March 15, 2012 at 17:57Sysadmin and the way of the sword
Dear Khabrovites, in this article by our analyst Vyacheslav Medvedev, we would like to share with you a few thoughts about the specifics of the work of modern system administrators with antivirus software in medium and small businesses. Any comments are welcome. The issues that are discussed in the material are highly debatable.
The system administrator is a legendary and even mythical profession. Hero of epic stories and jokes. A person who can fix everything in the office that concerns him according to the job description (and, if necessary, that which does not concern him).
In most companies, the sysadmin is the only person versed in modern technology.
But in many cases, the post of system administrator is the peak of career growth, because these wonderful guys rarely become technical directors of companies. Moreover, sometimes people who do not understand anything in configuring and installing hardware and programs become the heads of IT departments. Why is this happening?
The main thing for any organization is the fulfillment of its tasks. Anything that impedes or slows down tasks should be ruled out.
This means that any business procedures and actions of company employees, its customers and partners should be carried out as conveniently as possible for them and no less quickly.
Naturally, this is not a complete list of requirements for business procedures - those interested in this can be sent, for example, to the standards of the ITIL family.
From the perspective of the above requirements, both viruses and antiviruses are evil. The first steal, destroy and distract from work. The second ones do not allow viruses to penetrate the network, but they themselves slow down the system.
Therefore, the task of the system administrator is to make sure that there are no viruses, and the system does not slow down.
As a rule, the task is solved "in the forehead." According to the recommendations, an antivirus is installed that does not slow down. But “does not slow down” and “catches all viruses” are two big differences.
Simply put, anti-virus databases are a set of signatures, malware detection procedures, and methods for unpacking various types of archives.
Searching for a virus (like any other malicious program) in this case is an enumeration of these methods and signatures. That is, a high scan speed does not always indicate a high quality search.
Naturally, the manufacturers of leading antiviruses, realizing the problem, optimize the detection algorithms, but if the size of the database is different at times, then this should lead to some thoughts.
Therefore, before installing an antivirus, you need to think about the possible ways for viruses to enter the company.
Ideally, this requires an audit of all business processes of the company, as well as an analysis of the significance of all IT threats, but within the framework of this article we simplify the task.
The most typical ways for viruses to enter the system are the Internet, mail correspondence, vulnerabilities in the software used, and removable media.
From the experience of my speeches at various conferences and seminars, it follows that for many, the significance of each of these channels is a mystery.
As the practice of surveys shows, in most cases, the most dangerous penetration channels for a company are called mail and the Internet.
Accordingly, the greatest means are allocated to protect these penetration paths. Moreover, in most cases the task is solved solely by technical means - the installation of anti-virus traffic control systems.
In fact, the bulk of viruses (or rather Trojans) enters the network through the employees themselves - on their removable media.
Thus, first of all, you need to configure the access system. Each employee should have access only to the information that he needs. The use of USB-drives should be limited to a minimum level (and for most employees their use should be completely prohibited).
These rules are subject to implementation without any objection, but ... All the same practice shows that in most small and medium-sized businesses everyone has access to everything. Truly, until the thunder strikes ...
And the reason for putting things in order in this area (as a rule) is not virus incidents, but problems with employees or the business as a whole.
And here we return to the beginning of the article. Who should restrict access? A system administrator is a technician who knows what to do to restrict or expand rights.
But he does not know to whom and what rights are supposed. This should be done by the specialists of the information security department (security officers) together with the quality manager.
But in most companies there is no information security department or quality department due to a lack of understanding of the need or lack of funds.
An additional intrigue is introduced by the requirement to appoint a responsible person, presented by the law on the protection of personal data.
As a rule, either a lawyer or a system administrator is appointed as the responsible person. Thus, in the burden on his job duties, the administrator gets actually the duty to describe business processes. You can, of course, complete this task formally - fill out all the papers required by Federal Law No. 152-FZ and forget about this obligation. But from the description to the optimization - one step.
Carry out an audit of the company (namely, this is required to describe business processes) and not offer to optimize them (but you still have to offer it, as there will probably be extra personal data)?
Remain a technical specialist, a significant employee of the company, but just an executor of tasks, or become a person who influences the choice of the company's path? What should be the way of a warrior? The path of the sword, which is guided by the hand, or the path of the hand, which decides where to direct the sword?
Back to antivirus protection.
Suppose we have selected and installed a product on all workstations that restricts access to where no one needs it, and prohibits removable media, and controls incoming and outgoing traffic. All set up, no viruses. What do we have in the end? Complaints about loading systems and complaints about the lack of access to your favorite sites (with your favorite viruses).
