South Korean Firm Pays Massive Ransom
-
@Tim_G said in South Korean Firm Pays Massive Ransom:
Also, you need to consider what it is that's vulnerable. Is it Linux? Is it Windows?... or is it a program running on top of Linux/Windows such as Apache, Office, video driver? Which doesn't mean the OS is vulnerable.
Does it matter from an attackers point of view? Windows software by design is usually less secure than Linux software. I mean we are looking at attack surface here. If you scan two web servers (Linux and Windows) the Windows one will be more vulnerable every day of the week.
I understand what you are saying, and yes alot of Windows vulns come from shitty coded applications. However, we cannot ignore that because it is relevant to protecting servers. Your original statement was
@Tim_G said
I'm sure that if Linux was as targeted as Windows is, there would be just as many vulnerabilities found... or at least a lot more than you think. However, I'm sure they would be fixed much faster than Microsoft fixes things, due to being open source.
No there isn't as many vulnerabilities found, and from an attacker point of view who cares if they get in because of the OS or because of an IIS flaw or Adobe Reader flaw. It is the server admin's fault for having Adobe Reader on a server in this case. Maybe we see this pattern because of the difference in mindset between Windows and Linux admins, but for me it's held true in at least a dozen different organizations where I have done this type of work.
-
@IRJ said in South Korean Firm Pays Massive Ransom:
@DustinB3403 said in South Korean Firm Pays Massive Ransom:
@Tim_G Good Vulnerabilities?
I get what you mean, and I think @IRJ is simply stating that Windows is less maintained because of update schedules and patch release schedules.
Not exactly. Windows is just more vulnerable by default. There is really no comparison.
Do you guys not do vulnerability scanning on your networks? The proof is in the pudding, I challenge you to scan your Windows vs Linux servers to see what I am talking about. Everywhere I have been and done scanning, It has the same result no matter what the company. Linux is less vulnerable than Windows.
Seriously though, don't take my word for it. Test it yourselves.
Our Nessus scans show much less vulnerabilities for patched Linux than patched Windows.
You also have to look at the real world examples already. Windows makes up around 15-20% of the web. The rest is Linux. I'm pretty sure it's heavily targeted daily.
-
@stacksofplates said in South Korean Firm Pays Massive Ransom:
@IRJ said in South Korean Firm Pays Massive Ransom:
@DustinB3403 said in South Korean Firm Pays Massive Ransom:
@Tim_G Good Vulnerabilities?
I get what you mean, and I think @IRJ is simply stating that Windows is less maintained because of update schedules and patch release schedules.
Not exactly. Windows is just more vulnerable by default. There is really no comparison.
Do you guys not do vulnerability scanning on your networks? The proof is in the pudding, I challenge you to scan your Windows vs Linux servers to see what I am talking about. Everywhere I have been and done scanning, It has the same result no matter what the company. Linux is less vulnerable than Windows.
Seriously though, don't take my word for it. Test it yourselves.
Our Nessus scans show much less vulnerabilities for patched Linux than patched Windows.
You also have to look at the real world examples already. Windows makes up around 15-20% of the web. The rest is Linux. I'm pretty sure it's heavily targeted daily.
Yes, I have used Nessus, OpenVAS, and Qualys, and Nexpose. They are all virtually the same, but their results are consistent in showing Linux as more secure than Windows.
-
@scottalanmiller said in South Korean Firm Pays Massive Ransom:
Treating Windows like a production level system changes things significantly. Just so many people running it don't
I know many Windows admins who think all they have to do is deploy MS patches and they are safe. It is quite comical, really. They dont patch 3rd party with any centralized tool and they don't run vuln scans on their servers. As long as their MS patches are up to date, it is smooth sailing. Who cares if you have Adobe Reader 8 on your server as long as you have MS patches
-
@IRJ I'm working to get a proper security assessment of everything in my org.
I'm also drafting my own documentation on how things are setup, and what is what. So no I don't run security audits of the items on premise, but wish I could / do.
-
@DustinB3403 said in South Korean Firm Pays Massive Ransom:
@IRJ I'm working to get a proper security assessment of everything in my org.
I'm also drafting my own documentation on how things are setup, and what is what. So no I don't run security audits of the items on premise, but wish I could / do.
I can give you some advice on getting started if you'd like. All free , opensource tools
-
@IRJ Sure, lets create a new topic though
-
@IRJ said in South Korean Firm Pays Massive Ransom:
@scottalanmiller said in South Korean Firm Pays Massive Ransom:
Treating Windows like a production level system changes things significantly. Just so many people running it don't
I know many Windows admins who think all they have to do is deploy MS patches and they are safe.
