Alright, let's create a question-and-answer post to better explain the question of Linux and security.
Okay, here goes.
Q: Is Linux more secure than Windows?
A: Yes, Linux is more secure than Windows.
Q: Why, you ask?
A: Not because Linux is some super-duper operating system. It's an operating system like all the others, and don't let anyone lie to you and say otherwise. Nothing, and I mean nothing, is absolutely secure!
Q: So if that's the case, why is it more secure than Windows?
A: Ah yes. Here is where we discuss a multitude of whys.
- First, you must understand there are two different *ROOT* attack targets at play: you can attack servers, or you can attack end users. Consider this: while there are millions of servers, there are *BILLIONS* of end users.
- There is a numbers game at play. If you wanted to compromise a system, any system, the smart play is to play the numbers. Do you attack servers or do you attack end users? Yes, you attack end users. Windows accounts for over 40% of all operating systems in use today. Therefore attackers will undoubtedly focus their attacks on Windows, because macOS holds about a 6.3% share and Linux holds *less than 1%*. Therefore, most end-user attacks come against Windows. Don't let Apple tell you they are more secure; they are the same. They just have fewer people attacking them!
Q: So that's the only thing at play making Linux *seem* more secure?
A: Nope! There is more!
Back in the day, Microsoft made some ENORMOUS mistakes! Not just around security, but around many things! You can look back at quotes and many other areas and see how many mistakes Microsoft made (Bill Gates' famous "640K ought to be enough for anybody", a line he has denied ever saying; dismissing the Internet as a fad, which led to Microsoft's late entry into the browser wars; etc.). But it's their security-related mistakes that we are here to discuss!
Back in the 1990s, Microsoft wanted to dominate the PC industry and "by golly, they did!" They did so by doing what today is considered a cardinal sin! They ignored security and pumped all resources into usability and feature sets! By doing so, not only did they create the dominant end-user operating system, but they also dominated the productivity suites with Microsoft Office, which basically killed off the competition in that sector (Apple Lisa, WordPerfect, IBM Lotus, Borland Office / Quattro Pro, Corel Office, etc.).
In the process of doing this, they were adding immense complexity to both Windows and their Office suite, and doing so without regard to security.
Microsoft was unable to undo the damage without reverting everything they had built. They had no choice but to restart and rebuild while maintaining the operating system users had come to expect. That took DECADES to get to where we are, and it is why you saw dramatic changes in the Windows architecture while the Linux kernel never started over but only evolved over time.
Linux also followed a core value I still hold today and that Windows continues to fail at: Keep It Simple, Stupid (K.I.S.S.). While the Linux kernel has become HUGE, the kernel is the brain and it only holds what is necessary to support the core system. The normal features you're used to seeing as a user are bolted on (X, the CLI utilities, etc.). That cannot be said about Windows, even though they are trying to move in that direction. Even their PowerShell ties everything at the core of Windows together, making it complex to the extreme. Linux has complexity issues too, but not even remotely on the level of Windows.
Windows' complexity creates a tangled web of structures within Windows. This complexity creates an enormously large attack surface for hackers to attack. For instance, let's look at Microsoft's mail server, Exchange. If you've ever set up a mail server before and worked with MS Exchange, you already know Exchange is a BEAST! It's not just a mail server, it's so much more! Linux mail servers normally store email as plain text files (mbox or Maildir), but not Exchange. It has its own database (the Extensible Storage Engine, ESE) to store emails!
That was an enormous mistake, and they've looked at fixing it by storing attachments outside the database. Yeah, let's add more complexity! lol. Enter Microsoft SharePoint Server! Google "SharePoint nightmare" and here we go again: massively complex mistakes that open up an ungodly amount of attack surface, not to mention system management nightmares!
Anyhow, while I made it clear MS has major self-created issues, they have actually done a really good job of trying to secure their complex environment. Of course, they've spent enormous amounts of money (more than most companies can afford) doing so, hiring some of the best engineers in the industry. (I'm an enormous fan of Mark Russinovich, CTO of Microsoft Azure and the man behind Windows Internals and the Sysinternals utilities.)
Q: Do I need AV on Linux?
A: It doesn't hurt, because infections on Linux do happen. As a matter of fact, if you were to get an anti-virus system for Linux, I don't recommend a free one. I recommend you buy a paid one that also supports HIPS (HIPS = Host Intrusion Prevention System). HIPS doesn't just look for virus signatures like a normal anti-virus does. It watches command executions at the kernel level, and when it sees something doing something that isn't normal or appears nefarious, it will stop it or even sandbox the application!
Have you ever heard the phrase "Better Safe Than Sorry"?
Anyhow, if there are any up-and-coming Linux or infrastructure guys reading this, here are some core rules I teach the guys who work for me.
IT and Security Rules to Live By:
There are some core rules that I always teach new IT and Infrastructure engineers. Those are:
- All mistakes start with an assumption. Never assume anything, or you're likely to end up correcting a mistake. Sometimes a very bad mistake! One that could cost you, or other people, a job!
- Follow the principle of KISS: (K)eep (I)t (S)imple, (S)tupid. Complex systems create complex problems. Simple systems create simple problems. Only get as complex as is absolutely necessary!
- Before accepting a course of action, take the horse blinders off and ask yourself: what collateral damage could this cause? What I mean by that is don't just look at A->D of what you're doing. Look at how these changes, or this system, could negatively impact other operations. Don't find that out after it goes live and you're running around with your hair on fire!
- Follow the Principle of Least Privilege: only give someone or something the privileges they need to do their job. While it does create more work, and even more complexity in privilege management, it can be the difference between having a job and not having one. In some cases, between all your co-workers having a job and not having one. Security, especially today, can be that difference. A ransomware infection can kill a company and all the jobs of those employed by it.
- Follow the principle of Zero Trust: this is more complex to explain, so just Google "Zero Trust Architecture". While it's a complex subject, the high-level overview of it can and should be applied to life in general.
- Finally, understand that backups, snapshots, resiliency, RAID, high availability, and a multitude of other terms and/or facilities are not the same thing! RAID survives a failed disk but faithfully mirrors a ransomware encryption; a snapshot on the same array dies with the array; only an offline or off-site backup brings data back after both. Business continuity is a wide-ranging requirement, and most of the terms you hear about are only a piece of it, not the single requirement.
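One concrete way to apply the least-privilege rule above to a Linux box, as an added example that is not from the original post: a small Python audit that walks a directory tree and reports files holding more privilege than their job needs. The directory layout, file names and modes are constructed for the demo (it builds them in a temporary directory); the three checks themselves are the ones you would point at /etc, /usr/local and the home directories on a real host: world-writable files (anyone can alter them), setuid/setgid executables (a bug in them runs as someone else), and secret material readable by group or others.

```python
import os
import stat
import tempfile

# Path fragments that mark a file as secret material (assumed naming convention).
SECRET_HINTS = ("/secrets/", ".key", ".pem")


def audit(root):
    """Walk root and return a sorted list of (relative_path, reason) least-privilege violations."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets, devices
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid bit set"))
            if any(h in "/" + rel for h in SECRET_HINTS) and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "secret readable by group or others"))
    return sorted(findings)


def make_demo_tree():
    """Build a constructed tree with deliberate mistakes; return its path."""
    root = tempfile.mkdtemp(prefix="least-priv-demo-")
    layout = {
        "etc/app.conf":    0o666,   # mistake: any local user can rewrite the config
        "bin/helper":      0o4755,  # mistake: setuid; a bug here runs as the owner
        "secrets/api.key": 0o644,   # mistake: every local user can read the key
        "secrets/db.key":  0o600,   # correct: owner only
        "etc/motd":        0o644,   # correct: public, read-only text
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    for rel, reason in audit(demo):
        print(f"{rel}: {reason}")
```

Run against a real tree the same function turns the principle into a list of things to fix; the deliberately correct files (`secrets/db.key` at 0600, a world-readable `motd`) are there to show that the audit is about privilege beyond need, not about locking everything down.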