Tuesday's Petya slam dunk by the bad guys, which may or may not have been a state-sponsored swipe at Ukraine, was only one of several wake-up calls during the last couple of months for the folks taking care of IT security.
At least they should have been wake-up calls, but by the carnage left behind it looks as if a lot of folks have been operating their server rooms on autopilot. Not only were there patches at the ready to plug the vulnerabilities Petya used to do whatever it did (other than the fact that it probably wasn't ransomware, what it did hasn't been entirely sorted out yet), but I've heard credible first-hand reports from several largish corporations that didn't have available backups.
Incredible credible reports, I should say. How is it possible for any business to not have backups more than 20 years into the internet age?
Because Petya only chased after Windows, in typical but understandable knee-jerk fashion, the media has been full of stories on how to secure Windows servers and workstations, not only against Petya but with best security practices to protect against the next, as yet unknown, threat. Linux admins, meanwhile, are most likely breathing a sigh of relief, content in the knowledge that they're using the invincible "other" operating system.
Except, of course, Linux isn't invincible. I was reminded of this on Tuesday, while scrambling to find information on Petya.
On June 10, a web hosting company in South Korea, Nayana, was hit by ransomware that affected 153 Linux servers, which knocked out the websites of over 3,400 businesses being hosted by the company. Not good. In this case, the ransomware was Erebus, which was first detected as Windows malware in September, but which has since been ported to Linux. Initially the black hats wanted $1.62 million in bitcoins for the keys to decrypt, a figure that Nayana negotiated down to $1.01 million to be made in three installments, with the final payment not due until after two batches of servers had been successfully decrypted.
I bring this up only to illustrate that the next malware round can strike at any time and on any platform. In fact, on Tuesday, at the same time Petya was wreaking havoc on Windows, a patch was made available for a vulnerability in systemd, the default init system in most modern Linux distributions, that could be leveraged by remote attackers to run malicious code using a specially crafted DNS response.
In other words, while Windows admins are busy today and tomorrow making sure all their holes are plugged, Linux admins might want to join them and do the same.
As a checklist, I've found a bullet list of best practices for securing Linux servers and systems from security company Trend Micro, which I'm offering with my own comments:
- Keep the system and server updated: You might start by patching CVE-2017-9445, the systemd vulnerability. While you're at it, check to make sure you've applied all security and bugfix updates. It goes without saying that a strong patch management policy should be established if you don't have one, and enforced once you do.
- Avoid or minimize adding third-party or unknown repositories or packages: This one should be a no-brainer, but often isn't. Third-party repositories should only be added if you completely know and trust the organizations behind them. While you're checking for repositories to remove, you might want to remove or disable any unnecessary components or services on the server while you're at it.
- Apply the principle of least privilege: I would expect this to go without saying on Linux machines, but I'm sure I'd be proved wrong. After all, big companies seem to be running without backups. Don't forget to restrict the sudo privileges of users in the sudoers list according to their needs.
- Proactively monitor and validate your network traffic: This is your first line of defense against attempts to find weaknesses in your system. Remember, no matter how rock-solid you think your system is, it can be penetrated. Use intrusion detection systems and firewalls, and keep an eye on event logs. You might even want to set up a honeypot to get a handle on who's trying to pick the back door lock.
- Back up your files: Back up and back up often. How often? That depends on how much data you can afford to lose. A small organization might get away with daily backups. Large organizations: hourly or even more frequently. Trend Micro suggests there be "at least three copies in two different formats, with one stored offsite."
- Apply network segmentation and data categorization: Network segmentation is a dual win, for not only will it help slow the spread of an infection, it should boost performance as well. Data categorization will help limit the data available to a particular attack vector, thereby limiting the damage that might come from the attack.
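Three of the checklist items above (restricting sudo, keeping third-party repositories out, and keeping backups fresh) can be turned into routine checks. The bash helpers below are an added example, not Trend Micro's or the author's code; the sudoers and sources.list text at the bottom is constructed sample input, and the mirror allow-list and the /var/backups path are assumptions to adjust for your distribution.

```shell
#!/usr/bin/env bash
# Audit helpers for the checklist above (added example, not Trend Micro's code);
# the sudoers and sources.list text at the bottom is constructed sample input.
# Print sudoers rules that give a non-root principal full root (ALL=(ALL) ALL)
# or passwordless root (NOPASSWD: ALL); reads stdin, returns 1 if any found.
audit_sudoers() {
  local found=0 line re_nopass='NOPASSWD:[[:space:]]*ALL'
  local re_all='\(ALL(:ALL)?\)[[:space:]]*ALL[[:space:]]*$'
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                                    # strip comments
    [ -z "${line// }" ] && continue                       # skip blank lines
    case "$line" in "root "*|Defaults*) continue ;; esac  # expected entries
    if [[ "$line" =~ $re_nopass ]] || [[ "$line" =~ $re_all ]]; then
      printf 'broad sudo rule: %s\n' "$line"; found=1
    fi
  done
  return "$found"
}
# Print the host of every enabled apt source (deb/deb-src line) whose host is
# not in the comma-separated allow-list of vendor mirrors given as $1.
list_untrusted_repos() {
  local allow="$1" line kind rest host
  while IFS= read -r line || [ -n "$line" ]; do
    read -r kind rest <<<"${line%%#*}" || true
    case "$kind" in deb|deb-src) ;; *) continue ;; esac
    [[ "$rest" == \[* ]] && rest="${rest#*\] }"           # drop [signed-by=...]
    rest="${rest#*://}"; host="${rest%%[/ ]*}"
    case ",$allow," in *",$host,"*) ;; *) printf 'third-party repo: %s\n' "$host" ;; esac
  done
}
# Return 1 when no regular file under the backup directory is newer than
# $2 hours: a backup that is never refreshed cannot restore yesterday's data.
check_backup_age() {
  local dir="$1" max_hours="$2"
  [ -d "$dir" ] || { printf 'missing backup dir: %s\n' "$dir"; return 1; }
  [ -n "$(find "$dir" -type f -mmin "-$((max_hours * 60))" | head -n 1)" ] && return 0
  printf 'no backup newer than %sh in %s\n' "$max_hours" "$dir"; return 1
}

SAMPLE_SUDOERS='Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/bin/rsync'
SAMPLE_SOURCES='deb http://deb.debian.org/debian bullseye main
# deb http://old.example.net/debian bullseye main
deb [signed-by=/usr/share/keyrings/x.gpg] https://ppa.example.org/ubuntu focal main'
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers || echo "sudoers needs review"
printf '%s\n' "$SAMPLE_SOURCES" | list_untrusted_repos 'deb.debian.org,security.debian.org'
check_backup_age /var/backups 24 || true   # Debian's default backup dir; adjust to yours
```

On a real host, feed `visudo -c -f` output or `/etc/sudoers` and `/etc/sudoers.d/*` to the first helper, and `/etc/apt/sources.list` plus `/etc/apt/sources.list.d/*.list` to the second.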
All of this puts more drudge work on the to-do list, but it needs to be done. And kept at the top of the list instead of down in the "when I get around to it" section where it'll never get done -- until someone brings the system down.