Bryley Basics: Setup your Android or Apple phone as a burner

/in , , /by

Anna Darlagiannis and Gavin Livingstone, Bryley Systems Inc.

Wouldn’t it be great to have a disposable phone-number; one you could use to make calls to an unavoidable person that you’d rather not have call you back?  Well, you can now get Burner from Ad Hoc Labs, Inc.

Burner creates phone-numbers on your existing phone.  You can create multiple burner numbers, temporary or long term, which are accessed through the app.

Burner is perfect for keeping your phone-number private.  Potential uses include:

  • First dates,
  • Selling items on craigslist, and
  • Responding to nuisance situations.

Basically, any time you wish to remain anonymous and keep your real phone-number private, you can call or text through Burner and avoid the hassle of a potential call-back or text-back.

Burner starts at $1.99 and can be purchased through App Store (Apple) or via Google Play.  Pricing is based on functionality:

  • Number of texts sent,
  • Number of minutes used, and
  • Number of days the phone number stays active.

Burner is, however, free to download and Ad Hoc Labs provides a free trial – you can test a free burner phone-number for up to seven days.

More Ransomware – Jeez, I’m getting sick of this topic!

/in , /by

Gavin Livingstone, Bryley Systems Inc.

Guess what:  Cyber crooks are killing it!  According to Kaspersky Labs, over 700,000 people late 2015/early 2016 gained the privilege of stress-testing their backup strategies or forking over money (and a comment on their vulnerability) to some overseas creeps who view every server and workstation as a potential cash cow; this was 5x the amount of people reporting similar issues in late 2014/early 2015.  And, the attacks are getting more sophisticated, and much more effective.

Sure, it is constantly in the news and we are all concerned, but many of us are like the proverbial Ostrich, sticking our proverbial (yes, I meant to repeat proverbial; I like the way it sounds; proverbial, proverbial, proverbial) heads in the sand.  And, it is costing us significant money!

To recover from Ransomware, we recommend backups that follow the 3:2:1 rule:

  • Three copies of your data
  • Two media types
  • One offsite

This simple rule, when followed diligently using a professional-grade backup application with at least daily, monitored, encrypted backups, can save your data from Ransomware, disasters, and other ills.  (Windows Server Backup, although improved, is not a professional-grade backup application since it lacks logging, which can lead to unintended consequences, particularly when swapping backup media on a daily basis and trying to verify previous, good backups.)

Case in point:  We saved an organization that relied on Windows Server Backup with a single, attached USB drive (no media swapping). It was attacked by Cerber Ransomware, which was inadvertently downloaded to the Windows PC of a user with administrative rights.  (Cerber Ransomware is licensed to cyber-criminals, who pay royalties for its use; these royalties are sent back to its originators in Russia.  It emerged in March 2016 and has recently targeted Microsoft Office365 users.)

The virus on the server went to high-value accounts, concentrating on encrypting data and Windows Server Backup files while making it appear that all files within most folders were already encrypted (although only about one in 10 had been encrypted initially).  Some interesting points:

  • The virus was injected into User Accounts in their AppData/Remote folder, which executed when the user logged onto the network.
  • Over 25,000 data files in about 1500 folders were encrypted.
  • All Windows Server backup files on attached drives were encrypted and renamed to @@@@@@@@.server with the current date or no date.
  • The requested ransom was $2,000; 2.725 bitcoins.

In broken English, the attackers noted:

  • “You have turned to be a part of a big community #CerberRansomware.”
  • “…we are the only ones who have the secret key to open them (your files).”
  • “Cerber … is not malicious and is not intended to harm a person…”
  • “…created for the sole purpose of instruction regarding information security.”

The upshot:

  • We rebuilt the server and reintroduced it to the network.
  • The Network Administrator’s workstation was wiped clean and rebuilt.
  • With significant effort, we recovered 90% of the company’s original data.
  • We now professionally backup this site using our remote Bryley BU/DR.

Related:

  • Anyone and everyone is a target; these criminals are happy to get a few hundred dollars each from millions of potential “customers”.
  • A solid backup plan is only one step in your line of defense; security requires a multi-layered approach.
  • Don’t pay cybercriminals; one Kansas hospital paid the ransom, and was told to pay again! Plus, you become an unwitting target for future attacks!

Please see these issues of Bryley Tips and Information (BITs):

Please also see Cyber-Security Firm:  Crypto-Ransomware Infections have reached Epidemic Level by Jonathan Keane of DigitalTrends on 6/24/2016.

