Although there are many different operating systems, in all likelihood it will be a flavor of Microsoft’s Windows OS that you will test against. There are other OSs in the wild that have a certain amount of enterprise market presence, but Microsoft still has a massive foothold on the OS market. By the end of 2013, Windows was the installed OS of choice for over 90 percent of the market. That’s a pretty big target! Let’s take a look at some common vulnerabilities of this market dominator:
- Patches, patches, and more patches. Microsoft, being an OS juggernaut, constantly compiles and distributes patches and service packs for their operating systems. But those patches may not get installed on the systems that need them most. As strange as it may seem, constant updating may in itself become a problem. It is not uncommon for a patch or update to be applied and introduce other problems that may be worse than the original.
- Major version releases and support termination impact Windows products. Yes, I have friends who still love their Windows 98 machines. What this translates into is a system with multiple vulnerabilities simply due to age, especially if that system is no longer supported by the manufacturer.
- Attempts at consumer friendliness have been a tough road for Microsoft. What this means is most installations deploy default configurations and are not hardened. For example, ports that a user may never use are left sitting open just in case a program requires them in the future.
- Administrator accounts still remain a tempting target. Admittedly, Microsoft has taken some effective steps in protecting users from unwanted or suspicious code execution, but quite a few systems exist that are consistently running admin accounts without any kind of execution filtering or user account control.
- Passwords also remain a weak point and a tempting target in the Windows world. Weak admin account passwords are common on Windows computers and networks; although these passwords are controlled by Group Policy in an enterprise environment, there are ways to circumvent these requirements, and many system admins do just that.
- Disabling Windows Firewall and virus protection software is an ongoing issue for Windows OSs. The Notification Center does notify the user of the lack of virus protection or a disabled firewall, but that’s as far as it goes. Granted, it’s not something that can be mandated easily, so proper virus protection remains a vulnerability in the Windows category.
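As an added illustration (not from the book), the following PowerShell audit turns the checklist above into read-only checks an administrator can run on a single host: patch age, OS version, firewall profiles, antivirus status, UAC, local admin membership and listening ports. It assumes Windows 10 / Server 2016 or later with the built-in NetSecurity, Defender and LocalAccounts modules, and the 60-day patch window and "expected port" list are assumed thresholds you should tune to your environment.

```powershell
# Added example: read-only baseline audit mapped to the Windows weaknesses listed above.
# Run from an elevated PowerShell 5.1+ session on the host being assessed.
function Get-WindowsBaselineFindings {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Patching: how old is the newest installed hotfix? (60 days is an assumed threshold)
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) {
        $findings.Add("Patching: no installed hotfixes reported")
    } elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-60)) {
        $findings.Add("Patching: newest hotfix $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString()), over 60 days ago")
    }

    # OS age: anything below kernel 10.0 (Windows 10 / Server 2016) is out of mainstream support
    $os = Get-CimInstance Win32_OperatingSystem
    if ([version]$os.Version -lt [version]'10.0') {
        $findings.Add("Aged OS: $($os.Caption) (version $($os.Version))")
    }

    # Firewall: each profile (Domain, Private, Public) should be enabled
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
        $findings.Add("Firewall disabled for profile: $($_.Name)")
    }

    # Antivirus: Defender should be enabled with real-time protection on
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp -or -not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
        $findings.Add("Antivirus disabled, real-time protection off, or Defender not reporting")
    }

    # UAC: EnableLUA = 1 means User Account Control is enforced for admin accounts
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($uac.EnableLUA -ne 1) { $findings.Add("UAC disabled (EnableLUA=$($uac.EnableLUA))") }

    # Admin accounts: more than the built-in Administrator in the local group deserves review
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    if ($admins.Count -gt 1) { $findings.Add("Local Administrators has $($admins.Count) members: $($admins -join ', ')") }

    # Open ports: listeners bound to all interfaces outside an assumed core-service list
    $expectedPorts = 135, 139, 445, 3389
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in '0.0.0.0', '::' -and $_.LocalPort -notin $expectedPorts } |
        Sort-Object LocalPort -Unique | ForEach-Object {
            $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            $findings.Add("Unexpected listener on TCP $($_.LocalPort) owned by $proc")
        }

    return $findings
}

Get-WindowsBaselineFindings | ForEach-Object { Write-Output "[!] $_" }
```

An empty result means none of the listed weaknesses was detected by these checks, not that the host is hardened; Group Policy, service configuration and third-party AV are outside what this script inspects.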
Apple and its proprietary OS are making a larger and larger market presence, boosted by a strong advertising campaign and easy-to-use products. Just a few years ago Apple made an official statement regarding its company status as not a computer manufacturer but an electronics company. Regardless of how Apple classifies itself, the fact remains that more and more Apple products are making their way not just to the local Starbucks but into enterprise settings. In one company I worked for recently, it started with the iPhone. Then all of a sudden we started seeing iPads walking down the halls. Then iMac desktops suddenly started appearing on users’ desks. Can they be classified as toys? Perhaps, but of greatest importance to both system admins and pen testers is that these things are attached to the network.
One interesting site that can be used for general comparison of system vulnerabilities is www.cvedetails.com. A quick perusal of the site for Mac OS vulnerabilities brings up quite a list, such as the following. We intend no Apple bashing, but it’s a definite growing concern for enterprise administrators and a growing target for hackers like us.
- A primary concern among Mac users, and a benefit to the hacking community, is the Mac owner mind-set that Macs aren’t susceptible to viruses or attack. It is an interesting stance considering that the thing they are claiming to be naturally impervious to attack is, well, a computer! Even in my own painful years as a system administrator, the culture was similar even at the enterprise level. I remember calling our national office for guidance on group policies for our newly acquired Apple desktops. Answer: “Um, well, we don’t have any policies to apply or a method of applying them.”
- Feature-rich out-of-the-box performance for many Apples creates quite a juicy attack surface for those looking to break in. Features such as 802.11 wireless and Bluetooth connectivity are all standard in an out-of-the-box installation, and such features are all on the table for a potential doorway in.
- Apple devices simply don’t play well on a Windows domain. Yep, I said it. I’m sure some would fervently disagree, but Apple on a Windows domain is like spreading butter on toast outside in December in Grand Forks, North Dakota. Some features will play nicely, but the majority of those integral features will be a bit hokey. The point here is when stuff begins to get too hokey, administrators and users alike will begin to circumvent the normal processes (for example, appropriate login procedures).
Enter our open source favorite, Linux, which is not a completely foolproof operating system but one with a reputation for being a much more secure player in the OS category than Windows or Apple. As we saw with firewalls, the equipment—or in this case the operating system—is only as secure as the administrator configuring it. With Linux, this is particularly true because the OS does expect users to know what they are doing.
The OS has done a good job of separating administrative tasks from user accounts. Linux users aren’t usually running under the administrative account as superuser or root. This substantially reduces system risk by segregating these functions.
Open source is a double-edged sword. The open source community works hard to ferret out even the smallest issue in different iterations of Linux, but open source also means it’s open. Anybody and everybody are privy to the source code. Because it is open source, Linux is almost always in a beta format to one degree or another. With constant work being done on each release, the beta testers of these releases end up being you and me.