What advice do you have for people who are considering switching to Linux?
For individuals, switching to Linux has become an easy transition thanks to tons of good books, helpful USENET groups, useful Web sites and easy to install distributions.
However, many corporations are still switching to Linux the old-fashioned way. Someone in MIS becomes tired of rebooting the blue-screen servers and switches one to Linux. Then one Linux server becomes two, and so on. IMHO, such a process often lacks a proper migration strategy and can result in an expectation mismatch.
I think large corporations interested in switching to Linux must make a strategic migration plan and execute it with expert help so that expectation mismatch is avoided. A migration plan that includes user training, security measures, and expert review can yield a long-lasting positive Linux experience for everyone involved.
What's your take on the adoption of Linux in the enterprise? Do you think it will give a boost to security?
Linux is already in many large and small enterprises throughout the world. Corporate adoption of Linux is very important for the growth of Linux as a professional server OS platform.
The consulting arm of my company is dedicated to Linux and other great open source technologies. We have helped many enterprises deploy Linux in their core business functions. It is our professional experience that many CEOs, CTOs and CIOs are more aware of security risks today than ever before. They are now asking for security blueprints as part of new development or migration, which is good news for their customers. In short, security is finally "in" and it will play an active role in the design, development, and deployment of the IT infrastructure of the future.
What do you think about the full disclosure of vulnerabilities?
It's a double-edged sword. With full disclosure, consumers can gain information about potentially pending risks due to a break-in. This can potentially hurt a business if customers associate break-ins with negligence. Therefore, corporations will have to take a proactive role in managing information security. IT security funding should grow, which would mean growth in security products and services -- a very good thing.
Unfortunately, full disclosure can also benefit the bad guys. But in the long run it should do more good than harm.
What's the most careless act in system administration you've ever seen?
My company works in the email space a great deal. We often find system administrators leaving their email servers open for spam relay, which is very careless.
Another common issue we notice frequently is that site administrators often leave PHP error_reporting turned on on a production site. This is very dangerous, since it can often reveal important information that bad guys can abuse.
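Both of the careless settings named in this last answer can be checked on a host in seconds. The following Python audit is an added example and not part of the interview or of any product mentioned in it; the php.ini and Postfix main.cf fragments it inspects are constructed for illustration and the hostname in them is a placeholder. One caveat a practitioner would add to the PHP point: error_reporting decides which errors PHP generates, while display_errors decides whether they are written into the HTTP response. The production-safe combination is error_reporting = E_ALL with display_errors = Off and log_errors = On, so paths, stack traces and query fragments reach the log but not the browser. For the mail side, the script applies Postfix's own relay rules: a mynetworks entry with a zero-length prefix trusts every client, and the restriction list (smtpd_relay_restrictions on Postfix 2.10+, smtpd_recipient_restrictions on older releases) must reach reject_unauth_destination or defer_unauth_destination before any bare permit.

```python
"""Audit php.ini and Postfix main.cf fragments for two classic careless settings:
PHP error output sent to visitors, and an open SMTP relay.
Added example; the config text below is constructed, not from a real site."""
import ipaddress
import re

# --- constructed samples: a careless production host and a hardened one ---
PHP_INI_WEAK = """
; constructed sample: errors are displayed to the client and never logged
[PHP]
error_reporting = E_ALL
display_errors = On
log_errors = Off
"""

PHP_INI_HARDENED = """
; constructed sample: keep reporting everything, but only into the log
[PHP]
error_reporting = E_ALL
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
"""

POSTFIX_WEAK = """
# constructed sample: trusts every client and never refuses relaying
myhostname = mail.example.com
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit
"""

POSTFIX_HARDENED = """
# constructed sample: relay only for loopback and authenticated users
myhostname = mail.example.com
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_kv(text):
    """Parse 'key = value' files (php.ini, Postfix main.cf).
    Drops ';' and '#' comments, ignores [section] headers and honours
    Postfix-style continuation lines (leading whitespace)."""
    conf, last = {}, None
    for raw in text.splitlines():
        body = raw.split('#', 1)[0].split(';', 1)[0]
        if raw[:1] in (' ', '\t') and last and body.strip():
            conf[last] += ' ' + body.strip()      # continuation of previous value
            continue
        line = body.strip()
        if not line or line.startswith('[') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        last = key.strip()
        conf[last] = value.strip().strip('"')
    return conf


def audit_php(conf):
    """Findings for php.ini settings that leak error text to the client."""
    findings = []
    # display_errors is what puts messages into the response; On/1/stdout/stderr all enable it.
    if conf.get('display_errors', '').lower() in ('on', '1', 'stdout', 'stderr', 'true', 'yes'):
        findings.append('display_errors is enabled: paths, stack traces and SQL fragments '
                        'are shown to visitors; set display_errors = Off')
    # Turning display off must not mean losing the errors: keep log_errors on.
    if conf.get('log_errors', '').lower() not in ('on', '1', 'true', 'yes'):
        findings.append('log_errors is not enabled: set log_errors = On and an error_log '
                        'so errors are still recorded server-side')
    return findings


def audit_postfix(conf):
    """Findings for main.cf settings that turn the host into an open relay."""
    findings = []
    for entry in re.split(r'[,\s]+', conf.get('mynetworks', '')):
        if not entry:
            continue
        try:  # Postfix writes IPv6 as [::1]/128
            net = ipaddress.ip_network(entry.replace('[', '').replace(']', ''), strict=False)
        except ValueError:
            continue  # hostnames / lookup tables are not audited here
        if net.prefixlen == 0:
            findings.append(f'mynetworks contains {entry}: every client is trusted, so '
                            f'permit_mynetworks relays mail for the whole Internet')
    # Postfix 2.10+ uses smtpd_relay_restrictions for relay control; older releases
    # rely on smtpd_recipient_restrictions. Rules run in order and a bare 'permit' ends
    # evaluation, so the unauth_destination guard must come first.
    for param in ('smtpd_relay_restrictions', 'smtpd_recipient_restrictions'):
        if param not in conf:
            continue
        rules = [r for r in re.split(r'[,\s]+', conf[param]) if r]
        guard = next((i for i, r in enumerate(rules)
                      if r in ('reject_unauth_destination', 'defer_unauth_destination')), None)
        bare = rules.index('permit') if 'permit' in rules else None
        if guard is None or (bare is not None and bare < guard):
            findings.append(f'{param} = {conf[param]}: relaying to non-local destinations '
                            f'is never refused; add reject_unauth_destination')
        break
    return findings


def audit_all(php_text, postfix_text):
    """Run both audits over raw config text; returns {'php': [...], 'postfix': [...]}."""
    return {'php': audit_php(parse_kv(php_text)),
            'postfix': audit_postfix(parse_kv(postfix_text))}


if __name__ == '__main__':
    for label, php, mta in (('careless', PHP_INI_WEAK, POSTFIX_WEAK),
                            ('hardened', PHP_INI_HARDENED, POSTFIX_HARDENED)):
        print(f'== {label} host ==')
        for area, items in audit_all(php, mta).items():
            for finding in items or ['no findings']:
                print(f'  [{area}] {finding}')
```

The check is deliberately conservative: it does not attempt to resolve hostnames or lookup tables in mynetworks, so a `hash:` table that happens to list the world would pass it, and on a production host the authoritative view is `postconf -n` and `php -i`, not the files on disk.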