Every sysadmin has a preferred type of box. While most businesses nowadays run a variety of operating systems in their fleet, organizational considerations usually favor one platform over another. As a result, comparisons between operating systems in terms of security are inevitable, with some administrators convinced that one platform is inherently more secure than another. Who are you to believe when one administrator claims macOS is more secure than Microsoft Windows and another claims SELinux beats them all?
In this post, we'll go over some of the technology and the justifications that lead some people to believe one platform is more secure than another. Finally, we'll argue that these claims rest on a fundamental misunderstanding of what "enterprise security" is and what it entails.
Security Features
The operating systems differ considerably when it comes to major security features such as built-in anti-malware tools, sandboxing, system protection, and codesigning. Is one operating system superior to the others? Let's look at how they compare.
What security measures do Ubuntu, Windows, macOS, and UNIX have?
Anti-Malware
Windows 10 includes a free built-in antivirus package that competes with the most expensive legacy antivirus solutions. It's reasonably good at detecting commodity malware using signatures, YARA rules, and reputation checks. Still, it won't defend the company from more complex attacks, and it's vulnerable to various PowerShell bypasses. Even so, it's far superior to Apple's primitive Gatekeeper, XProtect, and Malware Removal Tool application security features. Linux doesn't come with any built-in antivirus software, although free alternatives such as ClamAV exist for it, just as they do for the other systems. So round one goes to Windows.
Sandboxing
A sandbox is a closed or caged environment in which a process runs. Sandboxes are useful because they protect the rest of your computer from untrustworthy processes by preventing them from reading and writing other files, communicating with other processes, or modifying system settings. This is particularly critical for web browsers that run JavaScript: if a malicious script on a website manages to escape the browser's sandbox, it can potentially compromise the entire machine.
By default, Windows and macOS sandbox apps downloaded from their respective App Stores, but nothing stops apps obtained from other sources from running uncontained. Linux, as long as you're a power user, offers many options for sandboxing any process. That's one point on the scoresheet for Linux.
Codesigning
Codesigning is a technology that verifies that an application or process came from the source it claims to have come from. It also guarantees that the executable, package, or bundle has not been altered since it was digitally signed.
Codesigning is used on Windows, Linux, and macOS; however, all three platforms ship with some unsigned code. The problem with unsigned code is that bad actors can replace a binary with their own or inject malicious code directly into an unsigned running process.
Codesigning checks are performed on Macs and Windows devices at installation and on the first launch of the application. On Linux machines, this extra protection isn't available. There is no clear champion, but Linux appears to be lagging behind the other two in this category.
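As an added illustration, not from the original post, here is the origin-and-integrity check described above written with Go's standard library: a toy signer and verifier built on ed25519 keys, run against a genuine binary, a binary patched after signing, and a binary swapped for one signed with an attacker's own key. The keys, the sample bytes and the SignedArtifact type are constructed for the example; real platform codesigning additionally ties the publisher's key to a certificate chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedArtifact models a signed executable: its bytes, the key that claims to have
// signed it, and a signature over those bytes. Constructed for illustration; real
// platform codesigning wraps the signing key in a certificate chain.
type SignedArtifact struct {
	Binary    []byte
	Publisher ed25519.PublicKey
	Signature []byte
}

// Sign is the publisher's build step: sign the executable with the private key.
// ed25519 hashes the message internally, so the signature covers every byte.
func Sign(priv ed25519.PrivateKey, binary []byte) SignedArtifact {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedArtifact{Binary: binary, Publisher: pub, Signature: ed25519.Sign(priv, binary)}
}

// Verify is the codesigning check: the signer must be a key we already trust (origin),
// and the signature must match the bytes on disk right now (integrity).
func Verify(a SignedArtifact, trusted ed25519.PublicKey) bool {
	return trusted.Equal(a.Publisher) && ed25519.Verify(a.Publisher, a.Binary, a.Signature)
}

// Scenarios checks a genuine binary, one with a byte patched after signing, and one
// swapped for an attacker-signed replacement, and returns the three verdicts.
func Scenarios() (genuine, tampered, replaced bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	app := Sign(vendorPriv, []byte("constructed sample program v1"))
	genuine = Verify(app, vendorPub)
	patched := SignedArtifact{Binary: append([]byte{}, app.Binary...), Publisher: app.Publisher, Signature: app.Signature}
	patched.Binary[5] ^= 0xff // injected code changes the bytes; the old signature no longer matches
	tampered = Verify(patched, vendorPub)
	replaced = Verify(Sign(attackerPriv, []byte("attacker-built replacement")), vendorPub) // valid signature, untrusted key
	return
}

func main() {
	genuine, tampered, replaced := Scenarios()
	fmt.Printf("genuine=%v tampered=%v replaced=%v\n", genuine, tampered, replaced) // genuine=true tampered=false replaced=false
}
```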
System Security
You want an operating system that protects you from rootkits and malware that try to change or replace essential system programs, and macOS is the best in this category. Apple's System Integrity Protection (SIP) is a built-in security feature that is entirely invisible to the user. Thanks to it, even root cannot change certain things: a condition that many Linux power users would find unbearable, but an excellent defense against certain malware behaviors. Windows builds in Secure Boot and Trusted Boot to protect the system before any antivirus software kicks in. Still, they're nowhere near as robust as Apple's SIP and the Secure Enclave found on Touch Bar-equipped Macs.
The Common (and False) Arguments
As can be seen, each OS differs in the primary security features it offers, but there is no clear winner or loser on features alone. Regardless, supporters of one platform or another have a favourite argument or two to support their view. Let's look at these and see whether they hold up.
- Because of its installed base, Windows is the least secure.
Windows is without doubt the most targeted of all operating systems, simply because of its large installed base, which makes it the most efficient to attack. Malware that can execute on 88 percent of the machines in a company is far more likely to achieve a breach. While statistically correct, this does not imply that Windows is intrinsically less secure than other operating systems.
One may also argue that because Windows is so widespread, Microsoft has the most experience protecting against malware threats. The real point here is that more malware targets Windows, which means you'll need a robust endpoint security solution regardless of which OS you're using.
- Linux is the safest operating system because it is open source.
This is an argument we see all the time. The "many eyes" theory of security is demonstrably flawed. Linux contained a little-known privilege escalation vulnerability, as SentinelOne researcher Dor Dankner has demonstrated. The vulnerability was introduced into the Linux kernel in 2004, and despite the code having been reviewed, nothing was done to fix it. Similarly, OpenSSL carried the Heartbleed flaw for over two years before it was identified.
- Linux is the most secure operating system because it's extremely customizable.
True, SELinux provides more options to "harden" the system than macOS or Windows, but very few businesses will be able to deploy a locked-down SELinux installation as the desktop OS for their employees, at least not if they want to get any work done. It's akin to claiming that the safest vault money can buy is one without a door. It is, without a doubt, but it is also practically useless. Users will typically make less secure decisions if they have to fight the operating system just to get their work done.
Your operating system doesn't have any security features.
Given that there is neither a winning mix of technology nor a knock-down argument that establishes one OS as "more secure" than the others, what is the best way to answer the question?
Security is not a feature you can build into an operating system, despite what some OS vendors claim, because security isn't a commodity you can "add" or "take away." While technologies such as codesigning, sandboxing, and system protection are all important components of a strong security posture, enterprise security is ultimately a discipline, a set of practices that must be ingrained in your company's DNA.
Businesses require not only secure operating systems, but also integrated security software and staff who adhere to security best practices. It's pointless to have a system policy prohibiting the execution of untrusted software if a local user can be persuaded otherwise.