Operating system choice does not equal security

Summary: Steve Manzuik: Your operating system choice does not equal security. I cannot put that any more simply than that. If your company employs experts in Linux then it makes sense to standardize on Linux. If your company employs expertise in Windows -- rolling out Linux, OSX, or any other operating system is asking for problems.


Guest editorial by Steve Manzuik

Yesterday, while some of us in the USA were enjoying a day off, Google made the news with this article in the Financial Times stating that they are moving away from Microsoft Windows due to security concerns. My first reaction was to question why a company with as many smart brains as Google would make such a misguided decision. That was, of course, before I actually read the entire article.

To steal from the FT.com article:

“We’re not doing any more Windows. It is a security effort,” said one Google employee.

“Many people have been moved away from [Windows] PCs, mostly towards Mac OS, following the China hacking attacks,” said another.

I cannot comment directly on the China hacking incident because I was involved in various meetings with unnamed companies and unnamed forensics experts on the so-called “China hacking incident”, but I can comment on the stupidity of this clearly knee-jerk reaction. Your operating system choice does not equal security. I cannot put that any more simply than that. If your company employs experts in Linux then it makes sense to standardize on Linux. If your company employs expertise in Windows — rolling out Linux, OSX, or any other operating system is asking for problems.

Obviously, in Google’s specific case one could argue that they have more expertise in Linux. So the switch from Windows isn’t a security concern; it’s common sense, and it makes me wonder why they would have had Windows boxes in the first place. This quote from an unnamed employee says it best:

Employees said it was also an effort to run the company on Google’s own products, including its forthcoming Chrome OS, which will compete with Windows. “A lot of it is an effort to run things on Google product,” the employee said. “They want to run things on Chrome.”

I could care less what OS Google or any company standardised on. The reason I felt the need to comment on this was not because I think Google is making a mistake but because the press is taking some comments from “anonymous employees” out of context, turning this into something it’s not, and helping perpetuate a huge Information Security Myth.

The myth I speak of: “Switching to Mac OSX or Linux will make you more secure.”

Corporations get hacked, in fact they get hacked much more than we read in the press.  Sometimes those hacks come via a “zero day” type attack and others via a known issue that the corporation failed to patch for.  This is the reality of running a business in the Internet age.

Let me paraphrase what was said by myself and other “experts” back in February 2010:

Every operating system has its advantages and disadvantages in security, but no single one is a silver-bullet, more secure option. Some represent a higher risk than others, but in reality you are only as secure as your ability to administer the chosen operating system. This means that if your organization has IT expertise in Linux then you are probably more secure running Linux than you are running an operating system that your staff do not have the same level of expertise in. The same goes for companies that have Windows expertise; while I am sure that a good Windows Administrator can find his way around alternative operating systems, I would not want that Administrator to be responsible for securing an operating system that he is not proficient in.

So while one could argue that in general Windows has been the riskier operating system to run, I would counter that argument by saying that, while correct in the past, it is this level of exposure and risk that has caused great improvements in Windows security. Not to mention the fact that if you are Google you have a very large target painted on you, and no matter what operating system you decide to run you are and probably always will be a target of attackers. Shift your operating system and attackers will shift their attack methods.

Based on available public information on the Aurora attack, the compromise may have come via an unpatched Internet Explorer vulnerability and was a targeted attack. The second part of that sentence is actually the more important one here. TARGETED ATTACK. This means that when, and not if, Aurora the sequel happens, it will come via an unpatched vulnerability in whatever operating system happens to be in use at the target company.

It is really too bad that the press in this particular case did not reach out to real security experts and get actual facts around what your operating system choice means to your security.  In fact the Financial Times article is nothing more than FUD generated by “anonymous” quotes from “anonymous sources”.

The unfortunate part about FUD like this is that all week various executives at other companies will read this article and determine that because the great minds at Google have done this to be “more secure” that they should follow suit.  They will bring in some clueless IT Security Consultant (aka CISSP) who will back up this opinion for the sake of billable time and the poor IT guys will have to do their bidding and will ultimately make their company less secure than it was in the first place.

