Google Dropping Windows Over Security? Good Luck With That
By Tony Bradley
Sources from within Google are claiming that the online search and advertising giant is implementing an official transition away from the Microsoft Windows operating system. According to the reports, the culture shift is intended to reduce security concerns. That makes a compelling headline–especially for a Microsoft rival developing its own operating system–but it doesn’t make a very good security strategy.
On one level, it makes perfect sense for Google to abandon Windows. Google has always been a bitter rival of Microsoft, and Google’s Android mobile operating system and upcoming Chrome operating system are built on Linux. Of course Google should avoid generating additional revenue for Microsoft and rely on the platform that forms the foundation of what Google expects its customers to use.
Another area where Google should eat its own proverbial dog food is with Web browsers. The Chrome Web browser has been gaining market share since its launch, but it was a zero-day flaw in Microsoft’s Internet Explorer Web browser that was exploited to compromise systems and steal data from Google earlier this year. With the exception of key developers that might need to see how things render in IE, users at Google should ostensibly not be using the competing browser.
That brings us to the claim that security concerns are behind the move to abandon Windows. The reports suggest that Google has banned the use of Windows in response to the Operation Aurora attacks which Google alleged were state-sponsored attacks from the Chinese government.
The flaw in that logic is that it assumes the attacker would be unable to compromise alternative platforms like Linux or Mac OS X. Microsoft Windows–by virtue of its dominant market share–is the target of the vast majority of general malware attacks, so switching from Windows may reduce the daily operational risks. But, when it comes to precision, targeted attacks, alternative OS platforms don’t provide any better defense so dropping Windows would not have prevented the Operation Aurora attacks.
In fact, alternative platforms may arguably make a precision attack that much easier. The Mac OS X platform has an illusion of superior security because malware developers don’t care to invest time and resources developing exploits that only work on five percent of the possible targets. However, year after year Mac OS X is compromised in a matter of minutes–or even seconds–in the annual Pwn2Own contest.
Before Google decides to base its security strategy on which operating system platform it relies on, the Google management and IT administrators should read the venerable information security classic Hacking Exposed–currently in its sixth edition. The first step to an attack is gathering details of the intended target–or footprinting.
Hacking Exposed explains that “The systematic and methodical footprinting of an organization enables attackers to create a near complete profile of an organization’s security posture.” The bottom line is that Google can use whatever operating system, Web browser, or other applications it chooses, but a professional attack will learn what those are during reconnaissance and design the attack accordingly to exploit whatever software Google is using.
I asked George Kurtz, Worldwide CTO for McAfee, his thoughts. Kurtz explains “Just moving operating systems doesn’t always mean an organization will realize greater protection against TARGETED attacks. It certainly could make a difference in reducing the amount of day to day malware that impacts a windows environment. One point that might be worth mentioning is that while targeted attacks can be launched against any OS, there is a tremendous amount of expertise gained over the past five to seven years against the Windows environment. It will take a similar maturation period to develop tools that are just as sophisticated as the Windows environment for say OS X. Things like rootkits and their associated functionality are incredibly sophisticated and relatively mature in the Windows world.”
Randy Abrams, Director of Technical Education for ESET, says “The Google response is a marketing / public relations response to attempt to show Google is doing something about security by blaming Microsoft for Google’s own patch management and security problems. What were they thinking by running an outdated version of IE 6?”
Abrams agrees “In a targeted attack, the OS is no longer a significant issue. Not only is the OS an attack vector, but installed third-party apps are another attack vector. If an attacker knows your OS and goes after an Adobe flaw, the game still ends up with you on the losing end.”
Kurtz added “Layer 8 is generally the biggest security challenge we have. The same people who fall victim to social engineering will do so via e-mail or IM, no matter what browser or OS they are using.”
ESET’s Abrams sums up with “Google would do much more to improve its security by using current versions of browsers and ensuring greater patch management practices.”
Every organization should abandon IE6 and be seriously exploring a transition from Windows XP. Each has inherent security concerns, and the combination of the two almost begs to be hacked. And, Google in particular has valid reasons to abandon Windows and Internet Explorer that go well beyond security.
But, Google needs to remember that it’s Google. It is a jackpot of sensitive data and information for a successful attacker. Google needs to understand the nature of targeted attacks and have a better security policy than simply a knee-jerk reaction to ban Microsoft software.