
IanaIO's Security Standard ICSS - Isolating Critical Systems Standard

· 3 min read
Cichy
Maintainer of IanaIO - security

Use cases with different scenarios

How to keep kernel systems up to date with the latest critical patches across a 10k server farm

Scenario:

Some will say this is a wake-up reminder that it's not possible to keep kernel systems up to date with the latest critical patches across a 10k server farm ... without some sort of privileged binary that can install updates. The problem is the "do it all at once" default behavior.

Direct access to the internet is a bad idea.

Solution:

You can patch systems without them having direct internet access. This doesn't mean you can't have privileged binaries; that wouldn't make sense.

Super critical systems should be isolated.

Scenario:

If you have code that connects to a specific address, verifies the cert and verifies that the binary is signed, that should be as good as a staging area. The problem is the lack of a rolling schedule. The default should be 2%, wait X hours, 10%, wait, etc.

Solution:

When I say the internet, I mean outside of your network. Any time you open your network to the outside world, even with certs, checks, etc., you open the door. Super critical systems should be isolated. I also agree with rolling updates.
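The rolling schedule argued for above, as an added example that is not IanaIO's code: hosts are released in cumulative waves with a bake period between them, and the rollout halts when post-install health checks fail above a threshold, so a bad build reaches 2% of the fleet instead of all of it. The 2% and 10% steps come from the post; the later percentages, the 4-hour bake, the 1% failure threshold and the names `plan_waves`, `run_rollout` and `health_check` are assumptions.

```python
"""Rolling update schedule for a large fleet (added example, not IanaIO code).

Hosts go out in cumulative waves (2%, wait, 10%, wait, ...), and the rollout
halts when the post-wave failure rate crosses a threshold.
"""

# Cumulative fleet percentages per wave and the bake time between waves.
# The 2% and 10% steps are from the post; the later steps are assumptions.
DEFAULT_PERCENTS = (2, 10, 25, 50, 100)
DEFAULT_BAKE_HOURS = 4


def plan_waves(hosts, percents=DEFAULT_PERCENTS):
    """Split `hosts` into waves; wave i ends at percents[i] of the fleet."""
    total, done, waves = len(hosts), 0, []
    for p in percents:
        target = min(total, total * p // 100)
        if target > done:
            waves.append(hosts[done:target])
            done = target
    if done < total:  # percents did not reach 100%: release the remainder
        waves.append(hosts[done:])
    return waves


def run_rollout(hosts, health_check, percents=DEFAULT_PERCENTS,
                bake_hours=DEFAULT_BAKE_HOURS, max_failure_rate=0.01):
    """Push each wave, bake, then gate on the cumulative failure rate.

    health_check(host) -> bool stands in for the post-install checks a real
    fleet runs (service up, expected kernel version, no crash loop).
    """
    updated, failed, elapsed, i = [], [], 0, -1
    for i, wave in enumerate(plan_waves(hosts, percents)):
        updated.extend(wave)
        failed.extend(h for h in wave if not health_check(h))
        elapsed += bake_hours  # simulated wait between waves, not a sleep
        if len(failed) / len(updated) > max_failure_rate:
            return {"status": "halted", "wave": i, "updated": len(updated),
                    "failed": failed, "hours": elapsed}
    return {"status": "complete", "wave": i, "updated": len(updated),
            "failed": failed, "hours": elapsed}


if __name__ == "__main__":
    fleet = [f"srv-{n:05d}" for n in range(10_000)]  # constructed 10k fleet
    print([len(w) for w in plan_waves(fleet)])  # [200, 800, 1500, 2500, 5000]
    # A bad build that breaks every 20th host is stopped after the 2% wave.
    bad = run_rollout(fleet, lambda h: int(h[4:]) % 20 != 0)
    print(bad["status"], bad["updated"], len(bad["failed"]))  # halted 200 10
```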

System Hacks

Scenario:

Direct internet access to a host allows for command and control, whereas the alternative option does not.

Solution:

There's not a huge meaningful difference between downloading a binary to a staging area and then installing it, or downloading it "more directly". It's not safer because you put it in a folder first.

It's safe because you rolled the updates and verified the binary.

(Although I do staging areas, because I run virus scanners on all binaries that enter my network.)

Hack scenario with solution

Let's say I ship you a binary with command and control in it, and you install it. It's just slower.

How do you control a system remotely if it doesn’t have access to the internet?

'Hack'

Scenario:

Let's say that I know you're going to install binary updates and I've hacked the sigs. I nicely put a signed binary in the place you expect to find it and wait for you to install it. It's definitely slower, but really not different.

Supply chain attacks

This is how all "supply chain" attacks happen, by the way. People don't stuff binaries into other people's machines; they upload them to a package repo and wait for someone to pull them.

Temporary Solution:

IanaIO does staging areas, because we run virus scanners on all binaries that enter our network.

IanaIO's Security Standard - ICSS

What's the ICSS

IanaIO's solution to this security issue is Isolating Critical Systems, using IanaIO's Cyber Security Standard ICSS, the "Isolating Critical Systems Standard."

Wrong Privileged Binary on Production Systems

You shouldn't have an internet-connected privileged binary running on your production systems; in other words, do not grant kernel-level access to third-party vendors.

Learn more: https://security.iana.io/blog/toppriortysecurityissues#ianaios-solution-for-this-security-issues