There's an interesting article by Lauro DiDio over on NewsFactor about the Linux vs. Windows Total Cost of Ownership (TCO) argument. The article has some really interesting comments (for the popular media, that is), specifically, that there is no one-size-fits-all, silver bullet solution.
Wow. This harkens back to the "which is more secure" argument...I think the best response to that one is that the operating system is irrelevant in the face of poor administration.
Something that really jumped out at me from the article was the following: "If you do not know what is on your network...then you cannot truly evaluate whether Linux, Windows or Unix is right for your business."
How true is that? I've seen it with large as well as small networks...folks just have no idea what's out there. The same holds true with incident response...
How does an exploit, such as the current PnP mess, effect the whole Windows versus Linux TCO argument? As much as I hate to agree with your (her) statement -- "...the operating system is irrelevant in the face of poor administration." -- one cannot _completely_ blame Microsoft for this one. Do you think any admins at CNN or ABC were fired recently? Do incidents such as the current PnP mess cause businesses to seriously consider non-Microsoft alternatives? Or, do they just pick up the pieces and move on -- waiting patiently for the next exploit to hit?
ReplyDeleteHow does an exploit, such as the current PnP mess, effect the whole Windows versus Linux TCO argument?
ReplyDeleteI'm not sure what you mean...are you referring to the cost of clean-up?
And it doesn't take much research to answer your question. For example, incidents.org lists two PnP worms over the past week. The Symantec write-up on the Zotob.E worm shows that when a system is infected, the worm opens up UDP port 69 for TFTP, a backdoor on 8594, and tries to infect other computers by initiating connections to TCP port 445.
Therefore, if port 445 is blocked, this exploit won't be successful, even if you are patched. It seems that unprotected laptops are at fault with regards to the media outlets...systems get infected (A/V is useless at this point) and are brought into the infrastructure. So what can/could have been done? Well, for one...don't allow users to write to the HKLM\..\Run key. The system may have been infected while they were away from a protected infrastructure, but the worm would not have been persistent across reboots.
Also, a personal firewall (Zone Alarm??) or the use of the XP SP2 firewall might have been beneficial.
Oddly enough, this worm also has IRC capabilities, connecting to an IP address on IRC running on port 8080, according to Symantec.
I have a response for cshanahan-
ReplyDeleteWithout getting into the whole debate over which is the better OS, yes. Security incidents do cause company decision makers to at least idly consider moving off Windows. Some will do more and actually order some sort of feasibility study - as IBM did a couple years ago.
Yet IBM is still using Windows for most of their corporate desktops and some of their servers, despite having some extremely strong business motivators to do otherwise. Why? Because in the end one realizes that business is about profits, and ideological choices which overly damage the bottom line will meet swift punishment from shareholders.
So, if the cost of transition from Windows to {whatever else} is too great, the other alternative is to run Windows or {whatever} /better/. As Keydet89 notes, this isn't actually that hard.
That it doesn't get done isn't an indictment of the technology or the vendor. It's an indictment of the operators and their management. Exploits with just as much damage are possible on /any/ OS if it has a network connection.
And yes, some companies do exactly what you said: pick up the peices and move on. Infuriating but true! It's an implicit decision by management at those places: a decision that an occasional IT scramble to clean up after some outbreak is 'just the cost of doing business'.
Personally I would not want to work in such an environment, but if it floats their boat, that's okay with me.
I first saw DiDio's article quoted in a recent eWeek article. Soon thereafter I saw the same article quoted here, by Harlan. I just found the timing interesting -- with the recent PnP exploits hitting _unpatched_ Windows machines hard. It seems as though people talk a great deal about Windows versus Linux whenever there is a _perceived_ threat, such as what is currently underway.
ReplyDeleteAs much as I do not like Windows (the OS), I _think_ I understand a lot of the reasons why companies continue to use Windows. I am not a sysadmin either, so I have never found myself in that situation -- having to explain to management why x-number of machines were shut down by an exploit for which there was a patch available. Does a situation such as this add to the Windows versus Linux debate? Or is it seen by sysadmins for what it really is? Hype!
I found another interesting take on the Zotob mess on Dominic White's blog.
Security incidents do cause company decision makers to at least idly consider moving off Windows.
ReplyDeleteIn some cases, perhaps. In cases I've personally been involved with, this hasn't happened. Most of these cases have involved users clicking on something they knew (I say "they knew..." b/c after the incident, they did, in fact, state that they knew better...) they shouldn't have.
In cases in which some sort of IT audit followed, there was never any consideration of whether or not Windows should be dropped. Sure, someone can say that, but one has to look at all of the very real costs involved...user and administrator training, etc.
Looking at these costs side-by-side with getting your IT staff trained...well, the cost-benefit is a no-brainer. I have, however, seen cases in which there has been no follow-though...this is getting a little bit off topic, but if you provide your IT staff with training in order to increase their skill sets, and then you raise their level of responsibility, but do not promote them, or give them a bonus, or give them a salary increase, you end up with disgruntled IT staff who either pose a greater security risk to your infrastructure...or they leave.
With regards to cshanahan's latest comment about having to explain why x-number of machines went down...I've never seen anyone have to do that. Seriously. Neither as a consultant, nor in an FTE position, I've never seen anyone get called on the carpet for this and really have to justify or explain what happened. I am familiar with several instances in which the situation was explained to the VP, Tech. and the CIO, who spun the situation for an angry CFO and CEO...but the root cause of the issue was never addressed - at least not in the two years I was there.
Is this the case with all companies? No...probably not. This is just my experience. I'm sure others have seen different things take place. However, I do know that across the board, there are a lot of things within many infrastructures that aren't being done, simply b/c the IT staff doesn't know how...or doesn't know that they need to be done.