How secure is your Mac? According to computer-security training organization SANS Institute, Apple’s highly touted Mac OS X ranks in the Top 20 vulnerabilities.
Not just a hole here and there that may need a quick patch, the whole Mac OS is identified as a security flaw for network administrators.
Wait a minute. Can that be correct? Everything you and I have read over the past few years (five years of OS X) says exactly the opposite.
Mac OS X is considered to be the most secure desktop platform available, and a very secure server platform. So what are the folks at the SANS Institute smoking?
I don’t know. If they’re not smoking something illegal, then whoever made up the list may be related by genes to Moe, Larry, and Curly Joe.
Computer security firms are always between a rock and a hard spot when it comes to Mac OS X. The Mac’s reputation for security, when compared to any version of Windows, is stellar.
No viruses, no spyware, no trojan horses, no Sony rootkits. Windows, on the other hand, is a denizen of thievery and mischief, when it comes to security.
For the first time ever, SANS Institute listed a whole operating system as a major threat. It’s Mac OS X and not Windows.
That’s a typo, right? That can’t be. Is it a joke? Did Microsoft fund the Top 20 Selection Committee?
Outside of a desire to scare the crapola out of Mac users, stir up controversy and call plenty of attention to SANS Institute, I can’t find anything in their report that’s worthy of the headline “Major Threat.”
So, what’s going on? Are these people to be believed? Is there more to this seeming idiocy than meets the eye?
Yes. Define ‘major threat.’ Define ‘worst flaws.’ Define ‘security issue.’
Ah, that’s the problem. Definitions. One man’s hamburger is another man’s steak. You and I apparently don’t fully understand or appreciate real ‘security’ issues as well as the experts.
Granted, the Top 20 List of Major Security Threats is aimed at network administrators, and not at average users like you and me and your kids and other real people (not that network administrators are not ‘real people’). There should be a definition for ‘security threat’ that we can agree on.
Apparently not. According to what SANS Institute implies, having a computer that uses electricity constitutes a security threat.
SANS Institute’s Top-20 2005 includes Windows and UNIX categories (including OS X) and Cross-Platform Applications and Networking Products.
They also admit that the evolving threat landscape is dynamic in nature, so their response is to change the shape of their list. Instead of ‘cumulative’ security issues over time, they list only critical vulnerabilities since about mid-2004.
Then they tell network administrators that SANS recommends they patch security vulnerabilities listed in the last Top-20 2004 list.
Well, duh. Shame on any network administrator who hasn’t patched security holes from 18 months ago.
Where does SANS Institute get data for a list of security threats?
“… the Top-20 2005 is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious government agencies in the UK, US, and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; many other user organizations; and the SANS Institute.”
OK, so Mac OS X is on the list of ‘major security threats.’ What does the SANS Institute list do for me?
“It includes step-by-step instructions and pointers to additional information useful for correcting the security flaws. We will update the list and the instructions as more critical vulnerabilities and more current or convenient methods of protection are identified…”
Ah ha. Step-by-step instructions and pointers to help me close the ‘major threat’ security holes in Mac OS X. Great.
SANS goes on to list five of the Top Vulnerabilities in Windows Systems. These include Internet Explorer (duh), Windows Services (all those spyware folks will be unhappy), Windows Libraries, Microsoft Office and Outlook (ooooh, virus makers beware), and Windows Configuration Weaknesses.
That’s 25 percent of the Top 20 Major Threats, right? They also list PHP-based applications, database software, media players, Mozilla and Firefox browsers, and on and on and ad nauseam.
For Top Vulnerabilities in UNIX Systems, SANS lists ‘Mac OS X.’ Not QuickTime, or Fast User Switching, or whatever. Just Mac OS X.
There’s even a handy guide: “How To Determine If You Are Vulnerable.” What do they say?
“Any default or unpatched Mac OS X installations should be presumed to be vulnerable.” That’s it? In a nutshell, yes, that’s it. By definition, if my Mac is up to date and the firewall is on, it should NOT be vulnerable, right?
Here’s another Gem of Wisdom™ from SANS Institute for all Mac users: “Be sure to stay current and have all security updates for Apple products applied by turning on the Software Update System to automatically check for software updates released by Apple.”
You’re kidding, right? That’s it?
If my Mac is listed as a ‘major threat’ then I want to know what those threats are and what I can do to fix them.
What I get is a list of what’s known as ‘common vulnerabilities and exposures’ (CVE) which is a catch-all list of current and potential issues of security concern for developers, administrators, and so on.
It’s a good way to categorize potential and real security threats from the computer and networking community. Apple releases security updates which are often based on such CVE documents.
Under the heading “How to protect against Mac OS X Vulnerabilities” all SANS Institute can come up with is:
“To avoid unauthorized access to your machine, turn on the built-in personal firewall. If you have authorized services running in your machine that need external access, be sure to explicitly permit them.”
Then a list of security guide books, web sites which sell security, and a few white papers. Did I mention “that’s it?” already?
The problem here is the headline. “Mac OS X poses major security risk.” Or, something like, “Mac OS X Major Security Threat.”
Without digging into the fine print, a typical reader might assume that Mac OS X and Windows have about the same level of ‘security’ (add your definition to the list) and nothing could be further from the truth, regardless of which definitions you use.
Shame on SANS Institute for not making a definitive list with true value, and shame on media outlets that push threatening headlines on an unsuspecting reader.
SANS has been doing security for many years and they have a good reputation in the community, but this is one area that needs an experienced management touch. Intentional or not, SANS created fear, uncertainty, and doubt without providing much evidence other than the standard security issues all OS’s face.
Worse, they provided no ‘relativity’ to the so-called ‘threats.’ SANS’s reputation is harmed when they can’t differentiate between a true ‘threat’ and standard practices.
Click Here for one of a number of crazy headlines about this bogus threat.
Secure your Mac according to guidelines from Apple, reputable publications and sites. Consider the source. Then sleep better at night. You’re using a Mac.
Jack D. Miller
I thought I would barf when I saw that ‘news’. How much more of what’s shoved down our throats is plain wrong?
Carol Mary Miller
I’ll remember that question the next time you buy a new toy for your office. I’ve never had spyware, a virus, a trojan horse, or a security hole anywhere on any Mac. Ever.
Much ado over not much, despite the glaring headline. Windows users love that kind of ammunition, though it’s baseless compared to what they put up with daily.
What was it Jack said the other day about his Windows PC? He only boots it up on Sundays to run the anti-virus and anti-spyware software.