Rinse, wash, repeat.. the cycle of Information Security Myths trumping actual progress continues...

* Steve Manzuik is currently an independent security consultant working as a Program Manager for Microsoft's Vulnerability Research program (MSVR).  With almost 20 years of IT and IT Security experience Steve managed the infamous eEye Research Team and has held positions at Juniper Networks, Ernst & Young and IBM Global Services.   When he isn't on the ice playing hockey, Steve is an occasional blogger at http://hellnbak.wordpress.com and has presented at major security conferences such as Blackhat, Defcon, AusCERT, and PacSec.

  • RE: Operating system choice does not equal security

    This should be required reading for everyone here. If only a few people get it, it would be nice.

    I've used Windows since 3.1, and OS X since 10.3. I haven't had any problems with either. The last (and only) virus I got was from an infected disk - using DOS.
    • Clearly there is no problem then

      "I've used Windows since 3.1, and OS X since 10.3..."

      Back in the real world we have millions of computers infested with malware, overwhelmingly windows PCs.

      Manzuik is right, switching OS is no magic fix. Sophisticated, targeted attacks against a company are likely to be successful against any OS. It can reduce the effect of unsophisticated attacks.

      Also his position ignores the advantages of a Linux distribution (package management system, total control over installed packages) by correctly stating all OSes will have vulnerabilities. NB windows is moving in this direction for future releases for the same reason.

      Staff is not an issue. Get rid of the MCSEs and staff your company with real knowledgeable IT people. You'll find regardless of OS your IT operations will improve.
      Richard Flude
      • Hey Richard, come back when you have

        something of value or interest to say.

        "Staff is not an issue. Get rid of the MCSEs and staff your company with real knowledge IT people. You'll find regardless of OS you IT operations will improve"

        If that's the best you can come up with as an insult to those trained in MS products, you're a bigger fool than many believed.

        I would think that most people view you as someone on the outside looking in, in reference to IT, so please come back when you have a better understanding of things.
        John Zern
      • Yeah, I know, truth hurts

        @John Zern

        time has come to face the fact that your Microsoft certifications won't get you far. That must hurt.
        OS Reload
      • Funny...

        @Richard Flude

        I thought I was in the real world. I've used my computers on-line and off-line, I've swapped data with floppies (5 1/4 and 3 1/2), via USB drives and over networks, both wired and wireless. I've used these computers at work for mission-critical applications, and I've used them at home for fun.

        That's the real world on the planet on which I live.
      • @John Zern

        I assume when you say "better understanding of things" you mean demonstrably wrong information like your post yesterday:

        http://www.zdnet.com/tb/1-82509-1577947?tag=talkback-river;1_82509_1577947

        A tragic time for the MCSE. Beholden to a stagnant platform under assault, irrelevant to the next generation, and staffed with people so used to clicking their way out of trouble they're unable to move to alternatives.

        So insecure in their future they find themselves clutching onto stories published by MS employees telling them everything is OK.

        Back in the real world, those that publish under their real names are meeting with customers so frustrated with their existing windows infrastructure (on Monday it was a digital signage network, the week before retail cart platform on windows ce, ...) they're actively evaluating alternatives. But don't worry John, I'm on the "outside" ;-)
        Richard Flude
      • RE: Operating system choice does not equal security

        @Richard Flude

        Actually, it's quite simple. People who know what they're talking about accept that all the current main operating systems have their good and bad points. People who don't make up nonsense and rely on blogs for 'evidence'.

        People like you, Richard.
        Sleeper Service
      • Ehhh

        @Richard Flude

        Richard, you are right in some of your points but there is a problem. You are approaching this from a home user perspective, and this is really an Enterprise conversation. Yes, Linux has less of a target profile, so there is less prebuilt malware for it, but it still exists. Heck, just look back through this blog's history; you don't have to go back but a few months to see articles about Linux worms. As for package management, any enterprise worth its salt has solutions and processes for this. Whether it's a Lumension, BigFix, or just SCCM and some dedicated staff. Patches have to be tested before being put into production in an Enterprise environment, and then deployed in a controlled manner across the entire enterprise, not just individual machines. The fact is, when you get to an Enterprise level Windows and certain Distros of linux are pretty equal.

