Configuring an anti-virus in an enterprise. You know how to do it, right?

Well, anti-virus is an ancient security control with long history and is considered a pretty mundane thing these days. Any security professional may think that he or she knows everything about them. But, probably, not "for the purpose of CISSP exam", lol.

Let's test your knowledge.

You are deploying anti-virus on your organization's network. All of the following are guidelines regarding anti-virus software, except:
A) install anti-virus software on all server computers, client computers, network entry points, and mobile devices.

configure anti-virus scans to occur automatically on a defined schedule.
C) configure the anti-virus software to automatically scan external disks.
D) update anti-virus signatures via a local server.

Your choice?

Find more posts tagged with

Comments

g33k3r

Great question "for the purpose of the CISSP exam". My 12 years of experience has been primarily focused on providing technical solutions. The value of the CISSP for me is that I am learning about the non-technical areas (Risk, Policy, Business Continuity, Legal....), which is productive and adds value to me and my company. Questions that test your ability to memorize semantics or obscure processes based on some "official" material offer very little value in my opinion. End of rant.

My choice is D since it specifies a local server and mobile devices may or may not have access to this server when not "local".

Thanks for posting this question. Although I ranted it still spurs discussion which is where people learn to apply these concepts.

gespenstern

I would agree with the suspicion that D may be off...

Regarding your logic... well, we don't know if guidelines really prescribe installing AV on mobile devices. It's just one of possible answers that could very well be wrong. Plus, even in the middle of 2015 installing AV on all mobile devices is something yet to be implemented in, IMO, majority of enterprises. Many vendors don't even have ones for mobile operating systems.

Local server... well, I've personally designed several anti-virus solutions, ALL of them used local servers for updates and ALL of them suggested a method for mobile clients to access this "local" server... If a mobile device has access to the Internet and therefore can update itself, then it's not any harder to implement a solution involving getting updates from a "local" server.

Main reasons why devices should be updated from a local server are
a) controllable updates. Believe it or not, some updates can ruin your enterprise. Not long time ago Kaspersky released an update to their anti-virus that banned whole Internet. So updates are tested first, especially in large enterprises.
b) updates are usually got along with configuration data plus anti-virus client software reports back on its status to your "local" server and assigning a control server to a client often does everything in bunch, i.e. it's harder to configure a client to update itself via vendor's website while retrieve config from your server and report back to it than configure everything at once to talk to your own "local" server. Which is, usually not a server, but a farm really.

And rant mode on, I'm yet to find a certification that doesn't have its own agenda. Maybe in a perfect world they exist, but here it is what it is. Some are better, some are worse and some are complete crap.

jt2929

C is raising a question for me. What is meant by "external disks?" Why do I care about external disks if they aren't on my network and I'm not responsible for them? External disk to me means not on my network, not under my control, and not my responsibility, so my answer would be C. Let's see if I get your quiz of the day question correct this time :P

digitheads

I am also going with C

BlackBeret

Network entry points? I can't say that I've ever put AV on a standalone firewall or switch. I'm going with A. Also a lot of enterprises are BYOD and installing software on someone's personal mobile device usually isn't an option.

jt2929

Remember that to (ISC)2, "mobile devices" does not mean cell phones, it means laptops.

Edit: I should have kept with the theme and said "for the purpose if CISSP", mobile devices are laptops, not cell phones.

NetworkNewb

I'm going with C as well.

5ekurity

I had a really well thought out response, and of course when posting it - boom, all deleted.

So now it's the condensed version.

I think the answer is A. In addition to the reasons BlackBeret gave, you may have instances where installing AV on a system causes degraded performance or provides no real benefit, in which other compensating controls can be implemented to secure that system without requiring the installation of an AV agent.

I don't think it's B for obvious reasons.

I don't think it's C because to me, an external disk is a USB thumb drive or external hard drive. Especially if brought from home into the corporate environment, who knows what is on that USB storage device - therefore it must be scanned before malicious software or other files can propagate the network.

I don't think it's D because a local update server is a best practice, and in addition to what gespenstern said, think of the bandwidth consumption if you have every person in a big office environment going out over the Internet to download updates from the AV vendor vs a local update server. Yes, you may have an instance where a system off-net needs to update definitions - configure a secondary profile to reach out directly to the AV vendor - this, however, is not the standard way a client should receive AV updates.

gespenstern

BlackBeret wrote: »

I can't say that I've ever put AV on a standalone firewall or switch. I'm going with A.

Good observation, BlackBeret! Really, nobody installs any AV software on cisco networking hardware, right?

However, not having an anti-virus there is questionable, especially after Snowden revelations that showed that NSA is more than capable of finding vulnerabilities in IOS, exploiting them and installing their own malicious software on IOS in order to do their surveillance things. As operating systems get more and more complicated, hidden vulnerabilities become more and more widespread, a special agent with AV functionality will eventually become more and more in demand even on IOS. But as of now nobody installs anti-virus software on IOS, that's right.

