[PLUG] Dealing with security

Ed Sawicki ed at alcpress.com
Mon Feb 3 12:20:02 UTC 2003


I was asked by two people recently about Linux virus
scanning. One asked why there doesn't seem to be much
or any virus scanning software for Linux that a business
can use. The other wondered why Linux was less susceptible
than Windows.

The first was referring to Linux viruses - not a Linux box
scanning email for Windows clients. I explained that
most Linux deployments in business are as servers
presently and a Linux server managed by an administrator
reasonably well-versed in security is not going to fall
victim to viruses or other forms of attack easily.

I explained to both the concepts of daemons running as
root versus a lesser privileged user, not having daemons
running as the same user, restricting a daemon to a
portion of a file system by chrooting it, choosing to
use daemons that don't have a history of security issues,
etc. I said that by using common sense security
precautions, virus attacks are unlikely to succeed and,
if they do, cleanup would be relatively simple.

This was the wrong answer. The first fellow insists that
Linux is equally as vulnerable to virus attack as
Windows. He dismissed my explanation as the rantings
of a "rabid Linux user" - his words. I suspect he thinks
that Linux is not as secure as Windows because there are
no virus scanners available - no other facts matter. I
wonder what he'll think when he finds out that there is no
disk defragger for Linux.

The other didn't accept my explanation because "there are
more security alerts for Linux than there are for Windows."
and "if Linux was as popular as Windows it would have just
as many security problems" and "wasn't there a Linux
slammer attack?".

Clearly, there are a lot of people out there who don't get it
and technical explanations are lost on them. As Linux is
deployed by more and more people who don't have the
necessary skills and security awareness, Linux is going to
be perceived as a platform just as problematic as Windows.
These people need simpler concepts they can grasp.

I'm thinking that the solution is to shift the emphasis
away from Linux as a secure operating system to the
administrator. It's the administrator who makes a system
secure - not an operating system. When security problems
occur, we should not complain about Windows, we should
complain about administration. If company management puts
the pressure on their administrators to solve security
problems, more secure solutions, like Linux, should
eventually bubble to the top.
 

-- 
Ed Sawicki <ed at alcpress.com>
ALC
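
Added example, not part of the original message: a small audit of a process listing for the three daemon precautions named above (running as root versus a lesser-privileged user, several daemons sharing one user, and chrooting). The sample listing, its paths and the function names are constructed for illustration.

```python
"""Audit a process listing for the daemon precautions named in the post."""
from collections import defaultdict

# Constructed sample, one process per line: "user pid command root_dir".
# On a live Linux host the first three fields come from `ps -eo user,pid,comm`
# and the last from `readlink /proc/<pid>/root` ("/" means not chrooted).
SAMPLE = """\
root    412 sshd    /
root    530 httpd   /
apache  531 httpd   /
apache  532 httpd   /
named   601 named   /var/named/chroot
nobody  640 tftpd   /srv/tftp
nobody  655 rsyncd  /
root    700 lpd     /
"""

def parse(listing):
    """Return a list of (user, pid, command, root_dir) tuples."""
    rows = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        user, pid, comm, root = fields
        rows.append((user, int(pid), comm, root))
    return rows

def audit(rows):
    """Group processes by daemon name and report three review points."""
    users, daemons, roots = defaultdict(set), defaultdict(set), defaultdict(set)
    for user, _pid, comm, root in rows:
        users[comm].add(user)      # accounts each daemon runs under
        daemons[user].add(comm)    # daemons each account runs
        roots[comm].add(root)      # root directories each daemon sees
    return {
        # Every process of the daemon is root: it never drops privileges.
        "root_only": sorted(d for d, u in users.items() if u == {"root"}),
        # One unprivileged account shared by more than one daemon.
        "shared_user": {u: sorted(d) for u, d in daemons.items()
                        if u != "root" and len(d) > 1},
        # No process of the daemon is confined to a chroot directory.
        "not_chrooted": sorted(d for d, r in roots.items() if r == {"/"}),
    }

if __name__ == "__main__":
    for finding, value in audit(parse(SAMPLE)).items():
        print(finding, value)
```

The findings are prompts for review rather than verdicts: some daemons need a root parent process, and the listing only shows what is running at the moment it was taken.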




