The issue as to which operating system is the most secure is one of the most contentious in the security profession. Many people have lined up to take sides for and against different operating systems with Microsoft clearly being at the center of the controversy. The argument can have many dimensions to include Windows vs. Unix, open source vs. proprietary software, etc. What if I told you that none of these issues mattered? What if I said that YOU were the biggest factor in the security of your operating system?
There are many aspects to security. Clearly some are more relevant than others. If you look at the issue as to what makes a system secure, the functions of confidentiality, integrity and availability come to the forefront. This loosely translates to ensuring that computers limit users to doing what they should be doing and that the computer is not otherwise hacked or rendered unavailable. Looking at this from a basic issue, there are only two broad ways to break into a computer: exploit bugs built into the software, or take advantage of the way an administrator or user configures and maintains the system.
All software has bugs and some of those bugs are security related. Also, the more complicated software is, the more difficult it is to securely configure and maintain the software. Both of these situations indicate a correlation between the number of lines of code and overall security: The more lines of code there are, the more security
MORE INFORMATION ON OPERATING SYSTEM SECURITY:
- Find out if the Apple Macintosh and its OS X operating system should be an enterprise security contender in this article, Can an Apple a day keep security issues at bay?
- An Information Security magazine editor argues that Microsoft users share the security blame in this Guest Commentary.
- SearchSecurity expert Ed Yakabovicz outlines the advantages of running Linux on the mainframe.
Several years ago, I heard that there were more than 40,000,000 lines of code in some version of the Windows operating system. This figure has clearly not gone down and is significantly more than the lines of code in competing operating systems. For example, Red Hat Linux reportedly had 30,000,000 lines of code and a very basic BSD operating system can have less than 5,000,000.
Functionality vs. security
With those 40,000,000+ lines of code comes significantly more functionality than other operating systems might provide. I honestly doubt that most people need all that functionality; however, it clearly has a benefit.
I know one very security-aware company that switched from a Sun Solaris environment to Windows. While they were aware of the potential security concerns, the CIO stated that they would save over $1,500,000 per year because the .NET functionality would prevent the company from having to license a different software product. Even though they knew the potential security issues, they had to make the switch and feel confident that they could make the Windows environment secure. I can state that the company has not had any significant security issues since they implemented the new software, at least of this writing.
With extremely rare exception, computers are hacked due to patches not applied or improper configurations and maintenance. All operating systems have these security issues. There is no operating system that is free of them, even though there have been several efforts to design an operating system that is completely free of security vulnerabilities. Statistically, Windows with all of its lines of code should have the most security related issues. However that doesn't mean that Windows will be the least secure operating system in practice.
Choosing an OS based on security
Let's first assume that any computer can satisfy an organization's functional needs. From that point, the issue of security can be the driving factor. If security is the driving factor, the reality is that the most secure operating system is that one that your administrators and users know how to secure best.
You should not switch from Windows to Unix because it is theoretically more secure. The fact is that if your administrators know how to secure Windows the best, your organization's Windows systems will be infinitely more secure than any Unix implementation they come up with. They can know the general concepts of security, but they will not be familiar with the intricacies of Unix security. This creates more vulnerabilities. Even when Windows was theoretically at its worst with regards to security, there were many skilled Windows administrators who maintained their systems more securely than most Unix systems.
In the case I mentioned above, the CIO reasonably determined that the cost savings in moving to Windows outweighed the security concerns. He therefore ensured that he hired several Windows security experts and sent the rest of the administrators to the best training he could find. In other cases, it may be more reasonable to move from Windows to Unix. Either way, the concept that one operating system is universally more secure than another is just not true in practice.
So, the real answer to which operating system is the most secure? It depends. In ideal circumstances, it is true that some operating systems might be more fundamentally secure. In the real world though, the most secure operating system is the one that people know how to best secure.
About the author
Ira Winkler, CISSP, CISM has 20 years or so of experience in the security and intelligence fields. Ira consults many of the largest companies in the world, assisting them in cost effectively and realistically securing themselves. He is author of several books, including the forthcoming book Spies Among Us. As always, Ira's opinions are his own and do not necessarily represent those of any organization he is associated with.
This was first published in June 2004