Review your Computer Security Now and Frequently!

The start-up of the LHC is foreseen for the autumn, and we will be in the public spotlight again. This increases the need to be vigilant about computer security, and the defacement of an experiment’s Web page in September last year shows that we should be particularly attentive. Attackers are constantly probing CERN, so we must all do the maximum to reduce future risks.

Security is a hierarchical responsibility and requires balancing the allocation of resources between making systems work and making them secure. Thus all of us, whether users, developers, system experts, administrators or managers, are responsible for securing our computing assets. These include computers, software applications, documents, accounts and passwords. There is no "silver bullet" for securing systems; security can only be achieved by a painstaking search for all possible vulnerabilities followed by their mitigation. Additional advice on particular topics can be obtained from the relevant IT groups or members of the security team, but we include here a basic list of items to be considered by all CERN computer users:

• Review access rights to your computers, documents (InDiCo, EDMS, TWiki, etc.), as well as files and directories on AFS, DFS and local disks. Don’t give write access if read access is sufficient and limit access only to those who need it.

• Protect web sites. Very few should be publicly accessible and those which are should not reveal details of system architecture and design, computer configurations or source code.

• Ensure that accounts have been closed for individuals who have left.

• Reduce the number of service accounts where possible.

• Harden computers: remove unnecessary applications; disable unneeded services such as Web, FTP, etc.; use automated update and patching services as well as up-to-date antivirus software for PCs (but also for embedded devices like oscilloscopes); upgrade SLC3 to SLC5; and use local firewalls to block both incoming and outgoing traffic which is not expected.

• Protect private SSH keys.

• For experiment networks, review central firewall openings and review whether devices need to be trusted or exposed.

Further information about how to improve computer security may be found on the Web sites http://cern.ch/security/ and www.ISSEG.eu, which include material on risk analysis, training and recommendations for general users, developers and system administrators. In addition to the many security awareness presentations that are given, training courses are available on writing secure code and secure Web applications (see http://cern.ch/security/training).

CERN Computer Security Team (computer.security@cern.ch)


by IT Department