Bryley Basics: How to identify the ransomware source on a computer network

/in , /by

Mike Carlson and Gavin Livingstone, Bryley Systems Inc.

Mike Carlson, CTO and a young, 20-year employee at Bryley Systems, had these suggestions on what to do when you get ransomware on your computer network:

  • Identify the end-user login name associated with the ransomware “How to decrypt” text files that are placed in the shared folders. (You would look at the properties of all of these text files to determine the originator.)
  • Remove this end-user’s workstation from the network immediately; preferably disconnect the network cable, but, if not feasible, power it down.
  • Restore all encrypted files from backup.
  • Erase the infected workstation(s) completely, then rebuild it.

In addition, we offered these suggestions in our July 2015 Bryley Information and Tips (BITs):

  • To be prudent, change online and system passwords
  • Create forensic images of infected computers
  • Preserve all firewall, Intrusion Prevention, and Active Directory logs for potential analysis by law-enforcement officials

These three can’t hurt, but the first one won’t stop the next attack and the last two are a bit of a stretch; it seems unlikely that the criminals will ever be pursued unless they happen to be working in this country (which also seems unlikely).

The US Computer Emergency Readiness Team (US-CERT) defines ransomware, its variants, and some solutions at Alert TA16-091A, Ransomware and recent variants.

Active Directory and its uses

/in , /by

Gavin Livingstone, Bryley Systems Inc.

Microsoft’s Active Directory (AD) is not well known, but it is a critical component in securing Windows Server-based networks.

Active Directory, introduced with Windows Server 2000, is included with most versions of Windows Server, but is also available as a service1.  Its primary function is to facilitate authentication and authorization of users (members) and resources within an AD domain.  (An AD domain is a logical collection of users, computers, groups, and other objects; multiple domains can be created for different sites or groups, and trust relationships can be established between these domains.)

One of AD’s greatest strengths is to permit the centralized creation of user and group-based policies; it can then enforce these policies, ensuring that members comply with login and usage requirements.  Plus, it logs policy violations and login attempts, supporting the automation of error-log-checking solutions.

Basic AD services include:

  • Domain Services (AD DS) – Stores and verifies member credentials
  • Lightweight Directory Services (AD LDS) – A limited-feature version of AD DS
  • Certificate Services (AD CS) – Public-key certificates supporting encryption
  • Federation Services (AD FS) – Single sign-on functionality; AD and non-AD
  • Rights Management Services (AD RMS) – Management of access rights

Single instances of AD DS run on a server; once AD DS is deployed, this server is known as a domain controller (DC).  Most Windows Server-based networks have two or more domain controllers; a primary DC and secondary DC(s) to provide failover directory (via replication) and location-based access to the directory.

During login, users authenticate to the primary DC or to a secondary DC.

Active Directory is managed through a series of tools; most are included within Windows Server, but third-party tools2 exist that provide better control and automation, particularly for larger organizations managing complex environments.

Best practices for AD design include3:

  • Build a logical structure based on a hierarchical, tree-like approach:
    • Forests – Top-level container (not always used)
    • Domains – Second-level containers within forests
    • Organizational units – Third-level containers within domains
  • Construct a physical model to address location requirements/constraints:
    • Place at least one domain controller (preferably two) at each site
    • Determine placement of replicas of domain data
    • Describe network topology
    • Consider traffic limitations

AD design tips4 include:

  • Keep it simple
  • Match site topology to network topology
  • Ensure you have at least two DNS servers
  • Try to dedicate a server as a domain controller

Security best practices for AD include5:

  • Rename or disable the Administrator account
  • Physically secure domain controllers and servers
  • Apply Group Policy settings to restrict users, group, and computer access

Basically, Active Directory forms the heart of any Windows Server-based network; it is a critical component, even when using Cloud-based resources.  (Cloud-based resources can often be integrated within AD through Federated Services.)

References

1Active Directory as a service is available through Microsoft’s Azure Active Directory, Bryley Systems’ Hosted Cloud Server™, and other providers.

210 Must-Have Active Directory Tools by Walker Rowe of Anturis, 4/14/15.

3Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks from the Microsoft Developer Network.  (These are dated, but extremely detailed.)

410 Tips for effective Active Directory design by Brien Posey of TechRepublic, 8/23/2010.

5Active Directory Best Practices at Microsoft TechNet on 1/21/2005.

