Solved

Most secure Linux or x86 Unix that are least prone to ransomware/malware

Posted on 2016-09-10
Last Modified: 2016-09-15
I'm exploring setting up a VM running a Linux or x86 UNIX (say x86 Solaris or x86 SCO UNIX if it's still around)
that's dedicated to browsing the Internet : using a VM because I could scale the vRAM, vCPU, storage &
I can always take a snapshot backup prior to applying security patches.

Is SCO UNIX open source & do they release patches regularly?


Currently in our environment, it takes 3-6 months to assess & test patches before applying them onto
Windows (& UNIX) due to past disruptions, so dedicating a VM for everyone to remote in to browse the
Internet will entail less Change Management red tape: only the internet browsing function will be
affected in the event patches cause issues.


I read that Chrome (& Chromium) & Firefox are much safer browsers than IE so I'll need a Linux/UNIX
(64-bit so that it can support more RAM) flavor that could support Chrome/Chromium or Firefox : some
lesser known browsers like Konqueror may not work well with certain websites (or am I mistaken?).

Some time back Firefox was banned as I was told it has too many exploits??  But I tend to think IE
has much more, glancing from the monthly MS security patches (quite a number of them are IE).

So comparing Solaris x86, RHEL, SCO, Debian, Ubuntu, CentOS : I need to have support for a secure
browser & the OS with the least malware/ransomware that could exploit/run on it & I'm contemplating
if an email client (that could connect to MS Exchange) could also be supported in future.
Question by:sunhux
24 Comments
 

Author Comment

by:sunhux
& I don't want to compile Chrome/Chromium on an OS but want ready-to-use
packages/RPMs that I could just install and use.

Expert Comment

by:Bing CISM / CISSP
For personal use or a template computer for enterprise-wide deployment?

Assisted Solution

by:dbrunton
dbrunton earned 150 total points
>>  Is SCO UNIX an Opensource & do they release patches regularly?

NO, NO, NO
SCO is proprietary and costly.  Stay away from it.  Unclean.  Burn with fire.

Solaris

Stay away from that as well.  Probably you may have driver problems.

CentOS and RHEL are basically the same.  CentOS is a repackage/rebuild of RHEL.
Ubuntu is based on Debian but with nicer features.

As for which Linux/Unix distribution is less malware/ransomware prone or insecure I don't believe there is any data out there on that.

Chrome can be got for Debian or Ubuntu.  See https://www.google.com/chrome/browser/desktop/

Email clients on Linux for MS Exchange are hit and miss.  Some people have had luck with various plugins, others don't.  It also depends on the version of Exchange and other factors ... (from a quick Google search on the matter, see https://www.reddit.com/r/linux/comments/37mkd2/linux_mail_client_that_handles_exchange/ for example).

Expert Comment

by:serialband
Don't just switch because of some hearsay.  If you're not familiar with linux, you should just stick to using windows.  Linux can be hacked as well.  The reason linux has been "more secure" is because there are fewer users and those that use it tend to have more experience with it.  Those that are less knowledgeable will still get hacked.

If you're using a VM, you can always revert to the snapshot after you use it.  Just make new snapshots.  It makes no difference what you install in the VM.  You can stick with Windows if that's what you know better.  Honestly, if you're not browsing safely in Windows, you won't be browsing safely in linux.  The only advantage is that the attacks are directed to Windows more frequently.  It doesn't mean there aren't attacks to Linux.  I've seen users get attacked quite frequently on linux, because they're not familiar with it.

Expert Comment

by:John Hurst
With any system (Windows, MAC or Linux) careful browsing, good spam filters and control, and user education are the only real ways to keep viruses away. I agree that switching just for this reason does not make a lot of sense.

We only use Windows at all our clients and have very few difficulties.

Accepted Solution

by:btan
btan earned 170 total points
Since your purpose is browsing, stay away from SCO UNIX and Solaris. You are not building a backend farm unless you intend to. But note that ransomware can be just as platform agnostic - past feedback when CryptoWall came out after Cryptolocker:

It is coded to run on both 32-bit and 64-bit systems, which increases its chances of running on whatever computer it infects, Carter said. Newer versions of Mac OS X and Windows are 64-bit operating systems.
As for browsers, like Firefox, which I do not really see being 'banned', though there are past boycott calls such as this (http://whyfirefoxisblocked.com) and also it is rumoured a US agency has kept an FF vulnerability, as in there is FF

Overall, I suggest you can stay clean if your browsing experience does not have sensitive data for storing - meaning separate your network into internal and Internet and use a different machine or VM. Likewise have strict control over USB devices and access control rights only as user and not default admin.

See possible candidates for deployment in a kind of LiveCD style (don't really save files...)

a) boot using TAILS which is highly customized Debian, which itself is just GNU/Linux. It is not foolproof (likewise for others) since there exists the past "torsploit" attack which exploited an outdated version of Tor Browser and may have been able to attack Tails; however the Tails firewall was able to block it. Having said that, in general, there will likely be little general-purpose malware which is effective against Tails.
https://tails.boum.org/

Another is separation through isolation
b) Qubes is a desktop environment based on Fedora that's all about security through isolation. Qubes assumes that there can't be a truly secure operating system, so instead it runs everything inside of virtual machines. This ensures that if you are victim to a malicious attack, it doesn't spread to the operating system as a whole.
For example, you could create a "Work" virtual machine that includes Firefox and Thunderbird, a "Shopping" virtual machine that includes just Firefox, and then whatever else you need. This way, when you're messing around in the "Shopping" virtual machine, it's isolated from your "Work" virtual machine in case something goes wrong. You can create virtual machines of Windows and Linux. You can also create disposable virtual machines for one time actions.
The major concern (for some) with Qubes is the fact that you need to do everything manually. E.g. setting up virtual machines secures your system as a whole, and you have to architect and guide the deployment and the change in experience in using them.
https://www.qubes-os.org/doc/user-faq/#does-qubes-run-every-app-in-a-separate-vm

support for TOR based browser (http://motherboard.vice.com/read/the-fbi-may-be-sitting-on-a-firefox-vulnerability).

Though not entirely malware free, holistically you should also in your planning have means to protect users' privacy and add-ons to the browser that can be useful.
https://www.experts-exchange.com/articles/18652/Privacy-protection-practices-and-tools.html

Author Comment

by:sunhux
Ok, just saw somewhere SCO is a No (I used it 16 yrs ago on Cyberguard firewall):
quite restrictive.

>for personal use or a template computer for enterprise-wide deployment?
I plan to deploy about 3 to 6 in our company for the 2000+ employees to
remote in to browse Internet (ie block their PCs/laptops from accessing
Internet), ie they have to go to one of these Linux to do Internet browsing.

So I'm setting up an "air-gap" Internet access

Expert Comment

by:John Hurst
We are able to train our employees to ensure sensible use. I would be interested to know if browsing on a different machine will work.

How will employees who need internet for their jobs function?

Author Comment

by:sunhux
>Don't just switch because of some hearsay.
Not hearsay, FireEye told me & they don't feel a need to do IOC
assessments in our environment for Unix/Linux.

I personally manage an environment of 950 RHEL+Solaris x86
plus 1300 Windows : the malware/viruses that hit RHEL/Solaris
are all simply Windows malware & they can't run/exploit, while
the ones that hit Windows are all 100% meant for Windows.

MAC OSX is a flavor of Linux & my kid's school mandates them to
use MAC : I know at least a dozen over kids watch movies on the
highly malicious gooddrama.net & drama.net : nothing happens
to their MAC OSX which is without any AV
Author Comment

by:sunhux
We have leading brand antispam, AV, URL defense & I see the reports blocking tens of thousands
of spam & thousands of malware every month via emails : the users have always forwarded
our team 'suspicious' emails (ie from unknown senders, too good to be true offers, mails with
dubious links) : thankfully we have not been hit via emails so far but when browsing "holiday or
hotel booking" sites, we got hit (despite a top-end proxy censoring sites that we could
visit) many times.

Ok, agree that this air-gap "reverse jumphost" can be Windows as it could be just as good
in filtering out infections but we have an IT team to support it if it's Linux
Author Comment

by:sunhux
> How will employees who need internet for their jobs function?
Doing research using google.

Though there are staff who use it to do shopping

Assisted Solution

by:dbrunton
dbrunton earned 150 total points
MAC OS X is NOT a flavour of Linux.

It is a flavour of BSD.   Similar to Linux/Unix but it isn't them.  The standard browser for MAC OS X is Safari which is considered insecure and viruses DO exist for MAC OS X.  Do not consider OS X or Safari to be secure and/or safe.

If your IT team supports RHEL then they can/should be able to support Debian or Ubuntu.  Ubuntu has paid support plus some of its releases have long term support (LTS) which is roughly about five years.

Expert Comment

by:btan
The air gap is a good scheme but you will need to watch over it (esp. use of USB drives and network mapped shares) and allow authorised means to transfer information from internet to intranet only. Any lapses will negate the air gap scheme. Those points of entry need to be cleansed and the load coming into the intranet inspected. Check those systems - the choice of OS is not really a factor in the safeguards, nor is the choice of a more secure browser - mentioned lots of times, there is no foolproof vulnerability-free system and application. You can check out Qubes.

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 60 total points
> The standard browser for MAC OS X is Safari which is considered insecure and viruses DO exist for MAC OS X.

Agree. One of my personal practices is, I never run the OS built-in browser on any platform. For OSX and iOS, it is Safari; for Windows, it is IE.

Expert Comment

by:serialband
> FireEye told me & they don't feel a need to do IOC assessments in our environment for Unix/Linux.

That just tells me that FireEye doesn't really know Unix/Linux.  I would not trust them about their assessments of anything that isn't Windows.  You need to get a 2nd opinion.  Windows is technically more secure from years of attacks.  It's just that it's a much bigger target because many more people use it, especially people with very little computer literacy.  That's the main reason Windows is "insecure".

Expert Comment

by:Bing CISM / CISSP
totally agree with Serialband.

Assisted Solution

by:tliotta
tliotta earned 60 total points
> ...employees to
> remote in to browse Internet (ie block their PCs/laptops from accessing
> Internet), ie they have to go to one of these Linux to do Internet browsing.
"Remote in"? Do you actually mean "remote in"? Or will they physically need to walk over to one of your proposed systems to access the internet, and those proposed systems are on a physically separate network?

> So I'm setting up an "air-gap" Internet access
If they're going to "remote in", then there is no "air gap". If the proposed systems are on the same physical network separated only by firewall rules, there is no "air gap".

So, are you actually intending an "air gap" between employee systems and the internet? Or do you essentially only want a few "internet jump servers"? (I know they won't technically be "jump servers", but I'm not sure a better term applies.)

Author Comment

by:sunhux
> you actually mean "remote in"?
Yes, sort of RDP, but the plan is not to use RDP but some other protocol/remoting tool with no file sharing.

Ok, given that Linux is more vulnerable than Windows, I still feel this is a good idea because I've not
heard of a malware that could hit both Linux AND Windows: so if the Linux got hit, the same malware
which is Linux specific is unlikely to attack Windows.  If it's a Windows malware/ransomware that got
into the Linux, it's not going to run/exploit on that Linux.

Ya, agree that in defense projects, physical isolation is the safest but the comm protocol is a different
one than the regular RDP, so this is going to make it more secure.

It is for this very similar idea that internal & external firewalls ought to be of different brands : if there's
a vulnerability (like the recent Cisco ASA) for one brand of firewall, at least the other layer of firewall of
a different brand is unlikely to have it.  A C&C attack that successfully gains control via a certain weakness
of one firewall will need a different vulnerability/weakness to exploit another brand of firewall : feel
free to disagree

I just learnt that there's a product called ISLA (Spanish for island) that is dedicated for users to 'remote'
in to do just Internet browsing, so some vendor out there must have the same idea

Author Comment

by:sunhux
> "internet jump servers"?
I would call it 'reverse jump servers' because we're accessing a less secure environment (Internet browsing)
from the more secure PCs.  I suppose 'jump servers' is for accessing a more secure environment from the less
secure PCs.

Now the difficult part for me is : suppose users download files to the Linux & they want those files on their
PCs/laptops : if I stop them, there will be violent objections;  if I allow it,  'infected' files are going to get through
though I think in most cases, they can just do a "copy" from the Linux browser & then "paste" it into their
Windows PCs : I suppose not much malware could get 'copied' & 'pasted' over this way or am I
mistaken?

Author Comment

by:sunhux
So far all the successful malware/ransomware attacks we've seen are due to users browsing malicious/infected sites
& I'm trying to patch this loophole.  Attacks via emails : unheard of so far as users have been aware of unsolicited
emails & emails from unknown senders & have always reported them & not clicked anything in them : despite the product
filtering away more than 100,000 such emails monthly, some get through

Assisted Solution

by:dbrunton
dbrunton earned 150 total points
>>  Ok, given that Linux is more vulnerable than Windows,

That's a debatable and controversial statement.  Rather than debate it, best to say that BOTH have vulnerabilities.  Now the vulnerabilities that do exist in BOTH aren't necessarily the OSes but rather the applications that run on them.

>>  I still feel this is a good idea because I've not heard of a malware that could hit both Linux AND Windows:

They do exist but are mostly in applications.  For example, Flash, PDF, Java, Javascript, Word documents, ZIP files are all good containers for malware for both OSes.

See https://blogs.sophos.com/2015/03/26/dont-believe-these-four-myths-about-linux-security/ and its section "3 – Windows malware cannot run on Linux" for cross-platform threats.

Assisted Solution

by:dbrunton
dbrunton earned 150 total points
Malicious internet sites:

You can disable Flash, you can use ad blockers (a number of attacks are through malicious ads) but ad blockers can cause problems with some sites, you can disable Javascript (but I do not recommend this), you can stop the use of Java (recommended).
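As an added example (not posted by anyone in this thread), here is a small POSIX shell helper that writes a Firefox user.js applying the lockdown dbrunton lists above: Flash and Java off, any other plugin never activated, and JavaScript off only when explicitly requested, since he advises against it. The pref keys are the about:config names as I know them for Firefox releases of that era (an assumption; verify in about:config on your build), and the profile directory is whatever you pass in.

```shell
#!/bin/sh
# Writes a hardened user.js into a Firefox profile for a shared browsing VM.
# Usage: write_hardened_userjs /path/to/firefox/profile [yes|no]
#   (the profile path is a placeholder; use your real one)
# Pref keys are assumed from about:config: plugin.state.* with 0 = never
# activate, plugin.default.state for plugins not named, javascript.enabled.
set -eu

# write_hardened_userjs PROFILE_DIR [disable_js]
# Flash and Java are always disabled; JavaScript only if the 2nd arg is "yes".
write_hardened_userjs() {
    profile_dir="$1"
    disable_js="${2:-no}"
    mkdir -p "$profile_dir"
    {
        printf '// Generated by write_hardened_userjs for the browsing VM\n'
        printf 'user_pref("plugin.state.flash", 0);\n'   # Flash never activates
        printf 'user_pref("plugin.state.java", 0);\n'    # Java never activates
        printf 'user_pref("plugin.default.state", 0);\n' # any other plugin: off
        if [ "$disable_js" = "yes" ]; then
            printf 'user_pref("javascript.enabled", false);\n'
        fi
    } > "$profile_dir/user.js"
}

# check_pref FILE PREF VALUE -> exit 0 if FILE sets PREF to exactly VALUE.
# Useful as a post-deployment check that the profile was not reset.
check_pref() {
    grep -q "^user_pref(\"$2\", $3);\$" "$1"
}
```

Firefox reads user.js on every start and copies its values over prefs.js, so the lockdown survives a user changing the setting in the UI.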

Expert Comment

by:btan
Different brands of FW:

In a way yes, a vulnerability in one FW brand normally does not affect the other brand. That is a risk-measured approach for segregating high and low risk networks. But we also do not want to overdo it. Have the operation in mind too, such that rules can still be reviewed for consistency and audit, SIEM can still have oversight of correlated events for the FWs, and admin accounts should be separated if possible to reduce the threat of abuse.

Need to guard the Internet to intranet transfer of data (if that is required) and probably have to consider a diode.

Assisted Solution

by:serialband
serialband earned 60 total points
> Ok, given that Linux is more vulnerable than Windows,
You have a misunderstanding.  They have different vulnerabilities and are affected differently.  One is not necessarily more vulnerable than the other.  Switching to Linux just because FireEye told you it was safer was incorrect.  Linux has different vulnerabilities and needs patching and protecting as well.  They just won't suffer from Windows viruses.  They can still be attacked.  The attack vectors are different.  If you're unfamiliar with Linux, you will get hacked on Linux.  Stick with what you know.

Security is a process.  You need to have firewalls, antivirus, and adblockers to protect your systems.  Users also need to be educated about not clicking random stuff.  There are hardware firewalls that have subscriptions to update their block lists and prevent access to malicious sites.  There are software firewalls and antivirus that will scan for incoming junk.  You need them all to be more secure.  Don't leave out the user training.

If your users are not careful, no amount of software or hardware will protect them.  All scanners can do is block users and systems from known attack vectors.  New viruses and malware are being written all the time that will slip past existing protections.  A user just needs to click on any one of those that have slipped through and they're down.  You can't just rely on the technical solutions to protect your users.  A big part of it is user education.  If you don't click on junk, you could theoretically run without any antivirus or firewall (as long as you don't run services that open ports) and never get infected.  Unfortunately, you do need adblockers, unless you run a browser that never loads plugins or runs scripts, which fully limits access to some sites.  Many of them are still readable if you load the source, but some are not.