This is amazingly concrete and understandable from a technical perspective for a government security document. Where can I find more like this?
Everything I’ve seen in ISO security standards, for example, is written at an abstract theoretical level about the design of security bureaucracy rather than the design of actual systems.
One bone to pick: basically all tech companies expect you to be on call for your services via your laptop. They’re not paying anybody to sit in the office overnight, and commuting in when you get paged would seriously delay mitigation. Is “browsing down” even possible under those circumstances?
> Is “browsing down” even possible under those circumstances?
From TFA:
There are many ways in which you can build a browse-down approach. You could use a virtual machine on the administrative device to perform any activities on less trusted systems. Or you could browse-down to a remote machine over a remote desktop or shell protocol. The idea is that if the dirty (less trusted) environment gets compromised, then it’s not ‘underneath’ the clean environment in the processing stack, and the malware operator would have their work cut out to get access to your clean environment.
Yeah, tech workers aren’t going to tolerate doing everything except admin consoles in a VM or RDP session. Maybe on a special-purpose workstation, but not the daily-driver company MacBook.
Ideally you'd do the least amount of browsing and reading email possible on your work laptop and sandbox whatever is left if possible.
Something like Qubes OS (or maybe manually using containers or virtual machines) could be an option. Running snaps and flatpaks also ensures some level of sandboxing if I'm not mistaken. Using a separate user for riskier activities is also worth thinking about.
I think it's also true that all OSes are moving towards more sandboxing by default (permission to read files, permission to start at runtime, admin access, etc.) so it's less of a risk than it used to be.
> Ideally you'd do the least amount of browsing and reading email possible on your work laptop and sandbox whatever is left if possible.
Ideally.
How many people are posting here from their work laptops? And how many have SSH access to at least one "secure" system?
Granted, HN is unlikely to be a threat, but other sources may be. There has been progress in sandboxing, but dev machines are especially vulnerable, as in many cases you need people to be admin on them to do their jobs effectively.
> *Is "browsing down" even possible under those circumstances?*
Not a security expert, but based on their explanation of "browsing down," I think it's possible if the laptop is sufficiently locked-down. The issue isn't fundamentally with the management device being remote, it's being less-trusted. In the limit case, you could have separate management-only laptops that get passed around to the on-duty employee.
> Is “browsing down” even possible under those circumstances?
Seems like it could be done by having a mobile workstation that doesn't read email or browse the web, just acts as a secure 'satellite' administration device that does little more than VPN back into the administrative network. From there, you jump off to a terminal server if you need to browse or email.
The termination of that admin VPN would probably need to be a distinct endpoint from the general VPN access concentration, and have additional security/authentication measures in place.
At that high a level, getting too granular about actual systems just ends up with people throwing your standards out because their special snowflake of a use case cannot possibly work under it.
The reason it ends up focusing on the bureaucracy is because they hope if you can get the bureaucratic part right, the organization can have the relevant expertise in house to make informed decisions about risk, the minimization and mitigation of which is really the goal of the security function.
I agree, it's a great doc. Some more concrete examples.
For number 1, administering a Windows Active Directory domain controller from a desktop that is also used to browse the public Internet and check email.
For number 6, networking groups use this a lot as the reason to not patch routers.
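The browse-down rule quoted from the article, and the domain-controller example just above, can be turned into a simple check over connection records. The following is an added example, written for this thread and not taken from the linked document or from any commenter; the host inventory, trust tiers, management ports and log lines are all constructed for illustration. Each host gets a trust tier (0 is most trusted, such as a domain controller or a dedicated admin device). A connection to a management port is "browse-up" when the source sits in a less-trusted tier than the destination, which is exactly the "admin the DC from the desktop you read email on" pattern; a connection from a more-trusted device to a less-trusted one (the admin device reaching a terminal server for browsing) is the browse-down the article describes and is allowed. Devices not in the inventory are treated as the least trusted tier.

```python
"""
Browse-down policy checker over constructed connection records.

Trust tiers: lower number = more trusted. A connection to a management port
whose source is less trusted than its destination is flagged as "browse-up";
everything else is "ok". This is an illustrative model, not the article's.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Hypothetical host inventory: hostname -> trust tier (constructed).
HOST_TIER: Dict[str, int] = {
    "dc01": 0,             # Active Directory domain controller
    "admin-laptop-07": 0,  # dedicated admin device: no mail, no web browsing
    "jump01": 1,           # terminal server reached from the admin network
    "ws-alice": 2,         # daily-driver workstation with web and email
}

# Any host absent from the inventory is treated as the least trusted tier.
UNKNOWN_TIER = 99

# Ports that expose administrative control of a host (constructed list:
# SSH, RDP, WinRM over HTTP and HTTPS).
MGMT_PORTS: Set[int] = {22, 3389, 5985, 5986}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    verdict: str  # "ok" or "browse-up"


def parse_line(line: str):
    """Parse 'src=<host> dst=<host> port=<n>' into (src, dst, port)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["port"])


def check(line: str,
          tiers: Dict[str, int] = HOST_TIER,
          mgmt_ports: Set[int] = MGMT_PORTS) -> Finding:
    """Classify one connection record against the browse-down rule."""
    src, dst, port = parse_line(line)
    src_tier = tiers.get(src, UNKNOWN_TIER)
    dst_tier = tiers.get(dst, UNKNOWN_TIER)
    # Only management ports matter; a web request from a workstation to a
    # more-trusted host is not an administrative session.
    if port in mgmt_ports and src_tier > dst_tier:
        return Finding(src, dst, port, "browse-up")
    return Finding(src, dst, port, "ok")


def audit(lines: Iterable[str]) -> List[Finding]:
    """Return only the records that violate the browse-down rule."""
    return [f for f in map(check, lines) if f.verdict != "ok"]


# Constructed sample records; not real traffic.
SAMPLE_LOG = [
    "src=ws-alice dst=dc01 port=3389",         # email/web desktop -> DC: browse-up
    "src=admin-laptop-07 dst=jump01 port=3389",  # admin device -> terminal server: ok
    "src=admin-laptop-07 dst=dc01 port=5985",    # tier 0 -> tier 0: ok
    "src=ws-alice dst=jump01 port=443",          # non-management port: ok
    "src=byod-phone dst=dc01 port=22",           # unmanaged device -> DC: browse-up
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(f"{finding.verdict}: {finding.src} -> {finding.dst}:{finding.port}")
```

The point of the model is that the tier assignment, not the physical location of the device, decides whether on-call administration from a laptop is acceptable: a remote laptop that is itself tier 0 (no mail, no browsing, VPN only into the admin network) produces no findings, while the same SSH or RDP session from the daily-driver workstation does.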