Bryley Basics: How ransomware attacks

/in /by

Eric Rainville and Gavin Livingstone, Bryley Systems Inc.

Most ransomware attacks through email; an end-user unwittingly opens an innocuous attachment within an email, which then loads software that quietly encrypts all data files.  Once completed, it announces its accomplishment (Hooray!) and provides instruction on how to pay the ransom (through an anonymous, online payment method) to then receive the key which removes the encryption.

The only effective ways to prevent ransomware:

  • Block the email before it is distributed to the email recipient.
  • Train email recipients to not open email attachments from uncertain sources.

Once infected, the recommended recourse is to restore the encrypted files from backup. (We recommend that you do NOT pay the ransom; this will likely put you at risk for future infections.)

An example of a recent ransomware email:

From: info@yortax.com

Sent: Wednesday, February 17, 2016 10:48 AM

To: XXX

Subject: February payment

Importance: High

We’re ready to pay, just need you to confirm the payment details.

Check the invoice, it’s attached, and let me know if everything is correct.

We will remit the payment as soon as we hear from you.

Thank you

This variant of ransomware infects a computer in a step-by-step fashion:

  • The email recipient opens the attached Microsoft Word (.doc) file.
  • The body of the text within the .doc file is a picture that tells the email recipient to “Enable editing features” and shows how to do so.
  • The email recipient follows this instruction and enables editing features.
  • Once editing features are enabled, the original .doc file downloads a document to your appdatatemp location and opens it at this location. (It looks like the same exact document, but with a different name.)
  • As requested, the email recipient again enables editing features, which causes an executable (.exe) file to be downloaded to the same location; the .exe either runs right away or runs at the next startup. (Sometimes, the .exe does not start encrypting files right away; it may have a timer to lie dormant and wait for a period of time.)

For remediation tips, see Dealing with CryptoLocker from the July 2015 issue of Bryley Information and Tips (BITs).

The value of a computer-network assessment

/in /by

Gavin Livingstone, Bryley Systems Inc.

Most situations benefit from an assessment – Firefighters assess the structure, locale, and availability of resources (water) before rushing into a burning building; politicians (hopefully) assess the potential consequences before stating their position on a controversial topic; my insurance company wants to assess the damage before they fix my car.

Business owners and decision-makers use assessments continuously:  Useful, structured information is key to reducing risks and to measuring these risks against the intended result.  An assessment simply allows one to read the current state, consider the desired outcome and potential consequences, and provide (hopefully) all of the information needed to make a superior decision.

In order to make an informed business decision on your IT investment and future, you need comprehensive, factual information on the current state of your IT infrastructure, focusing on at least these topics:

  • Business goals, needs, and budget
  • Applications, Cloud or on-premise, and their operating environments
  • End-users devices (workstations, notebooks, mobile devices, printers, etc.)
  • Network equipment (servers, SANs, firewalls, switches) and Cloud options
  • Exceptions to best and standard practices

To do so, you would request a computer-network assessment, which identifies network-based and Cloud-based assets; it should also expose security gaps and all other issues that could impact uptime.

Done right, an assessment should include:

  • Business:
    • Review business goals relative to mission-critical technology.
    • Determine current and future needs in terms of applications, users, network capacity, and Cloud options.
    • Define the available budget to address these goals and needs.
  • Applications:
    • List each application; include vendor-contact information.
    • Identify all users of each application and their operating environment.
    • Assess application’s environment for current and future needs.
  • End-user devices:
    • Create a configuration sheet for each device with relevant details.
    • Assess capacity of device compared to current and future needs.
  • Network equipment and Cloud options:
    • Create a configuration sheet for each on-premise item with full details.
    • Assess capacity of equipment compared to current and future needs.
    • Identify software licenses:
      • Review non-OEM licensing.
      • Verify license count to server settings and actual users.
    • Identify and assess Cloud options.
  • Exceptions:
    • Identify exceptions to standard practices.
    • Identify environmental exceptions.
    • Create exceptions document.

