Hackers' Preferred Entry Point Is Tough To Close

Sidebar story to "Guarded Optimism"

information Staff, Contributor

July 3, 2002


One of the biggest headaches of security management is keeping up with the stream of patches that vendors publish to plug security holes in server operating systems. But the alternative is less appealing: leaving open hackers' favorite route to break into companies.

Almost half of U.S. companies say that known operating-system flaws were a primary means used in the past year to attack their systems, according to information Research's Global Information Security Survey. That's up sharply from a third in 2001. So it's no surprise that improving operating-system security, cited by 63% of North American companies, is the highest tactical priority for the coming 12 months. What's unsettling is that security managers won't find a great answer to their problems.

Companies want flexible operating systems that integrate easily with many applications, and the strongest security measures require trade-offs and a level of rigidity. Some of the choices include using open-source operating systems that many administrators consider more secure, deploying software that enhances the security of existing operating systems, or just continuing to find and patch vulnerabilities before the hackers exploit them.

Points Of Entry

A final option hasn't caught on beyond industry-specific uses such as governments and financial institutions. It requires scrapping the more popular operating systems for what are known as trusted, or hardened, operating systems. The notion dates to the early 1980s, when the Defense Department and intelligence agencies developed a set of standards aimed at creating impenetrable computing systems. The Trusted Computer System Evaluation Criteria standards, commonly known as the Orange Book, were made publicly available but never took off.

A few companies sell hardened operating systems, such as Argus Systems Group's PitBull LX for systems based on Linux, Solaris, and AIX; Hewlett-Packard's Virtualvault, a trusted version of HP-UX 11.0; Sun's Trusted 8 Operating Environment; and SGI's Trusted Irix for Unix. These replace the operating-system kernel with one that restricts which operations a user with root access can perform, so an intruder can access only a small part of the system.

Super security used to sport a super-sized price tag, but these systems have become more reasonable. Argus' PitBull LX starts at $3,000.

But most managers still come out like Brian Amirian, the hosting director of a major entertainment company that considered, but rejected, a hardened operating system because of higher management costs and incompatibility with custom applications.