But the thing is, firewalls and routers aren't always Cisco or Juniper devices, some of them run on top of general-purpose operating systems, e.g. Microsoft Forefront TMG (RIP) on top of Windows Server or Linux with iptables or FreeBSD with ipfw, plus specialized products such as pfSense. Anti-virus software can be installed on them, however, it's rarely done. But, at least, it's proven that there are lot of various types of malware for both Linux and FreeBSD.

In addition to that majority of enterprises (at least that i've seen) install various MDM software on BYOD as long as BYOD devices are used to work with corporate e-mail and documents.

gespenstern

jt2929 wrote: »

What is meant by "external disks?" Why do I care about external disks if they aren't on my network and I'm not responsible for them?

Well...

You remember Conficker/Kido/DownAdUp, right? If not, let me remind you some facts... This particular piece of malware formed the biggest (so far) botnet on the Internet containing millions of infected PCs and servers. One of the infiltration techniques used by the virus was exploiting Windows autorun feature that was enabled by default on Windows OSes those days. Let's say that you don't scan external drive and an employee brings an infected flash thumb drive from home or from his friend and puts it into a corporate PC. BAMF, your PC is infected.

It was conficker who forced Microsoft to finally release a security patch that finally disabled this autorun functionality.

https://en.wikipedia.org/wiki/Conficker

Another attack vector would be infecting executables and documents such as pdf on thumb drives, so when a user tries to open them his or her system gets immediately infected. I'm currently reading Ross Anderson's "Security Engineering" and he cites one research on phishing, according to which some company has sent thumb drives packed in fancy envelopes via traditional mail to a bunch of executives of Fortune 500 companies with a note "your chance to attend a party of a lifetime". Guess what, 46% (AFAIR) of these dumbasses put these thumbdrives into their corporate PC. How dumb is that?

So, you'd better scan external drives. Many enterprises even go further and disable USB completely on their PCs.

jt2929

I guess I read the question wrong. I was thinking about installing on an external drive, not simply scanning one when connected. Of course we would scan a drive when connected. Given this enlightenment, I guess I would choose A. I think the question is poorly written though. Whose guidelines? I'd rather see something asking about best practices, since those are well documented in our study materials. All we really know about guidelines is that they can vary from company to company.

gespenstern

5ekurity wrote: »

I had a really well thought out response, and of course when posting it - boom, all deleted. So now it's the condensed version.

Sorry to hear that, what a pain!

When I put a lot of effort into typing something I usually copy my reply to a clipboard before pressing "post" button. In case it doesn't get posted I can paste it into a notepad or in another post form.

5ekurity wrote: »

I think the answer is A. In addition to the reasons BlackBeret gave, you may have instances where installing AV on a system causes degraded performance or provides no real benefit, in which other compensating controls can be implemented to secure that system without requiring the installation of an AV agent.

I agree, after a lot of thinking on this, I also tend to choose A and would argue that A SHOULD be the correct answer. That's where "for the purpose of CISSP exam" comes into play, lol. So I would appreciate if someone looked into their AiO or CBK to find out "official truth" regarding anti-virus deployment guidelines, because according to this practice exam quiz, the correct answer is D.

You are totally right, I'm yet to find a single enterprise, where AV gets installed on ALL servers, ALL network entry points and ALL mobile devices.

Clients are covered in many cases, at least on a policy level, there could be violations here and there but yeah, all clients should be covered, including all flavors of Linux and MacOS workstations. Because contrary to popular belief, there's lot of malware for them and if you deployed them in any meaningful quantities you almost certainly encountered malware on both Linux flavors and MacOSes.

Many servers do not have AV installed. Often these are database servers with MS SQL, some people still install AV on them but put a lot of paths into exclusion lists. Nothing usually gets installed on Oracle DBMS running on top of Solaris or AIX or RedHat Linux. Nothing AV-like gets installed on i/OS and z/OS. So "ALL servers" here would be clearly wrong. Majority of servers or some of servers would be proper wording.

Network entry points we already discussed so the same is true for them also. It would be wrong to state that ALL network entry points should be covered. Some of them -- maybe.

Mobile devices -- I'd argue that ALL of corporate or BYOD devices that are used to work with corporate documents and corporate e-mail should be covered, so I'm okay with that.

Despite all of that, "the correct" answer here, "for the purpose of CISSP exam" is D. Let's see if someone posts a passage or two from CISSP books to see their thinking on this.

gespenstern

jt2929 wrote: »

Whose guidelines?

(ISC)2 ones, apparently. They test our knowledge of their views on security, after all. Some other vendors or institutions or industry as a whole may think otherwise, but who cares, they control what questions do we get on the exam and they provide us with information on their view on security.

jt2929

gespenstern wrote: »

(ISC)2 ones, apparently. They test our knowledge of their views on security, after all. Some other vendors or institutions or industry as a whole may think otherwise, but who cares, they control what questions do we get on the exam and they provide us with information on their view on security.