Bryley Systems offers an entry-level service, Network Assessment/Basic™, but also offer two higher-value network-assessment options:

  • Network Assessment/Plus™
  • Network Assessment/Pro™

Network Assessment/Basic™ provides basic information at a modest investment.  It includes the following:

  • Deployment of our secure, non-invasive, network-assessment tool for one-time collection of data (followed by immediate removal of this tool).
  • Brief, non-client-facing review of these reports by a Bryley Engineer.
  • Presentation of these network-infrastructure reports:
    • Network Assessment PowerPoint – Summary with risk and issue scores
    • External Network Vulnerabilities Summary – External vulnerabilities
    • Client Risk Report – Overall risk score with risk-area charts
    • Site Diagram – A Visio-style graphic of network assets

Network Assessment/Plus™ is a mid-level approach with additional reports and an in-depth review with written comments.  It includes the deliverables above plus these additional items:

  • In-depth, non-client-facing review with comments from a Bryley Engineer.
  • Presentation of these additional, network-infrastructure and security reports:
    • Full Detail Report – Unfiltered details on configurations and activity
    • Internal Vulnerabilities Report – Deviations from industry standards
    • Network Security reports – Proprietary Security Risk Score
    • Security Assessment reports –Security policies and login

Network Assessment/Pro™ is an all-inclusive effort with an onsite, client-facing presence by a Bryley engineering team and a complete, detailed write-up with recommendations.  Its purpose is to review and document all assets, security gaps, and related issues identified via our network-assessment tool and an onsite, visual examination.  These findings are documented, along with all relevant reports from our network-assessment tool, and are presented onsite to the recipient.

Click here to see our current promotion on Network Assessment/Basic™.  You can also email ITExperts@Bryley.com or call 978.212.5806.

Recommended Practices:  Dealing with CryptoLocker

/in , /by

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

CryptoLocker surfaced in the fall of 2013; it is a ransomware trojan that, upon activation, encrypts all data files to which the infected end-user has read-write access, and then demands payment to decrypt.  It typically hides as an attachment within a phishing email and can even work over a home user’s VPN connection to encrypt data files on the organizations’ server(s).

cl-ex

The cyber-criminal’s intent is to receive untraceable payment via cyber-currency in exchange for a decryption key to unlock the data files, forming a one-to-one relationship between the cyber-criminal and the infected user:  The cyber-criminal knows the user is infected and awaits payment; if thwarted in his/her extortion attempt, that information is retained by the cyber-criminal, which could reduce future efforts to pursue your organization.

Of greater concern; if an individual or organization pays the ransom, that information is also known, recorded, and potentially shared for future attempts.  Basically, if you pay the ransom, you may be targeted for new efforts.

The cyber-criminal is likely acting within a crime syndicate; he/she might not even be technically savvy since CryptoLocker tools are readily available and easy to use.

We have recently seen a significant upswing in CryptoLocker attempts; the source emails spoof the email addresses of known parties while the attachment might carry a seemingly harmless “PDF” extension.  The message is compelling; an end-user unwittingly clicks the attachment and starts the process.

The first best step is prevention:

  • If feasible, use group policies or AppLocker to restrict software execution1
  • Limit access only to needed files; make them read-only where appropriate
  • Update security patches on all operating systems and end-user applications2
  • Deploy and continually update anti-malware apps on all end-user devices2
  • Deploy a robust, anti-spam solution that can block executables2
  • Consider blocking or quarantining all incoming attachments
  • Setup a backup routine that addresses data files frequently3

For more information, Jonathan Haskell of ComputerWorld reviews group policy restrictions in his article:  “CryptoLocker:  How to avoid getting infected and what to do if you are”.  Also, Third Tier and SMB Kitchen have jointly released a CryptoLocker Prevention Kit to assist in developing these group policies.

Education is also critical4:

  • Schedule regular training reviews with your end-users
  • Demonstrate to your end-users how to spot potential threats
  • Discuss the dangers of clicking attachments, even those from known sources

If you are infected by CryptoLocker5:

  • Identify the infected computer and remove it from the network
  • To be prudent, change online and system passwords
  • Create forensic images of infected computers
  • Preserve all firewall, Intrusion Prevention, and Active Directory logs for potential analysis by law-enforcement officials

Index of referenced articles:

1 See the January 2015 Bryley Tips and Information article: Recommended Practices:  Manage End Users via Active Directory and the February issue for the article: Recommended Practices – Part 7:  Resource Management via Active Directory.

2 See the June 2015 Bryley Tips and Information article:  Recommended Practices:  IT security cheat-sheet.

3 See the April issue of Bryley Tips and Information for Bryley Basics:  How ransomware (CryptoLocker) makes backups more critical.

