There has been a considerable amount of news activity purporting that Google is looking to do a full-scale migration away from using Microsoft products, citing security as the primary impetus. While I can’t say whether or not these reports are indeed true, the story does raise a couple of important issues when it comes to reasoning about how effective your IT security policies are.

The first misconception is that the main security risks are rooted in the underlying platform, whether it is Windows, Mac OS, Linux, etc. That might have been true five to seven years ago. The reality today, however, is that much of the attack activity we see is aimed “higher up in the stack.” The targets include applications that run on top of platforms (e.g., Web browsers), third-party add-ons that run on top of applications (e.g., browser extensions or plug-ins), and ultimately the human beings who operate the platform—who, unbeknownst even to themselves, make numerous critical security decisions. Of the malicious software samples that Symantec analyzes, only a small percentage actually exploit a technical vulnerability. The remainder either piggyback on these samples or instead try to get onto the system via a human vulnerability.

For example, we’ve seen cases where an attacker will send email to a company’s Chief Financial Officer, posing as the Internal Revenue Service. The CFO is threatened with a substantial fine unless he or she opens the attachment and fills out their details. We’ve also seen similar scams targeting CEOs, in which the attackers posed as the Better Business Bureau. The ruse was similar. A complaint had allegedly been filed against the company, the details of which could be found by opening the attachment accompanying the email message.

The second misconception is that some platforms are less vulnerable than others. The reality is that many commercial software platforms and applications are highly complex. They contain many millions of lines of code, and they can often be augmented with a host of extensions and plug-ins. Furthermore, applications can often interact with each other in a myriad of ways. The result is that it’s rarely a matter of whether an application is vulnerable, but rather a matter of whether someone will expend the energy to find the vulnerabilities. For the most part, more vulnerabilities tend to be found in popular applications because they represent the most profitable target for attackers. Attackers are usually not blindly motivated; instead, they are often interested in maximizing their own profits. Finding technical vulnerabilities in widely used platforms yields far more bang for the buck than trying to tease apart issues in obscure ones.

One thing we’ve learned over the years is that if it leads to some meaningful means to achieving a payoff, then attackers will gladly crank up the volume. That could mean finding a custom vulnerability or writing a custom piece of malware as needed. At the same time, a lot of an attacker’s energy will be spent trying to come up with a custom social engineering attack that will be effective against a critical person in an organization.

Whether Google is indeed vying to rid itself of all vestiges of Microsoft products remains to be seen, but I can tell you that ultimately trying to improve your security posture by getting rid of a particular platform is tantamount to efficiently chopping down trees, only to find out that you are most likely in the wrong forest.