Windows 8.1 Vs OSX 10.1 Versus iOS Security


Windows 8 Devices Deliver: Enterprise security rooted in trusted hardware
Review infographic

Contents

Executive Summary
Introduction
    Overview
Scenarios
    Virtual Smart Cards and Single Sign-On
    Authentication
    Browser and Antimalware
Hardware Root of Trust
    Key Findings
    Securing the Boot Mechanism
Operating System
    Key Findings
    Multiple User Profiles
    Security Updates
    Address Space Layout Randomization
Encryption
    Key Findings
    Encryption Features
Malware and Phishing Protection
    Key Findings
    Virus Susceptibility
    Antivirus and Antimalware
    Browser Security
User Authentication
    Key Findings
    Multi-Factor Authentication
    User Account Management
    Identity
    Managing User Credentials
App Security
    Key Findings
    App Certificate Signing and App Store Vetting
    Trusted Apps and Runtime Protection
    Sandboxing and AppContainer
Conclusions

Logic20/20, Inc. 2013, all rights reserved.

Executive Summary

This document is intended to explore the differences in the security implementations for Windows 8.1, OS X 10.8 Mountain Lion, and iOS 7. The threat of malware attacks is a constant problem for enterprises, and so these businesses must improve their security to avoid attack and mitigate damage.

Microsoft has been working to improve the security profile of Windows 8 devices by integrating boot protection and cryptographic hardware to provide a foundation of trust on which the platform can build.

Apple has softened their security stance from "It doesn't get PC viruses" to "It's built safe." This shift in language comes with a shift in strategy towards improving security with protection and prevention tools. However, of the solutions currently offered involve third-party vendors. These vendors provide tools and management options in areas where the base iOS and OS X platforms are weaker out-of-the-box, shoring up their defenses against malware, phishing, and other types of attacks. Using third-party vendors can increase the complexity of your deployment, and might include more costs based on managing multiple solutions and vendors.

Microsoft has the advantage in the area of security, especially for enterprise devices. The Windows 8.1 platform and Internet Explorer have been engineered with security and the enterprise in mind, and win in most security scenarios compared to iOS, OS X, and Safari. Most of all, Microsoft offers security solutions right out-of-the-box, providing a secure system built on a hardware root of trust and protected by technologies that come with Windows 8.1 by default. These tools make it easier for executives and IT administrators to manage and control enterprise security solutions.

Introduction

This paper compares the features of Windows 8 devices to similar features in iOS 7 and OS X 10.8 Mountain Lion devices. The Apple products have been researched using publicly-available information. Similarly, the Microsoft information also primarily comes from the public domain.

This document is intended to be a feature-level deep dive into comparing the key security features of three competing operating systems: Windows 8.1, iOS 7 and OS X 10.8 Mountain Lion. The purpose of this comparison is to provide a view of the competitive landscape as it relates to security. The audience for this document is technical and business decision makers, as well as subject-matter experts.

Overview

Microsoft's stance on security is that it starts with a foundational root of trust based in secure hardware. Microsoft has been continuously improving the security features of Windows, with advanced features such as BitLocker drive encryption, Trusted Boot with Measured Boot, AppLocker, and other vulnerability mitigation tools such as Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR). Security researchers believe that Microsoft has made a giant leap forward in heap memory security with Windows 8.1.

"I've written a lot of heap exploits in my day and I wouldn't want to be tasked with writing one for Windows 8 right now as there are a lot of hurdles you have to cross. It will take people a lot of time with a lot of skill to exploit." - Chris Valasek, senior security researcher at Coverity

With cloud computing and bring-your-own-device (BYOD) policies seeing increasing adoption, Microsoft and Apple both are working to improve their security measures. However, the perception of Apple's walled-garden approach offering absolute security is changing 1. Apple has been seen to be taking what appears to be a softer stand on security, according to a CNET analyst:

1 Sources:

"[Apple has] changed its stance from OS X inherently keeping users safe without any effort on their part, to instead being an operating system that offers users tools to help them be as safe as possible."

Apple's change in security marketing messaging from "It doesn't get PC viruses" to "It's built to be safe" is evidence of this change in stance. Apple has released a security guide for iOS in a move that is believed to be a reaction to several enterprises expressing concern about using the iPad commercially.

This document examines the security features of Windows 8.1 devices and how they compare to the security features used by iOS and OS X devices. The following table summarizes the areas that will be examined, and how Windows 8.1 compares to the two Apple platforms:

Security Areas: Windows 8.1 versus OS X and iOS

Hardware Root of Trust

The Windows 8.1 platform is built on hardware designed to secure the boot process and protect the user from malware from the time the user powers on the machine. This hardware-rooted trust comes from two key areas, the first of which is boot process protection, including UEFI's Secure Boot, Windows Trusted Boot, early-load anti-malware (ELAM), and Windows 8.1's Provable PC Health feature. The second key root of trust is the trusted platform module (TPM), which is a cryptographic processor that provides tamperproof hardware solutions for protecting identities, secrets, and encryption. TPM and UEFI solutions come from the Trusted Computing Group (TCG), and provide a standards-based security solution.

Apple's iOS and OS X boot processes are secured using proprietary solutions. These security measures lock down the boot process, but rely on software solutions, and not built-in hardware. Apple's systems are also made vulnerable by jailbreaking, which can circumvent the security provided by their boot processes.

Building a hardware-secured root of trust as the foundation for your systems helps IT administrators and executives deploy devices that are secure from the moment a user powers them on. Microsoft's tools in this area are standards-based and considered leading in the industry, while Apple uses proprietary technology that can be circumvented by jailbreaking.

Operating System

Windows 8.1 provides security tools such as Windows Defender and Action Center out-of-the-box, giving IT administrators and users a secure system without the involvement of any third-party vendors. Apple's iOS does not have a built-in antimalware solution, and focuses on app-related malware in their security design. However, malware embedded in images, documents, or other files is a threat that is not addressed except through third-party solutions, which can increase deployment cost and complexity. If an iOS device infected with malicious software delivered through a document were to connect to a corporate network, the infection could propagate with the spread of that document to others on the network.

Microsoft has a long track record of releasing frequent and timely automatic security updates using Windows Update. This feature works out-of-the-box and defaults to on, while OS X uses a notification system that can be ignored or circumvented by users, leaving their system unprotected.

Both Microsoft and Apple use ASLR technology, which prevents attacks by ensuring memory addresses for application functions and data are randomly sequenced in memory, thus making it extremely difficult for an attacker to place malicious code in a location that will allow successful execution. Additionally, all three platforms use DEP tools that prevent applications from executing code from a non-executable memory region, which helps prevent exploits.

Encryption

Both Microsoft and Apple provide drive encryption, but Windows 8.1 provides IT management and recovery options that iOS and OS X do not have. For example, Windows 8.1's selective wipe feature keeps IT administrators in control of business data, while leaving users in control of their personal data in BYOD scenarios.

Malware and Phishing Protection

Windows 8.1 protects the user from the moment the system is booted using early-load antimalware and Windows Defender.

Most malware is delivered through social engineering, and Windows Internet Explorer is recognized as having superb end-to-end security right out-of-the-box. IE10 with SmartScreen blocks percent of malware right out-of-the-box, compared to percent for Safari 2, providing the strongest protection from phishing attacks.

2 Source:

While iOS supports anti-malware third-party solutions, these can introduce additional cost and complexity to the deployment. Apple's Safari browser is less powerful in its mobile iteration, and does not have all of the security features that Windows IE10 has.

Windows Defender is a strong anti-malware solution that comes right out-of-the-box. OS X supports third-party solutions for malware protection, which can increase the cost and complexity of managing them for IT administrators.

User Authentication

Windows 8.1 supports multiple users, while iOS does not. This allows for security especially in bring-your-own-device scenarios where a given device might have more than one user at home. Additionally, Windows 8.1's single sign-on capabilities allow for access to a broad range of productivity software, while iOS authentication only grants access to the device and users will need to sign in with additional identities if they want to gain access to corporate resources.

Single sign-on is a key convenience tool for users, and allows for secure authentication across many programs and services, including corporate networks and file shares. Apple's iOS 7 has implemented a single sign-on feature, but it uses a separate set of credentials stored on the device, instead of using the same credentials used to sign in to the device.

Windows 8.1 provides strong authentication protection with smart cards and virtual smart cards, which are services that OS X does not support out-of-the-box.

Microsoft's platform is well-integrated with Active Directory, which together provides users authentication to an identity that can be used across devices and apps, providing strong management options that Apple does not have without introducing third-party software.

Windows Credential Locker and OS X's Keychain with iCloud Connect are comparable tools that manage user credentials.

App Security

Microsoft and Apple both tightly control the apps that are sold in their app stores. However, while Apple also locks down the iOS environment, the Windows 8.1 environment is more open and less restrictive than Apple's, and uses built-in security features to give IT administrators and users more flexibility in their apps, instead of locking the environment down. Additionally, Windows 8.1 supports desktop apps that take advantage of such new technologies as ASLR and DEP, which makes running desktop devices safer than ever before.

While the levels of security for AppLocker and Gatekeeper are comparable, IT administrators of Windows 8 devices have more flexibility and control over what users can and cannot run using AppLocker by using whitelists for trusted apps, and blacklists for apps not wanted in the environment.

Microsoft features strong support for enterprises developing line-of-business (LOB) apps. While iOS has a Developer Enterprise Program (iDEP) that enterprises can use to release apps in the public App Store or publish apps within their enterprise, they have not made any similar program available for OS X.

Scenarios

The following scenarios demonstrate some of the key features compared in this document.

Virtual Smart Cards and Single Sign-On

Jennifer is an employee of a Chicago law firm with hundreds of employees. Her workplace allows its employees to bring their own devices to work, which Jennifer likes, since she can keep using her laptop running Windows 8.1. Her laptop has been configured with a virtual smartcard, so when she logs on to her computer, she is connected automatically to her company's network.

Beth works at the same firm as Jennifer, and enjoys the same BYOD policy for her iOS device. When she logs into her computer outside of the office, she needs to connect a smart card reader to her device, plug in her card, and use the device's third-party smart card reader software to connect to the network. While she winds up with the same connectivity that Jennifer does, the process takes a little more time, and the IT administrators have to handle involving the extra third-party vendor to support the card reader.

The two-factor authentication works for more than just logging on to Jennifer's computer, however. Once signed into Windows 8.1, she is able to access SharePoint, file servers, Outlook, and even line-of-business apps on her corporate network such as Oracle Financials without authenticating a second time. She is able to access these programs automatically without entering her credentials again because of the robust single sign-on capability Windows 8.1 has.

Beth's iOS device does not have the same level of single sign-on capability that Jennifer's does. While Apple purports to have fully integrated single sign-on, she still needs to enter separate enterprise credentials after unlocking her device.

Later in the day, Jennifer needs to do some purchasing for the firm. She has confirmed a contract with their new client, and needs to give consent to purchase new laptops. Without her Windows 8 laptop, she would need to print out the document, sign it, fax it, file the documents, and then mail the original copies. However, the smart card framework built into Windows 8.1 allows Jennifer to use her Virtual Smartcard to sign documents. As she goes to confirm the purchase, Jennifer sees a window appear that asks her to confirm her identity, at which point she enters the PIN for her Virtual Smartcard. This automatically performs the filing and time-stamping digitally, and her secure confirmation is sent off with the purchase order. Because the credentials of her virtual smart card are securely stored on her computer, she does not need to use the physical card to sign in, but still receives the full security benefits of using one.

Beth also needs to make some company purchases, but her device does not have the comprehensive framework to securely pass credentials to the purchasing web site. She needs to use the third-party smart card reader software to authenticate her credentials.

Windows 8.1 has a strong and built-in smart card framework that does not require third-party software, which makes life easier for professionals like Jennifer. Multi-factor authentication makes devices more secure, and tying that to single sign-on helps Jennifer to be more productive by reducing the need to log on to multiple applications.

Authentication

Brad works at a government office in Washington D.C. As a contractor, he shares space at a busy office, and sometimes works from coffee shops and other public spaces. Brad knows that there is always a risk of phishing or otherwise having your credentials compromised in such public environments, so he uses multi-factor authentication on his tablet that runs Windows 8.1. In addition to normal password credentials, he uses a smart card, which provides a second layer of security.

When his contract is up, Brad needs to clear his device of sensitive data, emails, and other working files. Since he connected his own device to the company's network, he has both corporate and private data stored, in addition to the connections and credentials he used in his day-to-day work.

Jeff is another employee working alongside Brad at the government office. He has brought in his iPad to work, but needs to use third-party software to run the smart card reader required by his employer. This provides him with the security of using multi-factor authentication, but requires the IT department to involve another vendor with their deployment.

Windows 8.1 provides a feature that helps Brad out. The IT department is able to perform a selective wipe on the device, which erases emails, attachments, and other corporate data in WorkFolders. This leaves the device functional, but clean of any sensitive data. Instead of needing to wipe his device entirely, Brad is left with exactly what he started with in terms of files and data kept on his tablet, without having to back everything up and start from scratch.

For Jeff to get the same functionality when he leaves the company, his IT department would have to implement a third-party mobile device management tool that also has the selective wipe feature. While Brad is covered under Microsoft System Center, getting the same functionality for Jeff costs the company more and introduces the complexity of adding another vendor to perform a similar role.

Windows 8.1 builds on the security features introduced in Windows 8 and prior Windows versions. Strong, multi-factor authentication with a variety of devices gives devices running Windows 8.1 greater security than competing devices that only use single-factor authentication. Additionally, the selective wipe feature new to Windows 8.1 provides peace of mind to employees as well as security for the enterprise.

Browser and Antimalware

Eric is a temp working for a small San Diego firm with only a dozen or so employees. He logs into his employer-issued desktop computer which runs Windows 8.1, and launches Internet Explorer 10. Since he is using IE10, there is no need to install or use third-party antimalware or antivirus tools. Additionally, Windows 8.1 now includes the App Reputation feature, which helps users to identify malicious files.

Later in the day, Eric is visited by a coworker, Kyle, who has a USB thumb-drive with files that Eric needs. Unfortunately, Kyle managed to pick up an infected file and move it to his thumb-drive unknowingly, due to using a browser that lacked App Reputation and other anti-phishing capabilities. When Eric tries to open the file, the SmartScreen feature pops up a warning, letting Eric know that the file is possibly malicious. He closes the file immediately, avoiding the threat of malware infection.

Eric finds out that Kyle had clicked on a link from his personal email that directed him to a malicious website. This form of socially-engineered phishing is the way that most infections occur, especially on enterprise networks. Windows 8.1 and IE10 have strong methods for preventing infection, which Eric was able to take advantage of when SmartScreen warned him about the malicious file.

The other feature at their disposal is Windows Defender. Kyle runs a scan with Windows Defender, which locates the infected files on his device. When he connected to the corporate network, the malware sprang into action, but the security measures in place on the Windows 8.1 platform and the IE10 browser helped to make sure it did not spread very far, and once it was located, it was shut down quickly.

Hardware Root of Trust

Being able to trust the device hardware in use in your enterprise is the foundation of strong security. Of some concern to enterprises is the growing class of malware that includes inserts and attacks before the operating system starts, which endanger critical boot processes before any antimalware solution begins to function. Boot sequence and root access protection methods are designed to protect against these types of attacks, and are implemented by using secure hardware such as TPM chips.

Key Findings

The following section compares Windows 8.1, iOS 7, and OS X 10.8 Mountain Lion based on the security of their boot processes, including the following considerations:

- Securing the boot mechanism: Windows 8.1 secures the boot process using standards-based technology, including Unified Extensible Firmware Interface's (UEFI) Secured Boot, Trusted Boot, and ELAM. These hardware-supported features provide powerful security measures for Windows 8 devices, while Apple devices use proprietary technology that can be circumvented by jailbreaking the platform.

Securing the Boot Mechanism

The Windows 8.1 boot process is protected by standards-based technologies that build on top of one another to provide end-to-end protection from the moment the user powers on their device. The process begins with Secured Boot, a direct implementation of a UEFI standard. UEFI is a modern update of the traditional BIOS, adding security features that facilitate a more secure startup of the operating system by using signature checks stored in the UEFI chip. Secured Boot does not require a TPM chip.

Trusted Boot builds on top of UEFI Secured Boot, and picks up where Secured Boot leaves off during the boot process. It protects the Windows boot files, drivers, and also includes the antivirus program's Early-Launch Anti-Malware (ELAM) driver. ELAM loads approved antimalware drivers that protect the boot process from malware that performs inserts and attacks before the operating system starts.

Measured Boot is another new feature for Windows 8.1 that performs measurements during the boot process that help to validate the boot process beyond the protection already afforded by Trusted Boot. The Measured Boot process begins by measuring all aspects of the boot process, signing them, and then protecting them with the system's TPM chip. This measured information can be further validated by a remote service before it is granted access to resources, in a process known as Remote Attestation. This can be useful in access control scenarios, such as an administrator setting access control policies for a file server, to keep infected devices from connecting to enterprise resources. In this scenario, Remote Attestation allows a trusted third-party to verify that the connecting computer has booted securely, and there were no signs of malicious or inappropriate activity in the process.

iOS uses a feature called Secure Boot Chain for boot loader unlock restrictions and early starting of antimalware solutions. Secure Boot Chain processes components such as boot loaders, kernels, kernel extensions, and baseband firmware that are cryptographically signed by Apple to validate integrity and verify the chain of trust before proceeding. These checks are all based on proprietary technology, as opposed to the publicly-available standards-based technology that the Windows 8.1 platform uses.

The OS X platform uses its Firmware Password Utility to prevent access to its own boot process or the Extensible Firmware Interface (EFI). Apple computers launch EFI before booting, and, if the user has already created an EFI password, prevent the user from accessing single-user mode. A user must enter the created EFI password from an alternate computer.

While there are rumors in Apple discussion forums claiming that OS X uses a TPM chip to protect the boot process and prevent non-Apple operating systems from being installed on its devices, Apple has not officially listed this procedure in any publicly available documentation. Similarly, while Apple platforms may claim to have features similar to Trusted Boot and Measured Boot, there is no public documentation that lists how this has been achieved or what standards have been adhered to.

Windows 8.1's UEFI and the TPM module are open standards from the TCG. Using open standards allows developers to understand and work with UEFI, and the TPM chip provides a hardware layer of security that Apple does not use. Microsoft is dedicated to using standards-based hardware to secure the boot process and provide a root of trust that IT administrators and executives can rely on.
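The Measured Boot and Remote Attestation flow described in this section can be modelled in a few lines. This is an added example, not code from the original paper or from Microsoft: the stage names, images, key and policy are constructed sample data, and an HMAC stands in for the asymmetric signature a real TPM would produce over its quote.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one SHA-256 register, all zeros at power-on


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: the register can only be folded forward, never set."""
    return hashlib.sha256(pcr + digest).digest()


def boot(stages):
    """Device side: hash each stage before it runs, log it, extend the PCR."""
    pcr, log = bytes(PCR_SIZE), []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return log, pcr


def quote(pcr: bytes, nonce: bytes, key: bytes) -> bytes:
    """Stand-in for a TPM quote (assumption: HMAC instead of an asymmetric
    attestation-key signature, to stay inside the standard library)."""
    return hmac.new(key, nonce + pcr, hashlib.sha256).digest()


def verify(log, pcr, nonce, signature, key, policy):
    """Remote attestation service: returns (trusted, reason)."""
    # 1. The quote must be authentic and bound to the verifier's fresh nonce.
    if not hmac.compare_digest(quote(pcr, nonce, key), signature):
        return False, "quote signature invalid or stale nonce"
    # 2. Replaying the event log must reproduce the quoted register value.
    replayed = bytes(PCR_SIZE)
    for _, digest in log:
        replayed = extend(replayed, digest)
    if not hmac.compare_digest(replayed, pcr):
        return False, "event log does not match quoted PCR"
    # 3. Every expected stage must be present, in order, with a known hash.
    if [name for name, _ in log] != list(policy):
        return False, "boot stages missing or reordered"
    for name, digest in log:
        if policy[name] != digest:
            return False, "unexpected measurement for " + name
    return True, "boot chain matches policy"


# Constructed sample data: names and images are placeholders.
GOOD_CHAIN = [("bootmgr", b"bootmgr v1"), ("kernel", b"kernel v1"),
              ("elam", b"elam driver v1")]
BAD_CHAIN = [("bootmgr", b"bootmgr v1"), ("kernel", b"kernel v1 + bootkit"),
             ("elam", b"elam driver v1")]
POLICY = {name: hashlib.sha256(image).digest() for name, image in GOOD_CHAIN}
AK = b"constructed-attestation-key"


def attest(stages, nonce, forged_log=None):
    """Boot a device, then have the verifier judge it. forged_log models
    compromised software presenting a clean log for a tampered boot."""
    log, pcr = boot(stages)
    signature = quote(pcr, nonce, AK)
    return verify(forged_log or log, pcr, nonce, signature, AK, POLICY)


if __name__ == "__main__":
    clean_log, _ = boot(GOOD_CHAIN)
    print(attest(GOOD_CHAIN, b"nonce-1"))
    print(attest(BAD_CHAIN, b"nonce-2"))
    print(attest(BAD_CHAIN, b"nonce-3", forged_log=clean_log))
```

The third case is the reason the measurements are anchored in hardware: software that lies about the log cannot rewind the register, so the replayed value disagrees with the quoted one.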

Operating System

To protect the entire hardware and software ecosystem supported by the operating system, platform-level security measures are required. The central management features of a platform help administrators maintain control over the security architecture of the enterprise. To support this, Windows 8 devices are designed from the ground up to be secure.

Key Findings

The sections below compare Windows 8.1, iOS 7, and OS X 10.8 Mountain Lion based on the strength of their platform security, including considerations such as:

- Multiple user profiles: Windows 8.1 and OS X both support multiple profiles, offering better security to users and IT administrators. Multiple user profiles work with single sign-on to provide convenience for users, as they don't need to sign in to multiple applications in addition to the device.
- Security updates: Microsoft has a long track record of releasing frequent and timely automatic security updates, while Apple uses a notification system that can be ignored and circumvented by users, leaving their system unprotected.
- Address Space Layout Randomization: Microsoft and Apple both use methods to randomize their address space layout, which provides increased protection to boot processes and protects from malware. Given the information available at this time, the two companies are on equal footing in this area.

Multiple User Profiles

While Windows 8.1 and OS X both support creating multiple user profiles, iOS does not have that functionality. Windows 8.1 allows multiple profiles on tablets, which is a key differentiator for Microsoft's platform. Allowing for multiple user profiles provides greater security for multiple users in a shared device environment or in a BYOD environment.

Security Updates

Microsoft releases security and software updates on a regular schedule via Windows Update and Windows Server Update Services. This automatic update process defaults to on, and is widely considered to be a leader in the industry.

iOS relies on update notifications, which allow users to install security patches wirelessly or with a cable connection to a Mac PC running iTunes. OS X uses Apple Downloads on Apple's support site for updates, but also checks for security updates daily. Users can configure or disable updates in Software Update Preferences on the operating system menu, based on organizational policy. Apple has increased the security of connections between OS X platforms and update servers, as well. However, Apple's security update release schedule is known to be unpredictable, and there can be long periods before patches are released.

These changes make Apple more comparable to Microsoft in terms of bringing software updates to users, but they are currently not at the same level as Microsoft. Microsoft's security update delivery is faster and considered to be a leader in this area. Long times in between security updates can lead to vulnerabilities lasting longer, leaving users unprotected until the patch goes out.

Address Space Layout Randomization

Windows 8.1, OS X, and iOS allow integrity checks and randomization through the ASLR feature. This feature randomizes all memory regions on launch, and randomizes system-shared library locations on each device startup.

Microsoft has disclosed all information regarding their ASLR feature, as well as the improved functionality for Windows 8.1, all of which will be used by IE10. These include:

- Predictable memory regions such as VirtualAlloc and MapViewOfFile have been reduced, as all bottom-up and top-down allocations are now randomized using 8 bits of entropy and up to 32 bits in some cases.
- IE10 runs in 64-bit mode on 64-bit computers by default, providing a much larger address space and a more random memory layout.
- High Entropy Address Space Layout Randomization (HEASLR) takes advantage of this 64-bit address space and assigns more bits of entropy.
- ForceASLR, a new loader option used by IE10, is used to randomize the location of all modules loaded.

Apple has improved their version of ASLR, and with Mountain Lion, protection is provided to both 32-bit and 64-bit processes. However, Apple has not disclosed much information about their ASLR functionality, or to what degree this applies to their systems. Given the limited information available on Apple's systems, a comparison at this stage puts Apple and Microsoft about even with each other on this feature.

Encryption

The most effective method for securing information is encryption, the translation of data into a secret code. Encryption is spread across many layers of the device and platform, including hardware, operating system, applications, user data, and external devices.

Key Findings

The following sections compare some key aspects of encryption on Windows 8.1 and Apple platforms, including:

- Encryption features: Both Windows BitLocker drive encryption and Apple's FileVault 2 on OS X have robust drive encryption features. Windows 8.1's selective wipe feature provides IT administrators security and control while facilitating convenience for users in BYOD scenarios. iOS does not have a compelling feature set in this area. Windows BitLocker is highly manageable, and provides enterprise reporting and recovery capabilities that iOS lacks.

Encryption Features

Microsoft's BitLocker helps protect against data theft from lost, stolen, or inappropriately decommissioned computers. The version of BitLocker for Windows 8.1 supports encrypted drives, which are hard drives that are encrypted by the manufacturer before shipping. BitLocker can increase cryptographic performance by offloading operations to cryptographic hardware and by encrypting only the used space on a disk instead of the entire disk, which reduces the time it takes to provision a drive. As space on the disk is used, it is encrypted dynamically in a way that does not impact user productivity.

Windows 8.1 introduced Remote Data Removal, which allows IT administrators to selectively wipe corporate data such as emails, attachments, and data that comes from Work Folders off of a BYOD device. The wipe is considered selective since the corporate data is all that is removed. The cryptographic key for these files is thrown away, rendering that specific data inaccessible, but the operating system and personal files on the device are left unaffected. This is a big improvement over the standard method of wiping the entire device, as in BYOD scenarios there might be important personal data, pictures, or other files that are not replaceable.

Some other features offered by Microsoft for encryption are:

- BitLocker To Go, which encrypts removable hard drives.
- Network Protector, which is unique to the platform. It allows desktops and servers on the secured network to link to the network protector server, automatically authenticate, and boot without the user having to enter the password.

iOS's encryption is based on a dedicated AES 256 crypto engine paired with SHA-1, both built into the device hardware to reduce cryptographic operation overhead. Each device has a unique identifier (UID) and device group identifier (GID), which are AES 256-bit keys designed directly into the application processor during manufacturing. Other cryptographic keys are created using a Yarrow-based algorithm and the device's random number generator (RNG).

Apple's Effaceable Storage feature is designed to securely erase data from iOS devices. It uses underlying storage technology (such as NAND) to erase a small number of data blocks at a low level, either directly or remotely using a mobile device management tool such as Exchange or iCloud. This process can be performed by users or administrators. Instant remote erasure is done by discarding the block storage encryption key from Effaceable Storage, which renders the data unreadable. Effaceable Storage is held in a dedicated section of NAND storage that is used to store cryptographic keys that can be addressed directly and erased securely. This does not provide protection if an attacker physically possesses the device, but the keys held in Effaceable Storage can facilitate fast erasure and forward security as part of a key hierarchy.

All files in an iOS device's file system are encrypted with a random key that was created when the operating system was first installed, or the last time the device was wiped by a user. This key is stored in Effaceable Storage. The file system key is not used for confidentiality of data, but to be erased on demand directly by the user (with the "Erase all content and settings" option), or remotely by the user or administrator issuing a remote erasure command from a Mobile Device Management server, Exchange ActiveSync, or iCloud. When this key is erased, all files become cryptographically inaccessible. This means the user would then have to wipe the device entirely to regain functionality, clearing out any personal data that might also be on the device.

OS X Mountain Lion uses FileVault 2 for XTS-AES 128 full-disk encryption. FileVault 2 allows a user to encrypt their device's entire drive and log in through an EFI that will unlock the drive and begin normal boot processes. Note that hard drives containing migrated folders that were encrypted with FileVault 1 will not work with FileVault 2. Apple also has a backup key unlock method, allowing the user to store a key with Apple that is recoverable from another computer.

Despite the advances Apple has made with FileVault 2, BitLocker's advanced used-disk-space-only encryption and encrypted hard drive support, in addition to the unique selective wipe feature, give Microsoft the edge in the field of encryption.
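The key-discard wipe described above for both Windows 8.1 selective wipe and iOS Effaceable Storage can be modeled as a two-level key hierarchy. This is an added example, not code from the white paper, Microsoft, or Apple: the Device class, the domain names, and the file paths are assumptions, and an HMAC-SHA256 keystream stands in for the platforms' AES hardware so that only the Python standard library is needed.

```python
import hashlib
import hmac
import os


class KeyErased(Exception):
    """Raised when the wrapping key for a file's domain has been discarded."""


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a standard-library stand-in for the
    # AES engines the platforms use. Illustration only, not for production.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def subkeys(key: bytes):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()  # encryption key
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()  # integrity key
    return enc, mac


def seal(key: bytes, plaintext: bytes) -> bytes:
    enc, mac = subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc, mac = subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(c ^ s for c, s in zip(ct, keystream(enc, nonce, len(ct))))


class Device:
    def __init__(self, domains):
        # Small erasable key store (hypothetical model): one wrapping key per domain.
        self.key_store = {name: os.urandom(32) for name in domains}
        self.flash = {}  # bulk storage: path -> (domain, wrapped file key, ciphertext)

    def write(self, domain: str, path: str, data: bytes) -> None:
        file_key = os.urandom(32)  # fresh key per file
        wrapped = seal(self.key_store[domain], file_key)
        self.flash[path] = (domain, wrapped, seal(file_key, data))

    def read(self, path: str) -> bytes:
        domain, wrapped, ciphertext = self.flash[path]
        if domain not in self.key_store:
            raise KeyErased(f"{path}: key for domain '{domain}' was discarded")
        file_key = unseal(self.key_store[domain], wrapped)
        return unseal(file_key, ciphertext)

    def wipe(self, domain: str) -> None:
        # Crypto-erase: drop 32 bytes of key, leave the bulk data in place.
        self.key_store.pop(domain, None)


def readable_paths(device: Device):
    ok = []
    for path in sorted(device.flash):
        try:
            device.read(path)
            ok.append(path)
        except KeyErased:
            pass
    return ok


def selective_wipe_demo():
    # Constructed sample data; separate corporate and personal wrapping keys.
    dev = Device(["corporate", "personal"])
    dev.write("corporate", "mail/q3-forecast.eml", b"constructed corporate mail")
    dev.write("corporate", "workfolders/plan.docx", b"constructed corporate doc")
    dev.write("personal", "photos/beach.jpg", b"constructed personal photo")
    before = readable_paths(dev)
    dev.wipe("corporate")
    return before, readable_paths(dev), len(dev.flash)


def full_wipe_demo():
    dev = Device(["filesystem"])  # a single key covers every file
    dev.write("filesystem", "mail/q3-forecast.eml", b"constructed corporate mail")
    dev.write("filesystem", "photos/beach.jpg", b"constructed personal photo")
    dev.wipe("filesystem")
    return readable_paths(dev), len(dev.flash)


if __name__ == "__main__":
    print(selective_wipe_demo(), full_wipe_demo())
```

With per-domain wrapping keys the personal file stays readable after the corporate key is discarded; with a single file-system key, discarding it leaves every file unreadable even though all ciphertext is still on storage.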

Malware and Phishing Protection

Malware, or software designed to harm a user's computer, server, or network, is constantly evolving, and enterprises need to evolve as well to protect their users from threats. According to the Internet Security Report by Symantec, there has been a 42 percent increase in targeted malware attacks in. Per the Microsoft Security Intelligence Report H2 2012, almost 40 million malware infections were detected on computers worldwide in.

Key Findings

The following sections will discuss key malware protection elements for Microsoft and Apple platforms:

- Virus susceptibility: Microsoft has continuously improved its antivirus and antimalware features, while Apple is only beginning to change its security stance from "Macs don't get PC viruses" to "It's built safe." Windows 8.1 uses a host of built-in security tools to defend systems, while Apple relies on third-party antivirus and antimalware solutions, which can cost more and be more complex to operate for IT administrators.
- Antivirus and antimalware: Windows platforms use Windows Defender to provide superior enterprise security and management right out-of-the-box. Apple does not have a built-in antimalware solution, instead supporting third-party antivirus programs, which can increase the cost and complexity of an Apple platform deployment for IT administrators.
- Browsers: Windows IE10 is more secure than the browser included on OS X and iOS, Safari, by a dramatic margin: in a comparative test by NSS Labs, IE10 blocked percent of socially engineered malware, compared to Safari's percent.

Virus Susceptibility

Apple has long held a stance that the Mac platform "doesn't get PC viruses." Apple users must depend on third-party tools to prevent malware attacks, which does address the security issue, but raises the level of complexity and cost by requiring business decision makers and IT administrators to handle multiple vendors for their needs. However, Apple has changed its marketing language regarding security to "It's built to be safe," claiming now that built-in defenses in OS X keep you safe from unknowingly downloading malicious software on your Mac. This change in stance comes after malware attacks on OS X in which users were either tricked into installing malware, or third-party program security holes were taken advantage of to install malware. For example, in 2011, the trojan MacDefender reportedly clogged Apple's tech support lines [5]. Again, in April 2012, as many as 650,000 Mac computers worldwide were hit by the Flashback trojan, which used Java vulnerabilities and infected web pages to attack users [6]. While these are only two examples, they show that Macs indeed do get viruses, and would be well served by a more robust antivirus suite.

Some analysts and security vendors believe that the Apple platforms are vulnerable to attack. For example, Kaspersky Lab believes that Apple's resistance to integrating antivirus defenses on iOS leaves the platform vulnerable if an attack manages to get through [7]. Apple has frequently been seen as slow to respond to these types of threats, such as the authentication bypass vulnerability that allows an attacker with user-level access to also gain root-level access [8].

Microsoft, on the other hand, has made platform improvements that help Windows 8.1 to stand out with its protections from viruses and spyware. These improvements include enhancing Windows Defender to act as a robust antimalware solution, much like Microsoft Security Essentials. Action Center gives users a dashboard for all of their security features and toggles for them, rounding out the features that make Microsoft devices stronger on platform security out-of-the-box than Apple devices. These platform improvements provide higher security and protection from attacks for users, and more robust tools for IT administrators to use.

Antivirus and Antimalware

Microsoft comes out on top in virus protection with Windows Defender, which comes pre-installed on all Windows 8 devices. Windows Defender includes both traditional antivirus functions as well as spyware protection and other security features. It is a robust solution, designed to compete with products by security specialists such as Symantec and McAfee.

Malware attacks on OS X in recent years have made it clear that users on the Apple platform cannot do without antivirus and antimalware protection. However, Apple still encourages the use of third-party tools to protect users from malware and viruses, as opposed to developing a built-in solution. Additionally, as Apple security is geared towards preventing malicious apps from infecting systems, documents that bear infection are a possible vulnerability. A document embedded with malicious software could circumvent the platform's app security.

Apple has promised automatic checks for security updates when they are released, but this will only bring them on par with Microsoft's level of malware protection, not surpass it. At this time, needing to use third-party solutions to match Microsoft's level of protection can increase the cost and complexity of the deployment for executives and IT administrators.

Browser Security

There are many tools used in breaching browser security, but phishing is one of the more effective methods. According to APWG's report, there have been 74,127 attacks [9] reported between January and March of 2013, and while this represents a downward trend from 2012, the danger of phishing as an effective attack vector is not diminished. Phishing sites are frequently hosted on free hosting sites and compromised web servers, and merely visiting such a site with a vulnerable system can lead to malware infection, even if the user downloads nothing. Attackers drive traffic to these sites using email and social media.

Microsoft's SmartScreen URL Reputation is a feature built directly into IE10, and is known to be efficient at detecting and blocking malware directed at the user by social engineering. The SmartScreen feature is comprised of two parts:

- App Reputation is a scanning mechanism for binaries that have been downloaded to the operating system. It uses a heuristic algorithm to create a black-list of malicious programs and a white-list of appropriate programs.
- URL Reputation is a similar heuristic algorithm to App Reputation, and scans websites to create its black-list and white-list. URL Reputation is a feature of IE10 only.

SmartScreen presents warnings to the user when a malicious app or URL is accessed, or when IE10 finds an app or URL to be suspicious. All of the settings related to SmartScreen, plus another 1500 settings for IE10, such as employee download restrictions, can be configured on client computers using group policy objects (GPO). This makes Windows 8.1 a compelling choice for enterprises, as Apple platforms rely on third-party tools for such customization, and exact features are not always available.

NSS Labs conducted testing in 2013 of five browsers against 754 samples of real-world malware. While Safari only managed to block percent of malware with its built-in protection, IE10 blocked percent [10]. The combination of URL and application reputation in IE10's SmartScreen technology has put Microsoft at the top of browser security by a wide margin.

Google's Safe Browsing List is the backbone of the Safari browser's security features, which helps users avoid malicious URLs. IE10 uses Microsoft's SmartScreen URL Reputation to perform a similar function. Research shows, however, that IE10's SmartScreen outperforms Google's Safe Browsing List [11].

The Safari browser on iOS and OS X uses a Fraud Warning feature to help users avoid phishing. This feature relies on Google's Safe Browsing List, a constantly updated list of suspected phishing and malware pages that browsers and applications can check URLs against.

User Authentication

Access to devices, user accounts, and platform-related services is granted with the use of authentication. Biometrics, smart cards, over-the-air password enforcement, and parental account controls are some of the methods used as authentication control.

Key Findings

The following sections will discuss the strengths and weaknesses of Windows 8.1, iOS 7, and OS X 10.8 Mountain Lion across several features, including:

- Multi-factor authentication: Windows 8.1 uses multi-factor authentication, or the use of more than one type of credential to log in (including passwords, smart cards and virtual smart cards, or pictures). iOS and OS X only use one method at a given time, which leaves them relatively vulnerable in case this single method is compromised.
- User account control: Both OS X and Windows 8.1 include user account controls, but the Apple tools are less robust, which can be a hassle for IT administrators.
- Identity: The Windows 8.1 platform allows users to sign in with single sign-on, which uses their credentials to also sign them in to their productivity software, DirectAccess connections, and other apps that require credentials. Apple's iOS 7 has implemented a single sign-on feature, but it uses a separate set of credentials stored on the device, instead of using the same credentials used to sign in to the device. Similarly, OS X has a single sign-on feature, implemented with Kerberos authentication.
- Managing user credentials: Windows Credential Locker and Apple's Keychain are comparable tools that manage user credentials. However, Microsoft Connected Accounts gives the Windows 8.1 platform the edge by allowing users to keep and manage their settings across multiple devices, while Keychain has a limited version of that function.

Multi-Factor Authentication

Windows 8.1 provides a superior sign-on experience using multi-factor authentication (MFA) features that are built directly into the operating system and available on all device types. The Windows Biometric Framework is a developer-friendly system that supports multiple biometric solutions within a single framework, including fingerprint authentication. Windows Modern Authenticators uses smart cards utilizing public-key infrastructure (PKI) and tokens as a preferred method of two-factor authentication, and virtual smart cards are also supported.

By way of comparison, OS X supports third-party authentication methods such as smart cards and virtual smart cards through vendors such as GoldKey and GT Security. Apple's iOS platform does not have any options at this time that support multi-factor authentication.

Multi-factor authentication with smart cards and virtual smart cards provides a strong layer of security for users and IT administrators on Windows 8 devices. OS X provides support for third-party multi-factor authentication tools, but these will not be as tightly integrated with the platform as an out-of-the-box solution, and can also increase the cost and complexity of your deployment. iOS does not support multi-factor authentication at this time, which leaves users in the enterprise no option for the more secure multi-factor method of authentication.

User Account Management

Windows 8.1 includes the User Account Control (UAC) feature, which allows IT administrators to control how users access files and folders by deploying the operating system without giving users access to administrator-level privileges. While OS X has used user account control prompts in all of its versions to date, for most users this has been more intrusive than Windows UAC, because the OS X prompt always requires the user to enter their password. Mountain Lion includes a similar functionality with the Gatekeeper feature.

UAC features do not apply to iOS devices, as they only allow a single user profile. All of the apps used on iOS are sandboxed, meaning they do not have a need for such a service. Including strong account control and multiple profiles provides key convenience to users, especially in BYOD scenarios.

Identity

Windows 8.1 provides support for single sign-on functionality. A user that enters their credentials when signing into Windows 8.1 now has SSO access to corporate network resources, etc. This provides convenience for the user, as they do not need to sign in to individual productivity apps such as mail, corporate networks, and others. OS X uses Kerberos single sign-on authentication, for example. This gives OS X users a similar level of functionality, but using multiple vendors can increase the cost and complexity of your deployment.

On the other hand, signing into an Apple device only grants the user access to the device, and any extra functionality must be granted with separate sign-ins unless integrated with third-party tools. iOS 7 has a single sign-on feature built in, which allows the user to store enterprise credentials much like they would store Facebook or other app credentials on the phone. This gives a similar single sign-on functionality, but may require a similar Kerberos setup for secure domain control.

Managing User Credentials

Windows Credential Locker stores user names and passwords for websites and other computers on a network. This feature allows Windows 8.1 to log the user in to websites and other computers, making roaming possible with Microsoft Connected Accounts. The user's credentials are saved in special folders on the user's computer called vaults. Windows 8.1 and other authorized programs can securely give the credentials stored in vaults to other computers and websites.

The Windows Connected Accounts feature allows users to link their Windows 8.1 account to a corporate domain account, which provides a great experience for users by syncing most user settings to a cloud. Windows 8's Connected Accounts service allows settings and data to roam securely between Windows 8 devices, and allows users to seamlessly sign in to Windows Live services and apps from any of their devices. Connected Accounts includes settings that improve the user experience, such as screen contrast, wallpaper, app settings, and the favorites and passwords stored by IE10. If a user were to log in to a new device and sign in with Connected Accounts, all of this setting information would sync to the new device. Additionally, Windows 8.1 allows administrators to disable this feature, while Mac administrators do not have the ability to prevent iCloud from being used on managed Mac computers.

Apple's iCloud allows for syncing data and some settings between an iOS device and a computer running OS X, but there are no options for roaming between devices. The Keychain Services API works with Apple iCloud Connect to provide Apple's feature similar to Connected Accounts. These are commonly used to store passwords, keys, certificates, and other important data in an encrypted file called a keychain. This feature is generally used to store passwords and keys, but it can also store small amounts of arbitrary data. OS X includes the Keychain Access utility, which allows users to store and read data in the keychain.

Windows Credential Locker and Connected Accounts provide a better experience for users by allowing them to safely store credentials on their device, and securely roam data and settings between devices. While Apple's iCloud Connect for Keychain provides syncing between an OS X computer and an iOS 7 device, it does not allow for roaming between devices. Roaming provides users ease of use, as they can switch devices, or even replace lost or outdated devices with new ones without worrying about updating their settings.


ONE Mail Direct for Mobile Devices

ONE Mail Direct for Mobile Devices ONE Mail Direct for Mobile Devices User Guide Version: 2.0 Document ID: 3292 Document Owner: ONE Mail Product Team Copyright Notice Copyright 2014, ehealth Ontario All rights reserved No part of this document

More information

Introduction to BitLocker FVE

Introduction to BitLocker FVE Introduction to BitLocker FVE (Understanding the Steps Required to enable BitLocker) Exploration of Windows 7 Advanced Forensic Topics Day 3 What is BitLocker? BitLocker Drive Encryption is a full disk

More information

UNCLASSIFIED Version 1.0 May 2012

UNCLASSIFIED Version 1.0 May 2012 Secure By Default: Platforms Computing platforms contain vulnerabilities that can be exploited for malicious purposes. Often exploitation does not require a high degree of expertise, as tools and advice

More information

Guide to Evaluating Multi-Factor Authentication Solutions

Guide to Evaluating Multi-Factor Authentication Solutions Guide to Evaluating Multi-Factor Authentication Solutions PhoneFactor, Inc. 7301 West 129th Street Overland Park, KS 66213 1-877-No-Token / 1-877-668-6536 www.phonefactor.com Guide to Evaluating Multi-Factor

More information

Ensuring the security of your mobile business intelligence

Ensuring the security of your mobile business intelligence IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive

More information

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken Bypassing Local Windows Authentication to Defeat Full Disk Encryption Ian Haken Who Am I? Currently a security researcher at Synopsys, working on application security tools and Coverity s static analysis

More information

STRONGER AUTHENTICATION for CA SiteMinder

STRONGER AUTHENTICATION for CA SiteMinder STRONGER AUTHENTICATION for CA SiteMinder Adding Stronger Authentication for CA SiteMinder Access Control 1 STRONGER AUTHENTICATION for CA SiteMinder Access Control CA SITEMINDER provides a comprehensive

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015

Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015 Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure Addressing the Concerns of the IT Professional Rob Weber February 2015 Page 2 Table of Contents What is BitLocker?... 3 What is

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

White Paper. Anywhere, Any Device File Access with IT in Control. Enterprise File Serving 2.0

White Paper. Anywhere, Any Device File Access with IT in Control. Enterprise File Serving 2.0 White Paper Enterprise File Serving 2.0 Anywhere, Any Device File Access with IT in Control Like it or not, cloud- based file sharing services have opened up a new world of mobile file access and collaborative

More information

VALTX ABSOLUTE SECURITY

VALTX ABSOLUTE SECURITY VALTX ABSOLUTE SECURITY Technical Whitepaper Securing Endpoint Computers with Absolute Certainty - Combating Cyber Warfare, Cyber Crime, Cyber Espionage & Cyber Terrorism Dennis Meharchand CEO, Valt.X

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

ADDING STRONGER AUTHENTICATION for VPN Access Control

ADDING STRONGER AUTHENTICATION for VPN Access Control ADDING STRONGER AUTHENTICATION for VPN Access Control Adding Stronger Authentication for VPN Access Control 1 ADDING STRONGER AUTHENTICATION for VPN Access Control A VIRTUAL PRIVATE NETWORK (VPN) allows

More information

Securely Yours LLC We secure your information world. www. SecurelyYoursllc.com

Securely Yours LLC We secure your information world. www. SecurelyYoursllc.com We secure your information world www. Mobile Security Features What are the new security features in Android KitKat 4.4 and IOS 7?. IOS Feature 1 Single Sign-on Previously available for multiple apps developed

More information

ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows

ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows Products Details ESET Endpoint Security 6 protects company devices against most current threats. It proactively looks for suspicious activity

More information

Windows XP Support stops on 8. April 2014

Windows XP Support stops on 8. April 2014 Elements to a Secure Environment Becoming Resilient Towards Modern Cyberthreats 1 Windows XP Support stops on 8. April 2014 Elements to a Secure Environment Becoming Resilient Towards Modern Cyberthreats

More information

Using BitLocker As Part Of A Customer Data Protection Program: Part 1

Using BitLocker As Part Of A Customer Data Protection Program: Part 1 Using BitLocker As Part Of A Customer Data Protection Program: Part 1 Tech Tip by Philip Cox Source: searchsecuritychannel.com As an information security consultant, one of my jobs is to help my clients

More information

CONTENTS. Windows To Go: Empower And Secure The Mobile Workforce

CONTENTS. Windows To Go: Empower And Secure The Mobile Workforce Windows To Go: Empower And Secure The Mobile Workforce CONTENTS 2 Windows To Go: Support New Levels of Secure Mobility 3 Benefits of IT-Managed Windows Workspaces 5 Mobile Workforce Use Cases 5 Superior

More information

How to enable Disk Encryption on a laptop

How to enable Disk Encryption on a laptop How to enable Disk Encryption on a laptop Skills and pre-requisites Intermediate IT skills required. You need to: have access to, and know how to change settings in the BIOS be confident that your data

More information

Security and Compliance. Robert Nottoli Principal Technology Specialist Microsoft Corporation robnotto@microsoft.com

Security and Compliance. Robert Nottoli Principal Technology Specialist Microsoft Corporation robnotto@microsoft.com Security and Compliance Robert Nottoli Principal Technology Specialist Microsoft Corporation robnotto@microsoft.com DISCLAIMER FOR DOCUMENTATION REGARDING PRE-RELEASED SOFTWARE This document supports a

More information

Running Head: AWARENESS OF BYOD SECURITY CONCERNS 1. Awareness of BYOD Security Concerns. Benjamin Tillett-Wakeley. East Carolina University

Running Head: AWARENESS OF BYOD SECURITY CONCERNS 1. Awareness of BYOD Security Concerns. Benjamin Tillett-Wakeley. East Carolina University Running Head: AWARENESS OF BYOD SECURITY CONCERNS 1 Awareness of BYOD Security Concerns Benjamin Tillett-Wakeley East Carolina University AWARENESS OF BYOD SECURITY CONCERNS 2 Abstract This paper will

More information

Trustworthy Computing

Trustworthy Computing Stefan Thom Senior Software Development Engineer and Security Architect for IEB, Microsoft Rob Spiger, Senior Security Strategist Trustworthy Computing Agenda Windows 8 TPM Scenarios Hardware Choices with

More information

IDENTITY & ACCESS. BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape

IDENTITY & ACCESS. BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape IDENTITY & ACCESS BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape Introduction How does your enterprise view the BYOD (Bring Your Own Device) trend opportunity

More information

{ipad Security} for K-12. Understanding & Mitigating Risk. plantemoran.com

{ipad Security} for K-12. Understanding & Mitigating Risk. plantemoran.com {ipad Security} plantemoran.com for K-12 Understanding & Mitigating Risk Plante Moran The ipad is in K-12. Since its debut in April 2010, the ipad has quickly become the most popular tablet, outselling

More information

Software Token Security & Provisioning: Innovation Galore!

Software Token Security & Provisioning: Innovation Galore! Software Token Security & Provisioning: Innovation Galore! Kenn Min Chong, Principal Product Manager SecurID, RSA Emily Ryan, Security Solution Architect, Intel Michael Lyman, Product Marketing Manager,

More information

Sticky Password 7. Sticky Password 7 is the latest, most advanced, portable, cross platform version of the powerful yet

Sticky Password 7. Sticky Password 7 is the latest, most advanced, portable, cross platform version of the powerful yet Sticky Password 7 Reviewer Guide Introduction Sticky Password 7 is the latest, most advanced, portable, cross platform version of the powerful yet simple password manager and form-filler. Its main goal

More information

Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS.! Guyton Thorne! Sr. Manager System Engineering! guyton.thorne@kaspersky.com

Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS.! Guyton Thorne! Sr. Manager System Engineering! guyton.thorne@kaspersky.com Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS! Guyton Thorne! Sr. Manager System Engineering! guyton.thorne@kaspersky.com 1 Business drivers and their impact on IT AGILITY! Move fast, be nimble

More information

Security Consultant Scenario INFO 517-900 Term Project. Brad S. Brady. Drexel University

Security Consultant Scenario INFO 517-900 Term Project. Brad S. Brady. Drexel University Security Consultant Scenario INFO 517-900 Term Project Drexel University Author Note This paper was prepared for INFO-517-900 taught by Dr. Scott White. Table of Contents ABSTRACT.1 THE INTERVIEW...2 THE

More information

Kaspersky Security for Mobile

Kaspersky Security for Mobile Kaspersky Security for Mobile See. Control. Protect. MOVING TARGETS Mobile devices play a key role in connectivity and productivity. But they also introduce new risks to the business: in the past 12 months

More information

Windows Phone 8 Security deep dive

Windows Phone 8 Security deep dive October 2012 Windows Phone 8 Security deep dive David Hernie Technical Evangelist Microsoft Belux Office Microsoft Corporation All large screen, dual-core, LTE and NFC Nokia Lumia 920 Nokia Lumia 820 Samsung

More information

iphone in Business Security Overview

iphone in Business Security Overview iphone in Business Security Overview iphone can securely access corporate services and protect data on the device. It provides strong encryption for data in transmission, proven authentication methods

More information

How to Use Windows Firewall With User Account Control (UAC)

How to Use Windows Firewall With User Account Control (UAC) Keeping Windows 8.1 safe and secure 14 IN THIS CHAPTER, YOU WILL LEARN HOW TO Work with the User Account Control. Use Windows Firewall. Use Windows Defender. Enhance the security of your passwords. Security

More information

Analysis of advanced issues in mobile security in android operating system

Analysis of advanced issues in mobile security in android operating system Available online atwww.scholarsresearchlibrary.com Archives of Applied Science Research, 2015, 7 (2):34-38 (http://scholarsresearchlibrary.com/archive.html) ISSN 0975-508X CODEN (USA) AASRC9 Analysis of

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

My CEO wants an ipad now what? Mobile Security for the Enterprise

My CEO wants an ipad now what? Mobile Security for the Enterprise My CEO wants an ipad now what? Mobile Security for the Enterprise Agenda Introductions Emerging Mobile Trends Mobile Risk Landscape Response Framework Closing Thoughts 2 Introductions Amandeep Lamba Manager

More information

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. The hidden risks of mobile applications This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. To learn more about TraceSecurity visit www.tracesecurity.com

More information

EXECUTIVE SUMMARY Cloud Backup for Endpoint Devices

EXECUTIVE SUMMARY Cloud Backup for Endpoint Devices EXECUTIVE SUMMARY Cloud Backup for Endpoint Devices According to Gartner, by 2015 more than 60% of enterprises will have suffered material loss of sensitive corporate data via mobile devices. Armed with

More information

Operating System Security

Operating System Security Operating System Security Klaus Schütz Windows OS Security Microsoft Redmond Before I start My VP love(d) me A frustrated friend 1 Agenda Evolution of Threats Client vs. Server Security Operating System

More information

Certified Secure Computer User

Certified Secure Computer User Certified Secure Computer User Course Outline Module 01: Foundations of Security Essential Terminologies Computer Security Why Security? Potential Losses Due to Security Attacks Elements of Security The

More information

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication

More information

Information Security It s Everyone s Responsibility

Information Security It s Everyone s Responsibility Information Security It s Everyone s Responsibility Developed By The University of Texas at Dallas (ISO) Purpose of Training As an employee, you are often the first line of defense protecting valuable

More information

Feature List for Kaspersky Security for Mobile

Feature List for Kaspersky Security for Mobile Feature List for Kaspersky Security for Mobile Contents Overview... 2 Simplified Centralized Deployment... 2 Mobile Anti-Malware... 3 Anti-Theft / Content Security... Error! Bookmark not defined. Compliance

More information

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology ARCHITECT S GUIDE: Comply to Connect Using TNC Technology August 2012 Trusted Computing Group 3855 SW 153rd Drive Beaverton, OR 97006 Tel (503) 619-0562 Fax (503) 644-6708 admin@trustedcomputinggroup.org

More information

ICT Professional Optional Programmes

ICT Professional Optional Programmes ICT Professional Optional Programmes Skills Team are a Microsoft Academy with new training rooms and IT labs in our purpose built training centre in Ealing, West London. We offer a range of year-long qualifications

More information

Kony Mobile Application Management (MAM)

Kony Mobile Application Management (MAM) Kony Mobile Application Management (MAM) Kony s Secure Mobile Application Management Feature Brief Contents What is Mobile Application Management? 3 Kony Mobile Application Management Solution Overview

More information

How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform

How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform McAfee Endpoint Security 10 provides customers with an intelligent, collaborative framework, enabling endpoint defenses to

More information

iphone in Business How-To Setup Guide for Users

iphone in Business How-To Setup Guide for Users iphone in Business How-To Setup Guide for Users iphone is ready for business. It supports Microsoft Exchange ActiveSync, as well as standards-based services, delivering email, calendars, and contacts over

More information

10 Quick Tips to Mobile Security

10 Quick Tips to Mobile Security 10 Quick Tips to Mobile Security 10 Quick Tips to Mobile Security contents 03 Introduction 05 Mobile Threats and Consequences 06 Important Mobile Statistics 07 Top 10 Mobile Safety Tips 19 Resources 22

More information

Why should I care about PDF application security?

Why should I care about PDF application security? Why should I care about PDF application security? What you need to know to minimize your risk Table of contents 1: Program crashes present an opportunity for attack 2: Look for software that fully uses

More information

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE

More information

Egnyte Cloud File Server. White Paper

Egnyte Cloud File Server. White Paper Egnyte Cloud File Server White Paper Revised July, 2013 Egnyte Cloud File Server Introduction Egnyte Cloud File Server (CFS) is the software as a service layer that powers online file sharing and storage

More information

BitLocker Drive Encryption Hardware Enhanced Data Protection. Shon Eizenhoefer, Program Manager Microsoft Corporation

BitLocker Drive Encryption Hardware Enhanced Data Protection. Shon Eizenhoefer, Program Manager Microsoft Corporation BitLocker Drive Encryption Hardware Enhanced Data Protection Shon Eizenhoefer, Program Manager Microsoft Corporation Agenda Security Background BitLocker Drive Encryption TPM Overview Building a BitLocker

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

Locking down a Hitachi ID Suite server

Locking down a Hitachi ID Suite server Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime

More information