Right now, in front of you as you read this, is a computer that can connect you to the whole wide world. You can read the news; see what your friends and family are doing on a number of social media platforms; make an online purchase with your credit card for those trainers you always wanted; and read your emails, including the one from a long-lost prince who has $1M for you. This computer can connect you to almost everything and everyone, regardless of where they are on this planet or orbiting in our atmosphere.
Now you’ve checked the news, the weather, and the expected delivery of the trainers you just ordered. Time to check some work emails and the status board of the project you are currently working on, not forgetting your morning cup of tea/coffee (delete as applicable for your desired hot beverage). Are you this person?
This has almost become routine for us. It’s our warm-up for the day, like a runner getting ready for his race. Now that we are all warmed up, who has fallen foul of this NCSC anti-pattern? We open the admin console of our cloud services / DevOps platform / Exchange servers / IdP / etc. Worse, we use our email address, the same one we use for all our business correspondence. We use accounts and devices that have access to the whole wide world, and to all the threats that come with it, like malware, and we then log in to the admin console of a trusted system with these devices. This is browsing-up, and it is an anti-pattern.
Just imagine the damage an attacker could do if they got into your trusted systems with admin credentials. It’s never as simple as just changing your password; these guys now own you, they own all the accounts. It can take months and months to remove a hacker or, worse, they can leave with all the data they require without tripping the monitoring alarms, and remove all traces of ever having been in your system. Read this link for more information.
I hear you say, “It’s OK, we use a VPN or a bastion server to manage our systems.” The problem is this doesn’t alleviate your security issues. According to the National Cyber Security Centre, “Bastion hosts are useful for helping monitor and analyse the actions that administrators are performing, and they can help you avoid exposing more than one protocol outside of your system for administration purposes. But they won’t help you be confident that the user on the device is the person you intended to allow access to.”
Instead of browsing-up, we need to browse-down. We need to remove the element of untrusted systems and accounts that are not natively secure by design. We need a system that doesn’t browse the internet or have email access: a hygienically clean operating system that is designed solely for administration tasks.
Drum-roll, please. Welcome “Paradox”, by Becrypt, built in collaboration with the NCSC. What is Paradox?
“Paradox - the most secure endpoint management platform for enterprise, is a highly resilient, secure Linux-based operating system that guarantees that endpoint devices remain in a healthy state, free from malware and ransomware, resistant to even targeted cyber-attacks.” https://www.becrypt.com/uk/products/paradox/
Here at Becrypt (and at our customers), we use Paradox for a number of tasks, but one role we use it for is to log into our customers’ trusted systems, giving us the confidence that the OS we are using is clean, secure and trusted. Using this with individual admin accounts and security best practices, we have a clear separation between our daily cyber lives and our privileged admin access, using a secure-by-design OS.