Should you swap out Windows for better security?

Brian Krebs at Security Fix does excellent research into breaches, but I cringed when I saw his advice to “business owners” about how to protect themselves from cybercriminals:

“The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online.”

In my opinion, this is horrible advice, especially to small and midsized businesses. Here are some reasons why:

  1. “Don’t use Windows” is a half-hearted recommendation to begin with. Because it is oriented around the threat, any significant movement to follow the advice would increase the threat to the new platform in kind. So the only way for this advice to work is if nobody follows it.
  2. This move is unlikely to protect against the omnipresent phishing threats that are out there. While Brian asserts that his research shows mostly host-based rootkits/malware as culprits, there are a number of other ways to compromise an account and most business owners will not recognize this difference.
  3. While a move from Windows to Linux will save licensing fees, it is highly unlikely to save money in the long run. The total cost of ownership is much higher when you factor in support, training, cost of labor, etc.

So now the question is, what should you do? Aside from being a skeptical Web surfer, the biggest bang for your buck will come from taking away local administrator capabilities. Sure, there are ways around this, but this alone will solve 80% of the rootkit problem. there are a number of budding host intrusion prevention solutions out there that can address this problem well, too.

Update: In the comments, Kurt rightly pointed out that I did not read Brian’s full posting carefully enough (or jumped to conclusions). Another pertinent paragraph:

“Also known as “Live CDs,” these are generally free, Linux-based operating systems that one can download and burn to a CD-Rom. The beauty of Live CD distributions is that they can be used to turn a Windows-based PC temporarily into a Linux computer, as Live CDs allow the user to boot into a Linux operating system without installing anything to the hard drive. Programs on a LiveCD are loaded into system memory, and any changes – such as browsing history or other activity — are compeltely wiped away after the machine is shut down. To return to Windows, simply remove the Live CD from the drive and reboot.”

This advice is much more reasonable than I first thought, assuming that the banking application/site still works in read-only mode. There are other solutions that run virtual machines and isolation programs that may be as useful with less hassle, but this certainly isn’t “horrible” asĀ  I originally thought.

6 comments for “Should you swap out Windows for better security?

  1. Steve P.
    October 16, 2009 at 9:49 am

    I’m personally a big Linux fan and use it personally, but would have a hard time recommending an organization of any size switch at the moment.
    1) Active Directory is the crown jewel of MS at the moment in my opinion. Group policy is much more powerful then anything we have on the Unix side, and it’s well known by admins.
    Which brings us to:
    2)Your admins probably know Windows better. If not, you’re probably already using *nix, and don’t need my recommendation in the first place. You can secure what you know and have experience with better then some new system you’ve never seen. Yes, under administrated home or small business windows is crap, and in those situations Linux might in fact be better. The enterprise is a whole different kettle of fish. In defense of the original article, it seems targeted at the small enterprise set.

    So, to the article, if you want to fire up and alternative browser just for banking, go for it. If *you* want to run Linux, either as a live-cd (which is all the original article recommends) or as your main OS, go for it, but it’s probably not the time to be recommending that enterprises mass migrate to Linux desktops.

    For someone else’s ranting on the topic, see http://risky.biz/news_and_opinion/metlstorm/2009-04-02/i-heart-windows

  2. October 16, 2009 at 10:47 am

    I’m not sure of I can agree.. A few months ago I switched to a Mac and what a difference. This week I had a Windows Vista experience. I know my way around in various OS, but when you make the user experience that frustrating and the time needed to start things up so time consuming it will also negatively impact the willingness of users to invest time in security.

    By the way..I like the new design, big improvement.

  3. Pete
    October 16, 2009 at 10:48 am

    @Steve -

    Well said.

    Pete

  4. Pete
    October 16, 2009 at 11:01 am

    @Peter -

    I had a different experience with Vista, but more importantly are the Office apps. I do agree that Macs are viable alternatives, at least for smaller companies, but I suspect that they are not “cost effective”. I think people have a tendency to oversimplify costs and worry about the long-term viability of a switch like that described.

    Perhaps even more importantly – I am not convinced it is a particularly effective strategy.

    Thanks for the note about the design – I am still working on some details so look for more changes.

  5. October 16, 2009 at 12:10 pm

    sorry to rain on everyone’s parade, but this is a strawman.

    krebs’ advice was not to switch to linux. krebs’ advice was to boot from a livecd when you wanted to do your online banking.

    there’s virtually no training involved because browsers operate the same in that environment as they do on windows (the biggest change is that the OS’s GUI will look slightly different, but that’s only an issue up until you launch the browser).

    there’s no concomitant shift to attacks against the new platform because it’s on read-only memory and cannot be persistently compromised. and if it’s used only for online banking the chances of a non-persistent compromise prior to entering your credentials are next to nothing (the banking website itself would have to be serving malware in order for you to get compromised).

    phishing is a red-herring since no technological measure has any effect against a purely social engineering based attack. that said, technologically assisted phishing (being directed to a false banking page that loads credential stealing malware) is largely foiled AND if you ONLY do your online banking through the livecd it becomes very difficult follow banking related phishing links because the contents of your clipboard don’t survive a reboot.

  6. Pete
    October 16, 2009 at 12:55 pm

    @Kurt -

    Thanks for pointing out my mistake – I agree that the live CD option isn’t bad and have updated my post accordingly.

    Pete

Comments are closed.