Choosing Your OS is NOT a Security Control

Wednesday, June 23, 2010

Brent Huston


Just a quick note on the recent Google announcement about dumping Windows for desktops in favor of Linux and Mac OS X. As you can see from the linked article, there is a lot of hype about this move in the press.

Unfortunately, dumping Windows as a risk reducer is just plain silly.

It’s not which OS your users use, but how safely they use it. If a user is going to make the same “bad computing hygiene” choices, they are going to get p0wned, regardless of their OS.

Malware, Trojans and a variety of attacks exist for most every, if not every, platform. Many similar browser-based attacks exist across Windows, Linux and OS X.

These are the attack patterns of today, not the Slammer and Code Red worm attack patterns of days gone by. I fail to see how changing OS will have any serious impact on organizational risk.

Perhaps it will decrease, a very small amount, the costs associated with old-school spyware and worms, but this, in my opinion, is likely to be a decreasing return.

Over time, attackers are getting better at cross-platform exploitation and users are likely to quickly feel a false sense of security from their OS choice and make even more bad decisions.

Combine these, and then multiply the costs of additional support calls to the help desk as users get comfortable and have configuration issues in the enterprise, and it seems to me to be a losing gambit.

Time will tell, but I think this was a pretty silly move and one that should be studied carefully before being mirrored by other firms.

Cross-posted from State of Security

Terry Perkins: With all due respect, at this time, it is a fact that there are more viruses, malware, etc. on the Windows platform. That is just a fact. This is all because of the install base. When some of the others become more popular, so will the security issues.

Ray Tan: The OS has a limited effect on security decrease, the stronger sense of being security does.

Rob Lewis: You are quite right. On the surface, not much difference in switching from one low assurance system to another. Besides, even a fully patched system is not a secure system; it's only a less vulnerable system.

There might be some politics going on, or a little paranoia, since they were already hit once by a certain foreign nation state that has been given the source code for Windows.