Can an Apple a day keep security issues at bay?

*Akasha* · June 03, 2004, 11:14 PM

Is the Apple Macintosh and its OS X operating system an enterprise security contender -- or should it be?

"OS X is designed differently from the ground up -- applications and user programs don't get as 'involved' in the base OS as Windows," said author Richard Forno, the former chief security officer for Network Solutions.

Out of the box, only SSH is enabled on OS X and, upon starting, users must create an account and password. Root access for applications is discouraged. By comparison, Windows systems ship with most services enabled.

"Deploying a Mac environment means you're not running around with daily software updates or responding to incessant viruses and worms. That alone will save significant sums and staff headaches," said Forno, who noted the same goes for Linux and BSD boxes.

But OS X is far from headache free, judging from several security flaws announced by IT security firm Secunia in the past two weeks. No sooner had Apple released a patch to seal serious holes that allow execution of arbitrary code that a new vulnerability surfaced last week, this one allowing exploitation by malicious Web sites.

How much could companies save, though, using a Mac environment? A study conducted in the mid-1990s at NASA compared support costs. The number of support people needed for Macintosh computers averaged one for every 250 computers, whereas for Windows, it was closer to one for every 30.

On the flip side, Macintosh computers -- and support and security personnel -- tend to be more expensive than their Windows counterparts. Chalk it up to supply and demand.

Yet Macintosh has a legacy of creating easy-to-use software. With many security experts citing hard-to-use security software as a leading cause of misconfigurations, OS X -- built atop versions of the Berkeley Software Distribution (BSD), such as FreeBSD, NetBSD and OpenBSD -- could help. As one poster to Slashdot commented, "The GUI tools for OS X are awesome for administrators with limited command-line [savvy]."

Should security administrators consider Macintosh? "OS X makes the Mac a serious contender throughout the enterprise," said Forno. "It seamlessly integrates with existing Wintel [Windows] environments, but in a more reliable and secure manner."

Still, numbers comparing the two are difficult to come by. British firm mi2g, which many security researchers treat with extreme skepticism, recently studied breaches in British private and government Web sites, according to MacCentral. Of the attacks, 80% targeted Linux, 12% Windows and 3% OS X Server and BSD. When breaches occurred, half involved Linux machines and one-third Windows, while Macintosh OS X Server was unscathed.

So the question remains: Is OS X security better, just lucky or somewhere in between?

Determining that just isn't possible today. "We don't really measure apples to apples when it comes to security. Instead we count vulnerabilities, which is nothing more than an unpopularity contest at this point," said Pete Lindstrom, research director at Spire Security. Better would be feature-by-feature OS comparisons, he said. "Barebones OSes are tough to compare to full-featured ones. We also tend to neglect things like configuration weaknesses or errors."

Information Source : SearchSecurity.com

June 03, 2004, 11:14 PM	#1 (permalink)
Akasha	Can an Apple a day keep security issues at bay? Is the Apple Macintosh and its OS X operating system an enterprise security contender -- or should it be? "OS X is designed differently from the ground up -- applications and user programs don't get as 'involved' in the base OS as Windows," said author Richard Forno, the former chief security officer for Network Solutions. Out of the box, only SSH is enabled on OS X and, upon starting, users must create an account and password. Root access for applications is discouraged. By comparison, Windows systems ship with most services enabled. "Deploying a Mac environment means you're not running around with daily software updates or responding to incessant viruses and worms. That alone will save significant sums and staff headaches," said Forno, who noted the same goes for Linux and BSD boxes. But OS X is far from headache free, judging from several security flaws announced by IT security firm Secunia in the past two weeks. No sooner had Apple released a patch to seal serious holes that allow execution of arbitrary code that a new vulnerability surfaced last week, this one allowing exploitation by malicious Web sites. How much could companies save, though, using a Mac environment? A study conducted in the mid-1990s at NASA compared support costs. The number of support people needed for Macintosh computers averaged one for every 250 computers, whereas for Windows, it was closer to one for every 30. On the flip side, Macintosh computers -- and support and security personnel -- tend to be more expensive than their Windows counterparts. Chalk it up to supply and demand. Yet Macintosh has a legacy of creating easy-to-use software. With many security experts citing hard-to-use security software as a leading cause of misconfigurations, OS X -- built atop versions of the Berkeley Software Distribution (BSD), such as FreeBSD, NetBSD and OpenBSD -- could help. As one poster to Slashdot commented, "The GUI tools for OS X are awesome for administrators with limited command-line [savvy]." Should security administrators consider Macintosh? "OS X makes the Mac a serious contender throughout the enterprise," said Forno. "It seamlessly integrates with existing Wintel [Windows] environments, but in a more reliable and secure manner." Still, numbers comparing the two are difficult to come by. British firm mi2g, which many security researchers treat with extreme skepticism, recently studied breaches in British private and government Web sites, according to MacCentral. Of the attacks, 80% targeted Linux, 12% Windows and 3% OS X Server and BSD. When breaches occurred, half involved Linux machines and one-third Windows, while Macintosh OS X Server was unscathed. So the question remains: Is OS X security better, just lucky or somewhere in between? Determining that just isn't possible today. "We don't really measure apples to apples when it comes to security. Instead we count vulnerabilities, which is nothing more than an unpopularity contest at this point," said Pete Lindstrom, research director at Spire Security. Better would be feature-by-feature OS comparisons, he said. "Barebones OSes are tough to compare to full-featured ones. We also tend to neglect things like configuration weaknesses or errors." Information Source : SearchSecurity.com