We deal with the second quickly by presenting a list of viruses received by specific users from specific servers. The first, however, is more complicated.
Especially when resource-intensive applications such as Kadov systems are running on machines. But do you need an antivirus on the machine if the pathways for viruses to penetrate it are blocked (and especially if it is a machine with 256 MB of memory, which is often found in the open spaces of our and not only our country)?
This option is quite real. Checking mail and Internet traffic can be carried out on the corresponding servers. The flow of viruses through users is blocked by reasonable prohibitions on USB-drives and unnecessary access.
Of course, insiders and hackers remain, but the fight against them is a separate issue, which does not end with the installation of a firewall on all workstations.
Naturally, it is impossible to completely remove the anti-virus scan (since there is always the possibility of skipping fundamentally new viruses unknown to anti-viruses), but it can be performed periodically - according to a schedule, by an anti-virus scanner.
Few people know that scanning with a scanner is carried out to a greater depth than scanning with a background file monitor.
Minus? Naturally there is. The purchase price will increase. But the opportunities for protection will increase. Server products have much greater filtering capabilities than products for workstations (especially those implemented for the Unix platform, due to the much lower restrictions imposed by products running on it).
Can I speed up the work? Can. Introduce policies and restrict file downloads by type. Make spam check from the mail server to the mail proxy.
Spam now occupies about eighty percent of mail traffic and by not allowing this muddy flow to the mail server, we significantly speed up message delivery (which is especially good for MS Exchange mail servers). However, you should not take out a virus scan from the mail server itself - the probability of spreading viruses through internal correspondence cannot be ruled out.
But all these measures can be taken only taking into account their influence on the affairs of your company. It is necessary to compare not only the speed of work and the cost (not forgetting to add the purchase cost and the cost of maintenance) of the solution, but also the significance of the implemented solutions for the company. It is necessary to correlate the price and the need to eliminate threats. Speak the language of finance.
You can’t come to the CEO’s office and put two documents on his desk: a list of the functionality of the software and hardware proposed for purchase and their cost. The document should be one, and it should describe how beneficial the company is for the purchase, what options are available, and why the one on which the admin is staying should be selected.
Thus, in order to grow from a system administrator and rise to the next level, you need not only to know the technique perfectly and navigate the alternatives to the software already used on the market.
You need to look at any choice, not only from the point of view of the procedure, but, and most importantly, from the point of view of business, the significance of any action performed for the company as a whole.
The system administrator is a legendary and even mythical profession. Hero of epic stories and jokes. A person who can fix everything in the office that concerns him according to the job description (and, if necessary, that which does not concern him).
In most companies, the sysadmin is the only person versed in modern technology.
But in many cases, the post of system administrator is the peak of career growth, because these wonderful guys rarely become technical directors of companies. Moreover, sometimes people who do not understand anything in configuring and installing hardware and programs become the heads of IT departments. Why is this happening?
The main thing for any organization is the fulfillment of its tasks. Anything that impedes or slows down tasks should be ruled out.
This means that any business procedures and actions of company employees, its customers and partners should be carried out as conveniently as possible for them and no less quickly.
Naturally, this is not a complete list of requirements for business procedures - those interested in this can be sent, for example, to the standards of the ITIL family.
From the perspective of the above requirements, both viruses and antiviruses are evil. The first steal, destroy and distract from work. The second ones do not allow viruses to penetrate the network, but they themselves slow down the system.
Therefore, the task of the system administrator is to make sure that there are no viruses, and the system does not slow down.
As a rule, the task is solved "in the forehead." According to the recommendations, an antivirus is installed that does not slow down. But “does not slow down” and “catches all viruses” are two big differences.
Simply put, anti-virus databases are a set of signatures, malware detection procedures, and methods for unpacking various types of archives.
Searching for a virus (like any other malicious program) in this case is an enumeration of these methods and signatures. That is, a high scan speed does not always indicate a high quality search.
Naturally, the manufacturers of leading antiviruses, realizing the problem, optimize the detection algorithms, but if the size of the database is different at times, then this should lead to some thoughts.
Therefore, before installing an antivirus, you need to think about the possible ways for viruses to enter the company.
Ideally, this requires an audit of all business processes of the company, as well as an analysis of the significance of all IT threats, but within the framework of this article we simplify the task.
The most typical ways for viruses to enter the system are the Internet, mail correspondence, vulnerabilities in the software used, and removable media.
From the experience of my speeches at various conferences and seminars, it follows that for many, the significance of each of these channels is a mystery.
