Linux Servers: Why Native Security is Not Enough

A Trend Micro White Paper | June 2017

At the application level, for example, the LAMP stack is affected by dozens of vulnerabilities, and the recent Apache Struts 2 vulnerability was being exploited independent of the operating system. Foundational elements such as GNU glibc and OpenSSL are other examples of code which left Linux (and other systems) vulnerable. For reference, a sample list of Linux vulnerabilities can be found in Appendix 1.

It is very important not to confuse vulnerabilities with threats. While there may be fewer known threats for Linux, if you look at the National Vulnerability Database, there are a similar number of vulnerabilities reported for both Linux and Windows operating systems:

[Figure: Linux Vulnerability Search and Windows Vulnerability Search results. Source: https://nvd.nist.gov]

PROTECTING AGAINST NETWORK THREATS WITH INTRUSION PREVENTION (IPS)

An intrusion prevention system (IPS) protects against vulnerabilities in the core operating system AND the application stack running on top of it. Great examples of network-accessible vulnerabilities with widespread impact are Heartbleed and Shellshock, but there are many more. And even though Shellshock has been in the wild since 2014, there are still many (over 180,000) publicly accessible servers that have the vulnerability!

[Figure: publicly accessible servers still vulnerable to Shellshock. Source: Shodan, January 2017]

If you run a web server on Linux (running at least 37% of the web servers out there according to W3Techs), you need protection against the vulnerabilities affecting them, including Apache, Nginx, etc. With many vulnerabilities available and no protection in place, attackers can upload and execute arbitrary code, including installing backdoors, removing/deleting business-critical files, or encrypting the files on the server in a ransomware attack. Examples of weaponized exploitation of some application-level vulnerabilities include:

• SAMSAM, a malware attack that exploited a handful of JBoss vulnerabilities to spread and establish a footprint. See http://blog.trendmicro.com/trendlabs-security-intelligence/lesson-patching-risesamsam-crypto-ransomware/ for more details.
• Rex malware, which targeted Drupal websites. See https://www.trendmicro.com/vinfo/us/threatencyclopedia/malware/ransom_elfrexddos.a

With more and more servers moving beyond the enterprise boundary and into the cloud, network protection at the host level becomes increasingly important, as workloads need to defend themselves rather than rely on a perimeter around them. To give a better understanding of how Trend Micro helps, Table 1 shows the number of relevant vulnerabilities protected by Deep Security. These vulnerabilities affect the core operating system and core services like bind, OpenSSL, Samba, etc., as well as vulnerabilities in various other applications that run on these platforms.

Vulnerabilities Covered                 In and after 2014 (approx.)   Before 2014 (approx.)   Total
Non-Windows OS and Core Services         80                           230                     310
Web Servers                             114                           472                     586
Application Servers                     255                           319                     574
Web Console/Management Interfaces       113                           453                     566
Database Servers                         10                           218                     228
DHCP, FTP, DNS servers                    9                            82                      91

Table 1: Vulnerabilities Protected by Deep Security

DO I NEED MALWARE PROTECTION FOR LINUX?

Contrary to popular belief, there is a lot of malware for the Linux platform. While the numbers in comparison to Microsoft Windows are not as high, there are still tens of thousands of pieces of malware designed for Linux. Threats like Erebus, BASHLITE, Mirai, SAMSAM, Umbreon and LuaBot are some examples; notably, the Mirai botnet is a unique case where the Windows version of the malware came out months later, by which time the botnet had already established a large footprint with the Linux variant. For details on some of these, please refer to:

• https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linuxsecurity-a-closer-look-at-the-latest-linux-threats
• http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linuxrootkit-hits-x86-arm-systems/

In addition to the need to defend against Linux malware, another common use case for "Linux AV" is on file servers hosting Microsoft Windows files. It is not uncommon for a Linux server to host Windows files, and the onus to scan them is on the Linux host.

Aligned with leading industry analyst firms like Gartner³, Trend Micro agrees that deploying ONLY anti-malware is inadequate for protecting servers. However, most attacks on datacenters that lead to a breach involve the installation of malware as part of the attack chain. This is why compliance and security frameworks such as PCI-DSS (Section #3), SANS CIS Critical Security Controls (Section #8), and NIST Cybersecurity Framework (Section DE.CM-4) all continue to mandate anti-malware as a best practice.

³ Market Guide for Cloud Workload Protection Platforms, March 2017, ID: G00302941
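The host-level network protection described in the intrusion prevention section above comes down to inspecting incoming requests against vulnerability signatures before they reach the vulnerable service. The following Python is an added example (not Trend Micro or Deep Security code) of that idea for one case the paper names, Shellshock: it parses a raw HTTP request and flags header values carrying the bash function-definition prefix that published IDS signatures look for; the request samples and all names are constructed for this illustration.

```python
"""Added example: header inspection in the style of a host-level IPS rule.

Not Trend Micro code. Flags request headers whose value carries the bash
function-definition prefix behind published Shellshock IDS signatures, so
the request can be logged or dropped before a CGI handler exports those
headers into the environment of a vulnerable bash.
"""
import re
from typing import Dict, List

# Signature behind published Shellshock IDS rules: a value containing the
# bash exported-function prefix "() {" (whitespace between tokens optional).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (compatible; monitoring)\r\n"
    "Accept: text/html\r\n\r\n"
)
FLAGGED_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: () { :; }; constructed-test-marker\r\n"
    "Cookie: session=abc123\r\n\r\n"
)

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return the header block as a name -> value map (request line skipped)."""
    headers: Dict[str, str] = {}
    for line in raw_request.splitlines()[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:                       # ignore malformed lines without a colon
            headers[name.strip()] = value.strip()
    return headers

def inspect_request(raw_request: str) -> List[str]:
    """Names of headers whose value matches the Shellshock signature."""
    return sorted(name for name, value in parse_headers(raw_request).items()
                  if SHELLSHOCK_RE.search(value))

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("flagged", FLAGGED_REQUEST)):
        hits = inspect_request(req)
        print(f"{label}: {'DROP' if hits else 'PASS'} {hits}")
```

A hit is what an IPS would log and drop; a production rule engine also normalizes encodings and inspects the request line and body, which this example leaves out.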