Does your operating system introduce risk to your business: Operating System Security in 2016
Acceptable risk comes up in conversation when talking about Operating systems security as although it is a basic requirement, it is something which introduces potential security challenges as well. So unless your IT staff understand each section of code in an operating system’s complex software then it is unlikely you can guarantee that there is no security concerns associated with it.
Rather than focusing on security issues introduced after an operating system is installed such as Viruses, Trojans and Malware which are well understood security risks, we will instead look at operating system itself. There are two main areas of concern for security and they are weaknesses in the operating systems code which allows some type of exploitation and the other is purpose made security holes for data extraction and backdoors. It should be mentioned that operating system developers may introduce purpose made security holes for data extraction and backdoors for genuine purposes in line with local government laws and legislation.
Operating system weaknesses and bugs in the code
Weaknesses in the operating system could be bugs for example which can be used to open security holes, one such example would be Heartbleed (Source: https://en.wikipedia.org/wiki/Heartbleed). Heartbleed affected Linux which is what most in the IT sector consider a fairly safe option for an operating system. Interestingly organisations sometimes introduce Linux as they feel it is a safe option however through a lack of previous experience with the Linux operating system and limited understanding of its complexity they can fall victim to leaving security holes open. Another interesting consideration is that the most popular operating systems are often the most exploited, because they are widely used so selecting anything other than Linux doesn’t necessarily increase your security either. The best option is to select an operating system which your IT team understands well and that they know the security provisions which need to be in place. If you have to go with an operating system your IT team are not so competent with then make sure upskill your IT staff in the area of operating system security as one of your top priorities. In terms of trying to combat operating system weaknesses good antivirus, antimalware, intrusion detection and firewall will help improve security. Making sure your operating system is always up to date is also important as often security weaknesses are patched over time by developers, however also be aware that it is also entirely possible that updates also introduce new security issues.
Purpose built operating system security holes
It has become common place for operating systems to send information back to the company or organisation which developed it. Although you could argue there is a level of trust when selecting and using an operating system this is a concern as the information sent could include any operational data, including data which a company may not want to disclose to another business. In many cases the operating system will prompt the user to confirm this before it is send, but how can you guarantee the that user understands full what they are clicking on. The best way to deal with this is to do user training on the subject and try to turn off any data sending that isn’t required within the operating systems settings. There are of course positives with sending such data back to developers, which includes overcoming the problem on your computer which raised the request to send the data back in the first place. Another rising concern in recent years is that some operating system developers are now working with local governments to grant access not just upon request but at will (“Some of the world’s largest internet brands are claimed to be part of the information-sharing program” source: https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data). This means that issues of data security is really up in the air and the developers could potentially have introduced purpose built security holes and backdoors allowing government organisations access to computers inside and potentially outside of their jurisdictions. Given that most business are above board there is an argument that this is not a security issues, however when dealing with governments who are not necessarily in your company’s jurisdiction it does raise issues as to origination and client confidentially.
Operating system protection through effective networking
In terms of protecting your operating system from a networking perspective to address any security issues, consider introducing a trusted brand of firewall, intrusion detection and network monitoring system are a good way to go. Make sure your IT staff are trained at spotting suspicious activity and that they are checking regularly the systems in place.
Opening system decision
When considering security and which operating system you should select there are a number of options available such as mainstream operating system available from Microsoft and Apple, as well as Linux and UNIX based system. You may ask why do many companies stick with mainstream operating system like Microsoft Windows or Apple’s OS X, given that there may be potential more security pitfalls, in the end it comes down to staff efficiency and acceptable risk. Though security is incredibly important an organisation must always ensure its staff are efficient to maximize its profit. Using the example of Microsoft Windows or Apple’s OS X many staff will have used these operating systems for many years and will have owned a computer with the same opening system at home, where they gain extra experience and practice. So if you can train the staff in your business to use another operating system more efficiently and you think it is more secure then it may be viable option, though this task may be a hard which is why a lot of companies don’t go down this road. Also remember that well training competent IT staff go a long way to making sure any operating system is more secure.
- Keep your operating system up to date.
- Monitor traffic external to your OS for suspicious activity.
- Focus on the destinations of data to see if it is going to an unknown or untrusted location.
- Make sure IT team and other staff in the company understand the operating system well.
- Make sure your network is well protected from outside access.
- Don’t assume that choosing a big brand name of operating system will increase your security as often this is not the case.
- Turn off any data unrequired reporting features which will send information back to operating system developers to ensure nothing confidential leaves the organisation.
- Install security systems such as antivirus, antimalware, firewall, intrusion detection and network monitoring.
For help and advice on the above or any other IT topic please contact us.