I know tons that feel that all they have to do is AVOID patching Windows and they'll be safe. How many people have argued with me that the risk of patching and keeping systems up to date is worse than the threat of malware and hacking! I've literally been told this, over and over again! So many Windows Admins fear Windows itself more than they fear anything else.
-
@IRJ said in South Korean Firm Pays Massive Ransom:
No there isn't as many vulnerabilities found, and from an attacker point of view who cares if they get in because of the OS or because of an IIS flaw or Adobe Reader flaw.
Well we do. If we are running our own systems, selecting our own software, etc. we certainly care if the issue is that Windows is insecure, or if something we don't run but lots of other people do on Windows is insecure or if the issue is just that other Windows Admins do insecure things. Yes, there is an association, people running Adobe are way more likely to be doing so on Windows than on Linux, granted. But to say Windows is vulnerable requires causality, not correlation. It's not windows making it vulnerable, it's Adobe.
By that logic, we'd also say that all people who deploy Windows are vulnerable (which is more true than anything else) and that companies willing to run on Windows are inherently insecure and so forth.
Windows might not match Linux in security, but it is really good on its own. That it is almost always used by people who can't figured out security or the need for it doesn't influence what is good for us.
Example - Ferraris are one of the safest cars in the world, yet Ferrari drivers have terrible accidents all of the time because rich kids drive them like idiots. As a car buyer, that other people who drive badly often buy Ferraris does not tell me that a Ferrari is more dangerous for me. The purchasing of the Ferrari does not make me a bad driver.
Same here, if you are a secure admin, using windows will work just fine for you. If you are an insecure one, Linux won't work for you either... but for other reasons, chances are, you won't deploy Linux, only Windows.
Summary: Insecure people choose Windows, Windows doesn't make people insecure.
-
The thing I like about Windows 10 is that it does a better job at forcing users or at least home users to update. Unlike Windows XP because we all know back then users hardly pay attention to updates. Heck I still she that happens even with 7 and 8 a lot.
-
@scottalanmiller said in South Korean Firm Pays Massive Ransom:
@IRJ said in South Korean Firm Pays Massive Ransom:
No there isn't as many vulnerabilities found, and from an attacker point of view who cares if they get in because of the OS or because of an IIS flaw or Adobe Reader flaw.
Well we do. If we are running our own systems, selecting our own software, etc. we certainly care if the issue is that Windows is insecure, or if something we don't run but lots of other people do on Windows is insecure or if the issue is just that other Windows Admins do insecure things. Yes, there is an association, people running Adobe are way more likely to be doing so on Windows than on Linux, granted. But to say Windows is vulnerable requires causality, not correlation. It's not windows making it vulnerable, it's Adobe.
By that logic, we'd also say that all people who deploy Windows are vulnerable (which is more true than anything else) and that companies willing to run on Windows are inherently insecure and so forth.
Windows might not match Linux in security, but it is really good on its own. That it is almost always used by people who can't figured out security or the need for it doesn't influence what is good for us.
Example - Ferraris are one of the safest cars in the world, yet Ferrari drivers have terrible accidents all of the time because rich kids drive them like idiots. As a car buyer, that other people who drive badly often buy Ferraris does not tell me that a Ferrari is more dangerous for me. The purchasing of the Ferrari does not make me a bad driver.
Same here, if you are a secure admin, using windows will work just fine for you. If you are an insecure one, Linux won't work for you either... but for other reasons, chances are, you won't deploy Linux, only Windows.
Summary: Insecure people choose Windows, Windows doesn't make people insecure.
Yes, this was the point I was trying to make... but you said it so much better.
-
Besides not patching, I've seen Windows environments where the firewall is turned off or allowing all incoming traffic.
Home users using a 3rd party paid security software and not keeping up with subscription. Not sure why would anyone use 3rd party when Windows 10 provides a good one that is always available and up to date. That's including Server 2016 too.
-
@black3dynamite said in South Korean Firm Pays Massive Ransom:
Besides not patching, I've seen Windows environments where the firewall is turned off or allowing all incoming traffic.
That's big too. So many people don't trust Microsoft's defaults. They disable nearly all the security that they can find.
-
@scottalanmiller said in South Korean Firm Pays Massive Ransom:
@IRJ said in South Korean Firm Pays Massive Ransom:
No there isn't as many vulnerabilities found, and from an attacker point of view who cares if they get in because of the OS or because of an IIS flaw or Adobe Reader flaw.
Well we do. If we are running our own systems, selecting our own software, etc. we certainly care if the issue is that Windows is insecure, or if something we don't run but lots of other people do on Windows is insecure or if the issue is just that other Windows Admins do insecure things. Yes, there is an association, people running Adobe are way more likely to be doing so on Windows than on Linux, granted. But to say Windows is vulnerable requires causality, not correlation. It's not windows making it vulnerable, it's Adobe.
