Educause Security Discussion mailing list archives
Re: Linux Servers and Antivirus
From: Blake Penn <BPenn () TRUSTWAVE COM>
Date: Mon, 25 Jun 2012 08:26:28 -0500
"5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists." If you are not using AV then you can either: 1) Develop and implement compensating controls to address the intent of the requirement 2) Demonstrate that the OS (and the particular configuration of that OS) is not "commonly affected by malicious software" Here is the PCI SSC Guidance for this requirement: "There is a constant stream of attacks using widely published exploits, often "0 day" (published and spread throughout networks within an hour of discovery) against otherwise secured systems. Without anti-virus software that is updated regularly, these new forms of malicious software can attack and disable your network. Malicious software may be unknowingly downloaded and/or installed from the internet, but computers are also vulnerable when using removable storage devices such as CDs and DVDs, USB memory sticks and hard drives, digital cameras, personal digital assistants (PDAs) and other peripheral devices. Without anti-virus software installed, these computers may become access points into your network, and/or maliciously target information within the network. While systems that are commonly affected by malicious software typically do not include mainframes and most Unix systems (see more detail below), each entity must have a process according to PCI DSS Requirement 6.2 to identify and address new security vulnerabilities and update their configuration standards and processes accordingly. If another type of solution addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement. Trends in malicious software related to operating systems an entity uses should be included in the identification of new security vulnerabilities, and methods to address new trends should be incorporated into the company's configuration standards and protection mechanisms as needed. Typically, the following operating systems are not commonly affected by malicious software: mainframes, and certain Unix servers (such as AIX, Solaris, and HP-Unix). However, industry trends for malicious software can change quickly and each organization must comply with Requirement 6.2 to identify and address new security vulnerabilities and update their configuration standards and processes accordingly." Blake Penn CISSP, MCSE, MCSD, MCDBA, QSA, ISMS Principal Auditor Principal Consultant Trustwave bpenn () trustwave com +1 (678) 685-1277 http://www.trustwave.com DISCLAIMER: The views represented in this message reflect the personal opinions of the author alone and do not neccessarily reflect the opinions of Trustwave. -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harry Hoffman Sent: Friday, June 22, 2012 14:41 To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Linux Servers and Antivirus Hmm, I don't know about whether or not those requirements (5.1 and 5.2) allow for compensating controls. Let's ask a QSA, I expect no less then 3 answers ;-) On 06/22/2012 02:12 PM, Valdis Kletnieks wrote:
On Fri, 22 Jun 2012 13:11:21 -0400, Harry Hoffman said:PCI standards require A/V on servers that process transactions... it's more and more likely those servers are running a *nix variant.Does it *require* A/V, or is it "A/V or compensating controls"?
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
Current thread:
- Linux Servers and Antivirus Jim Furstenbrg (Jun 22)
- Re: Linux Servers and Antivirus Aaron Hockett (Jun 22)
- Re: Linux Servers and Antivirus Harry Hoffman (Jun 22)
- Re: Linux Servers and Antivirus Valdis Kletnieks (Jun 22)
- Re: Linux Servers and Antivirus Harry Hoffman (Jun 22)
- Re: Linux Servers and Antivirus Kerry Havens (Jun 22)
- Re: Linux Servers and Antivirus Blake Penn (Jun 25)
- Re: Linux Servers and Antivirus Valdis Kletnieks (Jun 22)
- Re: Linux Servers and Antivirus Brad Judy (Jun 22)
- Re: Linux Servers and Antivirus Louis APONTE (Jun 22)
- Re: Linux Servers and Antivirus Valdis Kletnieks (Jun 22)
- Re: Linux Servers and Antivirus Louis APONTE (Jun 23)
- Re: Linux Servers and Antivirus Valdis Kletnieks (Jun 22)