Official IT Security

Government Level IT Security - while maintaining your sanity, your humanity, and some of your budget

Robin Laurén - Reaktor

Hello World! I’m Robin ツ

  • Mac & Linux and sysadmin at Reaktor
    • ~600 specialists: developers (~50%), designers, data scientists, graphics, usability, coaches, bizdev, support …
    • Finland, Netherlands, USA, Japan, Dubai
    • Teams > Hierarchies


Find me on the Interwebz


This is where you can find me on the Internet. I’m llauren on the Mac Admins slack, RobinLauren on Twitter and robin.lauren.fi on the world wide web, where i’ll also post the slides of this talk.

What’s “Official”?

  • Also known as The Public Sector
  • Government, state, Crown, border, police, military...
  • Paid with taxpayer money


So i’m going to talk to you about “Official security”. This isn’t an actual term, so i’d better explain myself a bit.

Spoiler alert!

  • I’m talking from a Finnish perspective
  • It’s yuge and complicated
  • Lot of work involved
  • Generally applicable, commercial and personal use
  • There’s an alternative to the top-down imperative


So here are a few spoilers for the next forty or so minutes.

Confidential? Restricted? Top secret?

  • In books and movies they look cool
  • Between friends it depends on the social context
  • In a company, lose business or get fined (or fired)
  • In official context these mean serious business
    • Restricted: “disadvantageous” if revealed
    • Confidential: personal security, public harm
    • (Top) Secret: national security at risk


Designations and considerations

  • Protection levels assigned by the Authorities
  • Management, Physical, Information systems
  • Documentation by committee but still pretty useful
  • Common sense is not only suggested but even recommended


- Designations are applied by the Gov or you if you are an accredited contractor

- You can’t just go and slap a “secret” label on whatever and think it’s a government secret after that.

- Again, leaking this will get you into a lot of trouble and can give you jail time (whistleblowers take heed). In the UK, some of the corresponding laws only apply if you are or have ever been working for the gov or the Crown.

- The CIA triad: confidentiality, integrity and availability; of these, Confidentiality seems the most important

Why listen?

  • White hat or a black hat, a gray hat or no hat at all
  • Spoil your movies
  • Some of it is actually pretty good
  • It’s your money!


- You may or may not agree with your government, your police force or your communications authorities, but there are probably some pretty smart people working there and they have surely done a good thing or two. Take this from the white hat or black hat position.

- Know what to do if you come across a classified Steele dossier

- You might be working for the government, and then you really should already know this (though your office might just be sloppy :)

- Just watch the Colony on Netflix; good drama but boy, all that leaking

- To you? Maybe it isn't, and that's okay too.

- Just curiosity

- You might have a hacker mindset; know thy enemy

- Your taxpayer money: in a sense, you are the owner and the customer

- Learn how the other side is doing; be inspired?!

- Be a better customer

- Spilling company secrets can get you fined or fired; spilling national secrets can get you jail time

So should you worry? Well, for the most part, no. If you’re not in the Serious Business, you probably won’t ever be involved and you can view this talk as an academic exercise. Should you find a classified (“stamped”) dossier at the back of a taxi or in a hotel lobby, just know that spreading the information or even just reading it might get you into serious trouble.

Hello KATAKRI!


Here we come to the specifically Finnish part, and it’s got a name, KATAKRI.

Protection levels & Security classification

| Protection level | Security classification | If unauthorised disclosure or use could … | Example |
| --- | --- | --- | --- |
| 1 | Top Secret | cause particularly grave prejudice to a public interest | stuff that can lead to war |
| 2 | Secret | cause significant prejudice to a public interest | e.g. national security |
| 3 | Confidential | “cause prejudice to a public or private interest” | e.g. undercover police name lists |
| 4 | Restricted | “be disadvantageous to a public or private interest” | stuff you need clearance to see |

Source: Decree 681/2010 § 11


- ST III Confidential

- ST II Secret

- ST I so secret it isn't even mentioned in KATAKRI :)

- Is there a "Cosmic Secret" level above this? `o_O` (Wear tin hat now)

And now, a deep dive into KATAKRI

Stay frosty, or have a 15 minute nap now

Picture by and of Scott Meyer

OK, so now we’ll take a deep dive into KATAKRI.

Management practices

  • Principles exist, and somebody’s responsible
  • Have enough expertise to actually be secure
  • Plan ahead: risk management, continuity plan, handling security events, communications plan…
  • Security education and awareness
  • Document and label everything


- `T 06` Handling your "security events" (or rather, exceptions), so you have planned ahead, trained the crew, documented the HOWTOs, practiced, and have communication practices and responsibilities in place

- `T 07` All classified information should be labelled as such (tricky with source code)

- `T 08` "Life span" of crew, from hire to fire and beyond

- `T 09` Background checks as needed

- `T 10` NDA practice (why? when there's the law? psychological reasons, i suppose)

- `T 11` Security education and awareness, regularly; updated as needed

- `T 12` Need to know, who's who, who can access what, least privilege (documentation!)

---

Physical security

  • Multi-level, complementing “onion design”
  • Structures, doors, locks and security systems
  • Access rights management
  • Manage your keys and codes
  • No eavesdropping
  • Document it all


Physical security is securing where you work

---

- `F 02` Secure and locked, escort guests at all times, storage for classified information. Entry and exit through perimeter, access only to those with authorisation and clearance.

- Intrusion detection, scan your areas visually at (random) intervals.

- `F 03` Security systems for physical protection are approved and in order, and tested.

- `F 04` Access rights management to deny unauthorised access. ID cards recommended. Somebody responsible for granting access. Documented instructions.

- `F 05` Manage thy keyes, change thy codes from defaults and at least every 12 months (for common codes), or after maintenance or suspected compromise. Documentation again.

- `F 06` Protection against sneak peeking (unauthorised observation and overlooking), so windows have blinds, computers have privacy filters if needed, displays and video projectors are turned so that they don't shine out the window.

- `F 07` Enough sound isolation to prevent against eavesdropping.

- No unauthorised communication lines or equipment.

Network security

  • Separate different functions to different networks
  • Only allow specific traffic between networks
    (especially so if traversing protection levels)
  • High-sec nets can’t connect to the Internet
  • Document fiercely


The next eight slides are all about different aspects of information security.

- You need a change management system (documentation, approval, whatever suits you) to document who made a change, what, why and when. Document relentlessly. You'll do Future You a service.

- Note that "approved" and "documented" are kind of recurring themes?

Authorities love documentation to the degree that if it isn’t documented, it doesn’t exist.
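To make the network slide's rules concrete (separate functions into zones, allow only specific traffic between them, keep high-sec nets off the Internet, and document every change), here is an added example that is not from the talk, from KATAKRI or from Reaktor. It checks a zone/flow table against those rules and only renders an nftables allow-list once every cross-level flow carries a change record and no level III zone can reach the Internet. The zone names, the assumption that a zone name doubles as its interface name, the ports and the `CHG-` change references are all constructed for the example.

```python
# Added example (not from the talk or from KATAKRI): a small policy check for
# a zoned network.  Zone names, interface names, ports and change references
# below are constructed for illustration.
from dataclasses import dataclass

# Protection levels as numbered in the decree table earlier in the talk:
# 1 = Top Secret, 2 = Secret, 3 = Confidential, 4 = Restricted.  The Internet
# is modelled as an extra level 5, i.e. fully public.
PUBLIC = 5
HIGH_SEC_MAX_LEVEL = 3  # zones at level III or stricter never reach the Internet


@dataclass(frozen=True)
class Zone:
    name: str   # assumption: also used as the interface name in rendered rules
    level: int


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int             # TCP destination port
    change_ref: str = ""  # change-management record approving this flow


ZONES = {z.name: z for z in (
    Zone("internet", PUBLIC),
    Zone("office", 4),
    Zone("servers", 4),
    Zone("pl3-workstations", 3),
    Zone("pl3-servers", 3),
)}

# Constructed allow-list, the kind of thing a change request would propose.
SAMPLE_FLOWS = (
    Flow("office", "internet", 443, "CHG-0001"),      # fine: PL IV to public, documented
    Flow("pl3-workstations", "pl3-servers", 22),       # fine: same level
    Flow("pl3-servers", "internet", 443, "CHG-0002"),  # violation: high-sec to Internet
    Flow("office", "pl3-servers", 443),                # violation: crosses levels, undocumented
)


def check_flows(flows, zones=ZONES):
    """Return (flow, reason) pairs for every flow breaking the segmentation
    rules; an empty list means the allow-list is clean."""
    violations = []
    for f in flows:
        levels = (zones[f.src].level, zones[f.dst].level)
        if PUBLIC in levels and min(levels) <= HIGH_SEC_MAX_LEVEL:
            violations.append((f, "high-sec zone must not connect to the Internet"))
        elif levels[0] != levels[1] and not f.change_ref:
            violations.append((f, "cross-level flow without a change record"))
    return violations


def render_nft(flows, zones=ZONES):
    """Render a clean allow-list as an nftables forward chain with a default
    drop policy, one accept rule per flow, carrying its change reference as a
    rule comment.  Refuses to render anything that fails check_flows."""
    bad = check_flows(flows, zones)
    if bad:
        raise ValueError("refusing to render: " + "; ".join(
            f"{f.src}->{f.dst}:{f.port} ({why})" for f, why in bad))
    lines = ["table inet segmentation {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for f in flows:
        comment = f' comment "{f.change_ref}"' if f.change_ref else ""
        lines.append(f'    iifname "{f.src}" oifname "{f.dst}" '
                     f"tcp dport {f.port} accept{comment}")
    lines += ["  }", "}"]
    return "\n".join(lines)


def audit_sample():
    """Run the check over the constructed allow-list."""
    return check_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    rejected = {f for f, _ in audit_sample()}
    for flow, why in audit_sample():
        print(f"REJECT {flow.src} -> {flow.dst}:{flow.port}: {why}")
    print(render_nft([f for f in SAMPLE_FLOWS if f not in rejected]))
```

The point of refusing to render is the "approved and documented" theme: the change reference ends up in the rule itself, so the running ruleset and the change log can be matched later without guessing who opened which hole.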

Wireless insecurity

  • Wireless = public
  • Wireless makes you visible
  • Public is bad opsec
  • Best to ban everything wireless


- Using a wireless network is considered stepping into the "public" zone. Best to disable all of it. Use approved VPN if you must (really, you don't want to).

- Disable Bluetooth while you're at it. Comes at a later stage, but i'll mention it now anyway.

- This may seem archaic and really restricted, but consider the opsec angle: you generally need to be _on_ a wired network to sniff it.

- Effectively, this also means "no telephones". Later we get to No Microphones and No Cameras.

- Of course, you can always wallpaper with a mosquito net :)

System Administration

  • Admins only
  • Use per-admin accounts
  • Only encrypted protocols
  • Enumerate thy hardware
  • Change management


Know thy users

  • Have an Identity and access management system
  • Separation of duties and Principle of least privilege
  • No shared accounts
  • Not all users are humans
  • Have a sensible password policy


- This shouldn't come as much as a surprise to anyone...

- Access control, groups, separation of duties

- Sometimes you’re the admin, sometimes a user, so don’t surf around as root. How many out there have separate accounts for themselves on their laptop? One for surfing and one for installing software? Do they have different passwords?

- LDAP is your friend (FreeIPA since Mac Server is going away)

- Apply Principle of Least Privilege (be aware of services!)

- You need a list of your users which is *not* your `/etc/passwd`, with when they got access, where and why. A good IdM is your friend.

- No default passwords

- Have a sensible password policy (complexity, rotation frequency, lockout...)

- Encrypted passwords, of course

- Separate different kinds of secrets from each other

- Have a way (hey, logging!) to know who touched what (audit trail!)

- For PL III, 2FA and 802.1X or confined networks

- Handle your classified information according to its highest security component

Log and monitor

  • Log everything, centrally
  • Monitor and have a baseline
  • Examine the logs regularly
  • Keep them secure
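An added example for the "know thy users" and "log and monitor" slides, not the author's code: it reviews a handful of constructed sshd log lines against a baseline of per-admin accounts, non-human accounts, admin source networks and working hours, and reports every login that deviates (root or service account used interactively, login from outside the admin network, login at odd hours, repeated failures). The account names, networks, hours and failure threshold are assumptions made up for the example; in practice the baseline comes from the IdM and the change records, not from `/etc/passwd`.

```python
# Added example (not from the talk): baseline review of SSH logins.  The log
# lines, account list and baseline values are all constructed for illustration.
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sshd lines in the usual syslog shape.
SAMPLE_LOG = """\
Mar 12 08:01:12 srv1 sshd[2201]: Accepted publickey for alice from 10.0.4.15 port 50222 ssh2
Mar 12 08:05:40 srv1 sshd[2210]: Accepted password for root from 10.0.4.15 port 50223 ssh2
Mar 12 02:12:01 srv2 sshd[881]: Accepted publickey for bob from 203.0.113.7 port 4411 ssh2
Mar 12 09:30:00 srv1 sshd[2299]: Accepted publickey for deploy from 10.0.4.20 port 51000 ssh2
Mar 12 09:31:00 srv1 sshd[2300]: Failed password for alice from 10.0.4.15 port 50300 ssh2
Mar 12 09:32:10 srv2 sshd[902]: Failed password for invalid user guest from 10.0.4.77 port 40001 ssh2
Mar 12 09:32:14 srv2 sshd[903]: Failed password for invalid user guest from 10.0.4.77 port 40002 ssh2
Mar 12 09:32:19 srv2 sshd[904]: Failed password for invalid user guest from 10.0.4.77 port 40003 ssh2
"""

# The baseline (assumed values): who may log in interactively, from where,
# and when.  In real life this comes from the IdM, not from /etc/passwd.
BASELINE = {
    "admins": {"alice", "bob"},                  # per-admin accounts
    "non_human": {"deploy", "backup"},           # service accounts, never interactive
    "admin_nets": [ipaddress.ip_network("10.0.4.0/24")],
    "hours": range(7, 19),                       # 07:00-18:59 local
    "max_failures": 3,
}

LINE = re.compile(
    r"^\w{3} +\d+ (?P<hh>\d\d):\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    reason: str


def review(log_text, baseline=BASELINE):
    """Compare each login event with the baseline and return the deviations."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an sshd auth line; a real review would count these too
        host, user, ip = m["host"], m["user"], ipaddress.ip_address(m["ip"])
        if m["result"] == "Failed":
            failures[(host, user)] += 1
            continue
        # No shared accounts, no surfing around as root, humans only at the keyboard.
        if user == "root" or user in baseline["non_human"]:
            findings.append(Finding(host, user, "login to shared or non-human account"))
        elif user not in baseline["admins"]:
            findings.append(Finding(host, user, "account not in the admin list"))
        # Where and when the login came from, against the documented baseline.
        if not any(ip in net for net in baseline["admin_nets"]):
            findings.append(Finding(host, user, f"login from outside admin networks ({ip})"))
        if int(m["hh"]) not in baseline["hours"]:
            findings.append(Finding(host, user, f"login outside baseline hours ({m['hh']}:xx)"))
    for (host, user), n in failures.items():
        if n >= baseline["max_failures"]:
            findings.append(Finding(host, user, f"{n} failed logins"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.host}: {f.user}: {f.reason}")
```

Run daily over the centrally collected logs this is the "examine the logs regularly" step; the findings list doubles as the audit trail of who touched what when the baseline was not followed.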


Hardening

  • Apply secure settings
  • Patch and update
  • Malware protection
  • Encrypt sensitive data
  • Remove anything that isn’t strictly necessary
  • Keep people educated


HARDENING is the practice of making something more secure. Often this means applying all sorts of safeguards like having secure settings, engaging the firewall, and having anti-malware software in place.

Systematic and documented hardening process:

Systems are updated. `I 23` … Patch management

But, in the words of the French author Antoine de Saint-Exupéry, “Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away”: you should also remove everything you don’t expressly need in your environment.

Classified data at rest is encrypted using an accredited method (hah to FIPS and FileVault) or, exceptionally, protected by enough physical and logical access control.

Keep people informed what to do in case of an infection.

Quality control

  • Only use approved security products
  • Take care of your secrets
  • Poke, test and audit
  • Be resilient


TEMPEST

  • No eavesdropping of electromagnetic waves
  • ...or any other kinds of waves


- `I 14` … no leaking of EM or acoustic waves. Level III and up.

Information security: Everything else

  • Treat your copies and backups like originals
  • Security over lifespan
  • Store and handle stuff only where allowed
  • Travelling with secrets


Phew!

This may be enough to send any admin into a curled up position, whimpering in the corner and hugging a fluffy Panda Bear in despair. And that’s not enough.

IN THE END, it’s still your customer who decides. Your auditors will give their report but they can just pass or accept you and the customer can decide what they want anyway.

What’s not in KATAKRI?

  • Actual hard requirements
  • HOW to actually create a secure environment *)
  • WHY you should do these things

*) For that, consult VAHTI, IT-Grundschutz, CIS, or DISA STIG


The odd thing about KATAKRI is that it mostly lists that you should have secure principles in place, but doesn’t often tell you what these secure principles, or practices for that matter, should be. There are no hard limits on how long and complicated your password should be, how often it should be changed, how many times you can mistype it and what happens next. That’s actually up to you, the security administrator.

So KATAKRI tells you WHAT, but not HOW, and certainly not WHY.

Thankfully, there are some resources to help you out with how. The Finnish communications authorities have published a whole bunch of VAHTI guides, and both the Center for Internet Security and the Defense Information Systems Agency in the US have their Security Technical Implementation Guides. There are, for example, STIG profiles for macOS which you can import straight into your MDM.

A fair warning

  • Cheap, easy, good: pick one
  • Security is not a checklist
  • The return of the on-prem or in-org engine room
  • You will need to be agile
  • Requires money, personnel, time, dedication
    (and your soul)


- It's hard, security is not a checklist (but is it really a process?)

- Sit down with some colleagues, come up with twenty likely security threats, decide on which ten are most critical, fix five of them, then repeat

- A minimum of two admins

- the measures? are you protecting the right things?

- Throw more money at the problem? Security can be _really_ expensive, so you need to understand what you're solving (so it's actually also a money management problem).

- Thought the days of on-site were over? Roll up your sleeves and get your admin hoodie on!

- Be meticulous about documenting things -- doesn't matter how, as long as you do

Get your gear together

  • Start small and grow as needed
  • Get a proper firewall and managed switches
  • No recycling
  • Save your configs and … document fiercely


- It's okay to be incremental. Start with plain text documents in a git repo or a wiki, look at documentation systems later. Plain text is easy to grep.

- Get a UTM firewall and command line managed switches. Save your configs. Have sensible defaults that you can upload to new switches. I placed some on my blog that are still helpful, [here](https://robin.lauren.fi/posts/some-nice-hp-switch-settings/)

- Password management is your friend. I suggest `gopass`.

- Even if you start small, don't assume you'll be the only admin.

- Assume there will be growth, but start small. Don't use a rack full of gear to solve what could be done with a couple of Mac minis.

- Get a minimum of two servers, three if you can (for a small environment)
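An added example for "save your configs and document fiercely" (not from the talk and not from the author's blog post on switch settings): it compares today's running switch config with the saved baseline from the repo, reports the drift, and checks a couple of hardening lines that must or must not be present. Both configs are constructed in a loosely ProCurve-like text style, and the required/forbidden lines are this example's own choices rather than vendor guidance.

```python
# Added example (not from the talk): drift and sanity check of a switch
# config against the saved baseline.  Both configs and the required/forbidden
# lines are constructed for illustration.
import difflib
import re

# The "sensible defaults" as saved in the repo (constructed).
BASELINE_CONFIG = """\
; Configuration Editor; Created on release #XX.00.0001
hostname "sw-edge-1"
no telnet-server
ip ssh
vlan 10
   name "office"
vlan 30
   name "pl3"
"""

# What `show running-config` returned today (constructed).
RUNNING_CONFIG = """\
; Configuration Editor; Created on release #XX.00.0002
hostname "sw-edge-1"
ip ssh
snmp-server community "public" unrestricted
vlan 10
   name "office"
vlan 30
   name "pl3"
vlan 40
   name "guest-wifi"
"""

# Lines that change on every save and carry no configuration.
VOLATILE = re.compile(r"^;")

# This example's own hardening expectations: management only over SSH, and no
# default SNMP community left lying around.
REQUIRED = {"no telnet-server", "ip ssh"}
FORBIDDEN = re.compile(r'^snmp-server community "public"')


def normalise(text):
    """Strip volatile lines and surrounding whitespace so only settings compare."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not VOLATILE.match(ln)]


def drift(baseline, running):
    """Return (added, removed): lines only in the running config, and lines
    that disappeared from it.  Order-insensitive, which is enough for an alarm."""
    b, r = set(normalise(baseline)), set(normalise(running))
    return sorted(r - b), sorted(b - r)


def hardening_findings(running):
    """Return (missing_required, present_forbidden) for a running config."""
    lines = normalise(running)
    missing = sorted(REQUIRED - set(lines))
    bad = [ln for ln in lines if FORBIDDEN.match(ln)]
    return missing, bad


def change_record(baseline, running):
    """A unified diff suitable for pasting into the change log or commit."""
    return "\n".join(difflib.unified_diff(
        normalise(baseline), normalise(running),
        fromfile="baseline", tofile="running", lineterm=""))


if __name__ == "__main__":
    added, removed = drift(BASELINE_CONFIG, RUNNING_CONFIG)
    print("added:", added)
    print("removed:", removed)
    print("hardening:", hardening_findings(RUNNING_CONFIG))
    print(change_record(BASELINE_CONFIG, RUNNING_CONFIG))
```

Drift on its own is not a problem (the new VLAN may well be an approved change); drift without a matching entry in the change log is, which is why the unified diff is produced in a form that can go straight into the commit.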

Essential software

  • Learn to love the command line
  • Password management
  • Version management
  • Virtualisation
  • Open source software
  • Configuration management


Security is about people

  • Turn top-down security on its head
  • You are the enabler
  • Make everybody’s life bearable
  • Encourage a secure culture and behaviour
  • It gets lonely in a bubble, but on-site is social


Security, especially public sector security, is often seen as a top-down mandated required forced-upon kind of thing where you have your big printed out folder of dos and don’ts, mostly don’ts, that you have to follow or be fired. You have no wiggle room and no room for discussion. This is something i would like to turn on its head.

- Culture, culture, culture

- Restrictions do not make your life easier but you can still make it bearable for you and your users

- you can't ever be perfect but you can always be better

- Things are going to break and you can't ask specific questions. You will learn.

- If you think that the public sector is important, then you want to make a job that matters for those who work there

An alternative to despair

  • Plan
  • Protect and prevent
  • Monitor, test and audit
  • Mitigate and be resilient
  • Educate
  • Iterate and improve!


Four sources of threats

  • Ignorance
  • Incompetence
  • Malice
  • Mistakes


- There are four types of threats to security i can think of: ignorance, incompetence, malice and mistakes. The outcome might be the same but the reasons and what you can do about them are different.

Together, these may cause you despair, but don't get paralysed.

Malice is the obvious threat

  • Most people are usually nice, some just have a different agenda
  • Rational, on-purpose, clever attacks
  • Social engineering
  • Educate yourself
  • Wear a black hat

Scott Meyer drew this picture


Most security training and documentation, including KATAKRI, emphasises malice: the idea that threats originate from some evil actor.

Ignorance prevents bliss

  • Those too lazy, too busy, or too important
  • Beware of Broken Windows and Slippery Slopes
  • Teach why security is important and for everyone (This includes yourself)
  • Make it possible to do “important” things securely


Incompetence can be cured

  • Stop feeling ashamed that you don’t know
  • Incompetence is temporary and can be cured by education
  • Teach those who don’t know they don’t know


Nobody likes to be called incompetent … until you realise it isn’t that bad, objectively.

To errr is human

  • Everybody makes mistakes
  • Design for secure behaviour
  • Create a culture where making mistakes is allowed
  • Learn from mistakes
  • Make sensible security


Foster a secure culture

  • Understand why it’s important
  • It’s everybody’s responsibility
  • Be honest to yourself, your peers and your customer
  • Don’t hide your mistakes, learn from them
  • Teach the people to be resilient


Any practical advice?

Practical hardening

  • KATAKRI tells you what
  • VAHTI, CIS, DISA STIG tells you how
    (but nobody tells you why)


- A minimum of two admins

- VAHTI, DISA STIG and CIS

- OSCAP, FIPS mode on Mac, DISA STIG for CentOS 7

- KATAKRI tells you what, DISA tells you how, nobody tells you why

- preventing leaks

- you can't ever be perfect but you can always be better

Thank you!

(#) llauren

(@) Robin.Lauren@reaktor.com

(w) robin.lauren.fi /talks

(t) @RobinLauren

Pictures in this presentation

by and © Scott Meyer

Basicinstructions.com

Macaduk 2019 Robin Laurén - Google Slides