4 See the May 2015 Bryley Tips and Information article: Recommended Practices: Basic IT training for end users

5 View detailed prevention and response techniques in CryptoLocker Prevention and Remediation Techniques, presented by fishnet security.

Bryley Basics: Free anti-malware plug-in for WordPress

/in , /by

Intel Security’s McAfee group now offers a free McAfee SECURE certification plug-in for WordPress-based websites.  This plug-in protects WordPress websites from unwanted malware while site-visitors can verify a site’s integrity by right-clicking on the McAfee SECURE logo (shown below).

McAfee Secure Icon

The free version covers the first 500 site-visitors each month; a paid version (about $80 per month) accommodates more than 500 visitors and allows for some different themes for the trust-mark itself.

James Wheeler, our Internet Marketing Associate, installed the plug-in in May; at first, it did not initially deploy the trust-mark properly, but has since been working reliably at Bryley.com since early June.

Recommended Practices: IT security cheat-sheet

/in , /by

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

All organizations are at risk of a breach in IT security, whether externally (by a party outside the organization’s computer network) or internally (by a person connected to the organization’s computer network); studies show that even small companies are targeted externally, primarily because they are more vulnerable than larger organizations who can dedicate resources to combat external threats.

Organizations take great efforts to secure their data; they have firewalls, spam blockers, anti-malware applications, intrusion detection, etc.  However, the greatest threat comes from within:  End-users often inadvertently introduce malware (via web browsing or email-attachment clicking), which can spread across the network or attack confidential data.

Effective IT security requires a layered approach; it is comprised of multiple solutions at different points-of-entry and areas of concern.  It must be setup properly, but must also be continually monitored and then updated as appropriate.  Security should be periodically reviewed by an IT expert and, if budget permits, tested to ensure what is expected is what is received.

Effective IT security also requires ongoing training for all users and monitoring and enforcement of usage policies.

For an overview on IT security, I recommend viewing Derrick Hughes’ Ten ways to prevent a data breach and secure your small business in The Globe and Mail.

Here is our checklist, organized by security concern:

1.) Computer network:

  • Deploy, update, and monitor stand-alone firewall(s) between all external networks (IE: Internet) and the organization’s network.
  • Deploy, update, and monitor an email/spam-protection capability.
  • Deploy, update, and monitor an event-log management capability.
  • Deploy, update, and monitor intrusion-prevention/detection capability.
  • Lock-down wireless access points.

The first line-of-defense from external threats is a professional-grade, stand-alone firewall configured to refuse unwanted traffic from external sources while permitting only desirable connections.  It should be supplemented with email/spam protection; either as a Cloud-based service or via an internal appliance.  Event-log management and intrusion prevention/detection are also available either as a service or appliance; both are recommended, but budget versus benefits must be considered.

Enable Service Set Identifier (SSID) for internal-use wireless access points.

2.) Servers, their operating systems, and their applications:

  • Test and then install all recommended security patches/firmware updates.
  • Manage operating system and application security-updates continually.
  • Deploy, update, and monitor anti-malware application on all servers.
  • Monitor continuously and review periodically for anomalies.

Servers, whether in-house or Cloud-based, contain not only valuable data, but also end-user information (usernames, passwords, profiles, etc.) that can be manipulated and used to infiltrate.  They, their operating systems, and server-based applications, must be aggressively patched, protected through anti-malware, and monitored continuously.

Anomalies in performance and event logs can highlight potential security risks; both should be reviewed periodically.

3.) Data:

  • Identify at-risk data and its location; keep only what you need.
  • Outsource payment processing to a reliable, third-party partner.
  • Verify security of vendors and partners with access to your data.
  • Where performance permits; encrypt data at-rest and in-motion.
  • Deploy an encrypted backup solution with onsite and offsite storage.

Company data should be classified as to its value and stored accordingly.  It is best always encrypted, although many organizations might not have the processing power to permit such.

Rather than process payments onsite, many third-party vendors provide this service, but they should be verified before engaging.

Data backups should be encrypted and follow the 3-2-1 rule for reliability:

  • Three copies of important data
  • Two different media types
  • One copy offsite

4.) End-user devices, operating systems, and applications:

  • Manage operating system and application security-updates continually.
  • Deploy, monitor, and update anti-malware app(s) on all end-user devices.
  • Test and install security-required firmware updates to end-user devices.

