Hackers Tear Apart Trend Micro, Find 200 Vulnerabilities In 6 Months (forbes.com/sites/thomasbrewster)
99 points by kmonsoor on Jan 29, 2017 | hide | past | favorite | 39 comments



We've been trying to fight a security auditor requirement to put antivirus on all of our Amazon AMIs (including Linux). It's insane that anyone thinks that improves security.


From experience many so-called 'security auditors' tend not to have a clue what they're talking about technically, and operate from a playbook. They do however speak the same language as management. Buzzword bingo, spreading FUD, selling snake oil.


This is so true. I worked for a small-time compliance software vendor where the domain expert was an incoherent mess (with all the buzzwords thrown in), the CEO couldn't discuss the software intelligibly, and the VP Engineering presented a demo video loop at a trade show booth showing themselves entering the company AWS credentials in clearly legible form.

The place had so many dysfunctions I'd not know how to start. I work for a much more professional outfit now with true appreciation for security and competence.

Edit: there's a real gap in this non-glamorous compliance domain. If you address it and need to execute SCAP (OVAL, XCCDF) content, look to a very competent scanner vendor, jOVAL. The real challenges are in organizing and presenting consistent info across many compliance standards, OSs, cloud vendors, etc. ... and in scanning entities that aren't OSs per se, and analyzing cross-domain conditions.


> From experience many so called 'security auditor's tend not to have a clue what they're talking about...

Relevant: "How do I give our security auditor the information he wants? (2011)" https://news.ycombinator.com/item?id=12434215


Use their same language back at them and talk about your "compensating controls". That's auditor lingo for "I know A is the standard control, but by doing B and/or C instead I have adequately addressed the risk."


This is insightful.

Ran into this sort of thing at a .gov during audits for systems accreditation in 200x. I made the mistake of using 'mitigation' in my documentation and opened up a can of worms with the contracted auditing firm. They should have provided a glossary of weasel words.

Took twice as long to get the system accredited because of a common sense initial approach.


So, what would be the compensating control for infecting yourself with malware?


For a system in the scope of the audit, if you can demonstrate that the files coming in are checked for malware before they get on your critical systems, this is one example of a compensating control.

Further, if you can demonstrate in auditable fashion that there are no browsers or other network connections or other typical vectors for infection, that can be a compensating control.

[Edit]

Or if you can demonstrate that your email system will drop all attachments and links, that would be another (annoying) way.


So, in a typical SaaS cloud application environment, is ISO 27001 just off the table for anyone serious about security? As (in effect) the CSO for a bunch of decently-sized startups, I would have a hard time approving the deployment of any kind of antimalware tool, because the risk simply isn't worth the reward. Even when deployed on isolated systems and not every end system and server, they're still intrinsically dangerous systems: they're essentially most of the attack surface of a browser.


No, you just need to have some compensating control. For example: there is a very limited number of ways that I can get files to the EC2 instance, I can audit how this happens, and also there is no browser running there.

So to put it another way: can you set and enforce a policy as to how files get to your AWS instance, and set and enforce a policy as to how (that is, with what programs) those files are accessed? And is there a way to audit that such a policy is in place and enforced?

As an example, Azure itself is ISO 27001 (and a metric ton of other certs) and they don't run AV on their stuff. But you can be sure that they can tell you everything about each of the components that make up Azure itself up to the hypervisor level. I would presume that the same thing is true for AWS.

So now you put your stuff on top of this base service. If you can assure the auditors that you have somehow controlled that particular risk, then you won't need AV.

Also, of the 114 controls in ISO 27001, not all of the controls are relevant for the scope that you choose. You could say that "since we have total control of the character and nature of files that land on each of our VMs, we don't need to have that control". Often you may need only 50 of the controls.

The thing about ISO 27001 is about understanding the risk that your systems in scope are subject to (e.g., loss of PCI-protected data, fire, downtime), building policies and procedures addressing those risks, and repeatedly auditing that those policies and procedures are in place and adjusting them when they are not.

Pro-Tip: don't take the approach of telling the auditors that AV is a fundamental risk. That conversation is not likely to be productive. Just demonstrate your control over the environment.

ISO 27001 is not that far removed from common-sense security.


No, there's nothing in ISO 27001 that says "you must have antivirus".

You do a risk assessment, and if you can reasonably argue that you can mitigate the risk without antivirus, you're fine.

It's different with PCI-DSS and other standards: those actually have stricter requirements (you don't get to do a risk assessment yourself).

Ping me if you have more questions! Glad to elaborate.


Maybe you can convince him with the following arguments:

"Thinking that a huge program, written in C, with a code base from the '90s, running as root or, even worse, in kernel space and parsing untrusted inputs by definition can improve security is kind of crazy."

From what I've seen in the Linux world, anti-virus software tends to be pretty bad.

I've already posted something about the TrendMicro one here: https://news.ycombinator.com/item?id=10883777

The Kaspersky one, last time I checked, looked a little better (proper packaging and integration) but it seemed somewhat neglected (no 64-bit version, no support for newer Debian/Ubuntu/Red Hat releases).

The only commercial one which seems to be properly maintained on Linux was Sophos; it even has an open-sourced working kernel module for realtime scanning (and it also supports the dnotify API). But it had some scary security flaws in the past: https://community.sophos.com/kb/en-us/118424

If you really have to use an AV, the least-worst option is ClamAV; at least it's open source and packaged in most distributions. With the dnotify kernel API it can do realtime analysis.


Is that a requirement your security auditor has, or are vendors demanding this in vendor-specific security reviews? And is this for e.g. network segmentation in PCI, or more routine assessments?

Depending on what you mean, perhaps you want to get in touch if you'd like better technical due diligence :)


I have filled out a few applications for tech E&O and cyber liability insurance over the past week and they all had a question about antivirus on the servers, workstations, and phones. I answered truthfully (no) and wonder if that is going to hurt me.


It will be interesting what an insurance company thinks is needed.

If having an antivirus can create possibly more security holes than it closes - then from an insurance perspective they would not want you to have it.

i.e. if they have to pay based upon an attack - they want to ensure the lowest risk.


The thing is that in most companies you're far more likely to fall victim to simple and random malware emailed to or run by your employees than you are to be carefully targeted by a worm based on AV vulnerabilities.

With that said I prefer to view security as, "You likely will be the victim of a planned attack, so plan from there", but still. Odds are not favourable.


If people understood those that were building the Cyber liability policies within the big firms, they'd realize few have a clue. Having worked with the big 5 for years now on this, many are so far behind on reality it hurts.


I'm in that same boat with both exploit and performance concerns. I'm trying ClamAV right now. For auditing and hardening I used Lynis. Any other tools you recommend? I need an external scanning tool.


Agreed in a lot of cases. However there can be times (e.g. email attachments, file uploads) where it's a rather useful defense layer.


You don't need an integral scanner, you need a scanner that can look through any persisted user files. You can write triggers for Amazon Lambda that trigger scans when a file is dropped on S3, for example.
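Both the "check files for malware before they reach critical systems" compensating control described earlier in the thread and the S3-triggered Lambda scan suggested here come down to the same gate: every object that lands in the ingest bucket is either verified and tagged, or moved to quarantine before any in-scope instance can read it. The following is an added illustration written for this thread, not code from any commenter or vendor. The S3 client, the scanner, the suffix/size policy, the bucket names and the event records are all constructed stand-ins so it runs offline; in a real deployment the client would be `boto3.client("s3")` and `signature_scan` would be replaced by a call to clamd or `clamscan`.

```python
"""Scan-on-ingest gate for files landing in an S3 bucket (constructed example).

Models a Lambda handler wired to an S3 ObjectCreated notification: it fetches the
new object, applies the ingest policy, scans the body, then either tags the
object clean or moves it to a quarantine bucket. The returned list is the audit
record an assessor can be shown.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# EICAR anti-malware test string: the harmless industry-standard test file.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

ALLOWED_SUFFIXES = (".csv", ".json", ".txt")  # hypothetical ingest policy
MAX_BYTES = 10 * 1024 * 1024                   # hypothetical size limit


@dataclass
class FakeS3:
    """In-memory stand-in for the four boto3 S3 calls the handler uses.
    Bodies are plain bytes here; a real get_object returns a StreamingBody."""
    objects: Dict[str, Dict[str, bytes]]
    tags: Dict[str, str] = field(default_factory=dict)

    def get_object(self, Bucket, Key):
        return {"Body": self.objects[Bucket][Key]}

    def put_object(self, Bucket, Key, Body):
        self.objects.setdefault(Bucket, {})[Key] = Body

    def delete_object(self, Bucket, Key):
        del self.objects[Bucket][Key]

    def put_object_tagging(self, Bucket, Key, Tagging):
        self.tags[f"{Bucket}/{Key}"] = Tagging["TagSet"][0]["Value"]


def signature_scan(data: bytes) -> Optional[str]:
    """Stand-in for clamd/clamscan: flags only the EICAR test string."""
    return "Eicar-Test-Signature" if EICAR in data else None


def s3_event(bucket: str, key: str, size: int) -> dict:
    """Build one minimal S3 ObjectCreated notification record (constructed)."""
    return {"Records": [{"eventName": "ObjectCreated:Put",
                         "s3": {"bucket": {"name": bucket},
                                "object": {"key": key, "size": size}}}]}


def handler(event: dict, s3, scan=signature_scan, quarantine="quarantine-bucket"):
    """Lambda-style entry point: gate every object named in the event."""
    audit = []
    for rec in event["Records"]:
        bucket = rec["s3"]["bucket"]["name"]
        key = rec["s3"]["object"]["key"]
        size = rec["s3"]["object"]["size"]
        body = s3.get_object(Bucket=bucket, Key=key)["Body"]
        # Policy first: anything outside the allowlist is quarantined unscanned,
        # so the scanner's own parsers never touch unexpected file types.
        if not key.lower().endswith(ALLOWED_SUFFIXES) or size > MAX_BYTES:
            verdict = "policy-reject"
        else:
            sig = scan(body)
            verdict = f"infected:{sig}" if sig else "clean"
        if verdict == "clean":
            s3.put_object_tagging(Bucket=bucket, Key=key,
                                  Tagging={"TagSet": [{"Key": "scan-status",
                                                       "Value": "clean"}]})
        else:
            # Move, not copy: the object must not remain readable in the ingest bucket.
            s3.put_object(Bucket=quarantine, Key=key, Body=body)
            s3.delete_object(Bucket=bucket, Key=key)
        audit.append({"bucket": bucket, "key": key, "verdict": verdict})
    return audit


def demo():
    """Run the gate over three constructed uploads; returns (verdicts, s3)."""
    s3 = FakeS3(objects={"ingest-bucket": {
        "report.csv": b"id,amount\n1,42\n",   # ordinary data file
        "payload.txt": EICAR,                 # test signature, should be quarantined
        "tool.exe": b"MZ\x90\x00",            # outside the suffix allowlist
    }})
    event = {"Records": []}
    for key, body in s3.objects["ingest-bucket"].items():
        event["Records"] += s3_event("ingest-bucket", key, len(body))["Records"]
    verdicts = {r["key"]: r["verdict"] for r in handler(event, s3)}
    return verdicts, s3


if __name__ == "__main__":
    for key, verdict in demo()[0].items():
        print(f"{key}: {verdict}")
```

The point for an assessor is the audit list plus the bucket policy that only the gate can write to the bucket the instances read from: together they show files are checked before they reach in-scope systems, which is the compensating control the thread describes, without installing a scanner on the instances themselves.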


Which auditor, and for what regulation?


Most certifications, and in particular, ISO 27001 asks if you have anti-malware running. Now, the thing about ISO and many of the other certifications, if you can demonstrate some mitigating control, say aggressive network monitoring, or pre-scanning files before they get loaded onto your target system, then you can pass. For example, http://www.iso27001security.com/html/27002.html on 12.2 mentions this, along with a vaguely-stated user awareness.

All auditors looking at you for this certification will ask this question.


Will ask whether your EC2 instances have anti-malware on them?


Yes, for all systems in scope. If you are putting code and/or files there, they will ask.

But as I note in other threads, you have a good chance of demonstrating some compensating controls.


The main disadvantage security companies have is the difficulty of integrating with the core operating system. This makes it easy for third parties (e.g. malware) to use the same software for malicious applications. They base their security products on a lot of system-internals tricks to make them work (e.g. API hooking, reverse engineering, drivers). Microsoft has a clear advantage in this market because they can modify the OS "a piacere".

Disclosure: I provide this kind of solution to Trend Micro, Symantec, and many other security vendors.


From your HN user profile, "At Nektra we are providing solutions that require Windows system internals and reverse engineering skills."

http://www.nektra.com


Yes, that is the reason I made the disclosure. Almost all of our work involves intercepting, modifying, and integrating third party applications with Windows when Windows doesn't provide APIs to do this.


So are you using undocumented windows APIs or hooks?


It depends on the work, but for example we created APIs for applications that don't have APIs, reversing the code to expose a nonexistent API.

You can check our open source software at https://github.com/nektra; Deviare, Deviare2, and RemoteBridge are some of our engines.


I apologize for asking a bit of a leading question. But I am concerned that changes to undocumented APIs in windows could lead to blue screens upon rollout of updates, no?


Blue screen issues are for drivers but not for user mode applications. In general companies try to avoid doing Windows drivers. The solutions based on drivers are more stable and based on existing frameworks.

For example, in the case of companies like Trend Micro they sign a yearly support contract for supporting any OS app update.

I can answer any "extreme" public or private (via our website contact) question.


http://archive.is/KsAxC if you can't view the original page


Yes! Thank you. All I got when I went to that link was a fuzzy image and a great white circle.


There's something fishy with the adblock detection at forbes.com. I have no adblocker at all in Chrome, but I can't get past the landing page that tells me to disable the adblocker.


OT: Anyone able to copy and paste the content of the article? All I get when I go to Forbes these days is the quote screen and nothing ever loads.


If you don’t rely on a screenreader, here’s a screenshot: http://i.imgur.com/yfWL6XT.png

Otherwise nissehulth posted this useful link: http://archive.is/KsAxC


We got hit with the Zepto virus a while back. It's resulted in at least 10x the inconvenience, since we have had to deal with a third party anti-virus, and all of the inconveniences and bugs it introduced.


It doesn't mention this in the article, but I assume they got paid by Trend Micro for their work? Bug bounties, etc. If so, I wonder how much they made?


No, some of these security bugs were found by Google Project Zero and Tavis Ormandy:

https://news.ycombinator.com/item?id=10882563

https://bugs.chromium.org/p/project-zero/issues/detail?id=69...

The whole thread of comments is quite scary...



