Computer Security: Hacking CERN - a win-win for all

The first round of the CERN WhiteHat Challenge has finished (see here). At the end of March, CERN was "attacked" by a dozen students from the St. Pölten University of Applied Sciences, Austria.

These attacks were part of their Master's degree in computer science and computer security, where they study penetration testing and vulnerability scanning, i.e. finding weaknesses in computing systems: techniques, tools, approaches and ethics. Usually, such studies are done against mock-ups like “Google Gruyere”, the “Damn Vulnerable Web Application” or OWASP’s “WebGoat” and “Hackademic”. However, while those mock-ups are in principle useful, they rarely resemble the operational reality of the Internet.

CERN has offered computer security professors an alternative: the opportunity to use CERN’s web-ecosystem and all other systems open to the Internet as their playground. Their students can learn how to perform penetration tests and vulnerability scans against real, operational targets.

This is a win-win-win situation for all. Students win as they learn to develop strategies in a real-life environment - this brings with it both advantages and disadvantages, as real-life is not as easy as mock-ups and there is a chance that students will find nothing. In such a case, they “just” learn that the security level of the system they’ve tested is higher than their skills and expertise. For professors, this is also a win, as they don’t need to set up mock-ups and can concentrate instead on educating their students.

And CERN wins, too. CERN is under permanent attack anyhow - but the "evil" side never tells us what they’ve found. The students will have to. Formally, there is a Memorandum of Understanding (MoU) signed between the participating university, the supervising professor and CERN. Part of this MoU is a “Code of Ethics” providing the ground rules for performing tests against CERN. “Ethics” are also part of the classes taught before the penetration tests are performed.

About ten students from the University of Rotterdam also carried out penetration testing exercises earlier this month. HEIG VD in Yverdon-les-Bains is also preparing its students, and four more universities worldwide are currently in the process of signing the MoU. In parallel, 57 CERN staff and users have successfully passed the two half-day WhiteHat training courses, signed the same “Code of Ethics” and are now ready to poke around CERN's computing services. In-depth training sessions have also started. For more information, visit the CERN WhiteHat Challenge website or sign up to the WhiteHat candidate e-group.

If your service or system fails to withstand such a hack, it may be time to understand why it was not robust and resilient enough to survive. Any malicious person could have taken advantage of the same vulnerability, but either didn’t bother or just didn’t spot it. Take advantage of the situation and talk to us about how to better secure and protect your service: Computer.Security@cern.ch.

For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.

by Stefan Lueders, Computer Security Team