        Just to play the devil's advocate (I am a big Debian supporter actually) I would suggest that Linux works against you a bit in enterprise Security for a few reasons. One is the smaller pool of expertise. Another is the availability of compatible security products (getting better all the time though), and finally is the obscurity factor. It's pretty easy to keep up on the latest MS vulns. You have to work for it a bit more with Linux distros.

        I also have to say the generalisation about MCSEs is also pretty cheap. Sure it's fun to take the piss out of them, but there are plenty of MCSEs out there who are incredibly smart people. You will always have the poseurs, but we have plenty of those in Linux land too.

        P.S. I primarily work in AppSec and the average time from discovery of a vuln to pwn is waaaaaaay faster on LAMP than up-to-date IIS running .NET. I attribute this to the very thing that makes Linux so attractive: the power and choice it gives its users/admins. Sometimes giving admins that much choice isn't the right thing to do.
    • FUD!!!!!

      @msalzberg , don't you want to join in on the fun? WINDOWS SUCKS!!!!!!!!!! DUMP WINDOWS AND WE CAN REMOVE THE WORD SECURITY FROM THE DICTIONARY! Right? ;)

      All nonsense aside, I do applaud your honesty. Securing a Windows network is a non hassle, and I'm surprised the "Geniuses" over at Google made such a boneheaded move to continue using IE6 and Windows XP in the wild.
      The one and only, Cylon Centurion
      • RE: Operating system choice does not equal security


        Although I prefer OS X, I'm a big fan of Windows 7, and have stated so publicly here on ZDNet. We use XP on our Windows computers at work, but we don't change OSs in the middle of a project on mission critical computers.
      • RE: Operating system choice does not equal security


        Somehow, I don't think you are using IE6 though. Using XP with a modern browser such as Firefox (With Adblock and NoScript) can go a long way security wise. But IE6 is just asking for it. Using IE6 in 2010 says a lot about your security practices.
        The one and only, Cylon Centurion
      • RE: Operating system choice does not equal security


        Once our mission critical computers are set up and running, they are taken off-line. Isolation provides pretty good security. Until then, no ActiveX, no Flash, trusted sites only. These machines are for work, not fun.
  • And the damage control operation goes on

    Amazing how ZDNet keeps on pumping out articles aimed at laundering the reputation of Windows.
    OS Reload
    • RE: Operating system choice does not equal security

      @OS Reload Amazing that you continue to read and respond to ZDNet articles.
    • Almost as amazing as the number of times

      these ABMer idiots keep coming back to post their usual drivel and insults against MS's products and users.

      Someone said "security starts with OS Choice" which I guess I respond to by saying "which is why we don't use Linux or Apple products here"

      John Zern
      • RE: Operating system choice does not equal security

        @John Zern

        Funny, this is the reason I dumped windows years ago and continue to install more linux systems than windows systems. Eventually, most of the few windows systems eventually get converted to linux, so in a sense I paid double for those.

        When you learn more about computers, please come back to the discussion with something meaningful. Sheesh......
        linux for me
  • Amazing. You pose as security expert but promote unsafe computing practices.

    So to you, Ubuntu's method of applying digitally signed installs and keeping a trusted well curated software repository is irrelevant to improve security.

    You are completely wrong my friend. Security starts with OS choice.

    With 'good guys' such as yourself advocating such lousy security practices who needs the bad guys?
    OS Reload
    • Repositories aren't the panacea you make them out to be.

      @OS Reload: You can champion them all day long but in the end people will continue to download software outside of repositories. As such they'll continue to be subject to trojan infections.
      • An OS has a culture associated with it, not just tech


        In the case of Linux not only is the tech on offer top notch but the culture is also top notch and has ALWAYS been aware of security issues.
        OS Reload
      • And this has what to do with obtaining software outside of repositories?

        @OS Reload: nt