At one point in my career, I was tasked with evaluating how to deploy Symantec Endpoint Protection on Red Hat. I put the brakes on as soon as I learned SEP required a Java runtime engine on Linux. That's the definition of the cure being worse than the disease. IIRC SEP didn't have any signatures for viruses affecting Linux either. We'd be installing a JRE and AV client with signatures to detect Windows viruses just to check an "asset has AV installed" box. No thanks.
As an Infosec professional, I sympathise. I really do.
I've worked in many places where Infosec had a degree of 'power' and used it badly. It's a shame every time I see it. But it's perhaps not as simple as most people suppose.
The issue is based around the fact that it's really easy to be Chicken Little. And even when you're on a team that's trying to get away from that mindset, it's a big gamble to go against Chicken Little because it only takes a single example to prove them right vs your hundreds of examples that never quite suffice in proving them wrong. It takes a big cultural effort to overcome this - but the good news is that I've seen it done right in a bunch of places too.
OTOH, I've worked in places where I've tried to implement something like "this is my prod so it's my rules, this is your dev, so it's your rules". And this has worked well right up until the point that there's an 'edge case' that absolutely needs implementing and then the flood gates open to all sorts of crazy.
The best/worst of it was when I'd implemented a new monitoring solution on the corporate LAN and found:
open TOR exit nodes
Warez server
one machine that was aggressively mapping the network and trying to connect to any port it found
Something common between these three machines? Two things:
All 'dev' machines
All Linux.
So, to the point: is AV absolutely necessary? Maybe not - but not because it's Linux, more because of the context and the trade-offs. But equally, just because it's Linux doesn't mean it's low risk or should get a free pass.
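The third machine in the list above, the one "aggressively mapping the network and trying to connect to any port it found", is the easiest of the three to catch from plain connection logs, which is worth showing since the whole thread is about what you rely on when there is no AV agent on the box. The block below is an added example, not code from the commenter or from any product they used. It assumes a whitespace-separated connection log with columns `ts src dst dport state`, loosely modelled on Zeek's conn.log, where `S0`/`REJ` mean the connection never completed; the sample traffic is constructed inline and the thresholds (20 distinct targets inside 60 seconds, at least 80% failures) are assumptions to tune per network.

```python
"""Flag hosts that are sweeping the LAN, from connection-log lines.

Added example for this thread, not the commenter's code. Log format and
thresholds are assumptions; the sample traffic below is constructed.
"""
from collections import defaultdict

# Connection states treated as "did not complete" (assumed, after Zeek:
# S0 = no reply seen, REJ = actively refused).
FAILED_STATES = {"S0", "REJ"}


def build_sample_log():
    """Constructed sample: 10.0.5.17 sweeps 30 neighbours on 3 ports and is
    refused every time; 10.0.5.40 does a handful of normal HTTPS sessions."""
    lines = []
    t = 1700000000.0
    for host in range(1, 31):
        for port in (22, 80, 445):
            lines.append(f"{t:.3f} 10.0.5.17 10.0.5.{host} {port} REJ")
            t += 0.05
    for k in range(5):
        lines.append(f"{t + k * 10:.3f} 10.0.5.40 10.0.5.2 443 SF")
    # The scanner also has one legitimate session, so the failure ratio
    # (rather than raw failure count) is what does the work.
    lines.append(f"{t + 1:.3f} 10.0.5.17 10.0.5.2 443 SF")
    return "\n".join(lines)


def parse_conn_log(text):
    """Parse 'ts src dst dport state' lines into tuples; skip blanks/comments."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, state = line.split()
        events.append((float(ts), src, dst, int(dport), state))
    return events


def find_scanners(events, window=60.0, min_targets=20, min_fail_ratio=0.8):
    """Return {src: summary} for every source that, inside any `window`
    seconds, touched at least `min_targets` distinct (dst, port) pairs with
    a failure ratio of at least `min_fail_ratio`. A host with one or two
    failed connections, or one that talks to many hosts successfully
    (a monitoring server, say), does not trip this."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, state in events:
        by_src[src].append((ts, dst, dport, state in FAILED_STATES))

    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] spans
            # at most `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            targets = {(d, p) for _, d, p, _ in win}
            if len(targets) < min_targets:
                continue
            fail_ratio = sum(1 for e in win if e[3]) / len(win)
            if fail_ratio >= min_fail_ratio:
                scanners[src] = {
                    "targets": len(targets),
                    "hosts": len({d for _, d, _, _ in win}),
                    "fail_ratio": round(fail_ratio, 2),
                    "first_ts": win[0][0],
                }
                break  # one qualifying window is enough for this source
    return scanners


if __name__ == "__main__":
    hits = find_scanners(parse_conn_log(build_sample_log()))
    for src, info in hits.items():
        print(f"{src}: {info}")
```

Running it flags only 10.0.5.17; the HTTPS client is never reported because it only ever touches one (dst, port) pair. The failure ratio is there to keep legitimately chatty hosts (backup servers, monitoring pollers) out of the list, which is the usual false-positive source when you alert on fan-out alone.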
A lot of InfoSec professionals are 'no' people. No you can't do that, think about the risk! No, you do what everyone else does. No exceptions. And then they complain about being left out of discussions and shadow IT.
Yeah, it's a shitty attitude from what we broadly consider the 'old guard', but the problem is that it's a really easy route to follow - being 'the sky is falling' guy is easier than actually thinking something through in context. But also, unless the org and the culture are willing to support the infosec guys properly then there's no incentive for them to be anything other than Chicken Little.
It often lines up that if anything were to go wrong then Infosec would get the kicking, but equally they're supposed to be 'open' to new ideas. That's not something that can necessarily be solved within the infosec team - that needs a higher up vision that enables infosec to be part of the solution instead of 'the police'.
SELinux is not an anti-virus program, but is the main security software I hear recommended by my linux buddies. But they are also in the Red Hat ecosystem, so...shrugs
The only thing to ever get infested on my Linux installs was Google Chrome, but it did not impact the rest of the system. I do enable GUFW. That’s about it.