What's the worst virus protection blooper that you've seen in the field? What were the results? How was the damage
repaired? Linux viruses are far and few between these days. Much has to do with the fact that the popularity of Microsoft systems makes Windows a more attractive platform for virus writers, and Linux systems make it harder for malicious code to propagate since root access should be limited.
That said, we can still learn lessons from past viruses that affected Microsoft platforms. For example, an organization was so hard hit with Nimda that they had to revert back to backed-up copies of their systems. What they didn't realize is that the backed-up copies were not patched, and they were infected again with the virus.
The lesson here is that we should have strong recovery and backup procedures that take into account vulnerabilities and exploits in the world. Also, we may see more well-crafted viruses that can damage Linux systems in the future, especially with the link to the Windows world with things like Samba and NFS. What are some common mistakes that administrators make in implementing and managing antivirus measures?
Not making sure that signatures are updated, discovering new assets in the organization or knowing all the vulnerabilities on those assets.
Antivirus packages are definitely not enough. The mantra of security professionals these days is the concept of defense in-depth. This can be directly applied to Linux systems. Antivirus is not enough, and patching can be an onerous task. Understanding the vulnerabilities on a system and quickly fixing them is one method to stay ahead of hackers and malicious code.
A second option is to be more proactive. Prevention methods have gained much airtime in the industry lately, but it really comes down to better access controls and enforcement of system functions. Ensuring the right person or process has access to the right resources and denying all other operations are proactive ways to protect your Linux systems. What enterprise-level security applications have been missing from Linux? Is this gap being closed?
As Linux starts playing on the enterprise stage, management becomes important. Central administration of Linux security (different versions and different platforms) needs to be addressed to ensure consistent and timely protection of systems. Asset-based vulnerability management has been lacking on most Linux platforms and needs to be addressed to accurately assess the exploit status of Linux systems.
The gap is narrowing. When we see articles and tips for securing Linux systems today, we run into a plethora of open source tools. These tools each provide a function like root control, log enhancements, policy monitoring, etc. These functions tactically fill a security checkmark, but in practice are difficult to manage. The fragmentation of tools makes it almost impossible to ensure consistency as Linux deployments become more pervasive.
It still has to be the lack of asset management that IT administrators have. If queried, most people still do not have an accurate inventory of the systems they have and what applications and other software they are using on those platforms. Without this information, you can never know what needs to be secured and what may be vulnerable.
Another common mistake is using bad and easy-to-crack passwords. All too often, I have walked into companies and noticed their systems have the user ID of 'root' and a password of 'password.' Making sure that the keys to the kingdom are not easy to find is an obvious, but often overlooked task.