Friday, June 04, 2010

Microsoft has good security, but it's not enough

Google(reportedly) says that because of security, it is replacing Windows desktops with Macintoshes and Linux computers. Microsoft replies, claiming that Windows is the most secure operating system. Both are right.

Microsoft does a great job with cybersecurity. They have the largest and best team of security experts in the world. They employ more security experts than the next 100 top companies combined. If you combined all the experts from the anti-virus companies with all the experts from the military and NSA, you would still only have a small percentage of the expertise at Microsoft's command.

Windows 7 is probably the most secure operating system available, and Internet Explorer 8 (IE8) is probably the most secure web browser. Microsoft has done a great job of not only securing their products, but in ways that encourage people to make good security choices.

The problem is that none of this is enough. Microsoft is the biggest target. Hackers largely ignore Linux and Macintosh desktops - they focus on Windows. It doesn't matter how secure Windows is, or how insecure Linux/Macintosh are: as a practical matter, you are still more at risk running Windows.

Changing the desktop operating system is a practical solution. But I'm not claiming it's a smart move. If everybody did it, then hackers would just change tactics. I can never recommend it as a good national cybersecurity strategy, or even a good strategy for government desktops. It's just a good temporary strategy for individuals, for the near future.

Microsoft cannot fix stupid. The biggest security problems aren't in the operating system but in people's heads. People routinely misjudge risk and make poor decisions that get themselves hacked. People download and install software with reckless abandon. You can break into somebody's computer by forging an e-mail from their IT department claiming they need to install an urgent patch. Enough people will do this, installing the Trojan virus, that it becomes nearly impossible to secure a Windows desktop. Windows is the operating system "most vulnerable to viruses" not because of any feature in the operating system, but because its users are most like to stupidly infect themselves.

Security is a trade-off. There are not a lot of solutions to these problems that don't cause more problems. For example, you can stop users from infecting themselves with viruses by preventing them from installing any software at all. However, this means that they can't install software they need - so they end up working on their personal laptops, which are probably infected with multiple viruses already.

The question is quickly becoming moot anyway. More and more activity is moving to the cloud and mobile devices. In a couple of years, the majority of cybersecurity threats you will face will not depend on your choice of desktop operating system. Then, of course, everyone will be hating monopolies like Google and Apple instead of hating Microsoft.

APPENDIX: People are most likely to dispute my glowing description of Microsoft. This is based on my personal dealings with Microsoft, as well as hacking Windows. It's not based on third hand information.

7 comments:

Oldami said...

As much as I hate MS bloatware and their monopolistic practices, I have to agree with your assessment of MS. The push into the cloud will make the next few years very interesting for IA professionals.

Thibaud said...

"They have the largest and best team of security experts in the world. They employ more security experts than the next 100 top companies combined. If you combined all the experts from the anti-virus companies with all the experts from the military and NSA, you would still only have a small percentage of the expertise at Microsoft's command."

Would it be possible to know where you got theses numbers?

Jesse said...

It would be nice if you balanced your first-hand hyperbole with some objective fact. A citation for your comment about Microsoft's security team being larger than the next 100 combined would also be nice (unless it's just hyperbole too.) There's no question that Microsoft has improved its posture from the 90s, but not even Microsoft PR would try and get away with these assertions.

StopthisNonesene said...

Interesting claims. If that is true then why every month there are critical patches after almost a decade of attempting to 'secure windows'. Also, today patch tuesday Microsoft is releasing a 'boatload', as several new sources claim, of security patches. Does not add up to well. I switched to Mac in the family and there is much much more than just security in using a MAC.

avatar139 said...

I'm not sure what I find more ludicrous, the fact you're seriously trying to push Windows 7 as the most secure operating system or IE as the most secure browser.

Personally, I've never bought into the idea that Windows can be secured in any way after XP was released.

I think what most people tend to forget is that XP was supposed to be the end of the road until .NET took hold and several Microsoft VPs were pushing the idea of cloud and sever based platform leveraged by the .NET initiative but it never materialized.

As a result all the released Windows OS revisions, including 7 (and 8 which is still slated for release in 2011, so have your 128-bit systems standing by ;) are still anchored in the Frankensteinian mess that the NT kernel and Windows system architecture has now become.

As for the social engineering issue being the most crucial security problem that's a moot point if you have to invent so many rules and policies to try to restrict your users in the name of perserving their security, that expecting users to remember them all, let alone abide by all the rules, is completely unrealistic.