I get that (ISC)2 is the one testing us, but have they published guidelines for deploying AV on an enterprise network?

gespenstern

jt2929 wrote: »

I get that (ISC)2 is the one testing us, but have they published guidelines for deploying AV on an enterprise network?

I believe so, usually when I find a quiz question that drives me nuts I eventually discover that the question and the answer are properly aligned with official course. That's why I'm waiting here for someone to look into their CBK and/or AIO to tell their official stance on anti-virus deployment guides. I expect them to confirm that D is right according to (ISC)2.

5ekurity

gespenstern wrote: »

Despite all of that, "the correct" answer here, "for the purpose of CISSP exam" is D. Let's see if someone posts a passage or two from CISSP books to see their thinking on this.

Really, I'm not surprised that ISC2 said the answer is D. Just like Microsoft exams, there is the difference between what <insert certifying body> says is the right answer on their test, and then the 'real world' answer (which in our example here, is A). If I saw that question on the test, A&D would be my 50/50 answers - thinking in the context of "which one is more 'correct' than the other". Also, I think there is something to be said for the test question banks and who creates them - specifically surrounding practice tests.

jt2929

looks like i'm 0-2 on the question of the day so far....

gespenstern

Don't worry. I usually post here only the ones that are really contra intuitive. If you can't answer them right then it's actually good, because your thinking may be structured according to best industry practices instead of ISC point of view. Often they are the same, but I post only those when they differ and that could be confusing.

I mean, if you are preparing you'd better know their official stance through reading their books because otherwise it would be hard to pass relying solely on general security knowledge, even if it is top-notch. If you are totally awesome I guess you still be able to pass without preparation, because majority of questions are still okay. You will miss only this type of questions that I post here...

gutbrodj

I agree the answer is D.

A. Antivirus should be on every device that can run Antivirus and is commonly infectable. Installation on Network entry points is almost/should be a standard. If you don't have it get it! On NGFW firewalls (redundant I know) AntiVirus in your firewall scans traffic for viruses before they reach the PC preventing the some viruses from ever reaching the PC. The PC scans the file on creation, and checks memory, servers should do the same. It's basic defense in depth.

B. Scheduled Scans are a must, as new definitions are rolled out all of your files need to be checked against the new definitions, you don't want something that was infected lurking in a document to blow up on you later.

C. External Disks are USB devices, attachable storage media, anything that is not inside a computer case that acts like a disk interface. These should be scanned when they are attached, and at the same time as scheduled scans.

D. Having your antivirus only update from a local server can allow an attacker to find, disable, and push out bad signatures and allow a complete compromise of all of your systems, as well as leading to issues with server/software failure, out of date signatures, and numerous other issues, at the very least, your anti-virus should fall back to the vendor, or check the vendor as a backup on a regular schedule.

gespenstern

gutbrodj wrote: »

I agree the answer is D.

I disagree, but am too lazy to repeat all the arguments that were already articulated.

nk_vn

BlackBeret wrote: »

Network entry points? I can't say that I've ever put AV on a standalone firewall or switch. I'm going with A. Also a lot of enterprises are BYOD and installing software on someone's personal mobile device usually isn't an option.

There are antivirus solutions that inspect the data in transit much like an IPS does. "Network entry points" does not mean the devices that terminate the links.

!nf0s3cure

Never mind it is ISC2. Read the CBK and you can pull your hair out.

On the topic of AV, even in large enterprise AV is not dead. It has fallen behind in few ways for the enterprise but for average user it is as meaningful as ever.

I must say when you read too much you do see things that can evade AV but for most parts it is still there. I heard of a banking portal that checks if you have an active and updated AV before it will let the session through. So it is being enforced upon user by the enterprise.

Falasi

I'd go with (D) as I can see the all A B and C in a antivirus guidelines, how to update/patch is mainly on patch management related documents. for me - at least - a guideline will have something like "update antivirus signatures" or "check current antivirus signatures".

That how I'd solve it on an exam , I could be wrong

You are deploying anti-virus on your organization's network. All of the following are guidelines regarding anti-virus software, except:
A) install anti-virus software on all server computers, client computers, network entry points, and mobile devices.

configure anti-virus scans to occur automatically on a defined schedule.
C) configure the anti-virus software to automatically scan external disks.
D) update anti-virus signatures via a local server.

5ekurity

I'm going to ask my network architects to apply AV to all network 'entry points' today per ISC2 best practices. Then I'll have all clients go over the Internet to get AV updates. And when we have bandwidth spikes, I'll just point them to the ISC2 CBK.

We'll see how well all this goes over...on second hand, I value my intellectual integrity too much.

!nf0s3cure

Remember the exam may also ask best of the all incorrect answer questions as well. This question is not the worst question on selecting the best negative or the least negative of all.

I'll be happy with D.