Please, not Windows again!

--Originally published at #CParravirgen

As part of the collective knowledge, I parter up with my friend Alex Carrillo, please give it a check at his blog too!

This time, we decided to work together on a blog about OS security. Here is what we came up with:

An OS can face many types of threats, and it needs to be able to protect itself. Here we will list some features or actions, that an OS needs to have or be done.

  • User Authentication
    • User authentication is a very important aspect to have, because with this, the OS can give access only to does people that have a user and a password. if an external person tries to access the computer by trying an invalid user and password, this will immediately reject them. Also by creating users, the OS can gave special privileges to some users. Of course, to be able to do that, the administrator is the one user that can do.
  • Security Policy
    • Creating a good and well-though security policy for the OS is a fundamental piece in making the OS more secure. We mention this, because this will be the base of creating the OS we want.
  • Vulnerability Assessment
    • From time to time, is very important to check for vulnerabilities in the system,and trying to solve them. Like they say, a computer connected to the internet is more vulnerable than an isolated one. So with that last thought in mind, we have to make sure to fix any problem that the OS might have before anyone else.

Even though we try to make our computer more secure, the reality is that we are not going to be able to make it 100% secure; but we can try to make it the most secure we can. There exist dozens of OS around

world, and because of that there is a classification of how trustworthy is a computer. This classification was made by the U.S. Department of Defense and it is called “Trusted Computer System’s Evaluation Criteria”, and this how they classify them

  • Type A.- is the highest level of security. This systems are proved not to have any kind of bugs or possibilities of having vulnerabilities.
  • Type B.- this level provides the mandatory protection. Users have special features of what can they do and what they can’t do.
  • Type C.- this level counts with user authentication and access control.
  • Type D.- this level doesn’t have any security at all, is the least secure.

So, which one is the most secure OS?

Nearly every Operating System is designed with Security as a requirement, but there can’t be a truly Secure Operating System. Maybe you have probably already heard of various security-focused Operating Systems like Tails, Whonix and Kali Linux. All these operating systems, including Windows, Linux, BSD, even OSX, are all based on a Monolithic Kernels, and it requires just one successful Kernel Exploit to hack the whole system. So, a reasonably secure operating system is one that keeps all crucial elements and activities isolated from each other.

There is a project with an OS called Qubes OS. It is a Linux based security-oriented and open-source operating system for personal computers, which runs everything inside the virtual machines.

Its visualization mechanism follows ‘Security by Isolation’ (Software Compartmentalization) principle to secure the systems, i.e. enabling the Principle of least privileges.

So, If you are a victim of a malicious cyber attack, doesn’t let an attacker take over your entire computer.

This can be a good way to keep security for the OS, at then end, is not perfect and as always, it tends to be on one or two sides of the security triangle, enforcing confidentiality and integrity, but may not have the complete availability as other systems do.

Other interesting topic to review is about Windows 10 and its updates. To comment a little on the subject, here is an article that might be interesting to read from the ONMsft site. “For those that didn’t know, Windows 10 now has forced automatic updates (unless you are on Windows 10 Professional, then you can delay Windows Updates). Yes, your PC will now be kept secure at all times, but this isn’t limited to just security updates. In fact, Windows 10’s forced automatic updates cover anything/everything Microsoft wants to put on your PC as part of Windows 10. This can potentially lead to problems, say for example a bad graphics driver.”

There are so many reasons why this is bad, the most important is because this can lead to major problems in your computer, which is not cool. Personally, we recommend a few things against this:

  1. Do NOT use Windows! Use Mac (if you have enough money and are willing to try it), or get a PC and install any flavor of Linux in it.
  2. If you really need Windows, do NOT use Windows 10! Instead, keep the nice and stable Windows 7. It is still not the best option, but way better than using Windows 10.
  3. Switch to Windows 10 PRO. If you just can’t stop using Win 10, then at least use a distribution that gives you more power over your PC.
  4. Return the PC and ask for another one without Win 10, or ask the downgrade to Win 7.

References

http://es.slideshare.net/abubakrashraf/security-protection-in-operating-system

https://www.cs.uic.edu/~jbell/CourseNotes/OperatingSystems/15_Security.html

https://www.tutorialspoint.com/operating_system/os_security.htm

http://thehackernews.com/2015/10/secure-operating-system.html

https://www.onmsft.com/news/windows-10s-policy-automatic-updates-causing-headaches-many