Garrett: Linux kernel lockdown, integrity, and confidentiality
Garrett: Linux kernel lockdown, integrity, and confidentiality
Posted Apr 23, 2020 7:56 UTC (Thu) by LtWorf (subscriber, #124958)In reply to: Garrett: Linux kernel lockdown, integrity, and confidentiality by diconico07
Parent article: Garrett: Linux kernel lockdown, integrity, and confidentiality
It can be tampered with, they need to assume they cannot trust anything that connects to their network instead.
Posted Apr 23, 2020 12:59 UTC (Thu)
by excors (subscriber, #95769)
[Link]
It's impractical to never trust anything, so I assume you mean "don't trust anything simply because it's connected to the private network - use some kind of 2FA to verify a legitimate user is there before trusting it (and then still only trust it to the extent necessary for the user to do their job)". But a legitimate user could sign in with 2FA on a computer that's riddled with malware, which subsequently steals data from the private network or sends malicious data into the network. Even if they don't sign in, the malware could steal sensitive information that's cached locally (e.g. emails discussing confidential matters). That's not good enough protection.
Most students and many employees are likely to willingly install dodgy software on the computers provided to them, and all will be vulnerable to targeted phishing attacks, so you can't rely on the user to avoid malware. If someone with expertise and accountability, like the company's IT department, can verify the computers are running the clean software they were originally provided with and have not been tampered with, then that's a significant extra layer of protection. And that requires technical features to either prevent or detect tampering, like this kernel lockdown stuff. (And of course they should still do 2FA and least privilege too.)
Garrett: Linux kernel lockdown, integrity, and confidentiality