By that logic, we'd also say that all people who deploy Windows are vulnerable (which is more true than anything else) and that companies willing to run on Windows are inherently insecure and so forth.
Windows might not match Linux in security, but it is really good on its own. That it is almost always used by people who can't figured out security or the need for it doesn't influence what is good for us.
Example - Ferraris are one of the safest cars in the world, yet Ferrari drivers have terrible accidents all of the time because rich kids drive them like idiots. As a car buyer, that other people who drive badly often buy Ferraris does not tell me that a Ferrari is more dangerous for me. The purchasing of the Ferrari does not make me a bad driver.
Same here, if you are a secure admin, using windows will work just fine for you. If you are an insecure one, Linux won't work for you either... but for other reasons, chances are, you won't deploy Linux, only Windows.
Summary: Insecure people choose Windows, Windows doesn't make people insecure.
Well the Windows OS itself is less secure by far. So there is also that...
-
@IRJ said in South Korean Firm Pays Massive Ransom:
@scottalanmiller said in South Korean Firm Pays Massive Ransom:
@IRJ said in South Korean Firm Pays Massive Ransom:
No there isn't as many vulnerabilities found, and from an attacker point of view who cares if they get in because of the OS or because of an IIS flaw or Adobe Reader flaw.
Well we do. If we are running our own systems, selecting our own software, etc. we certainly care if the issue is that Windows is insecure, or if something we don't run but lots of other people do on Windows is insecure or if the issue is just that other Windows Admins do insecure things. Yes, there is an association, people running Adobe are way more likely to be doing so on Windows than on Linux, granted. But to say Windows is vulnerable requires causality, not correlation. It's not windows making it vulnerable, it's Adobe.
By that logic, we'd also say that all people who deploy Windows are vulnerable (which is more true than anything else) and that companies willing to run on Windows are inherently insecure and so forth.
Windows might not match Linux in security, but it is really good on its own. That it is almost always used by people who can't figured out security or the need for it doesn't influence what is good for us.
Example - Ferraris are one of the safest cars in the world, yet Ferrari drivers have terrible accidents all of the time because rich kids drive them like idiots. As a car buyer, that other people who drive badly often buy Ferraris does not tell me that a Ferrari is more dangerous for me. The purchasing of the Ferrari does not make me a bad driver.
Same here, if you are a secure admin, using windows will work just fine for you. If you are an insecure one, Linux won't work for you either... but for other reasons, chances are, you won't deploy Linux, only Windows.
Summary: Insecure people choose Windows, Windows doesn't make people insecure.
Well the Windows OS itself is less secure by far. So there is also that...
Which ones are we comparing? I agree, Windows 95 is much less secure than CentOS 7.
-
@Tim_G said in South Korean Firm Pays Massive Ransom:
@IRJ said in South Korean Firm Pays Massive Ransom:
@scottalanmiller said in South Korean Firm Pays Massive Ransom:
@IRJ said in South Korean Firm Pays Massive Ransom:
No there isn't as many vulnerabilities found, and from an attacker point of view who cares if they get in because of the OS or because of an IIS flaw or Adobe Reader flaw.
Well we do. If we are running our own systems, selecting our own software, etc. we certainly care if the issue is that Windows is insecure, or if something we don't run but lots of other people do on Windows is insecure or if the issue is just that other Windows Admins do insecure things. Yes, there is an association, people running Adobe are way more likely to be doing so on Windows than on Linux, granted. But to say Windows is vulnerable requires causality, not correlation. It's not windows making it vulnerable, it's Adobe.
By that logic, we'd also say that all people who deploy Windows are vulnerable (which is more true than anything else) and that companies willing to run on Windows are inherently insecure and so forth.
Windows might not match Linux in security, but it is really good on its own. That it is almost always used by people who can't figured out security or the need for it doesn't influence what is good for us.
Example - Ferraris are one of the safest cars in the world, yet Ferrari drivers have terrible accidents all of the time because rich kids drive them like idiots. As a car buyer, that other people who drive badly often buy Ferraris does not tell me that a Ferrari is more dangerous for me. The purchasing of the Ferrari does not make me a bad driver.
Same here, if you are a secure admin, using windows will work just fine for you. If you are an insecure one, Linux won't work for you either... but for other reasons, chances are, you won't deploy Linux, only Windows.
Summary: Insecure people choose Windows, Windows doesn't make people insecure.
Well the Windows OS itself is less secure by far. So there is also that...
