Computer Security: Agility for computers
I have just made an inventory of all the digital gadgets connected to my wireless network at home: two Windows laptops, two tablets of different generations, my two kids’ iPods, one iPhone, an Apple TV, an old iMac, the Wii U, a Sony TV, a Sony stereo, the Wi-Fi router (of course!), a Network Attached Storage and two IP telephones. I’m sure other people have many more...
In the future, I could even have an internet-connected car or coffee-machine or a smart meter (see “Hacking control systems, switching lights off!”), and I could eventually even connect my solar panels to my Wi-Fi network. That’s quite some phase-space for vulnerabilities waiting to be exploited by attackers!
Therefore, locking down my Wi-Fi router and blocking all incoming access was essential, but my kids randomly browsing the web still posed an insider threat… Thus, patching and keeping all systems up to date became important, too. But given the number of devices, how could anyone expect me to spend all of “Patch Tuesday” – the day each month when Microsoft publishes its newest updates – running around and keeping all our operating systems, firmware and applications up to date? I am already fed up with keeping my iPhone and its apps up-to-date – every second day, so it seems, I am forced to apply new updates to some apps… How would this scale up to a cacophony of devices at home? In short: it doesn’t, and it also doesn’t work well in a large computer centre like CERN’s. This month, Microsoft issued two critical patches: “MS14-066” and “MS14-068”. You can imagine how extra-busy many system administrators were (twice!).
So we need a change of paradigm. Enter: “agility”. In the near future, I expect security updates to sneak into my devices clandestinely (if I opt in) in order to keep them up to date and provide protection against exploitation. Patching must become “agile”, meaning that updates are automatically pushed and applied once ready*. And they have to be applied to everything: PCs, laptops, smartphones, embedded systems, control devices, and so on – fully independent of criticality. No need to wait for “Patch Tuesday”, no more hassle running around pushing buttons, and no more reboots that stop me from working.
We’re not there yet, but we should still at least try to become more agile. A good start is enabling services like “Windows Update”, Mac’s “Software Update” and Linux’s “yum auto-update” wherever possible. That means not only on office PCs, laptops and tablets, but also on control devices, SCADA systems, computing nodes, computer centre servers, etc. The more critical a system is, the more we should worry about it not being patched and the more we should invest in enabling prompt and agile patching. In certain justifiable circumstances, other security protections could be used instead. We should talk to the vendors of those systems and deploy frameworks to make upgrade management easier. Using Puppet, as we do in CERN’s “Agile Infrastructure” for managing the Meyrin and Wigner computer centres, is a good start: upgrade cycles have become shorter. However, there is still room for improvement, as the security incidents connected with “Heartbleed”, “Shellshock” and “Poodle” have shown: while most of the servers used in the computer centre and for control systems were fixed quickly, many fringe systems remained vulnerable for another month! Better (and quicker) configuration management is important to prevent those systems from becoming insecure.
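Added example (not from the article, and not CERN’s own tooling): a POSIX shell audit of the yum-cron configuration behind Linux’s “yum auto-update” on RHEL/CentOS 7, which reports whether a host only downloads updates or actually applies them, and then turns both settings on. The key names download_updates and apply_updates are yum-cron’s; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not code from the article or from CERN: audit and enable
# the two settings in a yum-cron configuration (/etc/yum/yum-cron.conf on
# RHEL/CentOS 7) that decide whether "yum auto-update" really patches.
# The sample file below is constructed; point the functions at the real
# path to audit a host.

# Print the value of KEY ($1) in FILE ($2): last definition wins, comments ignored.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# Return 0 when updates are both downloaded and applied automatically,
# 1 otherwise; print a one-line verdict either way.
audit_autoupdate() {
    dl=$(conf_get download_updates "$1")
    ap=$(conf_get apply_updates "$1")
    case "$dl/$ap" in
        yes/yes) echo "$1: agile (downloads and applies updates)"; return 0 ;;
        yes/*)   echo "$1: downloads only; set apply_updates = yes"; return 1 ;;
        *)       echo "$1: not patching; set download_updates = yes and apply_updates = yes"; return 1 ;;
    esac
}

# Rewrite FILE ($1) so both keys read 'yes'; other settings are left untouched.
enable_autoupdate() {
    sed -e 's/^[[:space:]]*download_updates[[:space:]]*=.*/download_updates = yes/' \
        -e 's/^[[:space:]]*apply_updates[[:space:]]*=.*/apply_updates = yes/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Constructed sample in the shape of a stock yum-cron.conf, which only
# notifies about updates and neither downloads nor installs them.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[commands]
update_cmd = security
download_updates = no
apply_updates = no
EOF

audit_autoupdate "$SAMPLE" || enable_autoupdate "$SAMPLE"
audit_autoupdate "$SAMPLE"
```

The same audit can be looped over a fleet's configuration files pulled by Puppet, so the "fringe systems" that stay unpatched show up as a list rather than as the next incident.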
So, how agile are your systems? How quickly could you apply a security fix if you had to do it NOW? If the answer is “within a day”, congratulations! If the answer is “next summer”, we should talk.
*Normal updates for new features etc., however, would still need the consent of the user in order to prevent unwanted functions from being installed.
Check out our website for further information, answers to your questions and help, or e-mail Computer.Security@cern.ch.
If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.
by Stefan Lueders, Computer Security Team