Last week Gizmodo had a nice article on the myth of Mac security, prompted by Apple’s announcement of Gatekeeper in Mountain Lion. They discuss all the relevant pros and cons in comparing Windows and Mac security. The author concludes “To stay secure, Mac users need to follow the same fundamental steps as Windows users…”. I agree … however … I think they (and many others) are arguing the wrong point. We should instead be talking about things in terms of Risk. And on that front I’d pick Macs any day of the week and twice on Sunday.
Proving one OS is more or less secure than another OS is almost impossible because of one recurring phrase I hear a lot in infosec – “it depends”. Well, what does it depend on? It could depend on the number of people attacking an OS. You could have the most horribly insecure OS in the world, but if no one is attacking it, does it really matter?
I think a more efficient discussion would be something Risk-based. There are numerous formulas for risk and I’m sure the risk gurus will hammer me here. Anyway, based on our “6 Quick Steps for N00bs Understanding Risk Assessments” post one simple formula is:
Risk = Vulnerability X Threat X Impact
The difference in the values for Vulnerability is probably insignificant compared to the other variables: both platforms ship exploitable bugs and both patch on a regular cycle. So let’s just assume both Windows and Mac have the same vulnerability score. I am a bit uncomfortable with this assumption though. It looks as if I may be equating Vulnerabilities and Security, and a vulnerability score only counts exploitable flaws, not the mitigations and hardening around them. In certain aspects the assumption may not hold, but I am ignoring that for now.
On the Windows side, Threat is probably a lot higher compared to Macs simply because of market share and the availability of tools to attack Windows. Additionally, Windows machines are more likely to hold more sensitive information (e.g., corporate trade secrets or cost proposals versus an individual’s taxes or WoW credentials). Impact would also most likely be a lot higher for Windows, since a loss of sensitive information could affect the viability of a business employing thousands instead of just one person.
Given this analysis, Risk is probably A LOT higher for Windows than for Macs.
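To make the comparison concrete, here is an added example (not code from the original post) that works the Risk = Vulnerability X Threat X Impact formula through with constructed scores on a 1-5 ordinal scale. The scores, the two profiles (a corporate Windows desktop and a home Mac) and the helper functions are all assumptions chosen to follow the post’s reasoning; they are not measurements of either OS. The example also goes one step beyond the text: it shows that with Vulnerability held equal the risk ratio depends only on Threat and Impact, and how large a vulnerability gap would have to be to close that ratio.

```python
# Added example (not from the original post): the post's
# Risk = Vulnerability x Threat x Impact comparison worked through with
# constructed 1-5 ordinal scores. The scores are illustrative assumptions
# chosen to follow the post's reasoning, not measurements of either OS.
from dataclasses import dataclass

SCALE_MAX = 5  # scores run from 1 (low) to 5 (high)


@dataclass(frozen=True)
class Profile:
    """Risk inputs for one platform in one deployment context."""
    name: str
    vulnerability: int  # how exploitable the platform is
    threat: int         # how actively it is attacked (attackers, tooling)
    impact: int         # cost to the owner if it is compromised

    def risk(self) -> int:
        return self.vulnerability * self.threat * self.impact


def risk_ratio(a: Profile, b: Profile) -> float:
    """Overall risk of a relative to b."""
    return a.risk() / b.risk()


def factor_ratios(a: Profile, b: Profile) -> dict:
    """Per-factor ratio a/b. Their product equals risk_ratio(a, b), so this
    shows which factor actually drives the difference."""
    return {
        "vulnerability": a.vulnerability / b.vulnerability,
        "threat": a.threat / b.threat,
        "impact": a.impact / b.impact,
    }


def vulnerability_needed_to_match(target: Profile, other: Profile) -> float:
    """Vulnerability score `other` would need, with its threat and impact
    unchanged, for its risk to equal target's risk. A value above
    SCALE_MAX means no vulnerability difference alone can close the gap."""
    return target.risk() / (other.threat * other.impact)


def ratio_with_shared_vulnerability(a: Profile, b: Profile, v: int) -> float:
    """Risk ratio when both platforms get the same vulnerability score v.
    With V equal, the ratio depends only on threat and impact, which is
    the simplification the post makes."""
    a2 = Profile(a.name, v, a.threat, a.impact)
    b2 = Profile(b.name, v, b.threat, b.impact)
    return risk_ratio(a2, b2)


# Constructed scores following the post's assumptions: equal vulnerability,
# Windows in a corporate setting attacked more and holding costlier data.
CORPORATE_WINDOWS = Profile("corporate Windows desktop",
                            vulnerability=3, threat=5, impact=5)
HOME_MAC = Profile("home Mac", vulnerability=3, threat=2, impact=2)


if __name__ == "__main__":
    for p in (CORPORATE_WINDOWS, HOME_MAC):
        print(f"{p.name}: risk = {p.risk()}")
    print("risk ratio:", risk_ratio(CORPORATE_WINDOWS, HOME_MAC))
    print("factor ratios:", factor_ratios(CORPORATE_WINDOWS, HOME_MAC))
    print("Mac vulnerability score needed to match:",
          vulnerability_needed_to_match(CORPORATE_WINDOWS, HOME_MAC))
    for v in range(1, SCALE_MAX + 1):
        r = ratio_with_shared_vulnerability(CORPORATE_WINDOWS, HOME_MAC, v)
        print(f"shared V={v}: ratio = {r}")
```

With these constructed numbers the Windows profile scores 75 against 12 for the Mac, a ratio of 6.25 that comes entirely from the Threat and Impact terms (2.5 each) and does not move whatever shared vulnerability score you pick. The Mac would need a vulnerability score of 18.75 on a 5-point scale to catch up, which is the post’s point in numbers: on the stated assumptions the vulnerability term cannot change the answer, so arguing about which OS has “better security” is arguing about the smallest factor.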
So in conclusion can we please stop trying to compare Security and use something Risk-based instead?
Apple has long touted security as a selling point for Mac OS X. While it’s the case that there are far more viruses for Windows than Mac, the notion that Mac users don’t need to have any concerns about security is a myth that deserves to be well and truly busted.
It’s widely acknowledged that the number of active, in-the-wild viruses, trojans and other nasties aimed specifically at Mac platforms is much lower than for Windows. In part, that’s because the Unix roots of Mac OS X make it harder to devise that code. In greater part, it’s because Mac simply isn’t as popular a platform. Apple’s large market share in smart phones and dominance in tablets hasn’t yet made a serious dent in the popularity of Windows.
Windows security is much better than it once was — options like User Access Control cut off many obvious problems — but it still remains more vulnerable by virtue of sheer scale and a large pool of often ignorant users. But one platform being more targeted does not equate to its rival being completely safe.
When comparing products, should we start talking “Risk” instead of “Security”? Today’s post pic is from SANS.org.