By Tony Bradley | PC World
Published June 1, 2010
Sources from within Google are claiming that the online search and advertising giant is implementing an official transition away from the Microsoft Windows operating system. According to the reports, the culture shift is intended to reduce security concerns. That makes a compelling headline--especially for a Microsoft rival developing its own operating system--but it doesn't make a very good security strategy.
Google has valid reasons to abandon Windows, but it better have a better security strategy than that alone.
On one level, it makes perfect sense for Google to abandon Windows. Google has always been a bitter rival of Microsoft, and Google's Android mobile operating system and upcoming Chrome operating system are built on Linux. Of course Google should avoid generating additional revenue for Microsoft and rely on the platform that forms the foundation of what Google expects its customers to use.
Another area where Google should eat its own proverbial dog food is with Web browsers. The Chrome Web browser has been gaining market share since its launch, but it was a zero-day flaw in Microsoft's Internet Explorer Web browser that was exploited to compromise systems and steal data from Google earlier this year. With the exception of key developers who might need to see how things render in IE, users at Google should ostensibly not be using the competing browser.
That brings us to the claim that security concerns are behind the move to abandon Windows. The reports suggest that Google has banned the use of Windows in response to the Operation Aurora attacks which Google alleged were state-sponsored attacks from the Chinese government.
The flaw in that logic is that it assumes the attacker would be unable to compromise alternative platforms like Linux or Mac OS X. Microsoft Windows--by virtue of its dominant market share--is the target of the vast majority of general malware attacks, so switching from Windows may reduce the daily operational risks. But when it comes to precision, targeted attacks, alternative OS platforms don't provide any better defense, so dropping Windows would not have prevented the Operation Aurora attacks.
In fact, alternative platforms may arguably make a precision attack that much easier. The Mac OS X platform has an illusion of superior security because malware developers don't care to invest time and resources developing exploits that only work on five percent of the possible targets. However, year after year Mac OS X is compromised in a matter of minutes--or even seconds--in the annual Pwn2Own contest.
Before Google decides to base its security strategy on which operating system platform it relies on, the Google management and IT administrators should read the venerable information security classic Hacking Exposed--currently in its sixth edition. The first step to an attack is gathering details of the intended target--or footprinting.
Hacking Exposed explains that "The systematic and methodical footprinting of an organization enables attackers to create a near complete profile of an organization's security posture." The bottom line is that Google can use whatever operating system, Web browser, or other applications it chooses, but a professional attack will learn what those are during reconnaissance and design the attack accordingly to exploit whatever software Google is using.
I asked George Kurtz, Worldwide CTO for McAfee, his thoughts. Kurtz explains, "Just moving operating systems doesn't always mean an organization will realize greater protection against TARGETED attacks. It certainly could make a difference in reducing the amount of day-to-day malware that impacts a Windows environment. One point that might be worth mentioning is that while targeted attacks can be launched against any OS, there is a tremendous amount of expertise gained over the past five to seven years against the Windows environment. It will take a similar maturation period to develop tools that are just as sophisticated as the Windows environment for say OS X. Things like rootkits and their associated functionality are incredibly sophisticated and relatively mature in the Windows world."
Randy Abrams, Director of Technical Education for ESET, says "The Google response is a marketing / public relations response to attempt to show Google is doing something about security by blaming Microsoft for Google's own patch management and security problems. What were they thinking by running an outdated version of IE 6?"
Abrams agrees "In a targeted attack, the OS is no longer a significant issue. Not only is the OS an attack vector, but installed third-party apps are another attack vector. If an attacker knows your OS and goes after an Adobe flaw, the game still ends up with you on the losing end."
Kurtz added "Layer 8 is generally the biggest security challenge we have. The same people who fall victim to social engineering will do so via e-mail or IM, no matter what browser or OS they are using."
ESET's Abrams sums up with "Google would do much more to improve its security by using current versions of browsers and ensuring greater patch management practices."
Every organization should abandon IE6 and be seriously exploring a transition from Windows XP. Each has inherent security concerns, and the combination of the two almost begs to be hacked. And, Google in particular has valid reasons to abandon Windows and Internet Explorer that go well beyond security.
But, Google needs to remember that it's Google. It is a jackpot of sensitive data and information for a successful attacker. Google needs to understand the nature of targeted attacks and have a better security policy than simply a knee-jerk reaction to ban Microsoft software.