Security Advisor

Windows IT Pros Watching OS X Lion

New Apple OS playing catch-up to Microsoft's security practices. Plus: A huge 78 vulnerabilities fixed in newest Oracle update; Federal government focuses on security; Cloud insurance on the way?

In the wake of the heralded release of Apple's new OS X Lion operating system, Windows IT pros who work with or in Mac environments are not only wondering how safe the new OS will be (security wise) but also have a new reason to ponder having interoperability with Windows apps.

Redmond confirmed in a company blog late last week that customers running Office for Mac can and will experience hiccups with the new Lion OS.

Particularly at issue are the instant messaging and communications app Office Communicator and the e-mail program Windows Outlook, which Microsoft contends "can't import mail from Apple Mail."

Pat Fox, senior director of product development with Microsoft's Mac group, said the issue would be rectified in the "near future" via an update for Communicator for Mac.

These are more cosmetic and operational issues. From a security standpoint, the Lion OS employs elements Windows IT pros may be familiar with, including Address Space Layout Randomization (ASLR) and sandboxing, which isolates critical applications from one another.

Charlie Miller, a security consultant at Accuvant and co-author of "The Mac Hacker's Handbook," has said publicly that Apple is playing catch-up with Microsoft in terms of security but the new Apple OS, more or less, has standardized its security architecture acceptably.

Windows Pros with Oracle in Stack Pull Double Duty
As far back as 2008, the security IT world was complaining that Oracle trailed Microsoft in effective patch management guidance. Such a reality has long been a head-scratching administrative issue for admins with Oracle ERP or database software in a Windows OS stack.

To this day, even amid improvements in Oracle patch updates, the three-month cycle creates double duty for Windows IT Pros who also deal with Oracle apps. This month is one such month. Security experts say it requires a keen eye with Oracle identifying 78 vulnerabilities, the most since October 2010 when there were 85 bugs to deal with.

Marcus Carey, security researcher at Rapid 7, tells Security Watch that since Oracle issues these advisories on a quarterly basis, Windows IT professionals should expect extra work when it comes to patching vulnerabilities during January, April, July and October.

"Managing this increased workload makes it essential for Windows IT professionals to prioritize patching based on criticality. It is important to understand that all vulnerabilities are not equal, and focus on the ones that represent the greatest threat to your environment," Carey said.

Survey: IT Security a Greater Priority for Government Agencies
IT research outfit CDW IT Monitor recently released a report showing that confidence among IT resource planning and procurement managers is increasing, particularly in the public sector among decision-makers at the federal, state and local levels, and specifically with regard to shoring up information system security.

According to the study 71 percent of "IT decision-makers at the federal level report that security in their organization is a greater priority now than in the previous two years."

Thomas E. Richards, president and chief operating officer at CDW in a prepared statement for the survey's release, said that from a business perspective, CIOs are interested in enabling a more mobile workforce in order to enhance productivity and provide flexibility.

But there remains a challenge in "making the disparate pieces work together and ensuring data security. They will continue to think strategically about how they are moving forward."

This could be good news for security admins, vendors and consultants. But the bad news comes with greater scrutiny of and pressure on the IT security function as threats increase.

Cloud Breach Insurance?
As if credit default insurance weren't enough, Dr. Alexander Pasik, CIO for IT innovation think-tank IEEE, thinks creating an insurance paradigm for cloud services in the form of possible compensation for data breaches from insurers is a good idea.

In his plan, cloud service providers would include insurance options in service-level agreements with clients and third-party resellers.

Pasik said in his June essay that the vast majority of Americans have bank accounts because they know their money is safe. He believes that the cloud insurance framework could be similar to the Federal Deposit Insurance Corporation (FDIC). Pasik wrote that he envisions "a similar type of guarantee, supported by private industry, being offered to users of cloud computing within the next 10 years."

Such a suggestion is not entirely off-base. Just last week Zurich American Insurance Company argued that Sony's insurance policy does not cover liabilities resulting from data breaches. Sony has already provisioned a special charge against earnings in an effort to determine the monetary damage of the breach and demonstrate that action is being taken. Specifically, the company's $171 million in losses will cover repair, enhanced security measures and identity theft protection architecture. Insurance won't be covering any of that, which makes Dr. Pasik's suggestion pertinent and raises the question: what if insurance did cover that going forward?

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
