The Truth about OS Security and Patches
If it were up to Hassan Michael, none of his customers would be running Windows. He is the IT project manager at Resilire Systems Computing, a Miami, Fla.-based IT services company that caters to small and mid-sized businesses. He deploys Windows to his customers only because, he says, "most people are accustomed to using" the dominant operating system (OS). But to him, the various brands of Linux are inherently more secure than anything that's coming out of Redmond, Wash.
Windows, Michael says, "has been scrutinized by 90 percent of the programmers out there in terms of vulnerability and loopholes." Conversely, he adds, "Linux isn't up to 20 or 30 percent of the market. That's how many fewer hackers and malicious software coders are scrutinizing Linux."
There is anecdotal evidence that IT managers have their biases about how inherently secure certain operating systems are. And that may affect how quickly they deploy security patches to servers with that particular OS.
Linux systems may be vulnerable
"It's something we noticed when clients asked us questions like, 'We protect our Windows systems. Should we be doing something about the Linux systems?'" says Jennifer Albornoz Mulligan, an analyst for Cambridge, Mass.-based Forrester Research. She got these questions while surveying IT managers at companies of different sizes about their security procedures. What she is seeing is that, in many cases, the administrators are more attuned to what's going on, security-wise, with their Windows servers than with servers that run other operating systems.
In a recent report on how OS manufacturers need to help users more with server security, Forrester asked IT managers to list five general categories of operating systems from "more secure" to "less secure." The respondents listed mainframe OSes as the most secure, with UNIX, Mac OS, and Linux coming next -- but grouped closely together. Windows was deemed the least secure by a wide margin.
"Most of the attacks are on Windows," says Mulligan. "You read the news and you hear about the Windows attacks most of the time. You don't hear about them as much on Macs, Linux, and UNIX. And it's true that there aren't as many attacks on those operating systems. But what we're seeing more of is more targeted attacks over time," ones that leave servers of all kinds vulnerable.
Risks to closed versus open systems
Resilire's Michael believes that Windows is the least secure because it has the most hackers gunning for it. But that's not the only reason why he prefers Linux, security-wise.
"I think the biggest thing that creates fear when it comes to security issues is that Windows is a closed system and Linux is an open system," he says. With millions contributing code, it's easier to find and plug holes. "Microsoft may have 50,000 people looking at that code, making changes and corrections whereas with Linux, you have the one-fourth of the entire world looking and making code and challenging each other to make a safer more secure code."
While fewer people are scrutinizing Windows before production and more after production, Linux is on the flip side. "What Windows goes through before they release patches is what Linux goes through before going to production," Michael contends.
To be fair, though, not all IT managers agree; some deploy Windows patches more often because they come from Microsoft itself rather than a conglomeration of random programmers. Christian Jacobsen, the vice president of IT for PostcardMania, a direct marketing company based in Clearwater, Fla., thinks that "no company can afford to have downtime and using programs and updates that are not originating from and guaranteed by a single source to be free from faulty programming or malicious intent. It could have a disastrous effect on their ability to produce."
As far as Mulligan is concerned, IT managers' biases may be keeping them from seeing the entire security picture at their organizations. "People have a lot of different opinions when it comes down to the security of the different operating systems," she says. "People are really stuck in what they knew 10 years ago and aren't interested in change. Some people are really interested in seeing a shift of opinion. And other people are saying Microsoft just works."