• 4

During a recent audit we were requested to install antivirus software on our DNS servers that are running linux (bind9). The servers were not compromised during the penetration testing but this was one of the recommendations given.

  1. Usually linux antivirus software is installed to scan traffic destined to users, so what's the goal to install antivirus on a dns server?

  2. What is your opinion on the proposal?

  3. Do you actually run antivirus software on your linux servers?

  4. If so, which antivirus software would you recommend or you are currently using?


If this is for SOX compliance, they're telling you to install antivirus, most likely, because somewhere you have a policy that says all servers must have antivirus installed. And this one doesn't.

Either write an exception to the policy for this server, or install AV.

  • 0
Reply Report

DNS servers have become popular with PCI auditors this year.

The important thing to recognize is that while DNS servers do not handle sensitive data, they support your environments which do. As such, auditors are starting to flag these devices as "PCI supporting", similar to NTP servers. Auditors typically apply a different set of requirements to PCI supporting environments than they do the PCI environments themselves.

I would speak to the auditors and ask them to clarify the difference in their requirements between PCI and PCI supporting, just to make sure that this requirement didn't accidentally sneak in. We did need to make sure that our DNS servers met hardening guidelines similar to the PCI environments, but anti-virus was not one of the requirements we faced.

  • 0
Reply Report

One aspect of this is that recommending "anti-virus" to be on everything is a safe bet, for the auditor.

Security audits aren't entirely about actual technical safety. Often they are also about limiting liability in case of a lawsuit.

Let's say your company was hacked and a class action lawsuit was filed against you. Your specific liability can be mitigated based on how well you followed industry standards. Let's say the auditors did not recommend AV on this server, so you don't install it.

Your defense in this is that you followed the recommendations of a respected auditor and pass the buck so to speak. Incidentally, that's the PRIMARY reason we use third party auditors. Note that shifting of liability is often written into the contract you sign with auditors: if you don't follow their recommendations, it's all on you.

Well, attorneys will then investigate the auditor as a possible co-defendant. In our hypothetical situation the fact that they did not recommend AV on a particular server will be seen as not being thorough. That alone would hurt them in the negotiations even if it had absolutely no bearing on the actual attack.

The only fiscally responsible thing for an auditing company to do is to have a standard recommendation for all servers regardless of actual attack surface. In this case, AV on everything. In other words they recommend a sledge hammer even when a scalpel is technically superior due to legal reasoning.

Does it make technical sense? Generally no as it usually increases risk. Does it makes sense to attorneys, a judge or even a jury? Absolutely, they are not technically competent and incapable of understanding the nuances. Which is why you need to comply.

@ewwhite recommended you speak with the auditor about this. I think that's the wrong path. Instead you should speak with your company's attorney to get their opinion on notfollowing these requests.

  • 0
Reply Report