kohlrak: My point being, the reason this stuff gets through AVs to begin with is because these viruses are encrypted and decrypted only at runtime after the AV has had a scan at them.
Magnitus: On immutable infra, the only "antivirus" you should need are programs that scan for ANY change on your filesystem other than very specific paths programs on the machine are expected to modify.
Metrics and centralised logging will make the system visible from the outside. Nobody should be sshing on it except if they need to troubleshoot when something goes horribly wrong and metrics/logs are insufficient to get to the root of the problem. Heck, the bastion to ssh into the machine should not even be there until you actually need to ssh into it (and it should be there only for the duration of your ssh session, you scrap it afterwards).
Most of the time, if something goes sideways, you just throw your VM in the trash and provision a new one.
Immutable infra, that's what most people should be running in 2021. If they aren't, they should ask their ops team to get up to date.
Only notable exception to that should be databases and even then, if you're using a modern distributed database, you should be able to methodically destroy replicas and replace them with new ones, one by one.
Other possible mitigation point is if you are running things on baremetal and not VMs (that's a bit more complicated to manage), but really, if you're using the cloud, which most people are at this point, then you're using VMs and you'd better brush up your Terraform if you want to make the best use of your platform.
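The "scan for ANY change outside the paths services are expected to modify" idea above, as an added example (not code from the thread): a hash baseline taken right after provisioning, a second snapshot later, and a diff that ignores an allow-list of mutable paths. The allow-listed paths and the sample files are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Paths (relative to the scanned root) that running services are expected to
# modify. Anything added, removed or changed outside them is drift. Assumed values.
ALLOWED_MUTABLE = ("var/log", "var/lib/app")


def _allowed(rel_path):
    """True if rel_path is one of, or lies under, an allow-listed mutable path."""
    return any(rel_path == p or rel_path.startswith(p + "/") for p in ALLOWED_MUTABLE)


def snapshot(root):
    """Map every regular file under root to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def drift(baseline, current):
    """Sorted relative paths that differ between two snapshots, excluding
    the allow-listed mutable paths. A non-empty result is the alert."""
    changed = set()
    for rel in set(baseline) | set(current):
        if baseline.get(rel) != current.get(rel) and not _allowed(rel):
            changed.add(rel)
    return sorted(changed)


def demo():
    """Constructed scenario: provision, take a baseline, then simulate writes."""
    root = tempfile.mkdtemp()
    for rel, data in {"usr/bin/app": b"binary", "var/log/app.log": b"start",
                      "etc/app.conf": b"port=80"}.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    base = snapshot(root)
    # Expected churn: the log grows. Unexpected: a binary changes, a new file appears.
    with open(os.path.join(root, "var/log/app.log"), "ab") as fh:
        fh.write(b"more")
    with open(os.path.join(root, "usr/bin/app"), "wb") as fh:
        fh.write(b"modified")
    with open(os.path.join(root, "usr/bin/unexpected"), "wb") as fh:
        fh.write(b"new")
    return drift(base, snapshot(root))
```

On a real host the baseline would be stored off-box (or in the image metadata) so a compromised machine cannot rewrite it.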
Don't get me wrong, I believe an argument should stand or fall independent of its speaker, but I really must ask about your familiarity with the subject matter. Indeed, the notion of keeping everything in a VM, doing constant scrubs and all that is great on paper and indeed idealistic. The problem, however, is that these computers are actually designed to do something. I'm sure you'd have a canary seeing the things I've seen passed off as "security" in things like hospitals (where you and I would certainly be in agreement as woefully inadequate). However, these machines serve a purpose outside of strictly being black boxes holding data. Removing SSH, for example, until you need it would require someone to man the office at all times just to enable or disable it. Moreover, VMs, even with hardware virtualization, still don't have the processing power necessary to accomplish the tasks most likely occurring: Cyberpunk 2077 isn't going to be debugged in a VM. Or are you talking about a gateway in particular, and not all the servers as a whole? Also, with all those precautions, you should be made aware that there exist viruses that target VMs, to bypass this kind of protection.
It's more reasonable to only give servers with a specific purpose specific types of access. The fact that, supposedly, code and employee data were stored on the same servers should be highly questioned. I only do it because I don't have the money for such protection. A corporation should be expected to have more servers to dedicate these processes to. If they were properly distributed, how the hell was there a setup that allowed someone with access to the dev server to get their hands on employee and investor databases? That's just asking for this kind of attack to happen by a disgruntled current or former employee.
Magnitus: To be fair, a lot of people are not doing it, it's horrible. They'd rather do 10 units of work than 2 units of work and 2 units of learning. Work dumb, work harder.
Orkhepaj: I bet that's how most companies work, they think the old known ways are the best to continue with, the unknown is too dangerous or something.
Not all old things and ideas are broken: we're still using printf in most CLI programs, at the end of the day. The problem is the bits that aren't safe, like gets. Some of the new stuff is more secure, and some of it is a lot worse. Corporations are a slightly different beast than a common non-corporate company. Corporations are almost legally obligated to old ways.
kohlrak: EDIT: As for legally, probably not. If there is, they surely nullified it with some sort of contract. Waiving your rights is SOP, anymore.
Zrevnur: You are from US. In EU such things work differently. 'Waiving your rights' as a customer or lowly employee (in terms of the context being critical private information) is mostly impossible here - such parts of contracts are likely invalid.
And in parts of Europe (Poland too I think but don't know for sure) trade unions and such can be quite powerful and have major say in such things - but I don't know if that relates to CDPR.
Yet GOG and everyone else still pushes EULAs. I understand their enforceability is suspect, but they seem to have some degree of power if they find their origins in Europe as well. Meanwhile, I'm not entirely opposed to the notion, but there needs to be some kind of limit on it, some immutable rights, while also making room for things like reasonable NDAs. I'm particularly worried about how selective enforcement of contracts can change existing contracts (especially things like marriage and prenups).