12 Apr 2000
According to a leading security expert it is users, not operating systems, that represent an organisation's security weak spots.
Speaking at the Infosecurity conference in London today, Ira Winkler, president of the Internet Security Advisers Group, said the big security issue is not whether NT, Unix, or Linux is inherently more secure, but how seriously administrators and users treat security.
"Users like insecure operating systems because secure ones are harder to maintain," he said. "Out-of-the-box installations are generally insecure because [users] find default configurations annoying."
He added: "Convincing vendors to fix the problem is not the answer - it's convincing users to install the patch so whatever is running is secure."
According to Winkler, the problem is slack administration, such as setting up file sharing for ease of use in a way that is poor from a security perspective. "This allows data to be shared with the entire world," he said. "The key thing is maintenance."
He believes that functionality and security are often opposed. "A single-user operating system such as Windows 3.1 is more secure than NT can ever be, but Windows NT can be secure," he said. "It's just that with over 40 million lines of code in the operating system, it's more likely that problems are designed into the system. If users don't install the latest service pack on NT then it is vulnerable."
Winkler added that the Unix world isn't perfect either. "It has been around longer, so more vulnerabilities have been discovered, but it is not as user friendly as NT."
He advised users to figure out what function they want their computer to fill. "It has to be decided from a security and a functionality perspective. The most secure operating systems are the ones with the least market share because nobody is bothered about finding their vulnerabilities. They have the least hacker exposure."
The battle over security between open source and proprietary operating system vendors cannot be won, said Winkler. "Microsoft claims that inherently an open source operating system cannot be secure, whereas the open source community say that if people are out there looking for the problems, they can fix it. They are both right."
Speaking at Infosecurity yesterday, e-minister Patricia Hewitt said that information is a business asset which needs to be suitably protected, for commercial and legal reasons. However, she said that "technology cannot provide all the answers", because it is "more of a business and management challenge".
She recommended implementing the information security management standard, BS 7799. "A risk assessment approach is clearly at its heart," she said.