“Is it really all that important to know this Linux and open-source stuff?”
I was talking to a cybersecurity pro the other day when he asked me that question. We were discussing how to implement a security information and event management (SIEM) program for his network. He was interested in using something – anything – to help his security analysts to get more insights into the chronic security issues that had been plaguing his company over the past few years. I recommended a few ways to reorganize his IT department and better communicate with management. Once we discussed that critical piece and had moved on to specific SIEM tools, the topic of Linux arose.
“Well, my friend, Linux is pretty much table stakes.”
I’ve been hearing a colleague use the phrase “table stakes” over the past few years, and I was really excited to steal it from her. I was even more excited to realize that I used it correctly and in context. That’s a pretty important feat for me. She would have been proud.
But back to the Linux question: If you want to just talk about security tools, then yes, Linux is a highly significant part of a cybersecurity professional’s toolkit. It just is.
For some time now, we’ve been talking about the CompTIA Cybersecurity Career Pathway. We’re also working on something similar for infrastructure, which will include certifications like CompTIA A+ and CompTIA Network+. To boot, we’re looking for ways to recognize achievements along those pathways.
How Linux Relates to Cybersecurity
These are a great start. But over the past year when I talk with cybersecurity folks about the topic of security tools, each group and person simply expects their IT workers to have strong Linux knowledge. There are quite a few reasons for this.
First of all, you’ll likely be asked to help secure systems – both installed and virtual – that are either Linux systems or are based on Linux in one way or another. All of those Android phones and tablets? Just “purdified” versions of Linux. All of those IoT systems? They’re running Linux – up to 84 percent, in fact. All of those virtualized Windows servers running the public cloud? The vast majority are running on one flavor of Linux or another.
If you’re interested in security analytics, you’ll need to get your Linux act together, too. The vast majority of Linux tools, from Yara (used to identify malware patterns in software) to AlienVault OSSIM? Open source. And most security professionals prefer to run these tools on Linux systems. What about the intrusion detection system (IDS) software that reports into SIEM tools? Well, there’s Snort, Bro and a dozen other open-source tools, each of which runs natively on Linux. And, ever use Wireshark? Open source. Sure, Wireshark runs great on Windows, or even in a browser. But it all started on Linux.
The other day, I was talking to another friend about how a well-known retailer in the United States was using a bunch of different, cool programs to create its own SIEM program. What I thought was really interesting was that my friend didn’t realize all of these tools were running on Linux. Tools such as Apache Flink and the ELK Stack (Elasticsearch, Logstash and Kibana – now often called the Elastic Stack), all pretty much require Linux. Sure, you can run some of these things on Windows pretty well, but Linux is the platform.
Cybersecurity Pros Can Address Open Source Flaws
Nothing is perfect, of course. We’ve seen recent news about how open-source and Linux systems have been at the root of major, crippling security events over the past few years. From Heartbleed to Shellshock and now the Equifax hack, we’ve seen that open source isn’t perfect. In 2016, we saw major issues, including the glibc flaw and the revelation of a zero-day flaw in the Linux kernel that likely had gone unnoticed for years.
The gifts that open source give us do come with a price, as with anything else. And when you consider that IoT implementations are using Linux in, well, rather questionable ways, it’s clear that cybersecurity folks will have plenty to do. We need more qualified cybersecurity workers.
But that’s the point: learn your Linux and security. Do what it takes to reserve your place at the cybersecurity table. CompTIA Linux+, CompTIA Security+, CompTIA Cybersecurity Analyst (CySA+) and CompTIA Advanced Security Practitioner can help you get there. And CompTIA Penetration Tester (CPT+), what we’re calling our vulnerability assessment certification, is on its way. Each of these certifications – and more – imply the use of Linux and open source. When it comes to understanding the myriad technical skills you need in cybersecurity, I’d argue that you’ve got to get proof that you know Linux.
If certification doesn’t really mean much to you, that doesn’t really matter. The security community expects you to have a firm grasp of the tools and utensils that Linux and open source bring you. If you’re interested in learning more, give me a shout on Twitter, or via e-mail. I’d be happy to spend some time at the (virtual) table and dig in to an open-source tool or two with you.
Also, watch Admin Magazine for my forthcoming article on how security pros around the world use Linux and open source. We can tweet each other about that, too.