How To Air Gap a Computer
The highest level of security for a computer is for it to be air-gapped. It’s the only way to reduce the chance of the computer being hacked to as close to zero as possible. Anything less and a dedicated hacker will get into it somehow.
Why Would I Want To Air Gap a Computer?
The average person doesn’t need to air gap a computer. This is mostly the domain of corporations and governments. For a government, it could be a sensitive database, project, or maybe controlling a weapons system. For a corporation, it could house trade secrets, financial information, or running an industrial process. Activist groups might also do this to prevent having their work shut down.
You’re probably not worried about those things if you’re only running a home computer. Still, implementing just one or two of these measures will increase your security dramatically.
What’s An Air Gap?
When you air gap a computer there’s nothing between the computer and the rest of the world but air. Of course, since WiFi came along it has changed to mean no connection to the outside world at all. Nothing that isn’t already on the computer should be able to get on it. Nothing on the computer should be able to be taken off of it.
How Do I Air Gap My Computer?
Air gapping a computer is not as simple as just unplugging the network cable and disabling the WiFi. Remember, this is a high-value target for criminal hackers and Nation-State Actors (NSAs) who work for foreign governments. They’ve got money and time. Plus they love a challenge, so going after an air-gapped computer is enticing to them.
Let’s start from the outside of the computer and work our way inside:
- Operational security (OpSec) is important. OpSec can be oversimplified as being on a need-to-know basis. No one needs to know what’s in the room, let alone what the computer is for or who is authorized to operate it. Treat it as if it didn’t exist. If unauthorized people know about it, they’re susceptible to social engineering attacks.
- Make sure it’s in a secure room. The room should have just one entrance and it must be locked at all times. If you go inside to work, lock the door behind you. Only authorized operators of the PC should have access. How you do this is up to you. Physical and electronic smart locks each have their pros and cons.
Be cautious of drop ceilings. If an attacker can pop out a ceiling tile and go over the wall, the locked door means nothing. No windows, either. The room’s sole purpose should be to house that computer. If you’re storing stuff in there, then there’s an opportunity to sneak in and hide a web camera, microphone, or RF listening device.
- Make sure it’s a safe room. Safe for the computer, that is. The room should provide the ideal climate for the computer so that it lasts as long as possible. Anytime an air-gapped computer breaks down and is disposed of, there’s a chance to get information off the discarded computer.
You’ll need computer-safe fire suppression as well. Something using inert gases or halocarbon compounds is appropriate. It has to be non-destructive to the computer, or the hacker may try to destroy the computer by turning on the sprinklers if they can.
- Keep all other unnecessary electronic devices out of the room. No printers, cellphones, tablets, USB flash drives, or key fobs. If it has a battery in it or uses electricity it doesn’t go in that room. Are we being paranoid? No. Check out the air-gap research Dr. Mordechai Guri is doing and see what’s possible.
- Speaking of USB, plug or remove any unnecessary USB ports. You might need a USB port or two for the keyboard and mouse. Those devices should be locked in place and not removable. Any other USB port should be removed or blocked using something like a USB port blocker. Better yet, use a USB to PS/2 keyboard and mouse converter adapter, with a PS/2 keyboard and mouse. Then you don’t need any external USB ports at all.
- Eliminate all methods of networking possible. Remove the WiFi, Ethernet, and Bluetooth hardware or start with a computer that doesn’t have any of that. Just disabling those devices isn’t enough. Any necessary network cable needs to be shielded. It might be a controller for an industrial process so some cables may be necessary.
- Disable all common network ports on the computer. This means services listening on ports like 80 for HTTP and 21 for FTP, and any other open TCP/UDP port. If the hacker somehow gets physically connected to the computer, at least these ports won’t be sitting there ready and waiting.
- Encrypt the hard drive. If the hacker still gets to the computer, at least the data is encrypted and useless to them.
- Shut the computer down whenever it isn’t needed. Unplug it, even.
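As an added check (example code, not from the article), the POSIX shell helpers below verify several of the items above on a Linux host: network interfaces that still exist, listening ports, loaded wireless and Bluetooth drivers, USB devices, and mounted partitions that are not LUKS-encrypted. The tools parsed (ip, ss, lsmod, lsblk, lsusb) are standard Linux utilities; the sample lines and the AIRGAP_LIVE variable are assumptions of this example.

```shell
#!/bin/sh
# Audit helpers for an air-gapped Linux host (added example, not the article's own).
# Each function parses the output of a standard tool passed on stdin, so it can be
# exercised with constructed samples; the block at the bottom feeds it live output.

# Interfaces other than loopback, from `ip -o link`. Any name printed means a
# network interface (wired, wireless, bridge, ...) is still present on the host.
non_loopback_ifaces() {
    awk -F': ' '$2 != "lo" { print $2 }'
}

# Local port numbers of listening TCP/UDP sockets, from `ss -Hlntu`.
# On an air-gapped machine this list should be empty.
listening_ports() {
    awk '{ n = split($5, a, ":"); print a[n] }' | sort -un
}

# Loaded wireless/Bluetooth kernel modules, from `lsmod`. The article's advice is
# to remove the hardware; a loaded driver is a sign it is still installed.
radio_modules() {
    awk 'NR > 1 { print $1 }' \
        | grep -Ex 'cfg80211|mac80211|bluetooth|btusb|iwlwifi|ath[0-9a-z]+k' || true
}

# Mounted partitions whose filesystem is not a LUKS container, from
# `lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT`. Heuristic: a plain mounted partition
# (an EFI system partition, an unencrypted /boot) holds data in the clear.
unencrypted_mounts() {
    awk '$2 == "part" && $3 != "crypto_LUKS" && NF >= 4 { print $1, $4 }'
}

# USB devices other than the controllers' root hubs, from `lsusb`.
# Only the locked-down keyboard and mouse should appear here, if anything.
usb_devices() {
    grep -v 'root hub' || true
}

# Live mode (assumed switch): AIRGAP_LIVE=1 ./airgap-audit.sh audits this host.
if [ -n "${AIRGAP_LIVE:-}" ]; then
    echo "== interfaces other than lo ==";  ip -o link | non_loopback_ifaces
    echo "== listening ports ==";           ss -Hlntu | listening_ports
    echo "== radio modules loaded ==";      lsmod | radio_modules
    echo "== unencrypted mounted partitions ==";
    lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT | unencrypted_mounts
    echo "== USB devices ==";               lsusb | usb_devices
fi
```

Every section printed in live mode should be empty on a finished air-gapped build; each non-empty line is an item from the list above that still needs attention.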
Is My Computer Safe Now?
Get used to the terms acceptable risk and reasonably secure. As long as there are hackers, both white hat and black hat, new ways to jump the air gap will continue to be developed. There’s only so much you can do, but when you air gap your computer it’s at least a good start.