Linux is secure…right?

“There are no threats for Linux servers. Aren’t they built to be secure?”

Linux servers are so secure and hardened, why do we need security controls on those?”

“I do understand there are threats out there but I am not aware of any major attacks on Linux servers”

If you find yourself nodding in agreement, you’re not alone. There is a common belief that Linux servers are more secure and less vulnerable than Windows servers. Although you’re not totally wrong, you wouldn’t be completely right either, and by acting (or not) on this belief you would be putting your business at risk.

Secure, but still vulnerable. 

With more and more servers moving beyond the enterprise boundary and into the cloud, network protection at the host-level becomes increasingly important, as workloads need to defend themselves vs. having a perimeter around them. And remember, workloads include the applications that sit on top of Linux…it’s more than just the OS.

Having a host-based Intrusion Prevention System (IPS) will help protect against vulnerabilities in core operating system AND the application stack running on top. Great examples of network-accessible vulnerabilities with wide-spread impacts are the recent Apache Struts-2 issue, Heartbleed and Shellshock, but there are many more. And just because a vulnerability, like Heartbleed, is a couple years old doesn’t mean that applications and servers are not still vulnerable. In a recent Shodan survey, it showed that Heartbleed was still an available vulnerability on more than 180,000 servers around the world, with the majority of them in the US!

If you run a web server on Linux (running at least 37 percent of the web servers out there according to W3Techs), you need protection against vulnerabilities affecting them, including Apache, Nginx, etc.

 

  Vulnerabilities Covered in and after 2014 (approx.) Before 2014 (approx.) Total
Non-Windows OS and Core Services 80 230 310
Web Servers 114 472 586
Application Servers 255 319 574
Web Console/Management Interfaces 113 453 566
Database Servers 10 218 228
DHCP, FTP, DNS servers 9 82 91

Table 1: Vulnerabilities Protected by Deep Security

 

It is very important to not confuse vulnerabilities with threats. While there may be fewer known threats for Linux, if you look at the National Vulnerability Database, there are a similar number of vulnerabilities reported for both Linux, and Windows operating systems. 

Malware, designed for Linux

Contrary to popular belief, there is a lot of malware for the Linux platform. While the numbers in comparison to Microsoft Windows are not quite as high, there are still tens of thousands of pieces of malware designed for Linux.

Deploying ONLY anti-malware is inadequate for protecting servers. However, most attacks on datacenters that lead to breach involve the installation of malware as part of the attack chain.  This is why compliance and security frameworks such as PCI-DSS (Section #3), SANS CIS Critical Security Controls (Section #8), and NIST Cybersecurity Framework (Section DE.CM-4) all continue to recommend anti-malware as a best practice. 

Layered security for Linux workloads

It’s becoming more and more clear that there is no silver bullet when it comes to server security, and that businesses should be using a layered security approach to protect vulnerable Linux machines. Beyond anti-malware and IPS, there are a number of controls that will help to build a robust Linux strategy: 

  • Application Control: helps ‘lock down’ the host to prevent any unknown process or script from running. This prevents the malware from running in the first place or attackers from taking advantage of backdoors that it might have placed on the server.
  • Integrity Monitoring: A new threat is likely to make changes to the system, so it’s important to watch for these. Integrity monitoring helps with monitoring the system for any changes outside of the change window, which tend to be few for your typical production servers.
  • Log Inspection: Scans log files and provides a continuous monitoring process to help identify threats early in the cycle. Attacks like SQL Injection, command injection, attacks against APIs can be seen in the logs and then action taken. 

The lesson we learn here is that although Linux is a more secure and reliable operating system option, it’s not your cure-all solution when it comes to security. Like any other platform, some assembly and maintenance is required, and it’s your responsibility to adopt a multi-layered security strategy and manage regular updates to ensure your systems are protected, including the applications that live on those systems. To learn more about Linux vulnerabilities and how to protect against them using Trend Micro Deep Security, read our short research paper here.

Leave a Reply