Stopping Man-in-the-Middle Attacks in the Fast-Growing Linux Server Market
By: Matthew Vulpis
Originally published in Cloud Computing Magazine
As the Linux Operating System and Server market continues to grow, driven by the mass adoption of cloud computing and expansion of data centers around the world, the ability to benefit from attacking the system and servers is also growing, leading to sophisticated cyber attackers who can steal data, hold organizations hostage, and take down entire networks.
The Linux open-source model has many benefits, including eliminating the risks of “vendor lock-in,” and companies including IBM, Ubuntu (Canonical), Linux Mint, Arch Linux, Debian, Majar, SUSE, CentOS, and of course Red Hat, continue to build healthy global business solutions on Linux.
The global Linux operating system market generated a revenue of $2.7 billion in 2017 and is expected to reach a market value of 7 billion by 2023, registering an 18.5% CAGR according to one industry analyst firm forecast.
In cryptography and computer security, a man-in-the-middle (MITM) attack happens when an adversary secretly relays and alters the communications between two parties who believe they are directly communicating with each other.
One example of a MITM attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact, the entire conversation is controlled by the attacker.
The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is successful only when the attacker impersonates each endpoint sufficiently well to satisfy their requirements.
These attacks can be prevented by using a public key infrastructure, such as Transport Layer Security (TLS), where clients and servers exchange certificates that are issued and verified by a trusted third party called a certificate authority (CA). If the original key to authenticate this CA has not been itself the subject of a MITM attack, then the certificates issued by the CA may be used to authenticate the messages sent by the owner of that certificate.
Mohie Ahmed, Solutions Architect at Ironsphere, explained, “To protect against MITM attacks, a comprehensive ‘trust stack’ is required, and an important pillar of that stack is the use of Zero Trust Least Privileged Access Management.”
Ahmed said shared passwords and credentials left unmanaged have been known to contribute to successful MITM attacks and explained that adding a safeguard between attackers and access points can dramatically reduce the risk of accidental or intentional attempts to invade servers.
“Privileged user, direct access management, can be approached in 4 different ways,” Ahmed said. “Changing the owner of the privileged credentials (from users to a PAM system), blocking direct access at the network level, detecting and responding to direct access attempts, and deploying Access Control Agents on servers. These options can be used individually or combined in a single deployment. This decision will be primarily driven by the nature of the infrastructure and the desired level of control.”
Specifically, as it applies to Linux servers, taking a Zero Trust posture helps enterprises leverage the benefits of the Linux open-source while ensuring only those individuals who should have access do have access, automating the password and credentialing process, and detecting remote console access attempts, regardless of the source or type of attempt.
“Once the Access Control Agent detects a remote console access attempt on a Linux server, it manages whether or not the user is allowed to connect and limits the commands that user will be allowed to execute, via a centralized server,” Ahmed explained. “In addition to automating and tightly managing access permission and application isolation policies using a Policy Decision Server, enforced by the Access Control Agent on Linux servers, all activity can also be recorded and made available on-demand for audits and compliance requirements.”
All-access attempts, session details, and user activity are tracked by the Access Control Agent and sent to the central server, enabling unified visibility into user activity throughout all Linux servers in the organization’s technology infrastructure.
Access Control Agent-based deployment provides the following direct access capabilities to manage such exceptional or edge use cases:
- Segregation of duties: central management of which users have direct access to which servers
- Single-Sign-On: enable users to log in to Linux servers with their personal accounts on Active Directory
- Multi-Factor Authentication: additional security layer to ensure the person accessing Linux server is who they claim to be
- In-Session Least Privilege Management: central management of which users can or cannot execute which commands on remote Linux servers
- Role-based Privilege Management
- Unified Visibility and Audit Trails of all user activities during direct access sessions
Though not as common as ransomware or phishing attacks, MitM attacks are a pervasive security risk for organizations.
As the sophistication of man-in-the-middle attacks grows, detection of these events has become increasingly difficult. Organizations are actively enhancing their security through monitoring and detection capabilities while also setting stringent policies, for example, requiring network users to select strong passwords and change them on a regular basis, implementing multi-factor authentication (MFA) on all network assets and applications, developing and deploying strong encryption protocols, ensuring private networking is truly private, deploying threat monitoring and detection, segmenting the network, and hiring Managed Security Service Providers (MSSPs) to provide comprehensive cybersecurity services.
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile works, ecosystem partnerships and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades – requiring an additional step between entering a username and password, for example, then entering a one-time security code sent to a mobile device – to access applications, systems and data.