No Contest: Mac vs. Windows Security

For nearly two decades now, security experts have debated whether Microsoft or Apple offers superior security. The battle heated up again in the wake of news out of Black Hat about a newfound weakness in the Mac platform. However, the question of whether Microsoft or Apple is more secure is no longer even relevant: Security threats of today and tomorrow aren't as tied to specific desktop platforms as they once were.

Macs have far more theoretical vulnerabilities than Windows machines, as I wrote last week. (I am a full-time principal security analyst at Microsoft.) It's been that way for a long time. However, Macs are attacked far less because they are used less than machines running Windows. Call it security through obscurity. Now that Macs are increasing in popularity in the enterprise and beyond, though, they're no doubt on the cusp of being targeted by hackers. However, I predict that Apple will rise to the occasion and fill the vulnerability gaps. It has to, or growth will slow.

[ Also on InfoWorld.com: Roger Grimes presents a controversial take on Mac security in "Apple security under attack: The view from Windows" | Download Roger Grimes's new "Data Loss Prevention Deep Dive" PDF expert guide today! | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. | Get a dose of daily computer security news by following Roger Grimes on Twitter. ]

Still, the question of whether Mac or Windows is more secure is no longer relevant. The computer security paradigm is shifting at this very moment. Cloud computing, Web 2.0, and mobile technologies are exploding, and with those changes, traditional attacks are making way for a new crop that ignore platforms. Think ANSI bombs, boot sector infectors, macro viruses -- seen any of those lately?

I worry about the risks associated with cloud compromises more and more. For example, if someone compromises a public cloud product and takes over one customer's instance, how easy would it be for that person to get to all the cloud's data? I know hackers have a far easier time taking over multiple websites hosted on a single Web server than they would taking over sites hosted in separate machines. Whether you're a Mac or a Windows shop doesn't factor into the equation.

Default data syncing, too, is becoming a fact of life, and it opens new potential security holes, regardless of platform. The mere act of opening a document on any computer or device could automatically send a copy of that document into the cloud, regardless of your intention. Is it well protected in the cloud? If you then open a document on your least secure device, can that machine access all your synced cloud documents? Who else in the cloud can see my documents?

How does IT manage security when it can manage only a few of the devices connecting to the most valuable data? How long until we have our first XML-written virus or worm? If someone compromises my worldwide, biometric ID, how do I repudiate everywhere it might be used and how can I use something else? For example, if my logon is my fingerprint or face, and the attackers steal my authentication token and fake being me, how can I get it back? What will I use instead?

Users, too, remain a huge security threat, regardless of what OS they're running. People remain susceptible to sophisticated phishing and social engineering attacks that dupe them into giving up their credentials, for example. They continue to install programs they shouldn't on their machines, allowing hackers an opportunity to pounce.

Heck, my own kids have a verifiable computer security expert in their house, yet they couldn't care less about computer security in their daily lives. They haven't changed their Facebook or online banking passwords since they set them -- again, they're leaving themselves susceptible to attacks regardless of what platform they might be using.

So when I'm asked if Microsoft or Apple's security is better than the other, it's not a question even worth answering. Overall, computer security is pretty bad. Nearly any company can be hacked, with just a little research and know-how. Fake malicious programs still abound. Antivirus software is struggling like never before. Most people have had their identity and credit card information compromised several times over the last few years. Most people have had their computers infected over the same period.

Our computer security paradigm is shifting in a huge way before our eyes and we're not using our best defenses while we argue over the relative minutiae of the competing platforms' relative security. Meanwhile, we're taking casualties with more to come -- all the while wondering why our current strategy doesn't work.

It reminds me of the English redcoat soldiers sent to the United States to take it back under control from the treasonous terrorists (we now call them the founding fathers and patriots). The redcoats kept lining up in the same parallel lines that had been successful for a millennium, and they kept that strategy until the bitter end. The war changed around them and they didn't notice in time. Will we?

This story, "No contest: Mac vs. Windows security," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Subscribe to the Security Watch Newsletter

Comments