I know I’ve made several promises about picking up my previous threads, and I’m breaking them again by switching to a new topic. I’m out with a client this week, and I need say something. Standards is a means to an end, not the goal.
This is simple enough to say, but this is a major point I find that many administrators, developers, and auditors miss. Let me take the PCI DSS standard as an example: the antivirus requirement specifically. I know this is something we all argue about on forums and around the coffee machine endlessly, but I think we’re approaching the conversation wrong. This mindset is why we have people forcing the installation of ClamAV to scan /tmp. This is exactly the sort of failure I am talking about. It accomplishes nothing, it wastes resources, and it provides a false sense of security.
Let’s dig into this requirement as we examine the situation. Why is this requirement so often misunderstood and improperly “satisfied”? Well, it isn’t hard to figure out. Why do we use antivirus? To mitigate attacks. It’s that simple. It’s not about the signature recognition. It’s not about the heuristic behavior analysis. All of that is just the technology to mitigate attacks. Thus, we can define antivirus as applications and configurations that help mitigate attacks. Ok, cool. So, what is the standard’s requirement actually saying, or what should it say? Well, it really boils down to making sure we implemented industry recognized security measures to mitigate attacks.
Why do we have failure around meeting this requirement? Take the common Linux administrator’s response to being told they need to install antivirus. Often the response is, “We don’t need antivirus. We’re already secure.” Well, this means nothing to the layperson. The layperson isn’t familiar with our jargon. They don’t understand the difference between viruses, worms, ransomware, trojans, and man-in-the-middle. Not any more then we understand whatever accounting or legal terms they spew back at us. The fact that I don’t even know what to use as an example here illustrates my point. This isn’t their fault. We’re using the wrong vocabulary. We’re missing the point of the requirement when we respond.
When a board request an admin install antivirus software, casually dropping that they don’t need to install antivirus software is a failure of communication. It makes the admin a failure as an employee and as a professional. They failed because they’re confusing the technical meaning we apply to the term antivirus with the colloquial meaning laypeople apply to antivirus. By arguing with them about the need for antivirus, the admin has failed by missing the point. An admin’s job is to handle and TRANSLATE the technical details of duties for laypeople so the business people can make intelligent decisions. Yes, the standard is poorly written. We can argue why it’s written that way but it doesn’t matter. What does matter is our duty to meet the standard and explain we’ve met it in a way laypeople can understand.
So, what should we be doing? Well, we stop arguing about the standard because it isn’t wrong. What’s wrong is the lay concept that antivirus is only products that use signature recognition or heuristic analysis. Don’t argue with that. They’ll fight you. Agree and expand on it. Explain that antivirus are tools that help identify and prevent attacks. Explain how to arrive at a better solution. Explain how those practices address what to do after you’ve been infiltrated. AFTER. They do little to prevent initial infection. In simple terms, they can’t do their job until the attack is far enough into the system to identify, which is too late. By the time the attack is recognized, they likely already had the chance to pivot to another vulnerability. This is like securing a building with internally patrolling security guards, while leaving the doors unlocked.
Now, I think I’ve focused a little too much on this antivirus issue. Let me wrap that point up with my recommended response to the antivirus requirement. I tell my clients:
“We already have antivirus. Linux (RHEL specifically since most of my work is with Red Hat) has integrated antivirus in the form of file, process, and network access whitelists that only allow users to execute the operations they are approved for in the form of inherent fill access permissions, SELinux, and iptables. Unlike other antivirus tools, Linux antivirus foregoes attack identification after infiltration and focuses on preventing unauthorized access. This is why some of the biggest hacks in the news have been on Linux-based systems. The security wasn’t configured properly and the systems weren’t patched to remove vulnerabilities. We will use industry respected tools to validate our security configuration before providing user access and automated tools to alert us of available patches and apply them automatically.”
This is simple and appropriately communicative. I didn’t argue that we don’t need antivirus. Because that argument is stupid. In the past, I’ve certainly been guilty of making it. I’m ashamed of myself. It was myopic and egotistical. I was trying to force my depth of knowledge on other people. They don’t need that. They need to know that the responsibility that they delegated to me is respected and will be met to the best of my ability. By arguing with them, I’m failing to validate a concern and I’m telling them that I don’t respect them. So why should they respect me or my opinion on the proper solution?
When doing our jobs we need to consider the goal of a requirement. We need to translate what laypeople want into a technical reality, and when we implement that, we need to translate our results into words the laypeople will understand. If they get some bit of minutiae wrong in what they ask for, overlook it. Ask questions about what they are trying to achieve. Explain in simple words. If the explanation contains words with more than three syllables or any acronyms without explanation, it’s too complicated and the audience will get lost. Above all, don’t argue with them. Just drop the righteous indignation and give them what they actually want, even if they don’t know how to ask. They’ll be happier. You’ll be happier. You won’t have that meeting where you have to explain why you thought it was acceptable to install a Windows focused antivirus to scan /tmp when they asked for a secure system. It’s not a question of intelligence; it’s a question of differing backgrounds.