I’ve just been sent some quotes from Mickey Boodaei, CEO of Trusteer, which caught my eye. It’s a response to the story that Google is directing employees not to use Windows because of security concerns.
Boodaei says that while switching from Windows may reduce the prevalence of common malware, it will not protect against “targeted attacks” – in other words, attempts to penetrate a specific network to steal data:
Enterprises that are considering shifting to an operating system like Mac or Linux should realize that although there are fewer malware programs available against these platforms, the shift will not solve the targeted attacks problem and may even make it worse. Mac and Linux are not more secure than Windows. They’re less targeted. There is a big difference. If you choose a less targeted platform then there is less of a chance of getting infected with standard viruses and Trojans that are not targeting you specifically. This could be an effective way of reducing infection rates for companies that suffer frequent infections.
In a targeted attack where criminals decide to target a specific enterprise because they’re interested in its data assets, they can very easily learn the type of platform used (for example Mac or Linux) and then build malware that attacks this platform and release it against the targeted enterprise.
The security community is years behind when it comes to security products for Mac and Linux. Therefore there is much less chance that any security product will be able to effectively detect and block this attack. By taking that action the enterprise increases its exposure to targeted attacks, not reducing it.
This sounds plausible, though there are a couple of counter-arguments. Windows has some flaws that are not present on Mac or Linux. It is still common for users to run with full local admin rights, even though User Account Control in Vista and Windows 7 mitigates this by requiring the user to approve certain actions. On Windows, it’s also more likely that you will have to give elevated rights to some application that wants to write to a system location; there’s a specific “Run as administrator” option in the compatibility options.
Further, I’m always sceptical of statements from the Windows security industry. Are they simply trying to protect their business?
Still, I’m inclined to agree that switching OS is not a silver bullet that will fix security. Take a look at this recent report of malware-infected web sites offering tips for a current hit game, Red Dead Redemption.
The attack is essentially psychological. It plays on the common knowledge that Windows is vulnerable to malware, informing the user that malware has been detected and they must clean it up by running a utility. The utility, of course, is in fact the malware. The chances are good that the user will consent to giving it elevated permissions, once they have been taken in. In principle this kind of attack could work on other operating systems, except that the user might be more sceptical about the presence of malware because it is less common – a rather frail defence.