2003-04-27
With Windows Server 2003, Microsoft has finally produced an operating system that isn't begging to be hacked on the first boot.
Secure by Default
2003-04-29
Anonymous (1 replies)

No NOS product is secure in absolute terms. In relative terms, Windows 2003 "looks" to be more secure than Windows 2000 (I say "looks" because it hasn't been cracker tested yet). In turn, Windows is clearly more secure than Windows NT. Windows NT is clearly less secure than UNIX/Linux. On the other hand, I haven't kept up with Windows 2000 specifically, but I do recall from my penetration testing work that many of Windows 2000's vulnerabilities seem to originate from services and features that are activated right out of the box. Despite its PR bluster, Microsoft is clearly responsive to criticism, although the criticism on security has been so widespread and so firm that it would have been suicidal to ignore.
"If the whole world ran on Unix boxes, the information security industry would have never come about."
We would still have an IT security industry for two reasons:
(1) NOS security is only one aspect of network security. Network security comprises the defense in depth offered by firewalls, VPN-enabled switches, VPN-protected dialups, proxy servers, DNS registration policies, NATing, etc. It comprises the defense in layers which is accomplished by turning off un-needed services and features, unnecessary dialups, etc. It comprises risk mitigation, which is accomplished by building in redundancy and load balancing for critical equipment and services such as routers, firewalls, and e-commerce servers. It comprises security-oriented application coding practices to make sure that, say, CGI scripts are not used to break into web and RDBMS servers. It includes the establishment of a comprehensive, detailed security policy so that user and management requests that violate existing security policy standards can be swiftly identified and either rejected outright or worked around in a way that does not compromise these standards. In other words, security professionals would have their hands full no matter what. If you as a security professional really understand your job, then you will have your hands full. Otherwise, your understanding of your job and its responsibilities is limited. I am saying this as a big time Linux and BSD fan;
(2) UNIX has evolved to the point where it is because it has accrued the benefits of enduring 40 years of cracker attacks (it wasn't a "benefit" at the time they took place) and responding to them. We are still in that arms race, and no end is in sight. Microsoft has paid homage to UNIX by moving its Windows server design closer and closer to UNIX. When Microsoft first designed Windows NT 3.1, it hired off the entire graduate student body of the Computer Science Department of Carnegie-Mellon. Being a first-rate UNIX systems programmer will certainly not hurt your case with Microsoft, if you want to be hired by them. Microsoft has decided rightly that the future of its server NOS depends heavily upon strong compliance with existing standards, which are either UNIX inspired or TCP/IP inspired.
As an aside, I am repeating my point that it is the height of folly for corporate America to rely solely on grossly overworked and understaffed net and sys admins and engineers to keep its networks secure, talented as these people may be (and a few are really talented). This responsibility needs to be focused on dedicated security professionals, who have to keep track of a vulnerability environment which changes day by day. Vigilance is the price of liberty. Vigilance is also the price of security. But no amount of vigilance will help if the ability is not there to act proactively or, failing that, react decisively in a timely fashion.
Link to this comment: http://www.securityfocus.com/comments/columns/157/19736#19736