Common wisdom has held for years that Linux is superior to Windows when it comes to security issues. But now that open source is growing in popularity both on the consumer side (think Android phones) and the enterprise side (Linux runs the 10 fastest supercomputers in the world, for example, according to Wikipedia), it’s time to push past the adage and look again at the whole “which is safer” issue.
“Linux has been more widely deployed, which has certainly made it a bigger target to hackers in general,” said Charlie Belmer, founder and CEO of security vendor Golem Technologies. “But in terms of overall security it is still far superior to Windows.”
Which is not to say that Linux is entirely safe nor that it will necessarily hold its championship title forever.
Here is how the two stack up against current and foreseeable security threats:
Windows has dramatically improved with the advent of Windows 7 and Server 2008, but security issues still remain.
“Using AppLocker, the Windows 7 endpoint security application, as the only protection against malware attacks and viruses, still leaves enterprises open to the same issues,” said Toney Jennings, CEO of CoreTrace, an application whitelisting security company. Jennings is also a former officer at the Air Force Information Warfare Center (AFIWC), where he conducted penetration testing and vulnerability assessments of operational DoD networks.
The issues, said Jennings, are:
- Time-intensive and ongoing tuning of whitelists;
- Unprotected endpoints vulnerable to malicious programs and variants;
- Inefficiencies in handling complicated software updates and changes;
- Inconsistencies between the configurations on your various corporate endpoints;
- Poor end user experience with the addition or update of applications; and
Windows users also face a higher level of threat, due in part to the popularity of the operating system.
“The way malware writers operate is very much like any legitimate business: there are ROI concerns, R&D and risk vs. reward considerations,” explained Steve Santorelli, director of Global Outreach at Chicago-based, nonprofit Internet security research group Team Cymru and a former Scotland Yard detective. Santorelli was also employed by Microsoft at one time and was the lead investigator for the Zotob PnP worm case. “If you overlay sensible business considerations onto the criminal decision making process, it’s clear that Windows malware will get you more ROI.”
There is also the problem with user capabilities to consider.
Simply put, open source users tend to possess more computer skills. Windows users, at least those on the lower end of the computer knowledge scale, are less likely to apply patches and deploy security tools.
“As long as Windows remains the dominant operating system with most consumers remaining unaware of security issues, it will remain the favorite punching bag for hackers,” concluded Belmer.
Windows does have a better way of segregating administrator actions from normal user actions now, which helps considerably, especially on the enterprise front. Such a move is an important security step, albeit one away from Windows’ roots.
“From day one, the development of the Unix operating system (upon which Linux is based) was premised on the idea that the user should have minimal interaction with the operating system kernel,” explained Bob Williams, a security consultant at The Binary Guys. “That is to say that the operating system does not regard the user as a god.”
The OS treats every user interaction with suspicion, and every flavor of Linux operates on the same principle.
“The development of the Microsoft OS from the earliest DOS system to the present Windows 7 is just the opposite,” said Williams. “Even a guest account in Windows is tightly connected to the kernel at a very fundamental level. If the guest account is given access to a printer function, for example, the account is given escalated privileges to the kernel.”
The biggest security problem with Windows, however, still lies in too few eyes watching for threats — and way too long a lag in fixing the issues. It can literally take months for Microsoft to address a security issue adequately.
“It cannot be said any more that Windows is a closed source system. It seems as if the folks that investigate and exploit Windows know more about how the code works than Microsoft does,” said Williams.
One of the biggest advantages in terms of security for Linux lies in its huge, highly-skilled and diligent community.
“The open source nature of Linux allows for more peer review of the code to find and fix the code before zero day hacks can be done,” said Williams. “It is a labor of love, not license.”
That is not to say, however, that Linux is invulnerable. It is indeed facing an increase in threats as it gains popularity. Yet, there is a limited set of security solutions available. The number of vulnerabilities requiring patches is growing, too.
“Administrators are facing a growing need to proactively control configurations and prevent unauthorized applications from executing,” warned Jennings. “And, most organizations have limited visibility into all the applications running on Linux desktops and servers.”
Working blind against determined criminals is a dangerous situation for a company to find itself in.
Social engineering and poorly configured systems present the greatest threats in Linux. Passwords, too, are a serious liability, as they are on Windows. “SQL injections and the like due to sloppy Web programming, such as happened in the HBGary incident a few weeks ago, are the other major threat to Linux,” said Tracy Reed, co-founder of Copilotco, a managed hosting service.
“Note that none of these are really Linux design issues,” added Reed.
At the end of the day, the question of which is more secure depends a great deal on who is using it and how they’re using it.
“It really isn’t a question of Windows or Linux being ‘superior’ in terms of security. It is more a question of management of the network and operating systems within the environment,” said Brian Dykstra, senior partner of Jones Dykstra and Associates, a consulting firm specializing in eDiscovery, incident response, computer forensics and computer security training services. “I always list a lack of resources, people and funding, as the top security threat to any IT infrastructure.”
A prolific and versatile writer, Pam Baker’s published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).