Justin Beals and Sam Oberholtzer talk about antivirus and the role (and risk) it plays in security. Do you need to install it on all your computers? Why, or why not?

Please enjoy a transcription of the audio recording: 

Justin Beals (00:02)
Hi, Sam, it's great to see you again.

Sam Oberholtzer (00:06)
Hey, Justin. Absolutely. It's been always been a couple of weeks since we know exactly a couple of days, let's give ourselves some credit.

Justin (00:15) 
We're on a weekly scheduled with these things. But I do think we're a couple days over, but it's it's YouTuber time. So it doesn't really count. Right? Yeah. I love that. This is actually episode four of our opportunity conversations between a recovering CTO, and a just phenomenal audit expert, Sam, thanks for sitting in with me on these conversations. And last one, we had a really, really exceptional conversation, I learned a bunch about like the audit process, and some of the expectations around that. And today, it's my turn to bring I think a little bit of learning for us, right? We're going to talk about anti-virus today.

Sam (01:03
Absolutely yay.

Justin (01:10) 
Let's let's ground ourselves a little bit. I think that one of the one of the conceptions that I had a lot, before learning more and helping to develop strike craft was that antivirus was kind of a requirement of standards like SOC 2 or ISO 27001. So is there literally a statement in those standards that you should have an antivirus installed on all computers or something like that?

Sam (01:36)
So no, I think that right, there is a misconception in the first place a lot of these standards, especially if we're talking about SOC 2, they don't necessarily state that although, you know, a lot of auditors that we're starting to realize kind of force in that direction. But really, it's around the category: understanding what are we trying to achieve here. So the category is anti-malware. And so a point of focus could be anti-virus, because that's pretty much what everyone thinks about. But then we got to think about, okay, what are we actually again, trying to achieve with anti-malware? Do we, you know, does the organization understand what other controls they might have in place that might help mitigate that risk? So vulnerability scanning, do we have? Do we have any firewall protection IDS, IPS? Am I fit in a similar category? Um, but that's it's just not necessarily as talks about.

Justin (02:32)
I think, like, the one vulnerability that is probably the biggest for these types of issues is just email phishing scams, right? Where the, you know, you get a file, you double click on, it makes an installation onto your, your local system. Yeah,

Sam (02:47)
Yeah. And then, you know, kind of, that kind of brings me on to another topic, like, I can't believe how many of these standards don't even really discuss email. Or discuss any of these phishing scenarios where there could be a ransomware attack from an employee that might not be, you know, properly trained, or another attack that could lead to an incident. Um, yeah, so some around some kind of virus, whether it's ransomware or just another virus around, but typically, my brain just thinks, alright, like worries hackers trying to do trying to get money, of course.

Justin (03:33) 
So, it would be a true statement, then that there's not a hard requirement in especially the bigger standards that you and I discussed the most SOC 2, ISO 27001, HIPAA, of any virus being installed on all devices that the company is operating. So, what's absolutely interesting to me is that as someone that's managed technology for a while, there was a time when any virus was helpful. But lately, it's actually become a massive security risk. And Strike Graph ourselves, in discussion with our own auditors talked about that we don't install antivirus software, that there are other protections in place to keep an issue like that happening. And the reason, a number one reason is, is that I've had more issues with antivirus software causing problems on computing systems than I have with actual viruses. And so, you know, I, and we had a good discussion with our auditor, and I think that at the end of this session, they said, Well, I do know, they said, Okay, so this just doesn't seem, you know, we understand and we actually think that you have a good perspective on security. And let's pause there, right, like, I'm focusing on what I think is an important part of the relationship between a business and what's going on for it. And there's the audited security posture, which is you design it on some level, right? If someone dictates a checklist of security practices to you, I have to imagine that you're getting more than you need, and probably less than you need. And like all of that, like, that's not the best way to go about getting an audit accomplished.

Sam (05:20)
I agree. And then to your point, it kind of becomes mind-numbing, because you know, if you're, as an as you as an organization are not trying to help scope, your security posture and just take this checklist. It's almost like, okay, just install antivirus. But then who has an example? But then who's going to monitor that? Where are the action items, if a virus were to occur? How do we know that to actually configure it appropriately? And actually, in encompassing every single employee's device? What if it's the wrong antivirus, depending on your operating system, or the may not be the best fit? So there's a lot that still goes into account if you're going to force a certain control into someone's environment?

