dasseclab.net

Network engineering with security in mind.

12 May 2017

Why Learn Linux for Security?

by dasseclab

While catching up on Reddit’s /r/linux subreddit some time ago, I saw a post (since archived) asking ‘Is Linux Important for Network Security?’. My immediate reaction was “Yes!”, but I was interested to see what other responses there might be, and whether there was something I was overlooking.

Overall, I am not surprised by the responses. In general, they hit on tooling and infrastructure and throw in some bashing of Windows’ security (I am neither surprised nor alone in that). I’d like to expand on the points they make and perhaps add a few of my own reasons for learning Linux, which are probably just as applicable to other technology disciplines. A quick note: I use the term “Linux” here a lot, but the argument is not limited to Linux (or GNU/Linux, if that’s your preferred term); it also encompasses BSD and other Unix-like variants. That is for the sake of brevity and is not intended to short-change or gloss over the unique features of those operating systems.

First, let’s cut through the initial snark about Windows’ security record. There are numerous articles about Windows boxes getting owned, and between the sheer amount of malware targeting Windows’ user base and the OS internals themselves, it has a reputation for being insecure. Certainly, the wild west “All Users Are Created Equal” philosophy, compared with UNIX’s more granular user permissions, led to more problems than it should have: when all of your software defaulted to requiring Administrator access to run, people wound up running as admin when they probably shouldn’t have. And then there’s logging: I was fortunate to cut my teeth on writing regular expressions while having to sort through and correlate Windows logs for analysis. Windows, however, can be secured. Good security teams in the Enterprise space are tasked with it and are successful. If they weren’t, we would probably see more Enterprises adopt some UNIX-like system for their workers, either very cost-effective Linux machines or more expensive Macs.

That leads into the infrastructure portion of why to learn Linux. The thread notes that Linux is still the OS of the Web, citing Linux’s much higher adoption in the server market; even Enterprises use it. While technology companies of all sizes, and even some Enterprises, are starting to weigh traditional on-premises infrastructure against “The Cloud”, Linux typically leads the way in these solutions, whether through managed platforms like AWS, Google Cloud or OpenStack, or through container and micro-service platforms like Docker, CoreOS or Mesosphere. Microsoft is catching up with Azure and other cloud products, and AWS provides Windows images to run in its environment; however, when it comes to that sort of model, I still see more companies opt for a Linux solution over a Microsoft one. But that is just the serving/hosting infrastructure, ignoring the elephant on the raised floor: the network architecture. While still vendor dominated and closer to black-box than white-box, most networking gear is also UNIX based. Juniper’s Junos is built on FreeBSD, Cisco’s newer platforms such as IOS XE and NX-OS run on a Linux kernel, and other networking companies like Arista, as well as open/cloud routers, use straight-up GNU/Linux. This means that knowing how to work in UNIX-like environments is going to be critical to getting the firewalls in your environment configured to meet your needs. And then there is the inevitable project you need to stand up yourself, like an IDS/IPS, which also arguably runs best on a UNIX-like OS with iptables and open source software like Snort.

Which leads to another reason: tooling. Snort is one of my personal favorites to tout because even in enterprise or regulated environments, where open source software adoption can be tenuous, Snort was championed as being ‘enterprise grade’ and open source at the same time. Snort probably wouldn’t have turned out that way had it been developed specifically for Windows or some other closed-source operating system. The thread notes a lot of full Linux distributions geared towards penetration testing tools, like Kali, BlackArch and others. This provides a lot of flexibility to write software and tools at varying scales: a quick script to do XYZ, a command line utility for infrastructure, independent software like Snort, or an entire operating system image for a specific purpose. The scale is up to you! And there is the added benefit that so much of the Linux ecosystem is open source, so you’re free to share, copy, review and audit the code.

But there is one thing I’ve learned in my experience that most people neglect to mention when it comes to learning Linux: salary. In my market, the difference between a comparable junior Windows administrator and junior Linux administrator is something like $15,000 US a year, with Linux commanding the higher salary. Linux has a perception of being harder, I guess because Best Buy doesn’t sell laptops with Ubuntu installed on them, and when things are perceived as harder, that usually translates to dollars on the negotiating table. So, even if one is not interested in security, it would behoove them to take a look at and understand Linux to some degree. Even if one wishes to stick with a Windows specialization, having a base understanding of Linux is another tool in your belt and might help make one a better administrator or engineer.

In short, given Linux’s widespread usage as “the backbone of the Internet”, its flexibility and openness to be used by anyone, and the ease with which nearly anyone can create tooling for specific needs, Linux skills should be a must for any security professional. Its proliferation in technical environments means that it will be ever present, just as Microsoft Windows is, so security staff will be touching and working with Linux systems and ultimately responsible for their risk. Looking specifically at Network Security, with Linux and BSD forming the foundations of routers, switches, appliances and support devices (log/file servers, monitoring, etc.), understanding how these Unix-like operating systems work is just as essential as working with their vendor shells (IOS, Junos, EOS, etc.) and understanding how ports and protocols work.
