One of the most common misconceptions we see during our post-breach investigations is the belief that a server running a Linux operating system does not require anti-virus software.

PCI DSS Requirement 5.1 mandates that anti-virus software is deployed on all systems commonly affected by malicious software. Whilst the threat landscape targeting Windows environments is considerably more extensive, malware designed for Linux systems is evolving at an ever-increasing rate. These malicious files range from basic PHP-based web shells we commonly see in our investigations into compromised e-commerce systems, to more sophisticated malware employed by advanced persistent threat (APT) actors.

As per PCI DSS Requirement 5.1.2, periodic evaluations of systems not commonly affected by malicious software should be carried out to identify and evaluate evolving malware threats, in order to confirm whether such systems still do not require anti-virus software. As more threats targeting Linux systems emerge, these devices should no longer be considered exempt from the anti-virus requirement.

In addition, greater care should be given to configuring and managing Linux servers securely. Ensure that applications are only installed from trusted sources. Intrusion-detection and intrusion-prevention techniques should be employed to detect and prevent intrusions into the network, and the output from these tools should be monitored and every alert acted upon. File integrity monitoring (FIM) can be used to identify any modifications to critical system files or configuration files. Critical security patches for both the operating system and applications should be installed within one month of release.

