this post was submitted on 26 Aug 2024

56 points (100.0% liked)

Cybersecurity

5540 readers

108 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 1 year ago

MODERATORS

[email protected]

After cybersecurity lab wouldn’t use AV software, US accuses Georgia Tech of fraud (arstechnica.com)

submitted 1 month ago by [email protected] to c/[email protected]

13 comments fedilink hide all child comments

all 15 comments

sorted by: hot top controversial new old

[–] [email protected] 17 points 1 month ago (1 children)

It has been a few years, but I was once asked to implement 800-171. The document was aggressively vague and really the sort of thing that requires hiring a consultant to setup and probably at least one FTE to maintain. Thankfully our project was abandoned before I had to start looking for other employment just get away from the damn thing.

So I emphasize with Georgia Tech for not perfectly implementing the rules to the governments confusing standards.

However, the researchers refusal to run anti-virus even when required by the contract was just stupid. "Academic freedom" doesn't mean anything when your grants are revoked or you get sued for millions over a breach. That said, they should have been able to work out some sort of "compensating control" to use instead of anti-virus and get that approved by the government.

[–] [email protected] 9 points 1 month ago* (last edited 1 month ago) (1 children)

I think you meant "empathize," not "emphasize."

I agree, though - running without any sort of AV is just arrogant and foolish.

[–] [email protected] 15 points 1 month ago* (last edited 1 month ago) (2 children)

No, that's not the take-away.

Going without AV as a computer-savvy person is perfectly reasonable, as AV companies can't be trusted, and AVs are notorious for having deep seated privileges and bad security themselves – therefore increasing your attack surface.

The take-away is that if you're deciding for an institution that's contractually obligated to do a thing, you should do it.

[–] [email protected] 8 points 1 month ago (2 children)

I think it's important to be clear about the difference between antivirus, and an in resident black box agent.

An antivirus that you run on static files, is perfectly fine in any environment. t's controllable it's known you know the inputs you know the outputs. You know what you're exposing to it. Even if the antivirus itself is a black box, you spin up a VM with the files you want to scan, you get the output of the scan, you destroy the virtual machine. So you don't leak anything

An agent that stays with privileged access to the machine, is basically a root kit, and they're often black boxes. So a black box root kit is a huge security risk, especially if that black box needs to phone home to a service outside of your network. That's just crazy. That's more than an antivirus, that is I don't even know the right word, but it's a lot.

[–] [email protected] 6 points 1 month ago* (last edited 1 month ago)

Very true. I doubt the researcher in question would object to use a virus scanner like you described.

Every consumer antivirus software works like the black box rootkit you described, AFAIK.

[–] [email protected] 2 points 1 month ago

That’s more than an antivirus, that is I don’t even know the right word, but it’s a lot.

I think SIEM is what you're looking for: Security Information and Event Monitoring

[–] [email protected] 2 points 1 month ago

Depending on how the contract was written, running a clamav scan periodically may have been sufficient.

[–] [email protected] 12 points 1 month ago (2 children)

I think the security researcher has a valid point.

In a secure environment you don't want random things running in memory, sending samples to third parties.

Would a static virus scanner run periodically on the volume itself been sufficient? If yes, then the researcher was being unreasonable.

[–] [email protected] 4 points 1 month ago

Totally reasonable to not do a dumb thing if you have no contractual obligation to do the dumb thing.

Sadly they had that obligation, so they have to weigh the cost of doing the dumb thing with the cost of breaching contract.

[–] [email protected] 7 points 1 month ago (1 children)

But this "overall" plan was basically fictional—it was a model, and apparently not an accurate one. Georgia Tech doesn't have a unified IT setup; it has hundreds of different IT setups, including a different one at most research labs.

Yes... this is actually common. Your typical state school is actually made up of many different colleges working in tandem with each other. The nursing "school" is different than the law "school" at your university. Often even holding completely different names internally.

[–] [email protected] 1 points 1 month ago

Yep. Only private schools have things centralized. Public universities are a libertarian bastion.

[–] [email protected] 5 points 1 month ago* (last edited 1 month ago)

The imperial economy is approximately 95% people grifting off the fundamentally corrupt military state. It will never be fixed because it's a major point of its existence. These GT people are just dust in the wind relatively.