Observations on Operating System Security
Recently, someone asked on Quora, “How did Microsoft computers go from needing a lot of third-party anti-virus software for full protection to Windows Defender being the only one you need?”
My sense was to opine that there is a problem with all this talk of one operating system or application being more secure than another. Why? In my experience, that is not how security economics works.
Software hackers seek errors in code, while software vendors try to improve software security and quality and to reduce design and coding errors. A software error causes a program to behave differently from its specification, creating a vulnerability an attacker can exploit. Now here is the core problem: all software applications of any meaningful size have bugs. Just ask Alan Turing, who proved in 1936 that a general algorithm to decide all possible program-input pairs cannot exist.
There’s more to the story. For the bad actors, the real incentive is that a single vulnerability applies to every instance of a particular version of a piece of software. Why? All software today is distributed as replicas of a master image (clones). The attacker gains a massive economic incentive, since the resources they expend to find a single exploit can be applied to millions of potential targets for fun and illicit profit.
Consider a simple example: a password management system. Humans are herd animals; by nature, we flock to the most successful product.
Due to the nature of current replicant software manufacturing processes, the most successful password management system is a prime target for attack. Why? The linear effort to crack it yields an exponential reward to the attacker: every instance of the password application will be open to exploitation.
The same scenario applies to computer operating systems. Attackers target Microsoft Windows for this reason. It is the most popular operating system by deployment, so its exploitation garners the most significant economic reward. Many consider Linux to be more secure, yet this may not be for the perceived reason. It may only be due to the diversity of versions.
As momentum grows within the enterprise market for Linux, we see attacker interest growing; attackers focus on the leading candidate by usage. Why? Such action maximizes their return versus effort.
My sense is that the various Linux variants are not more secure; it is simply that they are less of a target at this point in time. Why? The focus is on Windows for the simple reason that it is the most popular operating system, and thus gives the highest return on attack investment.
This triggered quite a lot of opinionated responses (chuckle).
Thus, in my defense, I would add that it was not my intent to say anyone is better or worse. Rather, my point was to highlight that the attack profile of a product is driven by usage and by the potential reward for the attacker.
If you look at the CVE data, you can see that as usage increases, so does attack.
Top 50 products having highest number of cve security vulnerabilities
Microsoft, in terms of market share, has a huge market footprint and thus a correlated high attack footprint. Note that Microsoft is depicted as an aggregate of all Microsoft products. Thus, we see that hackers follow natural human reward incentive profiles. Now, look at Red Hat, Ubuntu, and SUSE. You’ll note that as their market share grew, so too did their attack profile. You can see this in the “Vulnerabilities by Type and Year” graph for each product. Success doth have its rewards.
N.B. It is interesting to aggregate the Linux and BSD counts to compare against the Windows aggregate count.
The Original Question:
OK, let’s step back and consider the original question: “Why did Microsoft go from having multiple anti-virus solutions to only having Windows Defender?”
In my personal opinion, Microsoft had to own the problem of security.
Microsoft could not let other people manage the defense of its core product. Why? Security became a key focus of the company. Why? Microsoft had to take ownership of the problem to defend its market position.
Today, many security solutions exist, but the key point is that Microsoft had to own the problem in order to be responsive to it. Thus, they have driven to develop a security framework that they own, to better advantage their market position, to maintain customer success, and frankly to be more responsive to a big problem.
Bill Gates wrote an email (in late 2001) that said:
“… if we don’t do this, people simply won’t be willing — or able — to take advantage of all the other great work we do. Trustworthy Computing is the highest priority.”
Not long after the memo, in February 2002, the entire Windows division shut down and diverted all of its developers to security. Everyone was given training that detailed expectations and priorities — threat modeling, code reviews, available tools, penetration testing — all designed to modify the default behavior of the system to make it more secure.
I am a user of Linux [Red Hat, Canonical, SUSE, Debian], FreeBSD, Mac OS X and Windows. My sense of things is that Microsoft fundamentally changed the industry’s view of security: after that email and the actions that followed, security became a thing to be owned. Strangely enough, Microsoft trained a huge swath of developers in security through the actions it took.
Most of the people at Amazon, Google, Apple, Facebook, Intel, F5, Cisco, IBM, Red Hat, SUSE, and Ubuntu came from, or have interacted with, people from Microsoft.
Personally, I do not see that as a bad thing. My sense is that the problem is defined by a fundamental economic problem.
Market popularity drives attacker incentives.
The discussion of who is more secure is irrelevant. Why? Security is not driven by code quality; rather, it is driven by attacker interest and reward capability.
Today, as an attacker, I only have to be lucky once to take over all your systems. You have to be right every time to defend them. This is driven by the fact that systems are replicas.
My point is that no one system is better or worse. Usage and reward drive attacker behavior.