Cyber Security Awareness: Academic Freedom vs. Operations vs. Security
CERN Computer Security Team (2010): S. Lopienski, S. Lüders, R. Mollon, R. Wartel
“Protecting Office Computing, Computing Services, GRID & Controls”
Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20 February 2007 — “Computer Security Awareness”
Basics On Security

Security is as good as the weakest link:
► Attacker chooses the time, place, method
► Defender needs to protect against all possible attacks (currently known, and those yet to be discovered)

Security is a system property (not a feature)
Security is a permanent process (not a product)
Security cannot be proven (phase-space problem)
Security is difficult to achieve, and only to 100%-ε.
► At CERN, YOU define ε !!!

BTW: Security is not a synonym for safety.

YOU are responsible for securing your services & systems:
► As user, developer, system expert or administrator
► As a project manager or line manager
► As part of the CERN or your experiment hierarchy
Under Permanent Attack

CERN is under permanent attack… even now.
Servers accessible from the Internet are permanently probed:
► …attackers trying to brute-force passwords;
► …attackers trying to break Web applications;
► …attackers trying to break into servers and obtain administrator rights.

Users are not always aware/cautious/proactive enough:
► …attackers trying to harvest credentials outside CERN;
► …attackers trying to “phish” user passwords.

Incidents happen:
► Web sites & web servers, data-base interfaces, computing nodes, mail accounts, …
► The office network is very liberal: free connection policy and lots of visitors.
Thus, there are always devices being infected/compromised.

YOU are responsible for preventing incidents from happening:
► As user, developer, system expert or administrator
► As a project manager or line manager
► As part of the CERN or your experiment hierarchy
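The password brute-forcing this slide describes shows up on a defender's side as bursts of failed logins in the SSH server's log. The Python below is an added example, not part of the presentation or of CERN's tooling: it counts failed-password lines per source address inside a sliding time window and flags sources that cross a threshold, which is the basic logic behind the log-watching tools that block such sources. The log lines are constructed samples, the addresses come from documentation ranges, and the year (absent from syslog timestamps) is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not from any CERN system); addresses are
# from documentation ranges and the year, absent in syslog, is assumed to be 2010.
SAMPLE_AUTH_LOG = """\
Jan 12 10:31:01 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 12 10:31:02 host1 sshd[2203]: Failed password for root from 198.51.100.7 port 40123 ssh2
Jan 12 10:31:03 host1 sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
Jan 12 10:31:04 host1 sshd[2207]: Failed password for root from 198.51.100.7 port 40125 ssh2
Jan 12 10:31:05 host1 sshd[2209]: Failed password for root from 198.51.100.7 port 40126 ssh2
Jan 12 10:45:10 host1 sshd[2300]: Failed password for alice from 192.0.2.20 port 51000 ssh2
Jan 12 10:45:40 host1 sshd[2302]: Accepted password for alice from 192.0.2.20 port 51001 ssh2
Jan 12 11:00:00 host1 sshd[2400]: Failed password for bob from 203.0.113.9 port 60000 ssh2
Jan 12 11:30:00 host1 sshd[2401]: Failed password for bob from 203.0.113.9 port 60001 ssh2
"""

# OpenSSH "Failed password" line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2010):
    """Yield (timestamp, user, source_ip) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Map source_ip -> (failures in its busiest window, distinct users tried)
    for sources with >= threshold failures inside any window_seconds span."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1  # shrink the window from the left until it fits
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, (0, 0))[0]:
                users = {u for _, u in events[start:end + 1]}
                flagged[ip] = (count, len(users))
    return flagged
```

With the defaults only the source that fails five times in four seconds is flagged; the two failures half an hour apart from the third address stay below the window and are left alone.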
Be Vigilant & Stay Alert !!!

Email addresses can easily be faked !
Stop “Phishing” attacks: No legitimate person will EVER ask for your credentials !
Do not trust your web browser !
Security risks are everywhere !!!

Screenshot text (FTP welcome banner of a compromised server):
220- Haxed by A¦0n3
220-| Welcome to this fine str0
220-| Today is: Thursday 12 January, 2006
220-| Current througput: 0.000 Kb/sec
220-| Space For Rent: 5858.57 Mb
220-| Running: 0 days, 10 hours, 31 min. and 31 sec.
220-| Users Connected : 1 Total : 15

Unpatched oscilloscope (running Win XP SP2)
Lack of input validation & sanitization
Confidential data on Wiki, webpages, CVS…
Negligence of the “Rule of Least Privilege”
Operational Circular #5
http://cern.ch/ComputingRules
Stick to the “Rule of Least Privilege”:
► Protect accounts/files/services/systems against unauthorised access
► Passwords must not be divulged or easily guessable (your “toothbrush”)
► Protect access to unattended equipment

E-Mail users must not:
► Send mail bombs, SPAM, chain letters or forge e-mail or news articles

PC users must:
► Run anti-virus software and upgrade/patch systems regularly
► Act immediately to contain and mitigate security incidents

Network users must:
► Collaborate to investigate problems detrimental to CERN’s network
► Not make unauthorised changes to CERN’s network infrastructure
Operational Circular #5 (cont’d)
http://cern.ch/ComputingRules

Personal use is tolerated or allowed provided:
► Frequency and duration is limited and resources used are minimal
► Activity is not illegal, political, commercial, inappropriate, offensive, or detrimental to official duties
► Activity does not violate applicable laws in CERN's Host States
► Not allowed: the consultation of pornographic and other illicit material (e.g. paedophilia, inciting to violence, discrimination, racism)

Restricted personal use:
► Applications known to cause security and/or network problems
► e.g. Skype, IRC, file sharing (eDonkey, BitTorrent, …)

Respect confidentiality and copyrights:
► Illegal or pirated data (software, music, video, etc.) is not permitted
Summary

Security is a permanent process and can only be achieved by 100%-ε.
YOU are responsible for securing your service(s) (i.e. ε):
► As user, developer, system expert or administrator
► As a project manager or line manager

Therefore:
► Be vigilant and stay alert !
► Close vulnerabilities: prevent incidents from happening
► Check access rights and stick to the “Rule of Least Privilege”
► Make security a system property: review configuration & coding practices
► Provide funding and resources

The Computer Security Team can provide assistance.
Training Courses on Security
https://cern.ch/security/training/en/index.shtml
More Information…

CERN Computing Rules OC#5, subsidiary service rules & Computer Security information:
http://cern.ch/security

Please report incidents to:

Security contacts (Departments):
Pierre Charrue (BE), Peter Jurcso (DSU), Brice Copy (EN), Folke Wallberg (FP), Timo Hakulinen (GS), Catharina Hoch (HR), Stefan Lüders (IT), Joel Closier (PH), Gustavo Segura (SC), Vittorio Remondino (TE)

Security contacts (Experiments):
Peter Chochula (ALICE), Mike Capell (AMS), Giuseppe Mornacchi (ATLAS), Frans Meijers (CMS), Gerhart Mallot (COMPASS), Niko Neufeld (LHCb), Alberto Gianoli (NA62), Francesco Cafagna (TOTEM), Technical-Network Admins.