Deploying Apple in Your SMB? Be Mindful of Its Lackluster Security Posture

Paul Mah

Thinking of deploying Apple products in your small and mid-sized business? As an iPad user, I've written in the past about how Apple products like the iPad can be deployed in SMBs to meet various business needs. I am certainly all for using the right tools for the job, yet I would be remiss if I did not highlight a drawback to adopting Apple in the SMB: Apple is known for being slow to respond to, or even acknowledge, security problems and software bugs.


If anything, Apple's response to the recent DigiNotar breach underscores my observations about the company's security posture to date. DigiNotar, if you recall, is the Dutch certificate authority that was breached, resulting in 531 certificates being fraudulently issued for a wide range of highly popular sites, including those belonging to Google, Yahoo and Mozilla.


An article on Security Curve chronicles the timeline of Apple's response to the DigiNotar breach, and just how long Apple took to act:

September 9, when Apple responded, is 14 days (two weeks) after the bogus google.com cert was posted on pastebin (September 27). It is 12 days after it appeared in the mainstream security news (for example, we're not in the "breaking the story" business and we covered it on the 29th).

In contrast, Microsoft issued a security advisory on Aug. 29 and has continually updated it as new information became available. Makers of other top browsers, such as Mozilla and Google, also moved quickly to block the DigiNotar certificates, leaving Apple as the odd vendor out: it did nothing for two full weeks before finally releasing a security update on Sept. 9.


To make matters worse, the initial advice offered by external parties to help Apple users mitigate the problem failed to provide complete protection, because of a flaw in how Mac OS X handles Extended Validation (EV) certificates: an explicitly distrusted root could still be accepted for an EV certificate. And mind you, all of this discussion and blogging took place without any statement or acknowledgement from Apple. This naturally resulted in criticism being leveled at Apple for its tardiness in responding to a serious security problem.


Says the same Security Curve article:

I don't agree that 12 days is an acceptable amount of time to respond; I'm not saying it's too slow to patch the software. I'm saying they had options. A viable workaround existed (disable trust in KeyManager) - give instructions to users or acknowledge the unofficial workaround. Or patch. Or do something else.

Well-known security and forensic analyst Paul Henry has this to say in a post on Computerworld:

We're looking at some very serious issues [about trust on the Web] and it doesn't help matters when Apple is dragging its feet.

Apple has a habit of keeping silent about security flaws and vulnerabilities, and that extends to bugs in its operating system. While the problems do get fixed eventually, it is not unusual for Apple to wait for a new feature release or update before rolling out any outstanding security or bug fixes.


Deploying Apple in your SMB? You should consider Apple's lackluster security posture first.


Sep 23, 2011 2:42 AM Chris says:

Thanks, Paul, for sharing your insights. Here at Symantec, we recommend that sensitive data on all mobile devices should be encrypted. It isn't enough to depend on the operating system to defend against attacks anymore; SMBs should educate and protect themselves. Here are a few tips on mobile device security that I think might be helpful to your readers: http://bit.ly/ptGhXZ

Chris Halcon

Symantec
