The depth and complexity of the IT security landscape can be bewildering for the average user. So when it comes to choosing our computer platform, we want to feel like the supplier has our back - giving us a good, secure operating system that maintains itself, so we only have to concern ourselves with those nice features and aesthetics.
But this is a dangerous mentality, says Steve Santorelli, security expert for Team Cymru and former Detective Sergeant at Scotland Yard’s Computer Crime Unit. In fact, it is precisely because manufacturers appreciate that most consumers only want to focus on the look and usability of an OS that tightening up every last hole in the software is shunned in favour of making it as slick and simple as possible. When we compare the security strengths of market favourites Windows and OS X, we must be mindful that security simply isn't the major priority if the creators are to please the vendors.
“The people who sell you operating systems, they’re not in the business of security, they’re in the business of business,” says Santorelli. Marketers don’t want their users spending half an hour configuring a browser, he says, “they want them to be able to click somewhere and open it instantly”, or else they’ll go to another company’s product.
This, Santorelli says, makes aspects of the Windows v OS X security debate flawed. The Team Cymru researcher nevertheless praised the gradual security improvements of Microsoft's platform over the years, while citing concerns about Apple's OSes that are shared by the likes of Charlie Miller, the computer scientist famed for his exploitation of Apple products.
“I know Charlie Miller and Charlie would argue until he’s blue in the face that there are certain aspects of the Mac operating system that have been very poorly designed and that have not been patched,” he said. “He told them years ago that there’s problems. But generally, it isn’t about what’s secure, it’s about where the attention from the criminals actually is.”
And the attention is driven by market share, says Santorelli. In the underground economy, those spreading malware and launching scams want the largest attack base possible so they can simply get the best value for money from their attack. Apple’s Macs may have been a desirable product for some time but they haven’t been the most commonly used, with Windows maintaining market dominance. This has brought the greater number of threats Microsoft's way, perhaps sparing some of those Mac OS/OS X frailties from being exposed.
“If you look at the [underground] market, the price for zero day exploits of Windows XP and Vista, I believe, is still higher than the price for a zero day exploit of Windows 7,” said Santorelli, highlighting how deeply Windows systems are embedded into computer ownership. “It’s all about supply and demand… you’re going to pay for an exploit that affects a larger group of victims.”
But with the tide turning and Apple eating up increasing market share in the OS space, Santorelli says there is a “massively renewed interest within the underground economy about compromising OSX and iOS. It’s really changing the game.”
So with users of both Windows PCs and Macs clearly at risk, and with security far from 'taken care of' by the manufacturers, Santorelli says users must take responsibility for safeguarding against cyber threats. How do we do this?
“Patch, patch, patch,” he says. “If you’re a regular person - just like there’s no excuse for not using a modern browser - there’s no excuse for not patching.” Santorelli acknowledged that large organisations had to be careful and test patches against their mission critical systems before going ahead with implementation, “but if you’re a regular person, you have zero sympathy from me if you get hit by not patching,” he said.
Understanding the basics of patching and updating systems, as well as the security threats the average user currently faces, is a must. As is so often the case, good education is at the heart of good security, said Santorelli, no matter what software you are using.
“If you have no idea what you’re doing from a security perspective, you’re going to become a victim, regardless of whether it’s a Mac or Windows machine. It’s all about taking responsibility for your own Internet safety and the hygiene of your desktop and mobile device. It’s about taking responsibility to protect your family and your corporation.”
Article researched in collaboration with Team Cymru - a specialised Internet security research firm formed by a dedicated group of technologists passionate about making the Internet more secure.