• esc27@lemmy.world · 22 up / 5 down · 3 months ago

    It has been a few years, but I was once asked to implement 800-171. The document was aggressively vague and really the sort of thing that requires hiring a consultant to set up and probably at least one FTE to maintain. Thankfully our project was abandoned before I had to start looking for other employment just to get away from the damn thing.

    So I emphasize with Georgia Tech for not perfectly implementing the rules to the government’s confusing standards.

    However, the researcher’s refusal to run anti-virus even when required by the contract was just stupid. “Academic freedom” doesn’t mean anything when your grants are revoked or you get sued for millions over a breach. That said, they should have been able to work out some sort of “compensating control” to use instead of anti-virus and get that approved by the government.

    • harrys_balzac@lemmy.dbzer0.com · 11 up / 2 down · 3 months ago

      I think you meant “empathize,” not “emphasize.”

      I agree, though - running without any sort of AV is just arrogant and foolish.

      • flying_sheep@lemmy.ml · 16 up / 1 down · 3 months ago

        No, that’s not the take-away.

        Going without AV as a computer-savvy person is perfectly reasonable, as AV companies can’t be trusted, and AVs are notorious for having deep-seated privileges and bad security themselves – therefore increasing your attack surface.

        The take-away is that if you’re deciding for an institution that’s contractually obligated to do a thing, you should do it.

        • jet@hackertalks.com · 8 up · 2 months ago

          I think it’s important to be clear about the difference between antivirus and an in-resident black box agent.

          An antivirus that you run on static files is perfectly fine in any environment. It’s controllable, it’s known: you know the inputs, you know the outputs, you know what you’re exposing to it. Even if the antivirus itself is a black box, you spin up a VM with the files you want to scan, you get the output of the scan, you destroy the virtual machine. So you don’t leak anything.

          An agent that stays with privileged access to the machine is basically a rootkit, and they’re often black boxes. So a black box rootkit is a huge security risk, especially if that black box needs to phone home to a service outside of your network. That’s just crazy. That’s more than an antivirus, that is I don’t even know the right word, but it’s a lot.

          • flying_sheep@lemmy.ml · 6 up · 2 months ago

            Very true. I doubt the researcher in question would object to using a virus scanner like you described.

            Every consumer antivirus software works like the black box rootkit you described, AFAIK.

          • stringere@sh.itjust.works · 2 up · 2 months ago

            “That’s more than an antivirus, that is I don’t even know the right word, but it’s a lot.”

            I think SIEM is what you’re looking for: Security Information and Event Monitoring

        • Ajen@sh.itjust.works · 2 up · 2 months ago

          Depending on how the contract was written, running a clamav scan periodically may have been sufficient.
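          The static, on-demand scan that jet and Ajen describe (no resident agent, scan a volume on a schedule, keep the output local) looks roughly like this. This is an added example, not code from the thread; it assumes ClamAV’s `clamscan` is installed and relies on its documented output format (`<path>: <signature> FOUND`) and exit codes (0 clean, 1 infected, 2 error). The sample output used below is constructed.

```python
"""Periodic on-demand ClamAV scan of a mounted volume, with no resident agent.

Added example (not from the thread). Assumes `clamscan` from ClamAV is installed.
Parser relies on clamscan's documented per-hit line: '<path>: <signature> FOUND'.
"""
import re
import shutil
import subprocess
from datetime import datetime, timezone

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")

# Constructed sample of clamscan output (not captured from a real run).
SAMPLE_OUTPUT = (
    "/data/reports/q1.xlsx: OK\n"
    "/data/tmp/eicar.com: Eicar-Test-Signature FOUND\n"
)

def parse_clamscan_output(text: str) -> list[tuple[str, str]]:
    """Return (path, signature) for every FOUND line; OK/empty lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def classify_exit(code: int) -> str:
    """Map clamscan's documented exit codes to a status word."""
    return {0: "clean", 1: "infected", 2: "error"}.get(code, "error")

def scan_volume(mount_point: str, log_path: str) -> dict:
    """Run one static scan of a volume and append a one-line summary to a local log.
    Nothing leaves the host; a cron job or systemd timer calls this periodically."""
    if shutil.which("clamscan") is None:
        raise RuntimeError("clamscan not installed")
    proc = subprocess.run(
        ["clamscan", "--recursive", "--infected", "--no-summary", mount_point],
        capture_output=True, text=True, check=False,
    )
    summary = {
        "time": datetime.now(timezone.utc).isoformat(),
        "volume": mount_point,
        "status": classify_exit(proc.returncode),
        "hits": parse_clamscan_output(proc.stdout),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(f"{summary['time']} {mount_point} {summary['status']} "
                  f"{len(summary['hits'])} hit(s)\n")
    return summary
```

          A scheduler entry such as a nightly cron job calling `scan_volume("/data", "/var/log/static-scan.log")` (paths are hypothetical) gives the periodic check without any daemon holding root between runs.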

  • jet@hackertalks.com · 13 up / 1 down · 3 months ago

    I think the security researcher has a valid point.

    In a secure environment you don’t want random things running in memory, sending samples to third parties.

    Would a static virus scanner run periodically on the volume itself have been sufficient? If yes, then the researcher was being unreasonable.

    • corsicanguppy · 10 up · 2 months ago

      The last time I saw this, we debated hard around this fixation on running third-party admin-level agents on boxes. Especially since our side was running non-windows, we maintained that our setup adequately mitigated any issues. They were adamant, and the contractors they brought in were boneheads, and we were not friends.

      But. The brass said capitulate. Our terms:

      • they acknowledge they’re asking for unknown ‘black box’ third-party software into hosts to run with admin-level access. They hammered at that one hard but it’s not wrong.
      • they acknowledge that it poses an avoidable risk and it’s done entirely at their express and direct request.
      • they furnish a bond in an amount to cover the rebuild of the related hosts because it’s a risk.
      • with their link to the rest of the world, these hosts are declared non-sovereign, and no P-I can be near them.
      • the hosts live in a ring-fence to protect the rest of the organization from their non-sovereign selves
      • they furnish a team and a member standing-by like a regular stand-by team to respond to alerts related to potentially-spotted viruses on the hosts - even if not immediately considered a risk to the hosts.
      • they sign indemnity agreements stating this was all their decision, that we had consulted them about increased costs and reduced effectiveness, and risk, and they understood and accepted it.

      They signed readily.

      I think that was it. This isn’t my plan, since I’m just not that smart, but the guy who itemized the terms was really good.

      So we got machines, ring-fenced them, locked them away and got the scanner agent set up. Every day or so we’d have our standby wake their guys up - and they were bargain contractors so, no standby pay - and they’d get to go over an analysis of the suspected virus, decide it was nothing - suspected no risk, but inconclusive (no one says 100% in security) - and go back to bed.

      This went on for weeks; even after the machines were deemed unusable for the project. You see, it was a system that handled registrations … for something; names, numbers, times; P-I. And they couldn’t handle P-I because they were non-sovereign and we couldn’t violate our data sovereignty requirements.

      But we had to set it up. Someone paid good money for that hardware; which, because it had to be ring-fenced, couldn’t be part of our standard private-cloud (on prem) setup. Wow, but that budget went out the window.

      After only a few weeks of this comedy they begged for a meeting. “Kill the agents,” they said. “But why? We paid for them and it’s in the plan. You agreed to support the agents for the life of the project!” Okay, we laid it on thick.

      They said please no; they’d go with our plan. “Our plan? We like your plan. You want to do this other thing, we’re gonna need indemnity for the risks in the plan you call ours that you rejected but now you want to do.” And they could really only agree.

      Agents removed. Boxes rebuilt - on their dime because of the “inconclusive” above and the “bond” clause - as we can’t be sure what went on those boxes. We fulfilled the VM requirements from our genpop, and added the new boxes in as common hardware as the hardware was EOSL and the maker wanted to support it but never see it again. They took a penalty because what we called their bumbling ran them over the delivery timeline, but at least it was done. Project complete, brass pats themselves on the back, cheapo contractors stung and tired. Kinda less our friends at that point…

      And we got new hardware, which the CFO said was never gonna happen. Like a half-mil he signed-off on, and that went into genpop as mentioned. And every time they went to hire a cheap whore, we got to remind them of how this one ran over so poorly, and they get to explain themselves to the top brass. That was a gift that kept on giving, even if THEY reminded us how much the contractors didn’t earn via delivery penalties and how much they had to pay back on that “bond” clause, which was just labour we needed to spend anyway on fixing a delivery process.

      And we laughed like the end of a Bellisarius serial right before the freeze-frame.

      • jet@hackertalks.com · 3 up · 2 months ago

        That’s a real roller coaster ride of a journey. Thanks for sharing it. Glad you got some bonus hardware out of it.

        • corsicanguppy · 2 up · 2 months ago

          I’d like to say it was all a masterfully done plan, but I’m sure it was 90% CYA and luck.

          Still, yeah, hardware budget was non-zero, and when FIN is pulling the strings, that’s always nice. ;-)

    • flying_sheep@lemmy.ml · 4 up · 3 months ago

      Totally reasonable to not do a dumb thing if you have no contractual obligation to do the dumb thing.

      Sadly they had that obligation, so they have to weigh the cost of doing the dumb thing with the cost of breaching contract.

  • Saik0@lemmy.saik0.com · 7 up · 3 months ago

    “But this ‘overall’ plan was basically fictional—it was a model, and apparently not an accurate one. Georgia Tech doesn’t have a unified IT setup; it has hundreds of different IT setups, including a different one at most research labs.”

    Yes… this is actually common. Your typical state school is actually made up of many different colleges working in tandem with each other. The nursing “school” is different than the law “school” at your university. Often even holding completely different names internally.

    • stoly@lemmy.world · 1 up · 2 months ago

      Yep. Only private schools have things centralized. Public universities are a libertarian bastion.