Linux is secure…right?
Credit to Author: Lauren Newby| Date: Tue, 25 Apr 2017 18:45:13 +0000
“There are no threats for Linux servers. Aren’t they built to be secure?”
“Linux servers are so secure and hardened, why do we need security controls on those?”
“I do understand there are threats out there but I am not aware of any major attacks on Linux servers”
If you find yourself nodding in agreement, you’re not alone. There is a common belief that Linux servers are more secure and less vulnerable than Windows servers. Although you’re not totally wrong, you wouldn’t be completely right either, and by acting (or not) on this belief you would be putting your business at risk.
Secure, but still vulnerable.
With more and more servers moving beyond the enterprise boundary and into the cloud, network protection at the host-level becomes increasingly important, as workloads need to defend themselves vs. having a perimeter around them. And remember, workloads include the applications that sit on top of Linux…it’s more than just the OS.
Having a host-based Intrusion Prevention System (IPS) will help protect against vulnerabilities in core operating system AND the application stack running on top. Great examples of network-accessible vulnerabilities with wide-spread impacts are the recent Apache Struts-2 issue, Heartbleed and Shellshock, but there are many more. And just because a vulnerability, like Heartbleed, is a couple years old doesn’t mean that applications and servers are not still vulnerable. In a recent Shodan survey, it showed that Heartbleed was still an available vulnerability on more than 180,000 servers around the world, with the majority of them in the US!
If you run a web server on Linux (running at least 37 percent of the web servers out there according to W3Techs), you need protection against vulnerabilities affecting them, including Apache, Nginx, etc.
Vulnerabilities Covered in and after 2014 (approx.) | Before 2014 (approx.) | Total | |
Non-Windows OS and Core Services | 80 | 230 | 310 |
Web Servers | 114 | 472 | 586 |
Application Servers | 255 | 319 | 574 |
Web Console/Management Interfaces | 113 | 453 | 566 |
Database Servers | 10 | 218 | 228 |
DHCP, FTP, DNS servers | 9 | 82 | 91 |
Table 1: Vulnerabilities Protected by Deep Security
It is very important to not confuse vulnerabilities with threats. While there may be fewer known threats for Linux, if you look at the National Vulnerability Database, there are a similar number of vulnerabilities reported for both Linux, and Windows operating systems.
Malware, designed for Linux
Contrary to popular belief, there is a lot of malware for the Linux platform. While the numbers in comparison to Microsoft Windows are not quite as high, there are still tens of thousands of pieces of malware designed for Linux.
Deploying ONLY anti-malware is inadequate for protecting servers. However, most attacks on datacenters that lead to breach involve the installation of malware as part of the attack chain. This is why compliance and security frameworks such as PCI-DSS (Section #3), SANS CIS Critical Security Controls (Section #8), and NIST Cybersecurity Framework (Section DE.CM-4) all continue to recommend anti-malware as a best practice.
Layered security for Linux workloads
It’s becoming more and more clear that there is no silver bullet when it comes to server security, and that businesses should be using a layered security approach to protect vulnerable Linux machines. Beyond anti-malware and IPS, there are a number of controls that will help to build a robust Linux strategy:
| |
The lesson we learn here is that although Linux is a more secure and reliable operating system option, it’s not your cure-all solution when it comes to security. Like any other platform, some assembly and maintenance is required, and it’s your responsibility to adopt a multi-layered security strategy and manage regular updates to ensure your systems are protected, including the applications that live on those systems. To learn more about Linux vulnerabilities and how to protect against them using Trend Micro Deep Security, read our short research paper here.