After Prism & Tempora: How much monitoring is OK for CERN?

Edward Snowden’s revelations about the “Prism” and “Tempora” surveillance operations, run by the NSA in the US and GCHQ in the UK respectively, created quite a stir! Why has the witch hunt of a whistle-blower dominated newspaper headlines when there appears to have been no outcry over the fact that two countries have deeply penetrated our digital lives for so long?!


With echoes of George Orwell’s 1984, the two agencies collected a huge amount of Internet traffic, tapping into as much data per day as the LHC produces per year (see here). How much privacy are we willing to give up in order to protect ourselves against terrorist attacks? How much monitoring of our Internet activity is justified in order to feel safer? And how much monitoring is OK in the academic environment of CERN?

As the world’s largest high-energy physics research lab and the home of the LHC, CERN is a target for hacktivists and cyber-attackers. CERN must pro-actively protect its assets in order to safeguard its operations and its good reputation. While this protection (and incident prevention) is mainly in your hands, since at CERN you are responsible for securing your computers, networks, data, systems and services in the first instance, the Computer Security Team is ready to help you assume this responsibility (see our Bulletin articles on ““Security” is YOU!” and “Why “Security” is not ME…”).

And protection is just one important facet: detection of abuse, attacks and infiltration is another. Therefore, the Computer Security Team also uses a series of automatic intrusion detection tools. Network-based intrusion detection systems such as “Snort” inspect all network traffic to and from the Internet in real time for malicious patterns. In particular, all web traffic is analysed live and logged for one year in order to facilitate retrospective incident forensics. Further real-time intrusion detection is based on statistical analysis of aggregated network traffic, so-called flows, which are also kept for one year. In parallel, DNS resolution calls, i.e. the process which converts domain names like “www.cern.ch” into machine-readable IP addresses, are compared to a list of malicious domains and, if they match, resolution is blocked automatically.
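The DNS check described above, as an added illustration rather than CERN’s own tooling: resolution requests are matched against a blocklist of malicious domains, with a parent-domain (suffix) match so that subdomains of a listed domain are caught too. The blocklist entries, log format and log lines are constructed for the example.

```python
"""Blocklist matching for DNS resolution requests (constructed example)."""

# Constructed blocklist of hypothetical malicious domains.
BLOCKLIST = {"evil.example", "c2.example.net"}


def domain_labels(name):
    """Normalise a domain name: strip trailing dot, lower-case, split on '.'."""
    return name.rstrip(".").lower().split(".")


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname or any of its parent domains is on the blocklist.

    Matching is done label by label, so 'www.evil.example' is blocked while
    'notevil.example' is not (a plain string suffix test would get that wrong).
    """
    labels = domain_labels(qname)
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def classify_log(lines, blocklist=BLOCKLIST):
    """Split simplified resolver log lines into (blocked, allowed) queries.

    Constructed line format: '<timestamp> <client_ip> <qname> <qtype>'.
    Returns two lists of (client_ip, qname) tuples.
    """
    blocked, allowed = [], []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than fail the whole run
        client, qname = parts[1], parts[2]
        (blocked if is_blocked(qname, blocklist) else allowed).append((client, qname))
    return blocked, allowed


# Constructed sample log lines (private client addresses, hypothetical names).
SAMPLE_LOG = [
    "2013-07-01T10:00:01 10.0.0.5 www.cern.ch A",
    "2013-07-01T10:00:02 10.0.0.7 www.evil.example A",
    "2013-07-01T10:00:03 10.0.0.9 notevil.example A",
    "2013-07-01T10:00:04 10.0.0.7 beacon.c2.example.net AAAA",
    "garbage line",
]

if __name__ == "__main__":
    blocked, allowed = classify_log(SAMPLE_LOG)
    print("blocked:", blocked)
    print("allowed:", allowed)
```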

Aside from network monitoring, host-based intrusion detection tools run on all public Linux clusters, monitoring for suspicious activities like brute-force attempts, strange login patterns, or unusual or dangerous system calls and commands. Centrally provided anti-virus software is used to detect malicious files and programmes on centrally managed Windows PCs*. Finally, we constantly scan web pages and web servers for basic vulnerabilities (e.g. those on the “OWASP” list of the ten most critical web application security risks), file systems for unprotected credentials like unprotected private SSH keys or passwords stored in publicly readable files, and all devices connected to our networks for an up-to-date inventory of running computing services.

Although this monitoring gives the Computer Security Team lots of sensitive data, it does not imply that we constantly spy on you and your activities. We never have and never will. First of all, we highly value CERN’s Digital Privacy Statement and CERN’s planned Data Protection Policy. In addition, the CERN Computing Rules (OC5) strictly define the scope of our work. The aforementioned monitoring tools run completely autonomously and automatically inform the parties concerned. Only upon an initial trigger – a suspicious activity reported to us – will the Computer Security Team take up the baton and try to understand the details of an incident, assess its impact and start incident response procedures. Similarly, we only get involved if there are legitimate requests for access to mailboxes and private files stored on AFS or DFS. The corresponding procedures for accessing such data are precisely defined in a subsidiary rule to OC5.

Thus, we believe we have a good balance between the academic freedom at CERN and our protective monitoring measures. Still, we are interested in your opinion: how much monitoring is OK for CERN? Please write to us at Computer.Security@cern.ch, and check our website for further information, answers to your questions or help. If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.


* You can get your personal copy for home use for Windows PCs here and for Macs here.


by Computer Security Team