
Sysadmin and the path of the sword

Dear Habr readers, in this article by our analyst Vyacheslav Medvedev we would like to share a few thoughts on how today's sysadmins in small and medium-sized businesses work with antivirus software. Any comments are welcome. The issues discussed in the material are quite controversial.

System administrator is a legendary, even mythical profession: the hero of epic stories and jokes, a person who can fix everything in the office that falls under his job description (and, when necessary, what does not).
In most companies the sysadmin is the only person who understands modern technology.

Yet in many cases the sysadmin position is the peak of career growth, because these great guys rarely become technical directors. Moreover, IT departments are sometimes headed by people who understand nothing about installing and configuring hardware and software. Why does this happen?

The main thing for any organization is getting its tasks done. Anything that prevents or slows that down should be eliminated.

This means that all business procedures and the actions of the company's employees, customers and partners should be carried out as conveniently and as quickly as possible for them.
Naturally, this is not a complete list of requirements for business procedures; those interested can be referred, for example, to the ITIL family of standards.

From the standpoint of these requirements, both viruses and antiviruses are evil. The former steal, destroy and distract from work. The latter keep viruses out of the network but themselves slow the system down.
The sysadmin's task is therefore to ensure that there are no viruses and that the system "does not lag".
As a rule, the problem is solved head-on: on someone's recommendation, an antivirus that "does not lag" is installed. But "does not lag" and "catches all viruses" are two very different things.
Simply put, antivirus databases are a set of signatures, procedures for detecting malicious files, and methods for unpacking various types of archives.
Finding a virus (or any other malicious program) therefore means running through these methods and signatures. So a high scan speed does not necessarily indicate high detection quality.

Naturally, the leading antivirus vendors, aware of the problem, optimize their detection algorithms, but when database sizes differ several-fold, this should give one pause.
So before installing an antivirus, you need to think about the possible ways viruses can enter the company.

Ideally this requires an audit of all the company's business processes and an analysis of the significance of every IT threat, but in this article we simplify the task.

The most typical ways for viruses to penetrate a system are the Internet, e-mail, vulnerabilities in the software used, and removable media.

From my experience speaking at various conferences and seminars, the relative significance of each of these channels is a mystery to many.

As surveys show, in most cases e-mail and the Internet are named as the most dangerous penetration channels for a company.

Accordingly, most of the funds are allocated to protecting these routes. Moreover, in most cases the problem is solved purely by technical means: installing antivirus traffic monitoring systems.
In fact, the bulk of viruses (or rather, Trojans) get into the network through the employees themselves, on their removable media.
Thus, first of all, you need to configure the access control system. Each employee should have access only to the information he needs. The use of USB drives should be limited to the minimum (and for most employees prohibited entirely).
These rules should be implemented without any objection, but... practice still shows that in most small and medium-sized businesses everyone has access to everything. Truly, until the thunder claps...
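As an added illustration of the removable-media restriction recommended above (this is not the author's or Dr.Web's code), here is a PowerShell script that applies and audits the Windows removable-storage policy on a single workstation; the function names and the mode labels are my own.

```powershell
# Added example, not from the article: per-machine Windows policy for removable
# storage, matching the advice that most staff get no USB-drive access at all.
# Assumes Windows, run as Administrator. In a domain, put the same settings in a
# GPO (Computer Configuration > Administrative Templates > System > Removable
# Storage Access) and scope exceptions to groups instead of editing registries.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-setup class GUID for "Removable Disks" (USB flash drives and the like)
$RemovableDisks = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableStoragePolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DenyAll', 'ReadOnly', 'Allow')]
        [string]$Mode
    )
    # Start from a clean slate so modes do not accumulate
    if (Test-Path $PolicyRoot) { Remove-Item $PolicyRoot -Recurse -Force }
    switch ($Mode) {
        'DenyAll' {   # every removable storage class blocked: the default for most staff
            New-Item -Path $PolicyRoot -Force | Out-Null
            New-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
        }
        'ReadOnly' {  # exception for staff who must read vendor media: no write, no execute
            $classKey = Join-Path $PolicyRoot $RemovableDisks
            New-Item -Path $classKey -Force | Out-Null
            foreach ($name in 'Deny_Write', 'Deny_Execute') {
                New-ItemProperty -Path $classKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
            }
        }
        'Allow' { }   # policy key already removed above: back to Windows defaults
    }
}

function Get-RemovableStoragePolicy {
    # Report the effective local policy so workstations can be audited
    if (-not (Test-Path $PolicyRoot)) { return 'Allow' }
    $root = Get-ItemProperty -Path $PolicyRoot
    if ($root.Deny_All -eq 1) { return 'DenyAll' }
    $classKey = Join-Path $PolicyRoot $RemovableDisks
    if (Test-Path $classKey) {
        $cls = Get-ItemProperty -Path $classKey
        if ($cls.Deny_Write -eq 1 -and $cls.Deny_Execute -eq 1) { return 'ReadOnly' }
    }
    return 'Custom'
}

Set-RemovableStoragePolicy -Mode DenyAll
Get-RemovableStoragePolicy
```

Run Get-RemovableStoragePolicy on its own during audits; any workstation reporting Allow or Custom is one where the rule has drifted and should be brought back under the group policy.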

And what prompts restoring order in this area is (again, as a rule) not virus incidents but problems with employees or with the business as a whole.
Here we return to the beginning of the article. Who should be involved in restricting access? The system administrator is a technician who knows what to do to limit or extend rights.

But he does not know who is entitled to which rights. That should be decided by information security specialists (security officers) together with the quality manager.
But in most companies neither an information security department nor a quality department exists, whether from a lack of understanding of the need or a lack of funds.

Additional intrigue is introduced by the requirement to appoint a responsible person, imposed by the personal data protection law.
As a rule, either a lawyer or the sysadmin is appointed. Thus, on top of his duties, the administrator effectively receives the duty of describing business processes. One can, of course, accomplish this task formally: issue all the documents required by Federal Law No. 152-FZ and forget about the obligation. But from description to optimization is only one step.

Having audited the company (which is exactly what describing business processes requires), will you refrain from proposing to optimize its processes (and you will have to propose it, since there will surely be superfluous personal data)?
Remain a technical specialist, a valued employee of the company, but merely an executor of assigned tasks, or become a person who influences the choice of the company's path? What should the warrior's path be: the path of the sword guided by a hand, or the path of the hand that decides where to point the sword?
Let's return to antivirus protection.

Suppose we have chosen and installed on all workstations a product that restricts access wherever no one needs it, prohibits removable media, and controls incoming and outgoing traffic. Everything is set up, there are no viruses. What do we have in the end? Complaints about system load and complaints about the lack of access to favorite sites (with their favorite viruses).
The second we deal with quickly, by presenting a list of the viruses specific users received from specific servers. The first is more complicated.

Especially when demanding applications such as CAD systems are running on the machines. But is an antivirus needed on the machine at all if the paths by which viruses reach it are blocked (and especially if it is a machine with 256 MB of memory, which is not uncommon in our country, and not only ours)?

This option is quite realistic. Mail and Internet traffic can be checked on the corresponding servers. Infection via users is blocked by reasonable restrictions on USB drives and on unnecessary access.

There are, of course, insiders and hackers, but fighting them is a separate topic that does not end with installing a firewall on every workstation.
Naturally, antivirus scanning cannot be removed completely (since there is always a chance of missing fundamentally new viruses unknown to the antivirus), but it can be performed periodically, on a schedule, with an on-demand antivirus scanner.

Few people know that an on-demand scanner checks to a greater depth than a background file monitor.
Is there a downside? Naturally. Procurement costs will rise. But so will the protection options. Server products have far greater filtering capabilities than workstation products (especially those for the Unix platform, thanks to the far fewer restrictions imposed by the products running on it).

Can the work be sped up further? It can. Introduce policies and restrict file downloads by type. Move spam filtering from the mail server to a mail proxy.
Spam now makes up about eighty percent of mail traffic, and by not letting this muddy stream reach the mail server we significantly speed up message delivery (which is especially good for MS Exchange servers). However, virus checking should not be removed from the mail server itself: the possibility of viruses spreading through internal correspondence cannot be ruled out.

But all these measures can be taken only with regard to their effect on the company's affairs. One must compare not only the speed and cost of the solution (not forgetting to add the purchase cost and the maintenance cost) but also the significance of the implemented solutions for the company. Price must be weighed against the need to eliminate threats. Speak the language of finance.
You cannot walk into the CEO's office and put two documents on the table: a list of the software and hardware functionality to be purchased, and its cost. There should be one document, and it should describe how profitable the purchase is for the company, what the options are, and why the one the administrator settled on should be chosen.
Thus, to grow beyond system administrator and move up to the next level, it is not enough to know the technology perfectly and be aware of the market alternatives to the software already in use.
Any choice must be viewed not only from the standpoint of executing a procedure but, and this is important, from the standpoint of business: the significance of any action for the company as a whole.

Source: https://habr.com/ru/post/140055/

