Official IT Security
Government Level IT Security - while maintaining your sanity, your humanity, and some of your budget
Robin Laurén - Reaktor
This is where you can find me on the Internet. I’m llauren on the Mac Admins Slack, RobinLauren on Twitter and robin.lauren.fi on the world wide web, where I’ll also post the slides of this talk.
So I’m going to talk to you about “Official security”. This isn’t an actual term, so I’d better explain myself a bit.
So here are a few spoilers for the next forty or so minutes.
- Designations are applied by the government, or by you if you are an accredited contractor
- You can’t just go and slap a “secret” label on whatever and think it’s a government secret after that.
- Again, leaking this will get you into a lot of trouble and can give you jail time (whistleblowers take heed). In the UK, some of the corresponding laws only apply if you are or have ever been working for the government or the Crown.
- The CIA triad: confidentiality, integrity and availability. Of these, confidentiality seems the most important here.
- You may or may not agree with your government, your police force or your communications authorities, but there are probably some pretty smart people working there and they have surely done a good thing or two. Take this from the white hat or black hat position.
- Know what to do if you come across a classified Steele dossier
- You might be working for the government, and then you really should already know this (though your office might just be sloppy :)
- Just watch the Colony on Netflix; good drama but boy, all that leaking
- To you? Maybe it isn't, and that's okay too.
- Just curiosity
- You might have a hacker mindset; know thy enemy
- It's your taxpayer money; in a sense, you are the owner and the customer
- Learn how the other side is doing; be inspired?!
- Be a better customer
- Spilling company secrets can get you fined or fired; spilling national secrets can get you jail time
So should you worry? Well, for the most part, no. If you’re not in the Serious Business, you probably won’t ever be involved and you can view this talk as an academic exercise. Should you find a classified (“stamped”) dossier at the back of a taxi or in a hotel lobby, just know that spreading the information or even just reading it might get you into serious trouble.
Here we come to the specifically Finnish part, and it’s got a name, KATAKRI.
- ST III Confidential
- ST II Secret
- ST I so secret it isn't even mentioned in KATAKRI :)
- Is there a "Cosmic Secret" level above this? `o_O` (Wear tin hat now)
OK, so now we’ll take a deep dive into KATAKRI.
- `T 06` Handling your "security events" (or rather, exceptions), so that you have planned ahead, trained the crew, documented the HOWTOs, practiced, and have communication practices and responsibilities in place
- `T 07` All classified information should be labelled as such (tricky with source code)
- `T 08` "Life span" of crew, from hire to fire and beyond
- `T 09` Background checks as needed
- `T 10` NDA practice (why, when there's the law? psychological reasons, I suppose)
- `T 11` Security education and awareness, regularly; updated as needed
- `T 12` Need to know, who's who, who can access what, least privilege (documentation!)
Physical security is about securing where you work.
- `F 02` Secure and locked, escort guests at all times, storage for classified information. Entry and exit through a perimeter; access only to those with authorisation and clearance.
- Intrusion detection, scan your areas visually at (random) intervals.
- `F 03` Security systems for physical protection are approved and in order, and tested.
- `F 04` Access rights management to deny unauthorised access. ID cards recommended. Somebody responsible for granting access.
- `F 05` Manage thy keys; change thy codes from the defaults and at least every 12 months (for common codes), or after maintenance or suspected compromise. Documentation again.
- `F 06` Protection against sneak peeking (unauthorised observation and overlooking), so windows have blinds, computers have privacy filters if needed, displays and video projectors are turned so that they don't shine out the window.
- `F 07` Enough sound isolation to protect against eavesdropping.
- No unauthorised communication lines or equipment.
The next eight slides are all about different aspects of information security.
- You need a change management system (documentation, approval, whatever suits you) to document who made a change, what, why and when. Document relentlessly. You'll do Future You a service.
- Note that "approved" and "documented" are kind of recurring themes? Authorities love documentation to the degree that if it isn’t documented, it doesn’t exist.
- Using a wireless network is considered stepping into the "public" zone. Best to disable all of it. Use an approved VPN if you must (really, you don't want to).
- Disable Bluetooth while you're at it. This comes at a later stage, but I'll mention it now anyway.
- This may seem archaic and really restrictive, but consider the opsec angle: you generally need to be _on_ a wired network to sniff it.
- Effectively, this also means "no telephones". Later we get to No Microphones and No Cameras.
- Of course, you can always wallpaper with a mosquito net :)
- This shouldn't come as much as a surprise to anyone...
- Access control, groups, separation of duties
- Sometimes you’re the admin, sometimes a user, so don’t surf around as root. How many out there have separate accounts for themselves on their laptop? One for surfing and one for installing software? Do they have different passwords?
- LDAP is your friend (FreeIPA since Mac Server is going away)
- Apply Principle of Least Privilege (be aware of services!)
- You need a list of your users which is *not* your `/etc/passwd`, with when they got access, where and why. A good IdM is your friend.
- No default passwords
- Have a sensible password policy (complexity, rotation frequency, lockout...)
- Encrypted passwords, of course
- Separate different kinds of secrets from each other
- Have a way (hey, logging!) to know who touched what (audit trail!)
- For PL III, 2FA and 802.1X or confined networks
- Handle your classified information according to its highest security component
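The points above about least privilege, an access register that is not `/etc/passwd`, and an audit trail can be tied together in one check. The script below is an added example, not material from the talk: it reconciles a passwd/group-style account dump against a CSV access register and reports accounts that are undocumented, whose grant has expired, or that hold admin group membership the register never approved. The register's column layout, the admin group name and all sample data are this example's own constructions.

```python
"""Reconcile local accounts against a documented access register.

Added example (not from the talk): the register records who has access,
since when, where and why, separately from /etc/passwd. Comparing the two
surfaces undocumented accounts, expired grants, and accounts holding more
privilege than the register approved. All sample data is constructed.
"""
import csv
import io
from datetime import date

# Constructed /etc/passwd-style dump. Only human accounts (UID >= 1000 with
# a real login shell) are in scope; system accounts are skipped.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice Admin:/home/alice:/bin/bash
bob:x:1002:1002:Bob Builder:/home/bob:/bin/bash
carol:x:1003:1003:Carol Contractor:/home/carol:/bin/bash
mallory:x:1004:1004::/home/mallory:/bin/bash
"""

# Constructed /etc/group-style dump; membership of the admin group is what
# gets checked against the role the register approved.
GROUP_SAMPLE = """\
root:x:0:
sudo:x:27:alice,bob
users:x:100:alice,bob,carol,mallory
"""

# Constructed access register (CSV; the column layout is this example's own
# assumption). An empty "expires" means the grant is open-ended.
REGISTER_SAMPLE = """\
username,granted,expires,role,approved_by,reason
alice,2023-01-10,,admin,cto,primary sysadmin
bob,2023-03-02,,user,alice,developer on project X
carol,2024-02-01,2024-06-30,user,alice,contractor for project X
dave,2022-05-05,,user,alice,left the company
"""


def parse_passwd(text, min_uid=1000):
    """Return {username: uid} for human login accounts (uid >= min_uid, real shell)."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid >= min_uid and not shell.endswith("nologin"):
            accounts[name] = uid
    return accounts


def parse_group(text):
    """Return {groupname: set(members)} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line:
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_register(text):
    """Return {username: row} from the CSV access register."""
    return {row["username"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(passwd_text, group_text, register_text, as_of, admin_group="sudo"):
    """Compare accounts with the register as of an ISO date; return (user, finding) pairs."""
    today = date.fromisoformat(as_of)
    accounts = parse_passwd(passwd_text)
    admins = parse_group(group_text).get(admin_group, set())
    register = parse_register(register_text)
    findings = []
    for user in sorted(accounts):
        entry = register.get(user)
        if entry is None:
            findings.append((user, "undocumented"))  # nobody approved this account
            continue
        if entry["expires"] and date.fromisoformat(entry["expires"]) < today:
            findings.append((user, "expired"))  # grant ran out but account remains
        if user in admins and entry["role"] != "admin":
            findings.append((user, "privilege-exceeds-register"))  # least privilege
    # Register entries with no matching account: stale paperwork, worth cleaning up.
    for user in sorted(set(register) - set(accounts)):
        findings.append((user, "documented-but-absent"))
    return findings


def demo_findings():
    """Run the reconciliation on the constructed samples as of 2024-09-01."""
    return reconcile(PASSWD_SAMPLE, GROUP_SAMPLE, REGISTER_SAMPLE, as_of="2024-09-01")


if __name__ == "__main__":
    for user, finding in demo_findings():
        print(f"{user:10s} {finding}")
```

Run on the samples, alice passes clean, bob is flagged for holding `sudo` membership the register never approved, carol's contractor grant has expired, mallory has no entry at all, and dave is documented but no longer provisioned. Running this on a schedule and keeping its output gives you both the "who can access what" documentation and a dated record of when discrepancies appeared.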
HARDENING is the practice of making something more secure. Often this means applying all sorts of safeguards like having secure settings, engaging the firewall, and having anti-malware software in place.
Systematic and documented hardening process:
- `I 23` Systems are updated … patch management
But, in the words of the French author Antoine de Saint-Exupéry, “Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away”: you should also remove everything you don’t expressly need in your environment.
Classified data at rest is encrypted using an accredited method (hah to FIPS and FileVault) or, exceptionally, protected by enough physical and logical access control.
Keep people informed what to do in case of an infection.
- `I 14` … no leaking of EM or acoustic waves. Level III and up.
This may be enough to send any admin into a curled-up position, whimpering in the corner and hugging a fluffy panda bear in despair. And that’s not all.
IN THE END, it’s still your customer who decides. Your auditors will give their report, but all they can do is pass or reject you, and the customer can decide what they want anyway.
The odd thing about KATAKRI is that it mostly lists that you should have secure principles in place, but doesn’t often tell you what these secure principles, or practices for that matter, should be. There are no hard limits on how long and complicated your password should be, how often it should be changed, how many times you can mistype it and what happens next. That’s actually up to you, the security administrator.
So KATAKRI tells you WHAT, but not HOW, and certainly not WHY.
Thankfully, there are some resources to help you out with the how. The Finnish communications authorities have published a whole bunch of VAHTI guides, and both the Center for Internet Security and the Defense Information Systems Agency in the US have their Security Technical Implementation Guides. There are, for example, STIG profiles for macOS that you can import straight into your MDM.
- It's hard, security is not a checklist (but is it really a process?)
- Sit down with some colleagues, come up with twenty likely security threats, decide on which ten are most critical, fix five of them, then repeat
- A minimum of two admins
- The measures: are you protecting the right things?
- Throw more money at the problem? Security can be _really_ expensive, so you need to understand what you're solving (so it's actually also a money management problem).
- Thought the days of on-site work were over? Roll up your sleeves and get your admin hoodie on!
- Be meticulous about documenting things -- doesn't matter how, as long as you do
- It's okay to be incremental. Start with plain text documents in a git repo or a wiki, look at documentation systems later. Plain text is easy to grep.
- Get a UTM firewall and command-line-managed switches. Save your configs. Have sensible defaults that you can upload to new switches. I placed some on my blog that are still helpful, [here](https://robin.lauren.fi/posts/some-nice-hp-switch-settings/)
- Password management is your friend. I suggest `gopass`.
- Even if you start small, don't assume you'll be the only admin.
- Assume there will be growth, but start small. Don't use a rackful of gear to solve what could be done with a couple of Mac minis.
- Get a minimum of two servers, three if you can (for a small environment)
Security, especially public sector security, is often seen as a top-down, mandated, required, forced-upon kind of thing where you have your big printed-out folder of dos and don’ts, mostly don’ts, that you have to follow or be fired. You have no wiggle room and no room for discussion. This is something I would like to turn on its head.
- Culture, culture, culture
- Restrictions do not make your life easier but you can still make it bearable for you and your users
- you can't ever be perfect but you can always be better
- Things are going to break and you can't ask specific questions. You will learn.
- If you think that the public sector is important, then you want to make a job that matters for those who work there
- There are four types of threats to security I can think of: ignorance, incompetence, malice and mistakes. The outcome might be the same but the reasons and what you can do about them
Together, these may cause you despair, but don't get paralysed.
Most security training and documentation, including KATAKRI, emphasises malice. That threats originate from some evil actor.
Nobody likes to be called incompetent … until you realise it isn’t that bad, objectively.
- A minimum of two admins
- VAHTI, DISA STIG and CIS
- OSCAP, FIPS mode on Mac, DISA STIG for CentOS 7
- KATAKRI tells you what, DISA tells you how, nobody tells you why
- preventing leaks
- you can't ever be perfect but you can always be better