Justin (06:08) 
Yeah. So in my mind, thinking about servers, anything with an operating system, right, that's where you might put an antivirus. So it could be servers in the cloud or it could be local devices. The problem with any virus software, it is the biggest backdoor access to the lowest tier of computing on every single device that you put it on. And so you literally open up a whole unmonitored, unwatched third party without good management, backdoor to all your systems. I think, when it was harder for us to get updates to operating systems or software on our platforms when we had to go out over a dial-up modem, or something way, way back in the day, you know, I can understand kind of why you might want it there. But today, so many of our systems are automatically updated to protect against particular hacks against those operating systems, that the first thing to know about antivirus is it's always a laggard. So it is never up to date with the current hacks. And it's nowadays, even running slower than say, Microsoft kitchen gets a new patch out. So especially for servers, when we think about antivirus, I think that what we think about more is the immediate redeploy ability of the software. Okay, so let's say you do get a virus, we just redeploy the cloud configuration, and it's wiped clean. So this is one of the big challenges with the antiviruses. It's a backdoor and it's laggard, like right off the bat. And it has been since the beginning. But that's becoming more apparent as we automate the deployment of patches or server software or things like that. And so that's a big part that all that change management stuff, getting those automatic updates. That's a big part of anyone's compliance practices day, I think, right? Absolutely. Yeah.

So the next challenge with the antivirus software, and so I'm starting to make my case here, why this is a security risk unto itself. The problem  is that there are plenty of examples of anti-virus software being turned into anti-malware. And, you know, we can identify some of the really bad actors in the tech ecosystem, like John McAfee, as someone to be terrified of, because while McAfee was purchased many of those other small Leander virus, software's wound up mining cryptocurrencies off of your system, or literally serving up the ads, you were trying to keep them from serving up, and they have immediate access to all your files. So every file processing that's going on, can have a massive drain to the computing resources. So if you have like a processing integrity, commitment, or a CPU commitment, or a memory commitment, you may be missing those control commitments, because you have installed any virus on those systems.

Sam (09:14)
Yeah, and as you were kind of going through, it's just funny, because as you were kind of going through almost your standpoint, or argument I was, I was thinking I'm like, Huh, I'm like, what other controls because again, this kind of goes back to the checklist and understanding what other preventable controls can we have in place? Before we even get to the configuration or giving, you know, access to the backdoor before opening your actual logical access landscape? It's like thinking about what else can we put in place that might not get to that risky approach that you want to initially just put in place without education?

Justin (09:47)
That's exactly right. Yeah. So I have a list of of antivirus software's that have gone rogue, anywhere between 2018 and 2020. And so even up to just a year ago, we had anti-virus software that's going rouge. Okay, here's some of the list of items. So Avast, EVG, BitDefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee Panda, Quick Heal, and Norton have all been hacked or made available hacks in an operating system for hackers to basically installed their virus or whatever malware they wanted on the platform. And so I have a distinct lack of trust in these systems to let alone provide protection, if not actually provide an opportunity for a hack to take place. And so we've really pushed back against this concept that any virus is a solution. I don't think it is. And I think it runs counter to good security practices. And I'd much rather see us automate patching, and clean updates of operating systems, and also kind of distributing your data in a well backed up cloud environment, that kind of reduces the risk of an executable actually getting run somewhere as much better protection. I mean, that an email phishing, just training on how to detect someone that's email phishing, than ever installing antivirus software and imagining that you've solved the problem.

Sam (11:33)
Yeah, I don't think I'm as so far maybe, again, says you may maybe not guess, but I just I think it's important for people in organizations to kind of think about the precautions and some questions they could probably ask themselves before just going ahead, and, you know, installing antivirus without even thinking about okay, like, what is the true meaning to why I want to either purchase this or use open source or whatever they're going wherever route? And I think it still comes back to okay, you know, understanding what are your services? What type of data? Does the company store process transmit? Are they even dealing with sensitive or confidential data? Are they a managed services provider where they use their own workstation, and they pretty much do all development or services within someone else's environment? It's understanding what type of operating system do they have? Do they have, you know, Mac OS for the workstations? Do they have windows? Do they have a Linux server? Like, what are we dealing with here before they go down that route? And then I guess really understanding? Okay, what are the preventative controls? Do we have in place like our training our employees? Where would viruses come from? Right Thinking about that? Is it the applications that we're installing on our employee workstations from the black? What? Like the black Web? Or, you know, what kind of policies are they in place? It kind of goes along the hierarchy of, okay, let's think about the governance around this, you can't just start configuring things in your systems without even thinking about, you know, any of the incidents that may happen. And then, if an incident were to occur, how are they containing that, like, what is the protocols? So I think there's definitely a lot more controls that we had, think about Bissette that could be in the same bucket, or just understanding the operations around antivirus sub just installing it and then calling it a day.

