Software security is quite often a subjective measure, mainly because there is the risk of a security vulnerability being created with every line of programming code. Each vulnerability has a degree of severity which may or may not be important to the end user. The result is an infinite number of interpretations of security, especially in a complex application such as an operating system like Windows or Linux.
A more objective method of rating security is to track the number of bug fixes issued for a particular software suite. When compared to Linux, Windows appears to be more prone to flaws by this measure. Recent U.S. Computer Emergency Readiness Team (CERT) vulnerability metrics reported 250 episodes for Microsoft Windows, 39 of these having a severity rating of 40 or greater. With Red Hat Linux there were only 46 episodes, of which only with only 3 scored over 40. There are thousands of reports that compare the two operating systems but reports like this by an independent government body, on the relative number of critical flaws between them, should be given greatest consideration.
There are good reasons for this difference in security. For instance, Linux's open source methodology of software development helps to expose errors more easily. This is an advantage Windows doesn't possess. Another disadvantage with Windows is that many of its core applications rely on the use of remote procedure calls (RPC), a method of inter-computer communication that unpredictably and dynamically assigns communications channels. This forces firewall rules to be less rigid than they need to be in comparison with operating systems like Linux that limit the use of RPC.
There are security differences that are visible exclusively for end users, not just systems administrators. For example, Windows is certainly more prone to viruses with most end users having to invest in antivirus software to keep their systems safe. More recently, Windows has seen the intrusion of spyware that can surreptitiously obtain and/or distribute personal information about you to others after it has been unwittingly downloaded and activated during Web browsing. Microsoft has recently purchased antivirus and antispyware companies to help counter this threat.
It is possible to operate Windows and Linux with administrator and regular user accounts, but many third-party Windows applications don't strictly adhere to this distinction, and often need to be run by users with administrator privileges to operate correctly. Viral attacks initiated by these users therefore become more damaging. Linux applications usually respect this security requirement and are therefore less susceptible to such exploits.
Windows also suffers from its developers' desire to create a simple to use system which makes it very intuitive to use, but this has been achieved at the expense of comprehensive security. It also has the handicap of needing to be backwardly compatible with older less secure versions, a shortcoming that Linux hasn't faced yet.
Linux does have its security weaknesses; the most common one I see is its lack of reliable native support for some leading edge technologies. Manufacturers generally develop their hardware and associated driver software for use by the Windows majority. The Linux community usually has to reverse engineer these products to make them compatible with the open source operating system and this sometimes makes their first efforts unpredictable. In some cases, acceptable Linux hardware compatibility can lag that of Windows by months or even years. Fortunately this is becoming less problematic with the likes of IBM and Novell backing the open source standard to help streamline the compatibility process.
External to its GUI faÇade, the Linux command line is complex and often not very intuitive. This can deter administrators from securing their systems correctly due to the perceived difficulty. Linux is primarily used as a network enabled operating system and a default installation can unnecessarily activate many network enabled applications. This can create unknown areas of weakness that could be exploited. Fortunately these and other weaknesses have been improved upon by stricter default security and simpler command line utilities to make administration easier.
It is always best to know the relative strengths of both operating systems and choose them according to the overwhelming needs of your business while taking sufficient precautions to make each secure.
On the plus side for Linux, there are many types of Linux based tools available to improve security. The Nessus vulnerability scanner can check for networking related flaws on remote systems as well as missing software patches and other flaws on systems on which it is installed. Nessus should be used to test newly installed systems and also production servers during scheduled maintenance periods.
The nmap utility is another, though less comprehensive, network scanner that is installed by default in Linux. It can also be very useful for IT staff who are not yet comfortable with the configuration of Linux software.
Highly security conscious companies will connect Ethernet taps to the protected interfaces of firewalls to which they also attach special packet inspection servers that can then watch network traffic as it passes by. Tools, such as ACID, can then analyze this information and match it against known attacks that can pass through firewalls.
ACID can create e-mail alerts and through its Web GUI it can also display detailed information on packet streams that seem suspicious. I'd recommend this product for any company that can justify an employee with dedicated responsibility for IT security. ACID can create a great deal of false positive reports and needs to be tuned continuously.
Irrespective of the operating system used, implementing inappropriate practices can potentially compromise your business continuity. Inadequate backups, poor password policies, shared user accounts and security projects that don't include multi-disciplinary teams and infrequent audits -- to name a few -- should be avoided wherever possible.
Linux security is a holistic entity and businesses should not limit their precautions to only the characteristics of the operating system.
Peter Harrison is the author of The Linux Quick Fix Notebook, a new book from Prentice Hall PTR.