As time goes on, more and more crap starts running in the background which slows Windows down to a crawl despite the fact that at least a (really minor) few of those processes are valid, but with no real to determine what a process is or how it was installed.

Hence, the biggest solution to security is to do what Apple has done with Mac OS X, which is to use a *NIX based operating system but further lock it down by prohibiting root access to any user (and really limiting access to it by Administrators as well) and restricting third party services that can run in the background, which is one of the larger problems with Windows security.

*NIX flavored systems are generally modular and by locking down certain parts of the platform from interacting with each other (and the public) Apple makes it way more difficult to compromise the OS.

I troubleshoot computers for a living and aside from a few proof of concept pieces of malware (which I have yet to see in any setting outside of a press demo or lab environment) I have yet to see ANY malware on a Mac during the course of my job.

I'm not saying that it's impossible but the whole "hardly anybody uses it so crackers don't target it" argument is complete fabrication and here's why:
Way more people use OS X now then the "Classic" environment which has hundreds of viruses and yet OS 10.6 which is in use by a WHOLE LOT more people has yet to be majorly compromised AT ALL, let alone on the nearly regular basis that Windows systems are compromised.

Don't try to blame what you seem to think is crackers targeting practices for what is actually Microsoft's complete unwillingness to alienate their remaining users by biting the bullet and trying build a new operating system from scratch thereby killing one of their biggest advantages over people switching to other platforms which is support for legacy software for previous versions of Windows.

Ultimately until Microsoft finally decides that they can't avoid redoing their OS from scratch any more all the patches they write for Windows will remain the same old security equivalent of trying to dam a dyke made of swiss cheese with your fingers...

Scarlet Pimpernel said...

Disclaimer: I'm not saying Windows is secure than Linux/OSX or vice-versa, it's only a matter of time before some thing fails.

Okay this is going to sound like a cliche, but what about web based bugs, drive by malware installations with iframe in the background ?

Everybody from doubleclick.net to other ad-spreading/ad-based websites use the same thing...

A web user can be infected in any OS, forget windows or linux, and to the Mac troubleshooting guy. Some people may argue browser exploitation does not result in operating system - root access, but it's just a couple of locals before you know it that can make life just as easy (if you know what i'm talkin about)

"You better type carefully my friend..." OSX isn't very secure, and people don't write an entire book on hacking an operating system that's supposedly secure. Did you see the mac hacker's handbook? I guess not ;))

Cheers!

avatar139 said...

"Disclaimer: I'm not saying Windows is secure than Linux/OSX or vice-versa, it's only a matter of time before some thing fails."

If that's the case then why haven't I seen any everyday real world examples of viruses and malware on Macs?

"Okay this is going to sound like a cliche, but what about web based bugs, drive by malware installations with iframe in the background ?

Everybody from doubleclick.net to other ad-spreading/ad-based websites use the same thing...

A web user can be infected in any OS, forget windows or linux, and to the Mac troubleshooting guy. Some people may argue browser exploitation does not result in operating system - root access, but it's just a couple of locals before you know it that can make life just as easy (if you know what i'm talkin about)."

Sorry, I have only a vague idea about what you are actually saying in your post but I'll do my best to answer you.

You said that some people would argue that browser exploitation doesn't result in operating system access and they'd be right.

The integration of IE into Windows is one of the main points that makes it very easy to compromise the OS remotely but as I stated previously because Apple restricts root access and the UNIX roots of OS X allow for a extremely modular design (for the most part) prevents that practice.

Again my view on security is that unless you can show me some sort of real world example of Mac users being compromised through web use (not including a lab or proof of concept theory) then again I would say that given the plethora of malware that Windows computers are regularly infected with that I have to clean out for clients to me is the proof that OS X is clearly more secure than Windows.

"You better type carefully my friend..." OSX isn't very secure, and people don't write an entire book on hacking an operating system that's supposedly secure. Did you see the mac hacker's handbook? I guess not ;))"

Yeah, I have seen that book around, and if you had actually bothered to READ the book (or even glanced at the description on the back) you might know that it's written by two White Hats as a best usage and practices guide for Sysadmins who are deploying Macs in corporate and SMB environments.

So while I would recommend The Mac Hacker's Handbook for Sysadmins using OS X servers and client deployments, for the average consumer Apple does a good enough job locking down their OS where I really don't think they have to worry too much about it, which was kind of my previous post's point.