2

I am assuming that it should be considered a risk because there may be several security issues of various OSes known to hackers. If a hacker gets access to the victim's network, the extra knowledge will only help the hacker, and will make hidden information more easily available.

Also, can you help me by citing any cases from history where this information led to a hack?

SilverlightFox
In my opinion it is a risk, but we know that risk levels are different and this one is at a low level. – Mirsad Mar 27 '16 at 15:08

3 Answers

3

In my opinion it is an indirect threat that is obtained during the first step in an attack, information gathering.

Knowing what you're dealing with, from an attacker's perspective, helps you prepare a successful attack. The more information obtained during the information gathering process, the more likely it is for an attack to succeed.

It is quite hard, especially for larger organisations, to avoid disclosing this type of information. An example is the human resources department that is instructed to hire technical people. Searching for job opportunities at your target company generally reveals specific details about the infrastructure or the operating system(s) used.

Having said that, it is important to properly secure your network (network segregation), harden your operating system(s) and have proper policies and procedures in place. When this is considered sufficiently done, an attacker that only knows the operating system should not be a big deal.

Ultimately, the attacker will determine what operating systems are used anyway, just not in the information gathering process.

Jeroen
1

From a hacker's perspective, every piece of information that he/she knows about the victim's systems is important. Knowing the operating system allows the attackers to plan their method of attack and determine an exploit that will work best with minimal footprint and give them access.

There are programs that can fool network scanners like Nmap, which can guess the operating system being used based on their network footprint. However, solely relying on such software is security by obscurity and will lead to disaster, as the bad guys always know more than you do.

Give outsiders as little information as you can about your systems. Give them only what they ask for and what they are authorised to read. Never rely on the fact that the details of the OS are not known to an outsider. Always keep your software updated. Read security mailing lists frequently and watch out for potential security exploits about software that you are using. Use operating systems that are built with security in mind, like OpenBSD. When designing systems, always design them to handle the worst possible scenario.

Ray
1

It is a security risk, and not worth worrying about. Hackers who are going to attack will likely use social engineering to trick people into running code. They'll use issues such as those outlined in the OWASP top ten to attack your custom code.

It is incredibly unlikely that the additional knowledge of what servers you're using will make a substantial difference in the effectiveness or speed of an attack.

Also, it is highly likely that your organization has made an implicit choice to reveal that information (and much more) via LinkedIn resumes of current and former staff, and in your job descriptions.

For example, if you advertise for a "server admin (secret OS)" you're going to get fewer and worse resumes than if you ask for "server admin (CentOS v 14)".

So, there are good reasons to reveal it and attackers don't gain much. Worry about other things.

Adam Shostack