Addressing Man-in-the-Middle Attacks in Linux Server Environments
By: Mohie Ahmed
The benefits of using Linux Servers are well known, and the advantages of leveraging a more open operating system and software that can be loaded onto any “bare metal” server have driven the adoption of Linux-based solutions across large enterprises and organizations in every industry.
The global Linux operating system market size stood at USD 3.89 billion in 2019 and is projected to reach USD 15.64 billion by 2027, exhibiting a CAGR of 19.2% during the forecast period, according to Fortune Business Insights.
A man-in-the-middle attack (MITM) is an attack against a cryptographic protocol, with an adversary sitting in the middle and negotiating different cryptographic parameters with the client and the server. As more Linux servers are in service, enterprise, cloud providers, and application providers must focus on protecting the data and sessions enabled by those servers from MITM attacks.
A MITM attack may allow the attacker to subvert the encryption and gain access to content, including passwords, then injecting commands into the session to modify data in transit, to steal the data, or to cause other harm.
Sophisticated tools for performing MITM attacks vary and are used by professional hackers and by cybersecurity experts for pen-testing.
To protect against MITM attacks, a comprehensive “trust stack” is required, and an important pillar of that stack is the use of Zero Trust Least Privileged Access Management.
Ironsphere provides privileged access security capabilities based on the MITM threat architecture to prevent credential theft of super-user accounts and ensures they are used only for legitimate business purposes.
Direct Access refers to the accidental or intentional access attempts from users’ computers to remote hosts/servers directly, and Ironsphere has developed an advanced solution that redirects attackers, forcing the sessions to go through our platform.
Privileged user direct access management can be approached in 4 different ways:
- Changing the owner of the privileged credentials (from users to Ironsphere)
- Blocking direct access at the network level
- Detecting and responding to direct access attempts
- Deploying Access Control Agents on Hosts/Servers
These options can be used individually or combined in a single deployment. This decision will be primarily driven by the nature of the infrastructure and the desired level of control/security.
Our new solution brief details how Ironsphere deploys Access Control Agents on Hosts/Servers – specifically as it applies to Linux Servers.
The Access Control Agents run on target hosts/servers (in this case Linux servers) and detect user remote console access attempts, regardless of the source or type of attempt.
Once the Access Control Agent detects a remote console access attempt on a Linux server, it manages whether or not the user is allowed to connect and limits the commands that the user will be allowed to execute, via a centralized server.
The access permission and application isolation policies are managed by the central Ironsphere server (i.e., Policy Decision Server) and enforced by the Ironsphere Access Control Agent (i.e. Policy Enforcement Point) on Linux servers.
All-access attempts, session details, and user activity are tracked by the Access Control Agent and sent to the central server, enabling unified visibility into user activity throughout all Linux servers in the organization’s technology infrastructure.
Access Control Agent-based deployment provides the following direct access capabilities to manage such exceptional or edge use cases:
- Segregation of duties: central management of which users have direct access to which servers
- Single-Sign-On: enable users to log in to Linux servers with their personal accounts on Active Directory
- Multi-Factor Authentication: additional security layer to ensure the person accessing Linux server is who they claim to be
- In-Session Least Privilege Management: central management of which users can or cannot execute which commands on remote Linux servers
- Role-based Privilege Management
- Unified Visibility and Audit Trails of all user activities during direct access sessions
Learn more about the details of our PAM solution, which is the fastest and easiest to deploy in the market due to its agentless man-in-the-middle architecture, by downloading our new solution brief, specifically designed to support Linux server environments.
As Attacks on Infrastructure Continue to Intensify, Cyber Security Leaders Call for Further Investment
This past week Colonial Pipeline company, which operates a pipeline that carries gasoline, diesel fuel, and natural gas along a 5,500-mile path from Texas to New Jersey, was forced to take itself offline after being attacked by a criminal cyber gang. The Colonial Pipeline, which carries 2.5 million barrels a day, nearly 50% of the East Coast supply of diesel, gasoline, and jet fuel, is still working to restore service and gain access to its systems after the malicious cyberattack while its four mainlines remain offline.
As Infrastructure Week Begins in the US, A Massive Ransomware Attack Drives the US Government to Enact Emergency Legislation
The US government issued emergency legislation earlier this week after the largest fuel pipeline in the US was hit by a ransomware cyberattack.
Buy it Wholesale, Sell it Retail: How MSPs and MSSPs can Benefit from Multitenancy Cyber Security Solutions
Managed Service Providers (MSPs) and Managed Security Service Provider (MSSPs) have a stressful job. They must provide cybersecurity solutions to their clients, protecting them from a broad and growing range of threats, and ensure their customers’ networks, equipment, data, systems, people, and reputations are insulated from malicious forces.