Is Linux Next Security Target?

A report warns of security vulnerabilities, raising the question of whether the open-source model can provide bulletproof software (Courtesy: Information Week)

February 6, 2006

Unexploited vulnerabilities in the core Linux kernel are on the rise. And despite lots of debate over just how vulnerable Linux is, now's the time for businesses to ensure that their open-source software is secure. Waiting could be dangerous.

A recent study sparked controversy when it tallied 2,328 vulnerabilities in Linux and Unix combined, compared with 812 in Microsoft Windows. The Computer Emergency Readiness Team stats were criticized for possible double counting and including problems not related to the core Linux operating system (see story, "Linux Backers Question CERT Vulnerability Stats"). But CERT isn't alone in concluding that the threat level is rising for Linux.

The National Vulnerability Database maintained by the National Institute of Standards and Technology also shows signs of potential problems with Linux. Last year, 119 vulnerabilities were reported in the core Linux kernel, the one used by all versions of the operating system, compared with 61 published vulnerabilities for Windows XP, says Peter Mell, the database's administrator. Moreover, the trend isn't encouraging. There were 47 vulnerabilities in 2004 and 11 in 2002, Mell says.

The numbers can be confusing, because there are different ways of counting vulnerabilities in the open-source community compared with how Microsoft or other vendors keep tabs on them, and security problems are defined differently from one group to the next. Still, the numbers point to a trend that IT managers need to be aware of.
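The disagreement described above comes down to counting method: whether each vendor advisory counts once, whether the same flaw reported by several vendors is collapsed to one identifier, and whether packages shipped alongside the kernel are included. The following script, an added example that is not part of the original article and that works on a small constructed set of advisory records (hypothetical vendor names and placeholder CVE identifiers, not real entries), shows how the same input yields very different totals under each method.

```python
"""Constructed example: how counting methodology changes a vulnerability tally.

The records below are invented for illustration; the vendor names and CVE
identifiers are placeholders, not real advisories.
"""

# Each entry is (source, cve_id, component, year). The same CVE appears under
# more than one source to mimic the double counting the article mentions, and
# non-kernel components are included to mimic whole-distribution tallies.
ADVISORIES = [
    ("distro-a", "CVE-2005-0001", "kernel", 2005),
    ("distro-b", "CVE-2005-0001", "kernel", 2005),   # same flaw, second vendor advisory
    ("distro-a", "CVE-2005-0002", "kernel", 2005),
    ("distro-a", "CVE-2005-0003", "openssh", 2005),  # shipped with the distro, not the kernel
    ("distro-b", "CVE-2005-0003", "openssh", 2005),
    ("distro-a", "CVE-2005-0004", "apache", 2005),
    ("distro-a", "CVE-2004-0010", "kernel", 2004),
    ("distro-c", "CVE-2004-0010", "kernel", 2004),
    ("distro-a", "CVE-2004-0011", "glibc", 2004),
]


def count_advisories(advisories):
    """Naive tally: every advisory record counts once (the inflated number)."""
    return len(advisories)


def count_unique(advisories, component=None):
    """Count distinct CVE IDs, optionally restricted to one component."""
    ids = {cve for (_, cve, comp, _) in advisories
           if component is None or comp == component}
    return len(ids)


def count_by_year(advisories, component=None):
    """Distinct CVE IDs per year, the shape of trend figures like the NVD ones quoted."""
    seen = {}
    for _, cve, comp, year in advisories:
        if component is None or comp == component:
            seen.setdefault(year, set()).add(cve)
    return {year: len(ids) for year, ids in sorted(seen.items())}


def summarize(advisories):
    """All four views of the same data side by side."""
    return {
        "raw_advisories": count_advisories(advisories),
        "unique_any_component": count_unique(advisories),
        "unique_kernel_only": count_unique(advisories, "kernel"),
        "kernel_by_year": count_by_year(advisories, "kernel"),
    }


if __name__ == "__main__":
    for label, value in summarize(ADVISORIES).items():
        print(f"{label}: {value}")
```

On the constructed data the raw advisory count is 9, the number of distinct flaws across all components is 6, and the number of distinct kernel flaws is 3. Any comparison between operating systems is only meaningful when both sides are counted the same way.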

Keep Problems At Bay
Most businesses pay to have versions of Linux and related applications developed and supported by established vendors such as Red Hat and Novell. Those vendors vet their products for known problems and quickly patch any that appear. Red Hat even ensures the security of, and provides patches for, the third-party Linux apps it sells, says Michael Ferris, director of security products.

Even that doesn't mean a business is completely out of the woods regarding Linux security. Customers could be using an unpatched Linux-based network-connected multifunction printer or have on their network an obscure tool that a programmer found on a Web site and is using unbeknownst to anyone, leaving the door open to problems. "All it takes is one mistake to open the entire enterprise up," warns Alan Paller, research director at the SANS Institute.

Another problem is that operating systems, including many Linux distributions, are shipped with key security features turned off to ensure that applications can run without incompatibilities, security consultant Jamie Haughom says. IT managers must ensure that their staff are experts in setting encryption levels, creating VPNs to send and receive files, and using tools to audit for adequate Linux security.

The good news is that "Linux comes with everything you need to be secure," Haughom says. And there's a wealth of information on the Internet to help. But it's up to users to educate themselves.

Safe For the moment
Linux has been spared most of the serious worms, viruses, and denial-of-service attacks that have plagued other products, especially Windows. Security experts say that's because it's largely installed on servers, and server administrators are savvier than most users about security. Malware most often enters corporate systems via the desktop, and most desktops run Windows.

But as Linux gets more popular, it becomes attractive to hackers, says Michael Goulde, a Forrester Research analyst. Linux is more frequently used for CRM and ERP applications, particularly in midsize companies, and financial-services and health-care firms are entrenched Linux users, Goulde says.

Linux for users is growing very slowly in the United States, where it runs less than 1% of all desktops, Gartner analyst Michael Silver says. It's used more elsewhere, especially in Eastern Europe. "They need less-expensive alternatives, and they don't have the legacy and compatibility issues we have," Silver says.

As Linux's popularity increases, some question whether the open-source development model will be able to keep it secure.

David Humphrey, a senior technology adviser at consulting firm Ekaru, says kernel security enhancements make Linux one of the most secure operating systems.

Others raise concerns. "To a large extent, [security] could be a failure with open source," says Ira Winkler, president of the Internet Security Advisors Group, and author of Spies Among Us (Wiley, 2005). The primary issue is a lack of consistency in testing methodologies, he says.

The question is whether an open-source model is more or less secure, Forrester's Goulde says. In the plus column, everyone can examine the code for vulnerabilities and submit fixes. But because the source code for any Linux project is so widely circulated, "it's available to every hacker in the world," he says.

Open-source contributors must be accepted into a development project, and acceptance is based on their previous work, Goulde notes. "There's a perception out there that anyone drinking Jolt Cola and eating potato chips in their basement can place code into an open-source project, and that's simply not true."

Many Linux users don't seem all that worried. An InformationWeek survey found that only 10% of 354 business-technology professionals mentioned security as a challenge that they encountered while deploying the software.

Brad Friedman, information services VP at Burlington Coat Factory, hasn't experienced major security problems with the Linux software installed on some 7,000 point-of-sale terminals and workstations. But he remains vigilant. "I'm sure we'll start to see people exploit vulnerabilities in Linux. Every piece of software has holes," he says.

In the end, the burden for securing Linux systems remains with the companies using them. They'll continue to struggle with the imperfect software and the knowledge that the cost of imperfection can be quite high.

Illustration by Peter Horvath
