DoD Has No Desire to Mitigate Windows Dependency

February 27, 2006: Servers

The United States Department of Defense is one of the largest consumers of Microsoft’s Windows family of operating systems. There are certainly a small number of organizations with a larger install base, but definitely not one as distributed, inter-connected and solely dependent upon Windows to complete just about every facet of work accomplished. The reliance solely on Windows, from the end-user workstation to the back-end server farm, is a huge risk which DoD has shown no desire to mitigate.

There are a staggering number of workstations required for the warfighters throughout DoD. Approximately 95% of these systems are WinTel, with only a very small number being Unix-based. However, even the Unix-based workstations are merely virtual Windows sessions – although the host OS is Unix, the user is performing all work within Windows!

The reliance on Windows is the single biggest weakness in the DoD information assurance strategy. Our adversaries know what we run and use that knowledge to craft specific attacks aimed directly at Windows. The Windows family of operating systems is riddled with vulnerabilities if not properly maintained – this delicate foundation has allowed attackers to compromise DoD networks at will.

The problem, according to a second Army e-mail, was prompted by a “virus called Agent.btz.” That’s a variation of the “SillyFDC” worm, which spreads by copying itself to thumb drives and the like. When that drive or disk is plugged into a second computer, the worm replicates itself again — this time on the PC. “From there, it automatically downloads code from another location. And that code could be pretty much anything,” says Ryan Olson, director of rapid response for the iDefense computer security firm. SillyFDC has been around, in various forms, since July 2005. Worms that use a similar method of infection go back even further — to the early ’90s. “But at that time they relied on infecting floppy disks rather than USB drives,” Olson adds.

There are many strategies for mitigating this type of vulnerability. I previously spoke about defense-in-depth, whereby a layered approach to security strengthens the overall security of the network. Being reliant on a single operating system is wholly anti-defense-in-depth.

To counteract the threat to their networks, DoD needs to incorporate alternative operating systems in their approach to information assurance. It is time to start purchasing Apple workstations and installing strong workstation-based Linux distributions like Ubuntu, Red Hat, Novell and/or Suse. Integrating additional types of operating systems in use throughout DoD will complicate the types of attacks required to successfully compromise DoD networks. The Army understands the threat and has recently purchased Apple workstations as a means of mitigating these vulnerabilities.

While this change in strategy is required to assist in mitigation of many existing known threats, it is not an inexpensive solution. In addition to purchasing new hardware and software licenses, users will require training on these systems. Most DoD users, like most users, are solely familiar with Windows and have very little, if any, experience with Apple or Linux. Education is necessary and the associated costs substantial.

Does the risk associated with staying entirely Windows-based outweigh the funding required to migrate to a multiple OS strategy? According to existing DoD policy, there is absolutely no desire to mandate such a policy. DoD desires to stick with Windows and pray their high-paid system administrators tasked with protecting the network will do what is required of them.

Unfortunately, DoD is going to continue to stick its head in the ground, hoping the holy grail of resolutions is right around the corner and everyone can continue to use Windows in perfect harmony. After all, why upset the delicate balance by incorporating such a radical transformation? For the DoD, as with most of the US government, business as usual is far more essential than change for the better.

  • Jim Mills

    Totally agree. There are a number of viable solutions to the MS software catalog that can be run on OSX or Linux. The hardest part is getting the government powers that be in a proactive mindset rather than a "well this is how we have always done it" mindset.

  • http://intensedebate.com/people/chuckrey Rich Chuckrey

    I'm sure DISA have a Linux-like workstation image approved for the network, no? If they do, could you ramp up a few as a pilot?

  • http://intensedebate.com/people/jark Scott Jarkoff

    Thanks for stopping by Joshua!

    Interesting that you mention administrator access – the fact that someone offered it to you so easily is crazy yet not surprising. All too often this happens in organizations who do not take security seriously.

    Handing out admin access like candy is one of the more dangerous practices which needs to be curbed otherwise organizations will get compromised via one of the various social engineering techniques, and will ultimately end up handing out admin access to an attacker!

    Scary stuff methinks!

  • http://intensedebate.com/people/jark Scott Jarkoff

    While they do not have a Linux workstation image (DISA is not in the business of building images), they do have published STIGs explaining the procedures for properly securing a number of operating systems. Unfortunately, their Linux STIG is geared towards Linux as a server and does not address X at all.

  • http://intensedebate.com/people/jark Scott Jarkoff

    Agreed – that is always going to be the hardest part. It is merely a matter of trying to sell a migration, or better yet a pilot, as a win-win situation for everyone involved. Definitely easier said than done, but completely doable under the right circumstances.

  • Joshua Jones

    Excellent post! I think the majority of companies have the mindset you stated, Scott. It appears too costly to buy new systems and get everyone trained on them. I had the difficult challenge of explaining that very fact recently. Easy to just use Windows and pay the IT guy to give administrator access to anyone who asks.

    Nuts, right? Tested that when I heard, asked for admin access myself. (I'm just a contracted web designer for them) He gave it to me.

    Keep up the posts, hopefully you guys get more readers!

  • http://techmiso.com/706/a-laptop-price-comparison-for-the-mac-haters/ TechMiso :: A Laptop Price Comparison for the Mac Haters

    [...] architecture. People are completely averse to change, so trying to get leadership to inject some defense-in-depth on the desktop operating system side of the house is a hugely tough sell these [...]

  • http://lifeinthenavy.com/ Jim

    I've always wondered why, with all the crap the DoD makes, we have yet to see a hardened-Linux based NavOS, ArmyOS, DoDOS, etc. It makes sense that if we use Linux as a framework, and only install/configure the bare essentials, we'd be less likely to be compromised.

  • http://security-wire.com/ Remove Spyware

    Yeah, Windows is more vulnerable to viruses.

  • Zero11534

    Yes, Windows is a weakness; however, you can’t push out patches using different operating systems, therefore you will need different WSUS-type servers, creating more of a risk than before. Plus the admins are not familiar enough with Mac X to use it. There are a lot of Linux systems on the networks; however, they are built per site. As the DoD is not into giving up its info on what systems they are running, you would never know what is on the full GIG. I for one do not like OSX. Yes, there are fewer viruses for it; however, fewer people use it, so when it becomes used as much it will have the same issue that Windows does. I could list many more reasons NOT to move to Mac, and Linux is well incorporated already, AKA Red Hat and Solaris. Just saying… I think this post is a good opinion; however, it’s just not practical within the next 4-10 years. When IPv6 is fully used in the DoD maybe OSX will be too, hahaha!