We all know hackers like to target people like us. Why wouldn’t they? We have access to some of the most critical – and valuable – data our organizations generate. Patient records, billing details, unpublished research – if we store it on our IT systems, hackers will target it. How do they get access to that, you ask? We’ve covered some of the ways before here and here. But in this physician’s guide to secure operating systems, we want to talk about the biggest attack method: hacking.
A 2019 study by Verizon found that 52% of all breaches had “hacking” (meaning system compromise) as a root cause, with a further 15% closely related (system misuse or error). That number lumps together many sub-factors, but even a cursory reading of the report shows that attackers specifically target software applications and their underlying operating systems (OSes). Today, we will look at OSes and discuss a few that offer stronger security protections than most.
A Quick Aside
As an aside, we understand you or your IT staff may not want to do full system migrations to new OSes. Especially in healthcare, software developers usually create applications for Windows without concerning themselves with convenience or cross-platform compatibility (hi Epic!). You may have to use Windows no matter what, and that’s okay; we can still help you secure Windows, macOS, and Linux just fine.
We mostly want to share this list for reference, should your practice change its IT infrastructure in the future. Others may find this list useful for securing their private data outside of the practice, like on a travel laptop. Finally, we will not cover OSes built for offensive security work, like Parrot OS, Kali, or BlackArch. Their developers designed them to help IT security professionals run penetration tests and similar assessments, and we’ll consider them out of scope for this article.
Now that we got that out of the way, what do we consider the most secure OSes in the world?
Secure OS Options
Of all the options we’ve ever reviewed, Qubes stands out as the most secure OS on the market. Not only do such security wizards as Edward Snowden, Micah Lee, and Isis Agora Lovecruft all endorse Qubes, I (Mark) personally prefer it over all others. I don’t give recommendations lightly, so let’s look at why I prefer Qubes over the other options.
At a high level, Qubes isn’t an “operating system” in the sense you would expect from Windows, Linux, or macOS. Rather, Qubes is built on a “bare metal” hypervisor called Xen. A hypervisor runs other OSes (normally called “virtual machines” or “VMs”) and mediates every connection between those OSes and your computer’s physical hardware. Attackers have a much harder time compromising a hypervisor because its attack surface is far smaller than that of a full desktop OS. On top of Xen, Qubes keeps several “template” OSes and spins up copies of those templates based on what you want to keep separate. Qubes calls these copies “qubes”, and adds protective measures (like colored window borders and per-qube network access) so that data kept in one qube can’t quietly move to another. The practical effect: an attacker who compromises an application in one qube gets only what that qube holds. To reach anything else, they must either break out through the Xen hypervisor (or the privileged administrative domain, dom0) or compromise each of your other qubes one by one.
Qubes OS offers myriad other protections on top of that, such as the ability to route all of a qube’s Internet traffic through Tor via Whonix, disposable/temporary qubes, dedicated qubes for the network card and USB devices (sys-net and sys-usb), and Anti Evil Maid protection against tampering with the boot process.
However, using Qubes will require you to break certain insecure habits, and because of that, it isn’t terribly user-friendly. For example, copying and pasting between two qubes takes four separate key combinations instead of your normal Ctrl+C, Ctrl+V: you copy inside the source qube, push the clipboard to the global clipboard, pull it into the destination qube, then paste. Qubes also makes it more work to apply updates or install software: you update or install in the template, shut the template down, then restart each qube based on that template so it picks up the change. Not the easiest, but if you truly care about security, Qubes handles it the right way.
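As an added example (our own helper, not code from the Qubes project), here is a small POSIX shell script that automates the update-then-restart routine described above. It assumes the Qubes 4.x command-line tools are available in dom0 and that `qvm-ls --raw-data -O NAME,CLASS,STATE,TEMPLATE` prints one pipe-separated row per qube; both are assumptions about your Qubes version, so check the field list on your system first. The sample listing at the bottom is constructed for illustration so the filtering logic can be tried without Qubes installed.

```sh
#!/bin/sh
# Added example: update a Qubes template, then restart every running qube based on it.
# Assumes the Qubes 4.x CLI (qvm-ls, qvm-run, qvm-shutdown, qvm-start) is available in dom0,
# and that `qvm-ls --raw-data -O NAME,CLASS,STATE,TEMPLATE` emits rows like
#   work|AppVM|Running|debian-11
# Both are assumptions about your Qubes version, not something this article guarantees.

# Print the names of running AppVMs whose template is $1, reading the listing from $2.
# Pure text processing, so it can be exercised without Qubes installed.
running_dependents() {
  _template="$1"
  printf '%s\n' "$2" |
    awk -F'|' -v t="$_template" '$2 == "AppVM" && $3 == "Running" && $4 == t { print $1 }'
}

# Fetch the live listing from dom0 (assumption: raw, pipe-separated output).
live_listing() {
  qvm-ls --raw-data -O NAME,CLASS,STATE,TEMPLATE
}

# Update the template's packages (Debian-based template shown), then shut it down so
# the updated root filesystem is what dependent qubes boot from next time.
update_template() {
  qvm-run -u root --pass-io "$1" 'apt-get update && apt-get -y dist-upgrade'
  qvm-shutdown --wait "$1"
}

# Restart one qube so it picks up the updated template.
restart_qube() {
  qvm-shutdown --wait "$1"
  qvm-start "$1"
}

# Full routine: snapshot which qubes are running on the template, update it,
# then cycle each of those qubes. Note that sys-net or sys-usb may be among them,
# so expect a brief loss of networking or USB while they come back.
refresh_template_and_dependents() {
  _listing="$(live_listing)"
  update_template "$1"
  for _vm in $(running_dependents "$1" "$_listing"); do
    restart_qube "$_vm"
  done
}

# Constructed sample listing (not taken from a real system) for trying the filter offline.
SAMPLE_LISTING='work|AppVM|Running|debian-11
personal|AppVM|Halted|debian-11
vault|AppVM|Running|fedora-36
sys-net|AppVM|Running|fedora-36
debian-11|TemplateVM|Halted|'

# Only touch real qubes when explicitly asked, e.g.  QUBES_APPLY=1 ./refresh.sh debian-11
if [ "${QUBES_APPLY:-0}" = 1 ]; then
  refresh_template_and_dependents "$1"
fi
```

Run it with `QUBES_APPLY=1 ./refresh.sh debian-11` from dom0 to update the `debian-11` template and restart only the qubes that were actually running on it; halted qubes pick up the new template automatically the next time they start, so there is no need to touch them.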
It’s also free and open-source! Please see the Qubes OS introduction page for further details.
OpenBSD is a free and open-source Unix-like OS designed with security in mind. The OpenBSD developers pride themselves on code correctness, comprehensive review and auditing, and a default install that needs minimal tweaking by users. What they do works: since the OS’s first release in 1996, people have found only two remote code execution vulnerabilities in the default install, ever. Further, OpenBSD developers have created or pioneered some of the most widely used security protections and tools in use today, like OpenSSH, bcrypt(3), an early free IPsec stack, and address-space layout randomization (ASLR) enabled by default.
OpenBSD has all the security features I like. However, I haven’t used it as my “daily driver” since 2013. The reasons vary, and most don’t relate to OpenBSD per se. For OpenBSD specifically, I had the hardest time working around the initial lack of a clean graphical user interface (GUI). I believe the developers intend for us to use OpenBSD for IT infrastructure (like firewalls and web servers) as opposed to desktop use. This means (a) GUIs don’t matter as much, and (b) not much comes with the base install.
Regardless of the developers’ intent, I’ve found a base install of OpenBSD difficult to convert to a desktop OS. OpenBSD comes with Xenocara as a basic framework for GUI functionality, but you don’t want to use Xenocara as your actual GUI itself – it’s hideous. Most people would use a more “normal” desktop environment like KDE, GNOME, or XFCE. However, I always had issues getting my XFCE settings preserved across reboots and with the installation of GUI dependencies. I’m definitely not saying I blame the OpenBSD team for this; I was still in grad school and didn’t have a lot of time to get things working. But I remember struggling so much that I eventually moved back to Arch Linux (and that’s a whole ’nother story). I’ve played around with it in the past year or so, and I’ve noticed significant improvements. But I fundamentally prefer other OSes and recommend using OpenBSD mostly for secure infrastructure setup.
For more information, please review the official FAQ.
TAILS is a free and open-source Linux OS designed for preserving privacy and anonymity in hostile environments. The developers designed TAILS to run from a USB drive or CD/DVD. Because TAILS never touches the computer’s hard drive, a (possibly-compromised) installed OS never learns that we used TAILS at all. TAILS forbids itself from writing information anywhere an attacker could recover it besides RAM. Even in RAM, TAILS erases its presence since (a) it wipes RAM upon shutdown, and (b) RAM loses its contents “naturally” within minutes of power-off regardless. TAILS comes with a full suite of secure productivity tools like an email client, a web browser, the LibreOffice office suite (a free equivalent of Microsoft Office), the Electrum Bitcoin wallet, and various encryption tools. Further, TAILS routes all traffic through the Tor anonymity network for further privacy. You can even make TAILS install additional software each time you use it, as well as securely store important files across uses, through its encrypted Persistent Storage. The TAILS developers regularly patch security vulnerabilities and push out new versions as fast as possible.
I love TAILS and use it pretty regularly for my more sensitive correspondence and research – the built-in OpenPGP integration comes in handy. My only real complaint has nothing to do with TAILS – the Tor network is painfully slow. I’ve waited literal minutes for a single webpage to load. The Tor designers intended this to ensure maximum anonymity, but as an everyday user, I usually prefer something faster. I also dislike having to re-set up TAILS every time they release a new version, but again, I consider that a net benefit, all things considered. I’d rather have to reinstall a secure OS every few weeks rather than have my most important financial, business, and personal records stolen due to an unpatched weakness.
Read more at the TAILS official introduction here.
Although the project may have died, we still wanted to mention Subgraph OS. Subgraph works somewhat similarly to Qubes OS, offering a multi-layered security approach (called “defense-in-depth” in the industry). At the application level, each piece of software runs in a dedicated container, meant to isolate the application from the underlying OS as much as possible. This means that if a high-risk application (like a PDF reader, email client, or web browser) gets compromised, the attacker should have no access to the underlying OS. Even if they break out, the attacker has a few more layers to get through: a “metaproxy” that routes all traffic through the Tor network, an application firewall that can block all outgoing connections by default, a grsecurity-hardened Linux kernel, and a fully-encrypted filesystem. Finally, like all good secure OSes, the developers have released Subgraph for free and have provided the source code on GitHub.
Unfortunately, we can’t recommend actual use of Subgraph for one reason – the developers label Subgraph an “alpha” release. That means they still have quite a few bugs to fix and features to add. Just as importantly, their last release dates to September 2017. As a result, we can’t verify the current security of the OS to the extent we would like. Right now, you should use or test Subgraph as a curiosity only, not deploy it in production environments. However, the principles behind Subgraph look promising and we hope the developers create new releases soon, or that someone else takes over the project.
One more thing – it appears that someone has done some work related to Subgraph as recently as two months ago (see here), meaning the project may not have completely died. We cannot confirm this as official development, however.
The Subgraph team has provided an easy-to-read introduction here.
We actually want to share a few other secure OSes, but in order to save some space, won’t list a summary. Feel free to review the links listed below for more information.
- Whonix – a set of VMs designed for anonymous computer usage through the Tor network
- TENS – a US Air Force-developed OS for accessing secure IT networks from insecure devices
- Discreete Linux – a “live USB” OS designed to protect against information theft or malware infection; dead project
- IprediaOS – anonymizes and encrypts network traffic through the I2P network; dead project
We’ve provided some examples of reasonably-secure operating systems, like Qubes OS, OpenBSD, and TAILS. As security professionals, we feel comfortable recommending all of them (the active projects, at least). But only you and your trusted IT partner can determine which security features you most desire and therefore which OS to actually use in practice. Please do your own research or partner with us to figure out what security-focused OSes fit your needs the best.