Educause Security Discussion mailing list archives

Re: Linux Servers and Antivirus


From: Blake Penn <BPenn () TRUSTWAVE COM>
Date: Mon, 25 Jun 2012 08:26:28 -0500

"5.1   For a sample of system components including all operating system types commonly affected by malicious software, 
verify that anti-virus software is deployed if applicable anti-virus technology exists."

If you are not using AV then you can either:

1) Develop and implement compensating controls to address the intent of the requirement
2) Demonstrate that the OS (and the particular configuration of that OS) is not "commonly affected by malicious software"


Here is the PCI SSC Guidance for this requirement:

"There is a constant stream of attacks using widely published exploits, often "0 day" (published and spread throughout 
networks within an hour of discovery) against otherwise secured systems. Without anti-virus software that is updated 
regularly, these new forms of malicious software can attack and disable your network.

Malicious software may be unknowingly downloaded and/or installed from the internet, but computers are also vulnerable 
when using removable storage devices such as CDs and DVDs, USB memory sticks and hard drives, digital cameras, personal 
digital assistants (PDAs) and other peripheral devices. Without anti-virus software installed, these computers may 
become access points into your network, and/or maliciously target information within the network.

While systems that are commonly affected by malicious software typically do not include mainframes and most Unix 
systems (see more detail below), each entity must have a process according to PCI DSS Requirement 6.2 to identify and 
address new security vulnerabilities and update their configuration standards and processes accordingly. If another 
type of solution addresses the identical threats with a different methodology than a signature-based approach, it may 
still be acceptable to meet the requirement.

Trends in malicious software related to operating systems an entity uses should be included in the identification of 
new security vulnerabilities, and methods to address new trends should be incorporated into the company's configuration 
standards and protection mechanisms as needed.

Typically, the following operating systems are not commonly affected by malicious software: mainframes, and certain 
Unix servers (such as AIX, Solaris, and HP-Unix). However, industry trends for malicious software can change quickly 
and each organization must comply with Requirement 6.2 to identify and address new security vulnerabilities and update 
their configuration standards and processes accordingly."



Blake Penn
CISSP, MCSE, MCSD, MCDBA, QSA, ISMS Principal Auditor
Principal Consultant
Trustwave
bpenn () trustwave com
+1 (678) 685-1277
http://www.trustwave.com

DISCLAIMER: The views represented in this message reflect the personal opinions of the author alone and do not 
necessarily reflect the opinions of Trustwave.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harry 
Hoffman
Sent: Friday, June 22, 2012 14:41
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Linux Servers and Antivirus

Hmm, I don't know about whether or not those requirements (5.1 and 5.2)
allow for compensating controls.

Let's ask a QSA, I expect no less than 3 answers ;-)

> On 06/22/2012 02:12 PM, Valdis Kletnieks wrote:
> On Fri, 22 Jun 2012 13:11:21 -0400, Harry Hoffman said:
>> PCI standards require A/V on servers that process transactions... it's
>> more and more likely those servers are running a *nix variant.
>
> Does it *require* A/V, or is it "A/V or compensating controls"?

