Securing a SECURE system with antivirus
-
Once upon a time (ten years ago) I worked with classified information. The workstation was airgapped from the Internet as per protocol. Also per protocol, my daily tasks included installing antivirus updates on this system. This was for SECURITY REASONS.
And this was the process:
- Grab the TRANSFER STICK
- Walk to a PC with Internet connection
- Download antivirus updates from vendor via FTP
- Copy said updates to TRANSFER STICK
- Walk back to the shielded system and
- connect TRANSFER STICK
- Run the UPDATE*.EXE from the TRANSFER STICK
There. System SECURED.
-
-
@gleemonk that's... not how airgapping works.
-
@Arantor said in Securing a SECURE system with antivirus:
@gleemonk that's... not how airgapping works.
If your primary concern is infoleaks from the secured network to the unsecured network, that's totally how airgapping works.
I'm surprised that facility security let you guys use USB sticks to perform transfers. Were they single-use, or were they reused after touching the secure network?
-
@bugmenot no, no it really isn't.
The whole point of airgapping a machine is that you want it completely disconnected from the kind of environment that a USB stick is going to come into contact with. As in, you're concerned about infiltration of badware (hence the antivirus), but you're also probably concerned about exfiltration of sensitive data.
The infiltration problem is fucking hilarious because anything that's actually probably dangerous and infectious can get over the airgap by the very 'security' method used to prevent infection.
The exfiltration problem is usually solved on airgapped machines by the airgap and often disabling USB sockets. The fact that you can plug a USB stick in means that whatever protection against exfiltration you have is now essentially useless.
So, remind me what problem this airgap is supposed to solve again?
-
This is still very much the process, except the request for the transfer has to be approved by a security manager, a trained administrator makes the transfer into an isolated enclave on the high side, the data is examined, and then an administrator copies the files into the production zone. (And it goes into the Master Repository on the ePO server, which then distributes it to all the workstations. No workstations are allowed USB storage, of course).
I don't really see the problem when it's performed that way. What's the alternative? Retyping the signatures file into a hex editor?
-
@bugmenot said in Securing a SECURE system with antivirus:
@Arantor said in Securing a SECURE system with antivirus:
@gleemonk that's... not how airgapping works.
If your primary concern is infoleaks from the secured network to the unsecured network, that's totally how airgapping works.
I'm surprised that facility security let you guys use USB sticks to perform transfers. Were they single-use, or were they reused after touching the secure network?
"the TRANSFER STICK" was probably a USB stick with "TRANSFER STICK" written on it in permanent ink, and use of it for any other purpose was probably a sackable offense.
-
@anotherusername said in Securing a SECURE system with antivirus:
"the TRANSFER STICK" was probably a USB stick with "TRANSFER STICK" written on it in permanent ink, and use of it for any other purpose was probably a sackable offense.
Not just a sackable offense. Mishandling of classified information is a criminal offense.
-
@bugmenot also, if malware can use the USB stick to get itself onto the airgapped system, it can also use the same USB stick to get sensitive information off of the airgapped system and onto one that's connected to the internet. Stuxnet did that, IIRC.
-
@heterodox said in Securing a SECURE system with antivirus:
@anotherusername said in Securing a SECURE system with antivirus:
"the TRANSFER STICK" was probably a USB stick with "TRANSFER STICK" written on it in permanent ink, and use of it for any other purpose was probably a sackable offense.
Not just a sackable offense. Mishandling of classified information is a criminal offense.
Body bags are a kind of sack.
-
@Arantor said in Securing a SECURE system with antivirus:
The whole point of airgapping a machine is ... you're concerned about infiltration of badware (hence the antivirus)...
This is often a secondary concern. The antivirus software is often there to tick off a box on the STIG.
...you're also probably concerned about exfiltration of sensitive data.
Yes. Exactly this.
The fact that you can plug a USB stick in means that whatever protection against exfiltration you have is now essentially useless.
So, remind me what problem this airgap is supposed to solve again?
If the USB transfer device is not reused on the unclassified network, then the airgap is working as intended. Data from the classified network can't leak out. If the USB device is reused on the unclassified network, then I don't see why this facility passed its security audits. Maybe it was a Government facility, rather than a contractor's facility?
-
@heterodox said in Securing a SECURE system with antivirus:
Mishandling of classified information is a criminal offense.
Antivirus updates aren't classified, but I wouldn't want to test that in court
-
@wharrgarbl said in Securing a SECURE system with antivirus:
@heterodox said in Securing a SECURE system with antivirus:
Mishandling of classified information is a criminal offense.
Antivirus updates aren't classified, but I wouldn't want to test that in court
But that's coming from the outside into the secure area.
The main issue is bringing something from the secure area out to the rest of the world.
-
@bugmenot nobody would have cared if I'd used the fob on my keyring instead of the official TRANSFER STICK.
-
@heterodox said in Securing a SECURE system with antivirus:
Mishandling of classified information is a criminal offense.
[redacted... is - bz]
-
@heterodox said in Securing a SECURE system with antivirus:
I don't really see the problem when it's performed that way. What's the alternative? Retyping the signatures file into a hex editor?
Configuring Windows to not run any executable files aside from the whitelisted ones.
(that's possible, right?)
-
@Arantor said in Securing a SECURE system with antivirus:
The whole point of airgapping a machine is that you want it completely disconnected from the kind of environment that a USB stick is going to come into contact with. As in, you're concerned about infiltration of badware (hence the antivirus), but you're also probably concerned about exfiltration of sensitive data.
They weren't worried too much about exfiltration. I got SECURITY CLEARANCE after all.
@heterodox said in Securing a SECURE system with antivirus:
Not just a sackable offense. Mishandling of classified information is a criminal offense.
Military justice would have applied. But there wasn't much to mishandle.
@bugmenot said in Securing a SECURE system with antivirus:
Maybe it was a Government facility, rather than a contractor's facility?
Military facility. Quaint leftover of the cold war. These days everybody just assumes nothing bad will happen. That unit got disbanded since, I was there in its last years.
-
@wharrgarbl said in Securing a SECURE system with antivirus:
Antivirus updates aren't classified, but I wouldn't want to test that in court
Never said they were. Why wouldn't you want to test that in court? Maybe you should re-read the post to which I was replying.
@boomzilla said in Securing a SECURE system with antivirus:
[redacted... is - bz]
Ouch, should have known that'd make that discussion too easy. Let's not. :P
@anonymous234 said in Securing a SECURE system with antivirus:
Configuring Windows to not run any executable files aside from the whitelisted ones.
(that's possible, right?)
What...? I assume you're replying to the OP running an EXE to update signatures; it's no longer done that way, and the newer way is the way to which I was referring. (And yes, systems are also configured with application whitelists now.)
@gleemonk said in Securing a SECURE system with antivirus:
Military justice would have applied.
If you were in the military, yes.
@gleemonk said in Securing a SECURE system with antivirus:
They weren't worried too much about exfiltration. I got SECURITY CLEARANCE after all.
@gleemonk said in Securing a SECURE system with antivirus:
These days everybody just assumes nothing bad will happen.
That may have been the amount of worry back then, but there's vastly more worry now. From one perspective, all threats on the high side are insider threats, and no one's immune from that threat.
Just saying, I wouldn't necessarily extend your WTF experience ten years ago to "these days".
-
@Arantor said in Securing a SECURE system with antivirus:
@gleemonk that's... not how airgapping works.
Of course. You set a PC in the DMZ to flash its display in a pattern encoding the data bits of virus signatures, and behind the airgap you set up the built-in camera of the airgapped PC to decode it.
Filed under: when in doubt, optocouple
-
@Maciejasjmj said in Securing a SECURE system with antivirus:
Of course. You set a PC in the DMZ to flash its display in a pattern encoding the data bits of virus signatures, and behind the airgap you set up the built-in camera of the airgapped PC to decode it.
It's like a deliberate backchannel. I love it.
-
@gleemonk said in Securing a SECURE system with antivirus:
I got SECURITY CLEARANCE after all.
So did Snowden...
-
@anonymous234 said in Securing a SECURE system with antivirus:
@heterodox said in Securing a SECURE system with antivirus:
I don't really see the problem when it's performed that way. What's the alternative? Retyping the signatures file into a hex editor?
Configuring Windows to not run any executable files aside from the whitelisted ones.
(that's possible, right?)
Yup. The
powerabuse of Group Policy.
-
@Maciejasjmj said in Securing a SECURE system with antivirus:
@Arantor said in Securing a SECURE system with antivirus:
@gleemonk that's... not how airgapping works.
Of course. You set a PC in the DMZ to flash its display in a pattern encoding the data bits of virus signatures, and behind the airgap you set up the built-in camera of the airgapped PC to decode it.
Filed under: when in doubt, optocouple
Better make it more secure: Should print it out and take a photo of it, send the printed photo over for encryption, print that, move it over the air gap, and reverse.
-
@Tsaukpaetra said in Securing a SECURE system with antivirus:
Should print it, put it on a wooden table out and take a photo of it,
-
@Luhmann said in Securing a SECURE system with antivirus:
@Tsaukpaetra said in Securing a SECURE system with antivirus:
Should print it, put it on a wooden table out and take a photo of it,
I KNEW I was forgetting something!
Oh dear, who are these sharply-dressed men with shades coming up behind me...
-
@Tsaukpaetra are they ZZ Top? https://m.youtube.com/watch?v=7wRHBLwpASw
-
@heterodox said in Securing a SECURE system with antivirus:
@gleemonk said in Securing a SECURE system with antivirus:
These days everybody just assumes nothing bad will happen.
That may have been the amount of worry back then, but there's vastly more worry now. From one perspective, all threats on the high side are insider threats, and no one's immune from that threat.
Just saying, I wouldn't necessarily extend your WTF experience ten years ago to "these days".
I referred to cold war worries that dominated the unit I was assigned to. People forget what world we're living in when prattling about the tactical use of nuclear weapons is not reserved to crank generals anymore. Sadly, that was already true ten years ago.
If we don't think about the consequences of a nuclear war it won't happen. Better not keep those guys around planning for the time after. In some way I can even agree. If you're not prepared for the consequences, it would be even more irresponsible to do it. So we won't, right?
I'M NOT BITTER I'M JUST SAD.
-
@Maciejasjmj said in Securing a SECURE system with antivirus:
You set a PC in the DMZ to flash its display in a pattern encoding the data bits of virus signatures, and behind the airgap you set up the built-in camera of the airgapped PC to decode it.
Data Diodes are a thing, FWIW.
-
@Tsaukpaetra said in Securing a SECURE system with antivirus:
Better make it more secure: Should print it out and take a photo of it, send the printed photo over for encryption, print that, move it over the air gap, and reverse.
My first experience with secure systems was when as a support guy I asked for a configuration file (wanted to auto-compare it to one of ours) and got an image PDF; the file had been printed then scanned in to the only machine with Internet access. Me: "Whaaat the fuck is this; I can't compare this!"
-
@Arantor said in Securing a SECURE system with antivirus:
@Tsaukpaetra are they ZZ Top?
Can't be, he said sharply-dressed
-
@TimeBandit check the video, it said "sharp dressed man" ;)
-
@Arantor said in Securing a SECURE system with antivirus:
@TimeBandit check the video, it said "sharp dressed man" ;)
I know, but the ZZ Top guys on the other hand
-
@Tsaukpaetra said in Securing a SECURE system with antivirus:
Yup. The
powerabuse of Group Policy.
Is it really abuse? That's exactly what AppLocker is designed for. (Or McAfee HIPS/Application Control.)
-
@heterodox said in Securing a SECURE system with antivirus:
@Tsaukpaetra said in Securing a SECURE system with antivirus:
Yup. The
powerabuse of Group Policy.
Is it really abuse? That's exactly what AppLocker is designed for. (Or McAfee HIPS/Application Control.)
Depends on who you're asking.
-
@gleemonk said in Securing a SECURE system with antivirus:
@heterodox said in Securing a SECURE system with antivirus:
@gleemonk said in Securing a SECURE system with antivirus:
These days everybody just assumes nothing bad will happen.
That may have been the amount of worry back then, but there's vastly more worry now. From one perspective, all threats on the high side are insider threats, and no one's immune from that threat.
Just saying, I wouldn't necessarily extend your WTF experience ten years ago to "these days".
I referred to cold war worries that dominated the unit I was assigned to. People forget what world we're living in when prattling about the tactical use of nuclear weapons is not reserved to crank generals anymore. Sadly, that was already true ten years ago.
If we don't think about the consequences of a nuclear war it won't happen. Better not keep those guys around planning for the time after. In some way I can even agree. If you're not prepared for the consequences, it would be even more irresponsible to do it. So we won't, right?
I'M NOT BITTER I'M JUST SAD.
This is possibly the greatest achievement in the history of cinema. With their frank, starkly bleak depiction of the realistic consequences of a nuclear war, these filmmakers managed to freak out President Reagan so badly that he got serious about disarmament and nuclear limitation treaties.
-
There should be a second airgapped system, with a stripped-down/specialized/etc. OS, with the sole purpose of reformatting the TRANSFER STICK after it was inserted in the main airgapped one.
(in addition to AppLocker making sure to only execute files digitally signed by their antivirus vendor)
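One way to set up the AppLocker rule Medinoc describes, as an added example that is not from this thread or any poster: it derives a publisher rule from the vendor's Authenticode signature so only binaries signed by that vendor may run. It assumes an elevated PowerShell session on the airgapped Windows host with the AppLocker module available, and a placeholder updater path C:\Transfer\UPDATE.EXE.

```powershell
# Added example, not from the thread. Build an AppLocker publisher rule from the
# AV vendor's code-signing certificate so the airgapped host only runs updaters
# signed by that vendor. Placeholder path; substitute the real updater location.
$UpdaterPath = 'C:\Transfer\UPDATE.EXE'

# Read the signer (publisher, product, binary name, version) from the signed file.
$fileInfo = Get-AppLockerFileInformation -Path $UpdaterPath
if (-not $fileInfo.Publisher) {
    throw "$UpdaterPath carries no Authenticode signature; a publisher rule cannot be derived from it."
}

# Generate a Publisher rule for Everyone. A publisher rule keeps working when the
# vendor ships a newer signed updater, whereas a hash rule would have to be regenerated
# for every update that crosses the gap.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
    -User Everyone -RuleNamePrefix 'AVVendor'

# Dry-run the policy first: the signed updater should come back Allowed and an
# unsigned binary (placeholder path) should not match the rule.
Test-AppLockerPolicy -PolicyObject $policy -User Everyone `
    -Path $UpdaterPath, 'C:\Transfer\unsigned-test.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule

# Merge the rule into the local policy and make sure the Application Identity
# service that enforces AppLocker is running and survives reboots.
Set-AppLockerPolicy -PolicyObject $policy -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

The merged rule only allows the vendor's binaries; the executable rule collection still needs its default rules (so Windows and Program Files keep running) and an enforcement mode of AuditOnly, then Enabled, set in the local security policy before this becomes an actual allow-list rather than one more permitted path.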
-
@Medinoc said in Securing a SECURE system with antivirus:
There should be a second airgapped system, with a stripped-down/specialized/etc. OS, with the sole purpose of reformatting the TRANSFER STICK after it was inserted in the main airgapped one.
Well, next to the airgapped system was a system encased in metal shielding. We used that one for SECRET stuff. It would shut down (as in physically losing power) when you opened the hatch to connect a USB stick. Only after closing the hatch would the power come back. So you couldn't connect usb cables that would bridge somewhere. That one didn't have anti-virus though, it wasn't based on Windows and the disc was read-only. It couldn't format the TRANSFER STICK though.
That box was real shit to work with because it forgot everything on every reboot. I did try having a shell script on a usb stick which I could run after login to automate some stuff. Couldn't get the script to run at all. The system prevented running scripts and my skillz were lacking. It was point & click for me.
-
@gleemonk said in Securing a SECURE system with antivirus:
Once upon a time (ten years ago) I worked with classified information. The workstation was airgapped from the Internet as per protocol. Also per protocol, my daily tasks included installing antivirus updates on this system. This was for SECURITY REASONS.
And this was the process:
- Grab the TRANSFER STICK
- Walk to a PC with Internet connection
- Download antivirus updates from vendor via FTP
- Copy said updates to TRANSFER STICK
- Walk back to the shielded system and
- connect TRANSFER STICK
- Run the UPDATE*.EXE from the TRANSFER STICK
There. System SECURED.
AFAIK, lots of government systems here also work like that.
-
We used to use CD-Rs for this. We'd burn the AV updates or MS patches or whatever to the CD, transfer it to SIPRNet, and then destroy the CD.
SIPRNet machines would have their USB ports hot glued shut; keyboards and mice were glued in place, and almost impossible to replace.
-
@bugmenot said in Securing a SECURE system with antivirus:
If the USB transfer device is not reused on the unclassified network, then the airgap is working as intended.
As long as the device itself wasn't malicious, yes. You don't want it depositing malware on the secure machine even if you never use the USB stick again.
If the USB device is reused on the unclassified network, then I don't see why this facility passed its security audits.
Yeah, this. When I worked at a facility that handled classified information, it was more floppies than USB drives that were in question, but the rule was that any disk which had been used on the secure network had to permanently be treated as the highest level of classification available on the secure network, and could never ever be used on the unsecured network again.
I don't know what they did about AV though.
-
@gleemonk said in Securing a SECURE system with antivirus:
Once upon a time (ten years ago) I worked with classified information. The workstation was airgapped from the Internet as per protocol. Also per protocol, my daily tasks included installing antivirus updates on this system. This was for SECURITY REASONS.
And this was the process:
- Grab the TRANSFER STICK
- Walk to a PC with Internet connection
- Download antivirus updates from vendor via FTP
- Copy said updates to TRANSFER STICK
- Walk back to the shielded system and
- connect TRANSFER STICK
- Run the UPDATE*.EXE from the TRANSFER STICK
There. System SECURED.
It tickles me when the WTF is so obvious that even I get it.
-
@jinpa I guess reviving a 3 year old topic just to say this isn't obvious enough.
-
@Gąska said in Securing a SECURE system with antivirus:
@jinpa I guess reviving a 3 year old topic just to say this isn't obvious enough.
Doesn't follow. According to what you're saying, if I had not revived it, it would not have been obvious.