How would you implement computer security configuration for intelligence agencies?
What OS to use?
Airgap and VPN in/out both ways?
Set up Red and Blue teams to keep everyone else honest. Empower an inspector general to make sure corruption is kept at bay.
Build highly controlled and audited sources of high quality random bits, well isolated from all other computing infrastructure. Generate one time pads at the rate of terabytes per day for physical distribution in tightly logged and controlled distributions.
Centralization and tight onsite audited management of sensitive data in air-gapped environments.
Data ingress only allowed in tightly controlled formats (to prevent ingress of control), via data diodes.
All bulk data egress to use one time pads. All other access through deliberately low bandwidth channels with multiple logging platforms to prevent exfiltration.
Heavy use of append only filesystems. All data at rest to be cryptographically checksummed and verified on a regular basis.
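The "checksummed and verified on a regular basis" control above, as an added example that is not from the thread: a keyed (HMAC-SHA256) manifest of everything under a store is built once, kept on the append-only side, and re-checked on a schedule to report modified, missing and planted files. The key is a constructed placeholder; in practice it lives off the store, so an attacker who can rewrite files cannot also rewrite a matching manifest.

```python
"""Integrity manifest for data at rest: build a keyed HMAC-SHA256 manifest of
every file under a root, then verify it later and report what deviated."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def _file_hmac(key: bytes, path: Path) -> str:
    # Stream the file so large archives never need to fit in memory.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(root: str, key: bytes) -> dict:
    # Keys are paths relative to root, so the manifest is portable between mirrors.
    rootp = Path(root)
    return {str(p.relative_to(rootp)): _file_hmac(key, p)
            for p in sorted(rootp.rglob("*")) if p.is_file()}


def verify_manifest(root: str, key: bytes, manifest: dict) -> dict:
    # Every deviation is reported: altered content, deleted/renamed files, new files.
    current = build_manifest(root, key)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "added": sorted(f for f in current if f not in manifest),
    }


def demo() -> dict:
    # Constructed sample store: three files, then one altered, one deleted, one planted.
    key = b"placeholder-key-kept-off-the-store"  # assumption: real key held elsewhere
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp, "vault")
        vault.mkdir()
        for name, body in (("a.bin", b"report 1"), ("b.bin", b"report 2"), ("c.bin", b"report 3")):
            (vault / name).write_bytes(body)
        manifest = build_manifest(tmp, key)   # baseline taken at ingest time
        (vault / "b.bin").write_bytes(b"report 2 altered")
        (vault / "a.bin").unlink()
        (vault / "d.bin").write_bytes(b"planted")
        return verify_manifest(tmp, key, manifest)


if __name__ == "__main__":
    print(demo())
```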
Hardened Windows 10/11 or macOS. My threat model will be for persistent threat actors so aside from hardening, I will collect a ton of EDR and network data and couple it with purple teaming + threat hunting.
Believe it or not Windows can be locked down tight and macOS can get pwned easily as well.
I will of course ban email as first order business unless you have an exemption and you don't access a secure network. Basically what they do now by having a separate dedicated machine for accessing a secure network with USB ports soldered off. Admins will use MS recommended privileged access workstations for admin activity which is separate by policy from secure and insecure workstations.
No layer 3 LAN traffic. Each workstation gets a routed VLAN, restricts traffic on the host and router ACL to an internal VPN terminator that will also act as a firewall to implement MAC to resources. EAP-TLS where required.
Secure network is not connected to any other network but not airgapped either. Airgapping is for data storage/processing dedicated nodes not user workstations.
What they do now with smartcards sounds good for logins.
JEA, Credential Guard, WDAC whitelisting, blah blah hardening like I said before but hardening is the start as is "all patches are emergency patches". Detection, detection, detection (includes both types of hunts); shut up and give me all your logs. TLS decryption and packet capture device on every router interface (NetWitness?).
Of course Top Secret//SC, codeword clearance and above will never touch a computer and printers, cams, IoT, etc. will also be monitored very closely and hardened even with segregation. Of course you can't take a secure computer off premises and insecure computers get wiped if they stay off prem too long and are all subject to quarterly firmware and hardware integrity inspection just like secure computers. No builtin cams or mics on any computer period.
I am sure I missed a lot but for workstations this comes to mind. Servers, cloud, mobile are a whole other beast.
Sell it to anarchist buddies as ensuring that these evil arms of government oppression are shackled by the antiquated systems. Reap rewards of regard for helping subvert the effectiveness of the authoritarian State.
Sell it to authoritarian buddies as elegant, focused, and effective systems that help filter out people not truly committed to the Mission. Enjoy the recognition of a faithful Enabler of Order.
Probably a pretty complex network topology where specific Ethernet ports/terminals have access to specific networks/applications for the most sensitive things. MAC address from the NIC is part of the authentication in addition to user login/2FA. Physical security to those rooms with keycard plus biometric access. Apply this concept to varying degrees appropriately for each system/team/room. Similarly complex application permissions/security would be needed as well.
* Why Windows? PCs are cheap, after all this is the government we're dealing with here. If they are dumb terminals to apps then they are even cheaper when ordering thousands of them. And the gov wants easy support/training so Linux is likely a non-starter with non-tech people. They're not going to spend $1200+ on Apple laptops per person either.
Or at least that's what I'd tell myself, with a wry grin on my face and RATM playing in my head until they caught on to my obvious shenanigans and black-bagged me.
The hardest parts of these kinds of projects are educating their staff and discovering the edge cases before they get shipped out.
I have no idea what the CIA is using.
What I would do is probably something similar to what the NSA is/was doing and include multiple certified 3rd party code reviewers and penetration testers that would not just look for bugs and vulnerabilities but also vulnerable platform concepts, i.e. anything that lends itself to Instrumental Convergence [1]. I would ensure all hardware is using coreboot BIOS/firmware and have teams pentest that code. I would hire teams of document writers to ensure everything is documented and has the correct security classification annotations. I would also hire investigation firms to look into everyone that has ever contributed code to OpenStack and RHEL/CentOS. I would require IBM/Red Hat to de-obfuscate any obfuscated code and use an NSL to order them to provide technical details on any undocumented weaknesses or intentional lawful intercept code. I would have them also contribute to the upstream kernel more sysctl and /sys tunables that can improve anti-tampering and prevent changing capabilities on the fly. I would also use NSLs to get the firmware of all hardware in the servers. Any applications used by the organization would also have to be retrofitted with instrumentation that can be monitored in real time by machine learning to determine if anything suspect is afoot. The monitoring would use short dictionary coded signals vs. verbose English to reduce transmission time, being entirely documented in the man pages.
I would ensure that change control while strict would also be semi-agile in that one could make changes quickly if they, their supervisors and their peer reviewers have the appropriate security clearances. Their security clearance would map to one or more security levels and categories in SELinux. If they are DENIED then security guards would rush into the room with cans of silly string, assuming that is still a thing.
I would repeat the entire process non-stop and ensure any fixes are implemented upstream so that all businesses may also benefit from improvements and full transparency.
There are many more things that would have to be done but I don't think even a summary would fit on HN.
[1] - https://en.wikipedia.org/wiki/Instrumental_convergence
For tighter control of reduced attack surface:
- libmusl instead of glibc
- pre-2013 CPU
- no UEFI
- no Management Engine (ME)
- replace BIOS with an open-source variety
- disable Write-Execute (relegate JIT to emulated VM; that’s web browsers too)
For an IT cybersecurity coordinator to have a hypothetical secured homeLAN system, he/she would need to set up:
- a RADIUS server
- an LDAP server
- an encrypted MAC layer via PKI
- a default-deny firewall (absolutely no VPN/DNSm/DoH/DoT pinholes)
- a transparent HTTPS proxy server with various ICAP servers scrubbing bad things
- a waterfall router (randomized packet jitters)
- a bastion DNS resolver
- internal authoritative DNSSEC servers (including cloned Root servers)
- personalized workstations run on Qubes OS
- test workstations on pre-prepared hardened OS
- VM servers run in strict software-emulated mode.
- disable JavaScript on all hosts’ OSes (guest VM and guestnet could have ‘em)
- VMs can only run Whonix Linux OS
- an intensive alerting system via heavily-sanitized SMS and email (but no public-facing, like Twitter)
and that is not counting any external servers needed to support the initial homeNET setup. You want VPN or exit-only Tor node, buy a cheap WireGuard'd VPS. Of course, then there are so many more security enhancements for Linux, on top of SELinux, TOMOYO, grsecurity, mostly in the form of Linux kernel configuration tweaking.
Isn’t job security awesome?
# Reference #
* https://github.com/a13xp0p0v/linux-kernel-defence-map/blob/m...
* https://en.wikipedia.org/wiki/IEEE_802.1X
* https://en.wikipedia.org/wiki/Wi-Fi_6