• esc27@lemmy.world
    link
    fedilink
    English
    arrow-up
    21
    arrow-down
    5
    ·
    3 months ago

    It has been a few years, but I was once asked to implement 800-171. The document was aggressively vague and really the sort of thing that requires hiring a consultant to setup and probably at least one FTE to maintain. Thankfully our project was abandoned before I had to start looking for other employment just get away from the damn thing.

    So I emphasize with Georgia Tech for not perfectly implementing the rules to the governments confusing standards.

    However, the researchers refusal to run anti-virus even when required by the contract was just stupid. “Academic freedom” doesn’t mean anything when your grants are revoked or you get sued for millions over a breach. That said, they should have been able to work out some sort of “compensating control” to use instead of anti-virus and get that approved by the government.

    • harrys_balzac@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      11
      arrow-down
      2
      ·
      edit-2
      3 months ago

      I think you meant “empathize,” not “emphasize.”

      I agree, though - running without any sort of AV is just arrogant and foolish.

      • flying_sheep@lemmy.ml
        link
        fedilink
        English
        arrow-up
        16
        arrow-down
        1
        ·
        edit-2
        3 months ago

        No, that’s not the take-away.

        Going without AV as a computer-savvy person is perfectly reasonable, as AV companies can’t be trusted, and AVs are notorious for having deep seated privileges and bad security themselves – therefore increasing your attack surface.

        The take-away is that if you’re deciding for an institution that’s contractually obligated to do a thing, you should do it.

        • jet@hackertalks.com
          link
          fedilink
          English
          arrow-up
          8
          ·
          3 months ago

          I think it’s important to be clear about the difference between antivirus, and an in resident black box agent.

          An antivirus that you run on static files, is perfectly fine in any environment. t’s controllable it’s known you know the inputs you know the outputs. You know what you’re exposing to it. Even if the antivirus itself is a black box, you spin up a VM with the files you want to scan, you get the output of the scan, you destroy the virtual machine. So you don’t leak anything

          An agent that stays with privileged access to the machine, is basically a root kit, and they’re often black boxes. So a black box root kit is a huge security risk, especially if that black box needs to phone home to a service outside of your network. That’s just crazy. That’s more than an antivirus, that is I don’t even know the right word, but it’s a lot.

          • flying_sheep@lemmy.ml
            link
            fedilink
            English
            arrow-up
            6
            ·
            edit-2
            3 months ago

            Very true. I doubt the researcher in question would object to use a virus scanner like you described.

            Every consumer antivirus software works like the black box rootkit you described, AFAIK.

          • stringere@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            3 months ago

            That’s more than an antivirus, that is I don’t even know the right word, but it’s a lot.

            I think SIEM is what you’re looking for: Security Information and Event Monitoring

        • Ajen@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          3 months ago

          Depending on how the contract was written, running a clamav scan periodically may have been sufficient.