Keeping Track of All Avenues of Attack

By Don Reisinger  |  Posted 2009-11-19

10 Lessons Google Must Learn About OS Security

Much has been made of Google's intentions in the operating system space. The company has made it clear that it wants its products to be used on netbooks. It wants to be the first major company to deliver an online operating system that can compete with the likes of Windows 7 Starter Edition and Linux distributions. But is Google really prepared for the challenges that await it? Creating and maintaining an operating system is a dirty business. It takes a lot of effort and understanding of what malware producers are trying to do.

Realizing that, Google needs to be prepared. It needs to understand that how well it secures the online world means nothing when it comes to operating system security. Sure, its creation will be an online OS, which makes it a little different from Windows or Mac OS X, but the basic premise remains: Malicious hackers want to take control over operating systems for their own financial gain. It's sad, but true.

That's why Google must learn some basic lessons if it wants to be successful in the OS space. Here are some lessons that Google will definitely need to face:

1. Malicious hackers want in

The first lesson Google must learn is that malicious hackers want to hit as many computers and their users as possible. For the most part, that has meant that they've focused their time on Windows. But as Mac OS X gains in popularity, they have switched gears to also target Apple's operating system. Given the hype and fanfare that will undoubtedly surround Chrome OS, it's not beyond the realm of possibility for Google to have to face many more malicious hackers than it might expect. They want in. There's no doubt about it.

2. Users need all the help they can get

When it comes to operating system security, some of the blame can be placed on users. They click on attachments they shouldn't, they open links to unknown places and much more. Realizing that, Google needs to do what Microsoft and Apple have done and make Chrome OS as simple as possible. Important security matters should be handled by the software. Users simply can't be trusted to make the right decisions.

3. Nothing is totally secure

It's easy for software vendors to say that their operating systems are the most secure on the market, but it's even more important for them to acknowledge that no matter how safe an operating system might be, it's never totally secure. Overconfidence could get Google into trouble. Is the operating system secure? Sure. But be ready for exploits. They will be coming.

4. Google presents a big target

Google should also realize that it's a major target. The hacker community is not fond of Google. The community considers Google, like Microsoft, to be a major target that it wants to take down. So far, hackers haven't been all that successful with the company's search and online products. But that could all change when Google attempts to maintain security on an operating system. Watch out, Google.

Keeping Track of All Avenues of Attack

5. Online is the new frontier

The hacker community is also fully aware that the future is in the cloud. It might be able to make boatloads of cash exploiting desktops today, but soon, all the money will be made online. We've seen a change in focus over the past few years as more hackers have targeted e-mail, social networks and other online sites. Chrome OS falls right in line with that.

6. Open source is great, but not totally secure

Chrome OS may be open source, but that doesn't mean that Google shouldn't worry. Open-source software has been the victim of major attacks on various occasions. To believe that open-source software will be able to fend off sophisticated attacks from determined hackers who really want to break into an operating system is ludicrous. Yes, an open-source approach might help Google patch holes sooner than with closed software, but it won't stop the exploitation if the software isn't developed well enough.

7. Spoofs, phishing and Web attack tactics

Since Chrome OS is online, Google will need to be especially concerned about Web attacks, which have quickly become an easy way for attackers to take control. Now more than ever, hackers are using spoofed e-mail addresses, phishing attacks, credentialing tricks and other techniques to exploit users while they feel safe online. Since Chrome OS is solely in the cloud, malicious hackers might ramp up their efforts in those areas.

8. Third parties don't care as much as you do about OS security

Attention, Google: Third-party developers won't care nearly as much about the security of your platform as you do. Microsoft knows that. Apple has made its operating system extremely closed because of it. Now it's your turn. Unfortunately, third-party developers create software in many cases that is riddled with holes that hackers can exploit. That causes a hailstorm of trouble. Furthermore, such software might take much longer to patch. Be prepared for third-party holes, Google.

9. What about the hardware?

Another obvious concern is the safety of data on hardware, such as external hard drives or USB keys. Responding to that concern, Microsoft added its encryption service, BitLocker, to mobile drives. The software, called BitLocker To Go, encrypts portable media. Google will also need to address that problem. More people than ever are bringing important data with them wherever they go. If Google doesn't make it simple and easy to secure that data, it can't rely on users to do it. And who knows what could come back in that USB key?

10. Enterprises care most

If Google wants to be a major player in the operating system market, it needs to realize that it's the enterprise, not the consumer, that will help it acquire more market share. And if it wants to capture significant market share, it will need to satisfy enterprise requirements and concerns, one of which is increasingly becoming the security of enterprise data. Unless Google can address that, it will have some serious growing pains as it brings Chrome OS to market on netbooks (a recent enterprise favorite) and possibly on desktops and notebooks.

Rocket Fuel