Which ones are we comparing? I agree, Windows 95 is much less secure than CentOS 7.
That's actually DOS as the OS. And DOS might actually be decently secure
-
Mostly because... there was nothing to secure, ha ha.
J/K the lack of users was pretty insecure.
-
@scottalanmiller said in South Korean Firm Pays Massive Ransom:
@Tim_G said in South Korean Firm Pays Massive Ransom:
@IRJ said in South Korean Firm Pays Massive Ransom:
@scottalanmiller said in South Korean Firm Pays Massive Ransom:
@IRJ said in South Korean Firm Pays Massive Ransom:
No there isn't as many vulnerabilities found, and from an attacker point of view who cares if they get in because of the OS or because of an IIS flaw or Adobe Reader flaw.
Well we do. If we are running our own systems, selecting our own software, etc. we certainly care if the issue is that Windows is insecure, or if something we don't run but lots of other people do on Windows is insecure or if the issue is just that other Windows Admins do insecure things. Yes, there is an association, people running Adobe are way more likely to be doing so on Windows than on Linux, granted. But to say Windows is vulnerable requires causality, not correlation. It's not windows making it vulnerable, it's Adobe.
By that logic, we'd also say that all people who deploy Windows are vulnerable (which is more true than anything else) and that companies willing to run on Windows are inherently insecure and so forth.
Windows might not match Linux in security, but it is really good on its own. That it is almost always used by people who can't figured out security or the need for it doesn't influence what is good for us.
Example - Ferraris are one of the safest cars in the world, yet Ferrari drivers have terrible accidents all of the time because rich kids drive them like idiots. As a car buyer, that other people who drive badly often buy Ferraris does not tell me that a Ferrari is more dangerous for me. The purchasing of the Ferrari does not make me a bad driver.
Same here, if you are a secure admin, using windows will work just fine for you. If you are an insecure one, Linux won't work for you either... but for other reasons, chances are, you won't deploy Linux, only Windows.
Summary: Insecure people choose Windows, Windows doesn't make people insecure.
Well the Windows OS itself is less secure by far. So there is also that...
Which ones are we comparing? I agree, Windows 95 is much less secure than CentOS 7.
That's actually DOS as the OS. And DOS might actually be decently secure
Fine... DOS in Win95 GUI is much less secure than CentOS 7.
-
@Tim_G said in South Korean Firm Pays Massive Ransom:
@scottalanmiller said in South Korean Firm Pays Massive Ransom:
@Tim_G said in South Korean Firm Pays Massive Ransom:
@IRJ said in South Korean Firm Pays Massive Ransom:
@scottalanmiller said in South Korean Firm Pays Massive Ransom:
@IRJ said in South Korean Firm Pays Massive Ransom:
No there isn't as many vulnerabilities found, and from an attacker point of view who cares if they get in because of the OS or because of an IIS flaw or Adobe Reader flaw.
Well we do. If we are running our own systems, selecting our own software, etc. we certainly care if the issue is that Windows is insecure, or if something we don't run but lots of other people do on Windows is insecure or if the issue is just that other Windows Admins do insecure things. Yes, there is an association, people running Adobe are way more likely to be doing so on Windows than on Linux, granted. But to say Windows is vulnerable requires causality, not correlation. It's not windows making it vulnerable, it's Adobe.
By that logic, we'd also say that all people who deploy Windows are vulnerable (which is more true than anything else) and that companies willing to run on Windows are inherently insecure and so forth.
Windows might not match Linux in security, but it is really good on its own. That it is almost always used by people who can't figured out security or the need for it doesn't influence what is good for us.
Example - Ferraris are one of the safest cars in the world, yet Ferrari drivers have terrible accidents all of the time because rich kids drive them like idiots. As a car buyer, that other people who drive badly often buy Ferraris does not tell me that a Ferrari is more dangerous for me. The purchasing of the Ferrari does not make me a bad driver.
Same here, if you are a secure admin, using windows will work just fine for you. If you are an insecure one, Linux won't work for you either... but for other reasons, chances are, you won't deploy Linux, only Windows.
Summary: Insecure people choose Windows, Windows doesn't make people insecure.
Well the Windows OS itself is less secure by far. So there is also that...
Which ones are we comparing? I agree, Windows 95 is much less secure than CentOS 7.
That's actually DOS as the OS. And DOS might actually be decently secure
Fine... DOS in Win95 GUI is much less secure than CentOS 7.
Believe what you want, but I see this stuff everyday. Run your own scans and see for yourself.
-
Which Linux distros are you using in the example? Just CentOS / RHEL? Are you looking at several? That RHEL and Suse are super secure I have little doubt. Get much beyond that and anything might happen.