Raise your defence: a baseline for security

It is an unfair imbalance: the (computer) security of a system/service is only as strong as the weakest link in the chain of protection. This gives attackers an incredible advantage: they can choose when to attack, where, and by what means. The defence side is permanently under pressure: it must defend all assets against all eventualities at all times. For computer security, this means that every computer system, every account, every web site and every service must be properly protected --- always.

In particular, at CERN, those services visible to the Internet are permanently probed. Web sites and servers are permanently scanned by adversaries for vulnerabilities; attackers repeatedly try to guess user passwords on our remote access gateways like LXPLUS or CERNTS; computing services, e.g. for Grid computing, are analysed again and again by malicious attackers for weaknesses which can be exploited. Thanks to the vigilance of the corresponding system and service experts, these attackers have not been too successful so far.

However, applying basic security measures is not easy, in particular when you are not familiar with security concepts and protection measures: certain aspects might be overlooked or omitted. This might leave a system or service open to attack even while the corresponding experts believe their system/service is secure! In order to provide better guidance, the Computer Security Team has published a series of so-called Security Baselines:

· Security Baseline for servers, PCs and laptops (EDMS 1062500)
· Security Baseline for file hosting services (EDMS 1062503)
· Security Baseline for Web hosting services (EDMS 1062502)
· Security Baseline for Industrial Embedded Devices (EDMS 1139163)

These Security Baselines define basic security requirements and are intended to be pragmatic and complete, but do not imply technical solutions. They should serve as guidelines for system/service experts. For all critical systems/services, however, the corresponding owner must produce a so-called “Security Implementation Document” and outline how their system/service meets the corresponding Security Baselines. The system/service must be implemented and deployed in compliance with this Implementation Document. Non-compliance ultimately leads to reduced network connectivity (i.e. closure of any outer perimeter firewall openings, ceased access to other network domains, or complete disconnection).

If you need assistance or consultancy to implement appropriate security measures, or if you have suggestions for additional Security Baselines, please contact us at Computer.Security@cern.ch. For further information, please see here.

P.S. These fine people have done it all right: Paul Burkimsher (EN/ICE) and Yann Donjoux (DGS/RP). They are the winners of the “Security BINGO” series published in the last issues of the Bulletin.

by Computer Security Team