As the popularity of Linux continues to increase, so does its attack surface. For organizations, this brings to light a pressing question: Who is responsible for the security of all the Linux instances running your cloud environment?
The vast majority of cloud environments are built using Linux as their foundation, and most of the major cloud providers have founded their services on Linux. The public cloud is migrating to become an open-source operating environment, and Linux is proving to be the dominating force.
Linux's strength originates in its open-source design and network of supporters. The value of Linux is that it’s the most available and reliable solution for critical workloads in data centers and cloud computing environments.
Linux is modular and scalable and can therefore support many use cases. Its ubiquity in use is a natural consequence of its development process. Decades of community development on Linux has resulted in a platform that is stable and configurable enough for everyone. It’s also resulted in many variants, and a single enterprise could have multiple ‘flavors’, including Ubuntu, Redhat, Amazon and others.
All of this begs the question: Who at your organization specializes in Linux? And as mentioned earlier, who is responsible for the security of all the Linux instances running your cloud environment?
Unfortunately, many organizations do not have a good answer for this. I reviewed job postings at the top 10 publicly known enterprise cloud adopters in early August 2021. Only a few of them had Linux admins listed on their job boards.
"Decades of community development on Linux has resulted in a platform that is stable and configurable enough for everyone"
I then used Discover.org, a third-party tool to find technologies used at companies, to dig deeper. Only four of the top 10 listed Linux as being in their environment or had job postings open. None of them were for cloud security of the Linux environment — all were on-premises roles.
Some of this could be bias in data, in addition to job openings at the time of the search, so I talked to a few of our customers. The trend was the same: the internal expertise does not exist or isn’t as strong as it needs to be.
The Linux Threat Landscape
The lack of talent in Linux specific roles contrasts starkly with the Linux threat landscape. Recently Trend Micro released a research report on the state of Linux threats in the first half of 2021, highlighting the most critical security issues. Some of the key findings include:
- Over 100,000 unique Linux hosts reported security events, showcasing a concerning amount of criminal activity targeting them
- In 2020 there were approximately 20,000 vulnerabilities reported, however, only 200 (1%) have publicly known exploits. This gives a clear path forward for security teams who should prioritize patching known vulnerabilities
- Detections were found from end-of-life versions of Linux. These unsupported systems are no longer receiving critical security patches leaving them significantly more vulnerable to future exploits and attacks
- Over 13 million malware events were detected, including coin miners (the largest group at 24.6%), web shells, ransomware, trojans and other attacks
Additionally, in July 2021, there were almost 14 million exposed Linux servers detected by Censys.io, and Shodan detected almost 19 million Linux servers with port 22 exposed, leaving plenty of openings for attackers to target.
These misconfigurations are a prime example of why having strong internal expertise is important to ensure the proper security set-up is in place.
What Does This Mean?
In one way or another, more than 65% of the malware families found by Trend Micro exist in — and run on — Linux.
So let’s add it up: Many enterprises run on Linux, as do their clouds. Yet few organizations have the expertise in house to understand, govern and control their cloud implementations. Personally, I think that sounds like a recipe for disaster.
These are broad brush strokes, but ask yourself as you’re reading this: do you know what your cloud security is in relation to Linux? Do you know how much Linux is even in your cloud environment? Do you and your company have meaningful knowledge of the cloud footprint at your organization?
If not, take time now to begin to implement the foundation for identifying and securing your Linux footprint. Some security best practices to follow are using the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model.
Work with your cloud providers, cloud architects, and technology partners to gain an understanding of your cloud environment, and then create a plan to assess and secure it. Considering today’s threat landscape as it pertains to critical Linux assets, this should be an imperative for any organization today.