Justin (13:35)
I think as, as someone that has, you know, put together a lot of these architectures and needed to manage the technology infrastructure for a digital organization, that by the time you go through the list of things that you could do without installing antivirus, you're going to wonder why you installed it in the first place. And I do think, you know, if I were designing a security posture, I think of two different things that I could do to mitigate that are like, that is very common today, that would have me say, we don't really need any virus, it causes more opportunity for harm than good. And the two things that we do today are (1) automated patching as much as possible. Second, (2) distributing data in such a way where if a system does get infected, it's not a ransomware thing, right, like, so let's say that I were in a situation where I had a system that was so critical that if ransomware happened on that computer, I would be willing to pay the money. I think in that situation, I don't want to, I still don't want to go install antivirus and say it's okay. I actually want to create a better technical architecture, right? I'm going to set up a virtual machine for you. Were going to secure the hard drive of that virtual machine in the cloud, you're only going to be logging into it VPN. I mean, colleagues that I know that work in the Department of Defense, they have air gap solutions or literal rooms where there's only paperwork, you can go because it's top secret, right? And, and that's their decision to protect, not be like, we're gonna install someone at the front of the door and make sure that, you know, they're gonna check all the pockets. The thing that's gonna work so well, you know. And also, I just I think reiterating for anyone that's that's enjoying these these sessions, this is supposed to be a discussion about what you want from security at your organization. And then really finding an auditor that can help grok your perspective on it, you know, all of these standards, it's, it's my under it's the way I have read them, Sam, they, they're not dictating to you technology, they don't want to dictate to you the security practices, actually, they just want to measure your security practice against a rubric, you know, a set of a set of measurements that they can be like, you know, are they trying to protect against malware? That doesn't mean any virus, right? Mm hmm. Yeah.

Sam (16:06)
Yeah, absolutely. And I think it's, I think it's important that you did kind of recap that and re-emphasize because, again, we're not trying to tell people what to do. But we're trying to give them kind of like, food for thought, like, want people to start thinking as security, something important for their business, but then just to not just, I guess, blindly follow a certain guidance, but kind of interpret it or work with somebody to help you interpret it that fits your business, but then it's also good security practices, and really thinking about as yourself in the greater scheme of things and understanding, okay, has this scenario happened to you? And what did you do? Or is sort of thinking about if we are going to break it down by like, systems? How are you actually, you know, if if a virus were to occur, if you are malware, like how are you containing it? And and how are you stopping it from happening again, in the future, whether it's through education, or actually configurations of some sort, or another tool. But I think it's just important that you don't just take a checklist, and you actually started thinking about what works and what is actually important to your business.

Justin (17:18)
Yeah, cuz you'll miss the things that matter. And yes, and you'll actually forget about the things that don't because you didn't want to do them, and you're like, This doesn't matter. I don't know why I'm doing it, and then stop doing it. I love these conversations, it was a really exciting one. This is, of course, one, that's kind of something I've contemplated a ton because I think, just like the rest of the operators out there trying to run a product or an organization. You know, we want to find the right balance between good habits that people want to stick to, and not like get involved in security theater, that doesn't actually make anything better for anyone. As a matter of fact, it makes it worse. Sam, always a treat to get a chance to chat about these things. Thanks for joining me once again.

Sam (18:08)
Yeah, absolutely. This one was particularly great, because it's a very specific topic. It's very specific control. So always, always looking forward to these items, especially, you know, when people think that hitting the easy button might act Oh, you know, is simple and easy, but really, it's not. And you could open up new gateways into you, I guess your crucial data so just really understanding your security posture and really understanding what you want and being a little bit more thought-provoking than just doing and executing.

Justin (18:43)
Yeah, antivirus is never an easy button. I mean, it's an easy decision but it's not an easy button.

Sam (18:50)
Exactly We don't want to make this an easy decision that you just really don't plan on either preventive or you know the the ladder of containment but still Yeah, always love these conversations, Justin.

Justin (19:06)
Have a great week, Sam,

Sam (19:09)
You as well.