Companies continue to scramble to secure endpoints and data center systems from constant attack. Admins must know how to both prevent attacks, such as ransomware, and mitigate the ones that get past security measures. This means using encryption, firewalls, routine vulnerability scanning and recovery plans.
The threat landscape continues to change, with new attacks popping up all the time. Admins can't set up systems and hope they remain protected. Rather, they're in a continuous battle to keep adversaries out. Linux server admin David Clinton provides admins blueprints to tackle common Linux vulnerabilities, conduct risk assessments, configure backups and more in his book, Linux Security Fundamentals.
"Everyone needs to be more security-conscious," Clinton said, "whether they have anything to do with infrastructure -- or even just use a laptop."
Linux Security Fundamentals covers security best practices that Linux admins should follow to ensure their infrastructure remains secure and can recover quickly following successful attacks. Through nine chapters, Clinton looked at vulnerabilities and threats, access control, network security, data encryption, risk assessments, backups and recovery plans, and isolation tactics. He rounded out the book by providing readers with review questions at the end of each chapter.
In this Chapter 2 excerpt, Clinton reviews common Linux vulnerabilities that admins should know but sometimes don't. He covers software, hardware and people-created vulnerabilities. The rest of the chapter goes beyond common Linux vulnerabilities and looks at threats, such as credential theft; malware; and network-focused attacks, like man-in-the-middle attacks, denial-of-service attacks and routing attacks.
More on Linux Security Fundamentals
In an interview, author David Clinton covered Linux security best practices around backups, patch management and vulnerability scans.
We're not going to talk about solutions here. That'll be the subject of the rest of the book. But for the rest of this chapter, we are going to try to better understand some of the more common vulnerabilities out there and the kinds of threats that can be used to exploit them.
Whether you're a sysadmin responsible for hundreds of active devices or an end user with a laptop and smartphone, it doesn't have to take much work to keep the software you're running secure. But that doesn't mean enough people actually do it. Recovering from the chaos of an attack will often reveal that the blame lies with a remarkably predictable list of root problems.
The first -- and perhaps most critical -- is the presence of unpatched operating systems and software packages. Linux distributions, of course, include repository management tools -- such as APT (Advanced Package Tool), YUM (Yellowdog Updater, Modified) and snaps -- that can be set to automatically install security updates for all active packages. So it would be foolish not to update your software to the latest versions whenever they become available. Such updates will, ideally, fix any recently discovered security holes. The costs of not patching can be catastrophic.
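As an added illustration (not part of the book excerpt), the following check reads APT periodic settings of the kind Debian and Ubuntu keep in files such as /etc/apt/apt.conf.d/20auto-upgrades and reports whether automatic updates are actually switched on. It assumes the flat `Key "value";` syntax only, and the two sample configurations are constructed for the example.

```python
import re

# Keys read by APT's periodic job. Both must be non-zero for unattended
# updates to run (values are intervals in days; "0" disables the step).
REQUIRED = (
    "APT::Periodic::Update-Package-Lists",
    "APT::Periodic::Unattended-Upgrade",
)

# Assumption: only the flat form  Key "value";  is handled, not nested blocks.
SETTING = re.compile(r'^\s*(APT::Periodic::[\w-]+)\s+"([^"]*)"\s*;')


def parse_periodic(text):
    """Return {key: value} for APT::Periodic lines; later lines override earlier."""
    settings = {}
    for line in text.splitlines():
        line = line.split("//", 1)[0]  # drop // comments
        match = SETTING.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit(text):
    """Return the required keys that are missing, empty or set to "0"."""
    settings = parse_periodic(text)
    return [key for key in REQUIRED if settings.get(key, "0") in ("", "0")]


# Constructed sample: automatic updates enabled.
ENABLED = '''
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
'''

# Constructed sample: the enabling line is commented out and a later line
# turns the upgrade step off, so package lists refresh but nothing installs.
STALE = '''
APT::Periodic::Update-Package-Lists "1";
// APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Unattended-Upgrade "0";
'''

if __name__ == "__main__":
    for name, sample in (("enabled", ENABLED), ("stale", STALE)):
        disabled = audit(sample)
        print(name, "OK" if not disabled else "disabled: " + ", ".join(disabled))
```

On a live system the same function can be fed the concatenated contents of the files under /etc/apt/apt.conf.d/.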
Perhaps, from a security perspective, the most important individual piece of software running on a consumer PC is your web browser. Because it's the tool you use most to connect to the internet, it's also going to be the target of the most attacks. It's therefore important to make sure you've incorporated the latest patches in the release version you have installed and to make sure you're using the most recent release version.
Besides not using unpatched browsers, you should also consider the possibility that, by design, your browser itself might be spying on you. Remember, your browser knows everywhere on the internet you've been and everything you've done. And, through the use of objects like cookies (data packets web hosts store on your computer so they'll be able to restore a previous session state), complete records of your activities can be maintained.
Bear in mind that you "pay" for the right to use most browsers -- along with many "free" mobile apps -- by being shown ads. Consider also that ad publishers like Google make most of their money by targeting you with ads for the kinds of products you're likely to buy and, in some cases, by selling your private data to third parties. So, when thinking about how you really want your private data used, it might not be too far-fetched to talk about a commercial browser itself as a possible vulnerability.
We couldn't leave our "greatest hits of dumb software vulnerabilities" list without mentioning those people who fail to protect their devices -- especially mobile devices that are left logged into sensitive online accounts -- with passwords and screen locks. Or, just as bad, those people who insist on using weak and easy-to-guess passwords. Don't try to hide. You know exactly who you are.
What can go wrong with your hardware? Well for one thing, all hardware will, sooner or later, inevitably fail. But that's not specifically a security issue. There are, however, a couple things that should concern us here.
You should, for instance, protect your compute devices from physical attack. That could mean making sure the door to a server room is locked or a boot-time Basic Input/Output System (BIOS) or Unified Extensible Firmware Interface (UEFI) password is set. It could also involve establishing policies for the use of USB data sticks (which can unknowingly be used to introduce malware into a system) or installing security cameras and a protocol for viewing and archiving the video feed.
The elephant in the room when it comes to IT security is the people in the room. Everything would probably go far more smoothly if we didn't have to allow for more human interference. But given that we won't be eliminating humans anytime soon, you should prepare by properly educating your users (and yourself) to act responsibly around your digital infrastructure.
This includes remaining up to date on the latest phone and email scams that are being launched against your part of the world or your particular industry. It will also mean increasing awareness of the way you talk about your technology use in public, especially via social media posts. You never know who's paying attention. An informed technology user is a much safer technology user.
As you read earlier, all kinds of people and organizations may be watching you carefully for the opportunity to get a piece of what you have. Whether it's a foreign government or some guy with a laptop parked out in front of your house, it's good to be aware of the items on the digital dinner menu they're working from.
Have you ever passed one of those USB flash drives lying abandoned on the sidewalk? It could be someone's wedding pictures and you'd be doing them a big favor by plugging it in and looking for some contact information. But it could also be a booby trap loaded with malware that just can't wait to be activated and let loose on your computer.
Remember Stuxnet? That was the software worm created using the resources and ingenuity of a couple national security agencies and used to physically destroy centrifuges being used for an Iranian nuclear program. How did the worm get so deep into the system? It was apparently carried in on a simple USB drive. So, treat stuff you find on the street with suspicion.
A backdoor is an undocumented (and often, unauthorized) method of accessing a compute device. Device and software manufacturers might include backdoors for perfectly legitimate reasons: to give support teams a way to access and administrate a malfunctioning server, for instance. But they can also be used to let criminals in to work against the interest of the device owners.
About the author
David Clinton is a Linux server admin and AWS Certified Solutions Architect who has worked with IT infrastructure in both academic and enterprise environments. He has written technology books -- including AWS Certified Solutions Architect Study Guide: Associate SAA-C02 Exam, Third Edition (Sybex, 2020) and the Ubuntu Linux Bible (Wiley, 2020) -- and created more than 25 video courses teaching AWS and Linux administration, server virtualization and IT security for Pluralsight. Clinton is also the creator of The Data Project, a free, online resource for teaching yourself data analytics skills and engaging with data stories.