Make your own free website on

Information System Security

I have just recently (Sept 2006) gained my CISSP and it has been my focus on IT system security that has led me up to this milestone.
.There is always a large debate about security and which system is secure or not.
Security is relative, this is for sure.

Neither Systems that we know and daily use (Mac OS X, Windows XP/2003, RedHat / Debian Linux) has a RedBook rating of higher than C. They cannot be compared to systems of B and A levels.

Yet, many professionals take the easy way out and proclaim that there is no one OS that is better or worse in security and I beg to disagree about that statement.

I have been a follower of the news for the last 10 years and there are some points that I think are important to remember:

1. Architecture
An OS should be designed with security in mind. It is hard and totally not seamless to add it on later. Through these seams, to use an anology, exploits can  be formed.
The Unixes and subsequently Linuxes, that stem from the same philosophy have been designed from start to finish with security and multiuser in a hostile environment in mind.
Mac OS X is similar, since it enjoyed a total redesign some years ago and is now (roughly) based on BSD.
Windows on the other hand has started out with no security whatsoever (Windows 3.11/95/98). Some redesign has taken place in NT, but when one looks at the NT vunerability list and the massive exploits (in form of really easy to program viruses) that resulted out of it, it becomes clear that the step was not far enough towards strong security.

Mind you:  An OS with a  strong security architecture usualy lacks in ease of use, while an easy to use all enabled OS is a security hazard. It comes with the package. The nasty password prompts in Linux for root access and previledged function like installing programs or changing network parameter will harras and deadlock an user the same as a virus, while an OS with "easy" security will never bother an user and in the same token enable also any virus to do as it pleases as Windows has done in the past.

2. Least priviledge and process and user separation
In Linux and Unix, process run with the least possible priviledge and so if a user is running a virus, all it will do is devastate his home directory. On the opposite is Windows, which often requires to run processes in administration mode or has loopholes for backward compatibility with programs that still run in the old regimen. Games a a favorite example, they won't run properly when not running with admin rights.
We all hope that this will change with Vista and the terrible delay that the OS has so far shown looks like they are finally taking security and quality assurance issues serious. In my view, they still have to prove themselfes.

2. Vendor Agenda
Microsoft stated once, that they don't did not think that customer would pay for security.
Judging from the news, it has always been a nuisance to vendors to have to take care of security issues and when ever possible, they prefer to sweep vunerabilities under the carpet.
It is interesting to note that proprietary vendors usually go the security through obscurity approach, while the Open Source community takes the "security through transparency" approach.
Microsoft as an expample has a long history of trying to hide and poopoo security flaws and only fix them when push came to shove, while the Open Source community will publish the vunerability ASAP on the web, so everybody can see it and be aware of it and fix it with speed.
I think that generally vendors just try to hide it because it will cost them extra money to fix vunerabilities. By being open about it and publishing them on their website, actively finding and showing them, they would put themselfes in a situation where the public would expect them to fix it and no corporation that is profit oriented is looking for extra unpayed work.

I think everybody needs to make up their mind themselves which approach the prefer. I for myself like the open approach better... When my lock has been compromised, I would like to know about, since in the "security through obscurity" model, the company from which I bought my software will deny all liabilty in their EULA anyway and therefore they put the responsibility in my hand anyway, which I have in the first place in the OSS model.

As an information technology professional, to know is always prefered than no to know. Ignorance is bliss?
You might work in the wrong profession if that is your maxim.

3. Proliferation of an Operating System
One thing that I hear over and over is that Windows, being so widespread in use attracts so much hacking and virus

For the ones interested in some objective discussion of facts in the comparision between windows and linux security wise, this here is an interesting read and an eye opener, especially on the differences between windows and linux architecture wise.

this document was created on:
5. Oct. 2006
updated on:
6. Nov. 2006