this post was submitted on 26 Aug 2024

Cybersecurity

esc27@lemmy.world 17 points 2 months ago

It has been a few years, but I was once asked to implement 800-171. The document was aggressively vague and really the sort of thing that requires hiring a consultant to set up and probably at least one FTE to maintain. Thankfully our project was abandoned before I had to start looking for other employment just to get away from the damn thing.

So I emphasize with Georgia Tech for not perfectly implementing the rules to the government's confusing standards.

However, the researchers' refusal to run anti-virus even when required by the contract was just stupid. "Academic freedom" doesn't mean anything when your grants are revoked or you get sued for millions over a breach. That said, they should have been able to work out some sort of "compensating control" to use instead of anti-virus and get that approved by the government.

harrys_balzac@lemmy.dbzer0.com 9 points 2 months ago* (last edited 2 months ago)

I think you meant "empathize," not "emphasize."

I agree, though - running without any sort of AV is just arrogant and foolish.

flying_sheep@lemmy.ml 15 points 2 months ago* (last edited 2 months ago)

No, that's not the take-away.

Going without AV as a computer-savvy person is perfectly reasonable, as AV companies can't be trusted, and AVs are notorious for having deep-seated privileges and bad security themselves – therefore increasing your attack surface.

The take-away is that if you're deciding for an institution that's contractually obligated to do a thing, you should do it.

Ajen@sh.itjust.works 2 points 2 months ago

Depending on how the contract was written, running a ClamAV scan periodically may have been sufficient.
