Information Security

spot
Posts: 41336
Joined: Tue Apr 19, 2005 5:19 pm
Location: Brigstowe


Post by spot »

This is a puzzle to me.

Firstly, if anyone can recommend a site where I could discuss the issue and get good advice, I'd like to know.

I have, for the first time in a while, long-term frequently-updated information which I need to secure.

I'm keeping it in a dedicated virtual machine on my desktop. The virtual machine is encrypted at rest - that means if you power it down the secure information is encrypted. If you power it up then, from inside the virtual machine, the secure information is clear-text. You need a password to power it up.

There are no services running, all the ports are shut. No sshd, for example.

But, because the whole point is that I'm processing the information as it comes in off the Internet, there's an Internet connection. I'm sending none of the secure information offsite, but I'm acutely aware that anyone planting malware on the virtual machine will be able to steal the data. Stealing just a fraction is just as bad a prospect as having all of it stolen, and I can't easily work on the data unless it's clear-text. I think there's bound to be occasions when some of the data is readable.

My router is firewalled to block all unknown incoming requests. I'm sure it can be bypassed.

I'm sure my operating system has zero-day vulnerabilities which would allow root access, though I have no idea how it would be achieved. Anyone interfering with the process which applies security patches would have the capability.

Other than that I think I'm only open to someone stealing the physical desktop, having already acquired some of my passwords. I've upgraded my external doors and locks.

If I felt more confident about my router's firewall, I could block all outgoing connections to just a few specified IP addresses. My mail server, the security patch mirror. Nothing could then get out unless a malware process gets my email password and uses it to gain an outbound channel.

I'm considering wireshark outside of the virtual machine, logging non-email-related IO, and putting a cron job out there to intensive-scan the ports regularly to make sure they stay shut. I could check those logs manually every week.
Nullius in verba ... ☎||||||||||| ... To Fate I sue, of other means bereft, the only refuge for the wretched left.
When flower power came along I stood for Human Rights, marched around for peace and freedom, had some nooky every night - we took it serious.
Who has a spare two minutes to play in this month's FG Trivia game! ... My other OS is Slackware.
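
The weekly log review and the outbound allowlist described in the post above can be combined into one check. This is an added example, not part of the original post: the flow-log format, the addresses (documentation ranges), the byte budget and all names are assumptions. It flags outbound traffic from the VM to any destination off the allowlist, and also unusually heavy traffic over an allowed channel such as the mail server.

```python
import ipaddress
from collections import defaultdict

# Assumed allowlist: (network, port) pairs for the mail server and patch mirror.
# Addresses are documentation-range placeholders, not real hosts.
ALLOWED = [
    (ipaddress.ip_network("192.0.2.25/32"), 587),    # mail submission
    (ipaddress.ip_network("198.51.100.0/28"), 443),  # patch mirror
]
VM_ADDR = ipaddress.ip_address("10.0.0.5")   # assumed address of the VM
DAILY_BYTE_BUDGET = 5_000_000                # assumed ceiling per allowed destination

# Constructed sample: "date time src dst dport bytes_out"
SAMPLE_LOG = """\
2024-01-08 09:00:01 10.0.0.5 192.0.2.25 587 48211
2024-01-08 09:05:13 10.0.0.5 198.51.100.4 443 1930
2024-01-08 11:42:50 10.0.0.5 203.0.113.77 443 88012
2024-01-08 23:10:02 10.0.0.5 192.0.2.25 587 9400000
2024-01-09 09:00:04 10.0.0.5 192.0.2.25 587 51007
not a flow record
"""

def is_allowed(dst, port):
    return any(dst in net and port == p for net, p in ALLOWED)

def audit(log_text):
    """Return (unexpected_flows, over_budget) for outbound traffic from the VM."""
    unexpected, totals = [], defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than abort the weekly review
        day, clock, src, dst, port, nbytes = parts
        try:
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port, nbytes = int(port), int(nbytes)
        except ValueError:
            continue
        if src != VM_ADDR:
            continue
        if not is_allowed(dst, port):
            unexpected.append((day, clock, str(dst), port))
        else:
            totals[(day, str(dst))] += nbytes
    over = {k: v for k, v in totals.items() if v > DAILY_BYTE_BUDGET}
    return unexpected, over

if __name__ == "__main__":
    bad, heavy = audit(SAMPLE_LOG)
    print("unexpected:", bad)
    print("over budget:", heavy)
```

The per-destination byte total matters because an allowlist alone does not notice data leaving through a permitted channel.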
Bruv
Posts: 12181
Joined: Sat Aug 18, 2007 3:05 pm


Post by Bruv »

Funny you say it's a puzzle to you, it's a puzzle to me also.

OK... how about an airlock?

Isolate the data by having no connection, introduce new data by whatever is easiest DVD, CD.

I'll get my coat.
I thought I knew more than this until I opened my mouth
spot
Posts: 41336
Joined: Tue Apr 19, 2005 5:19 pm
Location: Brigstowe


Post by spot »

Bruv;1488369 wrote: Funny you say it's a puzzle to you, it's a puzzle to me also.

OK... how about an airlock?

Isolate the data by having no connection, introduce new data by whatever is easiest DVD, CD.

I'll get my coat.

It's a perfectly valid suggestion, there's even a name for it - Sneakernet. My problem is that the data consists primarily of 10,000 updates a year and I obviously need to automate it as much as possible.

The other aspect is that the sensitive information just gets moved one machine further down the line. Everything I wrote about my problem machine would apply to the one I was loading the USB stick from. All the data would still be there at that step, before I take it to the stick and delete it from the intermediate machine. Whatever intrusion problems I'm anticipating would apply there, and need the same solution to the one I'm puzzled by.

We could solve that, in turn, by taking data from a third receiving machine onto a USB stick to transfer to the now-isolated second machine, which would then be secure and I could load my final USB stick safe in the knowledge that nobody could take the data while I was doing it. However long the chain of machines, the one at the beginning has the problem.
Bruv
Posts: 12181
Joined: Sat Aug 18, 2007 3:05 pm


Post by Bruv »

Use a variety of source PCs?

Have you got the Talk Talk contract?