Feature Article - Mac OS X Server Safest, But OS Diversity Key To Stopping Hackers, New Study Reveals

by , 10:00 AM EST, February 26th, 2004

Apple's Mac OS X Server and Berkeley Software Distribution (BSD)-based, Open Source operating systems are the most secure online server OSes, according to a new study by the British cyber security firm mi2g. The study also advises organizations to use more than one OS as a way to combat hacking and viruses, regardless of the increased cost.

The study conducted by mi2g's Intelligence Unit looked at the total number of attacks against government and private sector online servers, as well as the number of successful attacks, for the month of January. The most attacked OS for online servers was Linux at 80 percent, followed by Windows at 12 percent and then BSD and Mac OS X at three percent. Within the government environment, the most successfully attacked operating system was also Linux at 57 percent, followed by Windows at 35 percent and BSD and Mac OS X at 0 percent, which the company notes is a first for that category.

In January, there were 17,074 successful digital attacks against online servers and networks, with Linux accounting for 13,654 breaches, Windows with 2,005 breaches, and BSD and Mac OS X with 555 breaches.

The results were in stark contrast to the situation six months earlier: in August 2003, Microsoft Windows accounted for a significantly higher share of recorded government server breaches at 51 percent, compared to Linux at 14 percent. Attacks against Microsoft Windows-based servers have fallen consistently for the last ten months.

"In the case of BSD and Mac OS X, for some strange reason, the developers and the OS people appear to be doing a better job of dealing with vulnerabilities and applying the patches," said DK Matai, Executive Chairman of mi2g in an exclusive interview with The Mac Observer. "In addition, system administrators are doing a better job on these platforms in making sure default configurations are switched off so they have the maximum level of security.

"No matter how you calculate it, the numbers for Mac OS X and BSD are very small in comparison to the market share we know BSD has, which is about 10 percent at present from three percent in the last year."

The company estimated that the overall economic damage from server attacks worldwide during January was between US$2.34 and $2.86 billion. 54.3 percent of all attacks were against micro businesses and home-based computers with always-on Internet access. 41 percent of the attacks were against small businesses with sales below $7 million, 3.5 percent were against companies with sales between $7 and $40 million, and 1.3 percent were against firms with sales in excess of $40 million.

The study is based upon the analysis of over 1,000 organizations worldwide, with 30 percent related to government organizations, including those in the US.

"We have three main sources for our data," Mr. Matai said. "The main one is our personal relationships under non-disclosure agreements with a range of clients and other third parties, ranging from government to banking and insurance companies. They give us access to evaluate their computer systems and find attacks as long as we don't attribute their names to our reports." In addition, mi2g sponsors and monitors hacker bulletin boards completely unbeknownst to the hackers. "We also operate a large number of anonymous communication channels with hacking groups," he said.

The figures exclude malware attacks using viruses, worms and Trojan Horses.

What makes an OS vulnerable?

Mr. Matai said what makes an OS vulnerable to hacker attacks has little to do with the increasing market share of a particular operating system and more to do with how well organizations and their system administrators do in shutting open doors to prying eyes.

"The biggest problem is that the system administrators of Linux-based systems have assumed rather complacently that just because they're running Linux, nothing will happen," Mr. Matai commented. "Often it's not the OS which is vulnerable, but it's the third-party applications that run on top of that OS. Any type of operating system on its own can be made secure, but when you start putting applications on that OS and servers, you make it vulnerable. Microsoft and Windows administrators deserve some credit for having consistently reduced the proportion of successful online hacker attacks perpetrated against their servers."

Mr. Matai was highly critical of the Linux operating system as adoption of the Open Source OS grows.

"The capabilities of Windows system administrators to be frightened enough to cover up vulnerabilities by applying the patches immediately is strong enough at present to cause a month-by-month deterioration in the number of Windows servers that are successfully attacked," he said. "Not so for Linux. It is more open and there is less of a system in place for administrators of Linux servers to learn from attacks and do something about them. The kind of experience in organizations to run and maintain Windows is far deeper than for running Linux. Most companies don't have Linux-trained administrators, and training is very much a missing component at present. There is no structured approach to bringing Linux-trained administrators up to a certain level of competency."

Why are BSD and OS X not hacked as much? "I think the majority of hackers do not have the skills to break them," said Mr. Matai. "In addition, I think system administrators for BSD go above and beyond to harden it once they install it."

Mac OS X and BSD are winning the war over hacking because of two things, said Mr. Matai. "Viruses are much more prevalent on Windows than Mac, and number two, PCs running Windows in an open 24/7 environment can be used to spread viruses even more, basically treating a PC as a server. It's not the same on Mac OS X Server. Much of the credit has to go to the developers and administrators of BSD and Mac OS X for maintaining such an excellent track record of the lowest number of breaches."

Biodiversity of OSes is key

Mr. Matai believes biodiversity - or the use of multiple operating systems in one company or organization - is critical to curbing hackers and viruses, no matter what the financial costs of using multiple OSes are.

"Today we have an environment where 90 percent or more of the world's computers run on Windows only, which creates a global vulnerability," Mr. Matai commented. "Separate from hacking, a good example would be the speed at which viruses are spreading around the globe. The MyDoom virus spread to over 215 countries in just a couple of days. We could cut down the speed at which viruses grow if there was greater diversity of operating systems within each and every organization. So more embracing of Mac OS X and other operating systems is key."