The need for security to protect the data on systems and networks has skyrocketed in recent years. Cybersecurity professionals perform a wide variety of different roles, including:
- Analyzing the security of systems and networks by performing penetration testing and vulnerability assessments (cybersecurity analysis).
- Monitoring and reacting to security breaches to mitigate data loss (cybersecurity response).
- Investigating and performing post-mortem analysis of a security breach to identify the data accessed and the exploits used by the attacker (cybersecurity forensics).
- Implementing technologies and processes to harden the security of systems and networks (cybersecurity administration).
How Does Linux Apply to Cybersecurity?
Linux plays an incredibly important part in the job of a cybersecurity professional. Specialized Linux distributions such as Kali Linux are used by cybersecurity professionals to perform in-depth penetration testing and vulnerability assessments, as well as provide forensic analysis after a security breach.
Moreover, Linux is the operating system used on most network devices and security appliances, including routers, firewalls, next-generation firewall (NGFW) devices, unified threat management (UTM) gateways, virtual private network (VPN) concentrators, intrusion detection systems (IDS), intrusion protection systems (IPS), security information and event management (SIEM) appliances, wireless access point (WAP) devices, and more. Consequently, to collect security-related data from these devices or perform security hardening, you must first understand Linux.
Of course, on-premises and cloud-based Linux servers that host services and data will also be a focus of any cybersecurity professional. This is especially important today considering that most servers in the cloud run Linux, and that more and more companies are moving their data to the cloud.
5 Key Areas of Linux for Cybersecurity Professionals
In short, if you are planning on working as a cybersecurity professional, you’ll definitely need an excellent working knowledge of the Linux operating system. In this blog post, we’ll examine five key areas of Linux that cybersecurity professionals must master.
- Linux System and Network Administration
Regardless of whether you are performing penetration tests, forensic analysis or security monitoring of a Linux server, network device or security appliance, you will need to understand how to perform key system and network administration functions within Linux. This includes understanding a plethora of different commands and file locations. More specifically, you’ll need to use the appropriate commands to complete the following:
- View system information (architecture, kernel version, filesystem layout, installed packages, running processes, user sessions)
- View and modify network configuration (IP configuration, open ports, open sockets, open files, installed services)
- Determine how the Linux system starts services (SysV Init or Systemd), as well as start/stop key services and processes
- Modify key system and service configuration files
- Identify how events get logged (rsyslogd or journald) and the location of log files
- Install software on the Linux distribution (yum, dnf, apt, zypper, etc.)
- View and work with the different physical and logical filesystems on the system (mount points, LVM, ZFS, btrfs, etc.), including imaging data on a filesystem for analysis and evidence gathering using utilities such as dd
- Analyze the content of key or suspicious files
- Connect to remote systems using a wide variety of different methods, including ssh
Regular expressions are powerful wildcards used alongside certain Linux utilities to search system files and logs for key events on a wide variety of network devices and servers. Even logs on Windows servers are often collected by Linux systems (including those running SIEM), where regular expressions can be used to narrow down key security-related events.
When used properly, regular expressions can be used to determine whether a system or network has been breached, as well as the depth of the security breach and actions that the hacker performed.
For example, you can use complex Linux regular expressions to search configuration and log files for pivoting (the process by which a hacker gains access to one system and then uses that system to gain access to other trusted systems easily). Once you’ve found evidence of a security breach, you can use the information you’ve found to perform a granular search of system and log files on a series of different network devices and servers using regular expression to trace the path a hacker has taken on your network, the systems that they have compromised, and the data that they have accessed.
Both SELinux and AppArmor are application-focused security modules on Linux systems that provide a high level of protection against attacks. Nearly all Internet-accessible Linux servers and Linux-based network and security devices implement either SELinux or AppArmor to prevent applications from performing tasks that may compromise system and data security.
As a result, you should understand the in-depth configuration of both SELinux and AppArmor for use when hardening any Linux-based system. When analyzing an existing system with SELinux or AppArmor, it’s also important to identify the policies enforced and exceptions allowed by the security module. Moreover, both SELinux and AppArmor log information related to intrusion attempts and security breaches that is invaluable to cybersecurity professionals who are monitoring security or performing forensic analysis.
There are hundreds of open-source tools that any cybersecurity professional would consider useful as part of their security toolkit. Some are useful within all areas of cybersecurity (analysis, response, forensics or administration), while others may be useful in a single area. Many come pre-installed on security-focused Linux distributions such as Kali Linux, while others can be installed as necessary.
As a cybersecurity professional, you should familiarize yourself with the in-depth usage of information gathering tools (such as nmap) that can be used to learn more about systems on the network (a process called reconnaissance or footprinting). Additionally, you should master tools that are useful for vulnerability analysis (such as OpenVAS), traffic analysis (such as WireShark) and penetration testing (such as Ettercap, Metasploit, arpspoof, macof and many more). Since most cybersecurity professionals collect security information centrally using a SIEM for analysis, you should also know how to install, configure and use Linux-based open-source SIEM solutions such as Alienvault OSSIM.
Whether you are performing cybersecurity analysis, response, forensics or administration, you will need to leverage many different Linux commands, as we’ve discussed in the previous four points. Since many of these commands can be reused in the future within similar cybersecurity situations, you should always consider putting them within BASH shell scripts that you can save for later use. I keep an arsenal of cybersecurity-related BASH shell scripts that I’ve built over the years within a folder on all of my systems to ensure that I can perform cybersecurity analysis, response, forensics or administration as quickly as possible. And when it comes to security, quick response is vital.