Bridging the Linux security skills gap
Linux is at the very heart of the internet at an infrastructure level and its reach stretches far and wide. So where have all the Linux security experts gone?
Linux has not only been ported to more hardware platforms than any other operating system and runs on more than 450 of the 500 fastest supercomputers on the planet but also happens to be the power behind the Internet. Linux distributions are popular with web hosting services and web developers alike: think LAMP (Linux, Apache, MySQL, Perl/PHP/Python) and you start to get the idea.
That was the question raised by a recent Sophos press release announcing a 'cyber security challenge' which stated quite categorically that while the majority of Internet infrastructure is based on Linux distributions, Linux security experts themselves are scarce. But can this really be the case? I caught up with James Lyne, director of technology strategy for Sophos, who insist that this is unfortunately the case. "Clearly there is a great community of Linux developers and contributors pushing forward the platform, as evidenced by its widespread use and great capabilities" he told me, continuing "it is incredibly common for businesses to set up Linux platforms to host databases, websites or other critical/visible infrastructure for performance, cost or security" but he also insists that there is "a perception that Linux is immune to attack and that malware is a Windows only problem".
Of course this isn't true, not the perception but the reality, and plenty of attacks occur in the hacking realm mainly. "An astonishingly large number of websites running on the LAMP platform fall victim to SQLi or XSS and contribute to the new infected websites we find every few seconds in SophosLabs" James reckons, adding that not only do SQL injection attacks against web applications contribute to the majority of malware distribution on the web but equally "default passwords on Linux systems or exploits can be very dangerous as Linux platforms often host some of the highest value data within an enterprise".
The Sophos case would appear to be that because many of these systems tend to be left in a 'relatively default configuration' with log files unreviewed and without regular patching or hardening, that suggests the existence of security experts focused on Linux taking care of these practices in the enterprise is on the wrong side of scarce. "In some cases where they do exist, they deny the possibility of such attacks out of principle, pointing the finger at Microsoft" James goes on to argue "granted, Microsoft do have a bigger problem but there is also mass awareness of this problem, and a huge industry built around dealing with it".
Not everyone in the security industry agrees, some like Marta Janus, a security researcher at Kaspersky Lab, counter the claims by insisting that there are "many excellent, highly qualified Linux professionals, administrators, developers and security experts" but does admit the topic of Linux security itself, and "especially Linux malware and attacks on Linux machines" remains one that is not very popular and this had led to "a lack of awareness about Linux vulnerabilities and threats amongst the users". So do we need more Linux security specialists or not? Marta is adamant that "good security specialists should have an understanding of all varieties of threats - be it Linux, Windows, Mac OS or other platform related threats" and has a point. As does Professor Kevin Jones, the Head of Computer Science and Researcher in the Centre for Cyber Security Sciences at City University London, who told me that in general there's a shortage of properly trained security professionals in every segment of the space. "It's not clear that the situation is necessarily worse for Linux than for any other platform" Professor Jones says "although there is a tendency for platform specific expertise to be focused more towards the "mainstream" platforms and Linux is not perceived as being that. The number of people vs the need is probably no different for Linux than almost any other platform, especially if the focus is more on servers rather than personal devices".
That doesn't negate the need for a relatively small number of experts with specific technical knowledge of the vulnerabilities of the Linux platform though. "There is a larger need for professionals that have a holistic view of security and risk" Professor Jones continues "Linux has some specific vulnerability vectors in that it is maintained and distributed in a manner that is very different from traditional vendor specific platforms, but that is just one more factor that needs to considered in the overall risk assessment. A competent security professional familiar with a number of platforms ought be well aware of where their knowledge needs to be supplemented to ensure there are no Linux specific issues".
Does that mean there's a need for more education at the basic ICT level, or are we talking about hands-on training here to fill the skills gap? Professor Jones sees it as being a minority concern, and argues that if people get a solid fundamental education in security principles and practices then the extra information necessary to be Linux competent can be covered best in specific training classes appropriate to the background of the individual and the specific need. "I do recognise that there is a need for such expertise" Professor Jones says "but it is niche and so shouldn't overly influence the mainstream. I support good fundamentals in education supplemented by specific technical material in a very focused manner where and for those to whom it is necessary".
But what about enterprises which require specialist expertise in Linux security now, and are impacted by this reported skills shortage? What is the go forward solution that can be started today? David Harley, senior research fellow with ESET, says that they simply need to consider hiring people with a good generalist background as well as experience and interest. They can then "encourage them to develop that interest in the directions the company needs, not least by providing them with good external training. In many cases, they'll end up with staff better suited to their long-term needs".
A philosophical problem
Simon Brown, head of Open Source Technologies at The Bunker, thinks that part of the overall problem is the UNIX philosophy which Linux itself inherits. Part of this philosophy is that the system is composed of many simple components which work together well. To a certain extent, this has carried over into the Linux software stack which commonly favours applications that have a single well-defined purpose, are interchangeable with different implementations, and can be easily integrated with other applications. "This is one of the advantages of Linux - it's flexible, customisable and users are free to solve problems using the best tools for the job" Simon explains.
"However, this less prescriptive approach does mean there is often no single vendor assuring the security of the system as a whole and stopping the inexperienced from shooting themselves in the foot".