End-user devices are a primary target; they are difficult to secure and change continually.  However, end-user tools also share some blame:  Karen A. Frenkel of CIO Insight writes in “How Malware Bypasses Detection Tools” that 81% of IT professionals believe that web-browser-initiated malware can remain undetected by security tools and that the primary attack vector is an insecure web browser.

End-user devices, their operating systems and their applications must also be aggressively patched, protected through anti-malware, and monitored continuously.

Occasionally, a manufacturer will issue an alert for a security-required update to an end-user device, which should be applied as soon as possible.

5.) Usage:

  • Lock-down user rights to restrict data access to as-needed basis.
  • Require complex passwords with forced, periodic changes.
  • Enforce periodic time-outs when computer is left unattended.
  • Separate social-media browsing from financial-data handling.
  • Require two-factor authentication for all online transactions.
  • Create end-user policy detailing appropriate Internet use.
  • Create end-user policy on how-to protect sensitive data.
  • Enable web-monitoring capability to enforce policies.
  • Protect email via encryption (as needed).

Data should be restricted, preferably by need-to-know.  (Crypto Locker can initially only attack data available to the end-user introducing this virus.)  Complex passwords with periodic changes can restrict untrusted access while forced time-outs keep private information from unwanted eyes.

Setup a separate login account or device for access to financial-data.  All online financial transactions must have two-factor authentication.

Policies should exist to inform end-users; they can be enforced through web-monitoring solutions.

Sensitive emails should be encrypted (via a service or appliance) while sensitive documents can be transferred via a secure FTP site.

6.) Training:

  • Define an organization’s best practices for IT security.
  • Demonstrate how to spot an unwanted ad while browsing.
  • Train users how to verify a website link (before clicking it).
  • Show how to verify an email attachment (before opening it).
  • Train users to check the address of an email’s sender/source.

Data breaches occur due to the inadvertent introduction of malware, sometimes through the failure to comply with policies designed to limit inappropriate behavior, but often through a lack of IT-security knowledge and training.

50% of corporate employees do not consider IT security to be their responsibility; Millennials are at greater risk than Baby Boomers due to their use of company devices for personal use (64%) and willingness to change default settings (35%).  (These findings are highlighted in Karen A. Frenkel’s of CIO InsightsMillennials Pose a Greater Security Risk”.)

The more training, the better.  Initial training should be acknowledged by the recipient and then tested for knowledge gained.  Security training should be repeated periodically; preferably at least annually.

7.) Maintain a Written Information Security Plan (WISP):

  • Assign a responsible person.
  • Define and announce the WISP.
  • Review WISP periodically (at least annually).
  • Document changes to WISP when they occur.
  • Periodically test, assess, and rework policies and procedures.

The Commonwealth of Massachusetts, under statute 201 CMR 17.00, requires a WISP for all organizations that hold personal information on any Massachusetts resident.  The WISP must be assigned to an Information Security Manager, periodically reviewed, and changes must be documented.  All WISP policies and procedures must be periodically tested, assessed, and reworked as needed to ensure maximum, ongoing protection.

Visit Bryley Systems’ 201 CMR 17.00 Seminar.

Bryley Basics: Microsoft Windows is not as vulnerable as Apple OS or Linux

/in , , /by

Due to their size and complexity, it is difficult to completely secure a computer operating system, which leaves them vulnerable to attack.  With the number of reported hackings, most might consider Microsoft Windows to be extremely vulnerable, but Windows actually ranked less vulnerable than Apple Mac OS X, Apple iOS, and Linux.

This ranking was made by GFI Software in 2014, which reviewed popular operating systems and the number and rating of reported vulnerabilities.  GFI reported these top-5 results:

  1. Apple Mac OS X – 147 vulnerabilities; 64 High, 64 Medium, and 16 Low
  2. Apple iOS – 127 vulnerabilities; 32 High, 72 Medium, and 23 Low
  3. Linux – 119 vulnerabilities; 24 High, 74 Medium, and 12 Low
  4. Microsoft Windows Server 2008 – 38 vulnerabilities; 26 High and 12 Medium
  5. Microsoft Windows 7 – 36 vulnerabilities; 25 High and 11 Medium

Microsoft’s Internet Explorer, however, was ranked as the most-vulnerable application followed by Google Chrome, Mozilla Firefox, Adobe Flash Player, and Oracle’s Java.

See the article from Swati Khandelwal of The Hacker NewsWindows?  NO, Linux and Mac OS X Most Vulnerable Operating System in 2014.