As the practice of surveys shows, in most cases, the most dangerous penetration channels for a company are called mail and the Internet.
Accordingly, the greatest means are allocated to protect these penetration paths. Moreover, in most cases the task is solved solely by technical means - the installation of anti-virus traffic control systems.
In fact, the bulk of viruses (or rather Trojans) enters the network through the employees themselves - on their removable media.
Thus, first of all, you need to configure the access system. Each employee should have access only to the information that he needs. The use of USB-drives should be limited to a minimum level (and for most employees their use should be completely prohibited).
These rules are subject to implementation without any objection, but ... All the same practice shows that in most small and medium-sized businesses everyone has access to everything. Truly, until the thunder strikes ...
And the reason for putting things in order in this area (as a rule) is not virus incidents, but problems with employees or the business as a whole.
And here we return to the beginning of the article. Who should restrict access? A system administrator is a technician who knows what to do to restrict or expand rights.
But he does not know to whom and what rights are supposed. This should be done by the specialists of the information security department (security officers) together with the quality manager.
But in most companies there is no information security department or quality department due to a lack of understanding of the need or lack of funds.
An additional intrigue is introduced by the requirement to appoint a responsible person, presented by the law on the protection of personal data.
As a rule, either a lawyer or a system administrator is appointed as the responsible person. Thus, in the burden on his job duties, the administrator gets actually the duty to describe business processes. You can, of course, complete this task formally - fill out all the papers required by Federal Law No. 152-FZ and forget about this obligation. But from the description to the optimization - one step.
Carry out an audit of the company (namely, this is required to describe business processes) and not offer to optimize them (but you still have to offer it, as there will probably be extra personal data)?
Remain a technical specialist, a significant employee of the company, but just an executor of tasks, or become a person who influences the choice of the company's path? What should be the way of a warrior? The path of the sword, which is guided by the hand, or the path of the hand, which decides where to direct the sword?
Back to antivirus protection.
Suppose we have selected and installed a product on all workstations that restricts access to where no one needs it, and prohibits removable media, and controls incoming and outgoing traffic. All set up, no viruses. What do we have in the end? Complaints about loading systems and complaints about the lack of access to your favorite sites (with your favorite viruses).
We deal with the second quickly by presenting a list of viruses received by specific users from specific servers. The first, however, is more complicated.
Especially when resource-intensive applications such as Kadov systems are running on machines. But do you need an antivirus on the machine if the pathways for viruses to penetrate it are blocked (and especially if it is a machine with 256 MB of memory, which is often found in the open spaces of our and not only our country)?
This option is quite real. Checking mail and Internet traffic can be carried out on the corresponding servers. The flow of viruses through users is blocked by reasonable prohibitions on USB-drives and unnecessary access.
Of course, insiders and hackers remain, but the fight against them is a separate issue, which does not end with the installation of a firewall on all workstations.
Naturally, it is impossible to completely remove the anti-virus scan (since there is always the possibility of skipping fundamentally new viruses unknown to anti-viruses), but it can be performed periodically - according to a schedule, by an anti-virus scanner.
Few people know that scanning with a scanner is carried out to a greater depth than scanning with a background file monitor.
Minus? Naturally there is. The purchase price will increase. But the opportunities for protection will increase. Server products have much greater filtering capabilities than products for workstations (especially those implemented for the Unix platform, due to the much lower restrictions imposed by products running on it).
Can I speed up the work? Can. Introduce policies and restrict file downloads by type. Make spam check from the mail server to the mail proxy.
Spam now occupies about eighty percent of mail traffic and by not allowing this muddy flow to the mail server, we significantly speed up message delivery (which is especially good for MS Exchange mail servers). However, you should not take out a virus scan from the mail server itself - the probability of spreading viruses through internal correspondence cannot be ruled out.
But all these measures can be taken only taking into account their influence on the affairs of your company. It is necessary to compare not only the speed of work and the cost (not forgetting to add the purchase cost and the cost of maintenance) of the solution, but also the significance of the implemented solutions for the company. It is necessary to correlate the price and the need to eliminate threats. Speak the language of finance.
You can’t come to the CEO’s office and put two documents on his desk: a list of the functionality of the software and hardware proposed for purchase and their cost. The document should be one, and it should describe how beneficial the company is for the purchase, what options are available, and why the one on which the admin is staying should be selected.
Thus, in order to grow from a system administrator and rise to the next level, you need not only to know the technique perfectly and navigate the alternatives to the software already used on the market.
You need to look at any choice, not only from the point of view of the procedure, but, and most importantly, from the point of view of business, the significance of any action performed for the company as a whole.