Does OS matter anymore for security?
Whenever I've touched on the sensitive topic of Linux vs. Windows or Apache vs. Microsoft IIS security, I expected the usual flame treatment and nasty name calling to fly. It's usually taken as gospel in many IT circles to assume that Windows Security is an oxymoron; anyone who dares to suggest using Microsoft IIS 6.0 for a public web server faces serious ridicule. To see if there was any truth to this presumption that Windows Server is fundamentally insecure, I looked up these hacking statistics from www.zone-h.org for 2003 to 2004. Not only did it not show that Windows was hacked more often, but just the opposite. The Linux servers were actually getting hacked and defaced far more often than the Windows server and Apache was also being hacked and defaced more than Microsoft IIS.
While most security research comparing various operating systems and applications focus on statistics for the number of vulnerabilities and their criticality, zone-h takes a completely different approach by looking at actual server compromises. Even more significant is that these are not theoretical hacks in the laboratory but actual website defacements that were confirmed by the public. Zone-h is essentially a centralized "score board" for hackers who want bragging rights for their handy work. While the source of the data is highly despicable, there is no denying the value of such data being collected regardless of the source because of its accuracy. When a website is hacked and defaced, there is little room for interpretation for what has transpired because the proof is in the humiliating public defacement. While these particular defacements are often the work of recreational hackers who hack for sport and not the work of a professional criminal who hacks for financial gain, the techniques uses to compromise the servers are usually identical. Zone-h accurately portrays itself as the pulse of the Internet because they accurately sample server compromises based on recreational hackers using the standard tools of the trade. Why is this significant? It is very difficult to obtain this information through other means because most companies are not eager to report server compromises. Zone-h brings these attacks in to the light so that they're not just swept under the rug, and forces companies to take vulnerabilities seriously.
At the end of the zone-h report for 2003-2004, the author concludes (accurately, in my experience) that the argument about which OS is more secure is totally irrelevant since most modern exploits are against applications and not the operating system hosting them. This is true because servers are rarely deployed wide open on the Internet without a firewall. A properly configured firewall minimizes the vulnerability footprint to only permit the ports necessary for a specific application to work, which means the application is the only thing exposed to the hacker. The zone-h report doesn't actually prove which OS is more secure, only that the OS is mostly irrelevant and the Windows server security jokes are more myth than fact.