious problems, forcing customers to re-install the operating system.
So you decide. Should anti-virus software be tested before deployment?
I could not help reading the Security 2.0 posts by Mark Curphey, and I especially liked the Business Activity Monitoring discussion. However, I see two major enemies that cause us pain every day and put organizations at great risk. In my mind neither of these has been addressed properly.
Enemy #1: Many internal penetration tests obtain admin or root access by guessing passwords.
Enemy #2: What do I say? Unpatched systems are an initial point of entry for many attacks both internally and externally. Tools like Metasploit make it even easier.
Of course I’m not throwing out statistics, but I see the results firsthand weekly. One can only hope that the Security 2.0 solution addresses the problems with passwords and patches.