Don't tempt me!
Over your CERN career, have you ever changed activities, functions or responsibilities, but nevertheless kept access to your “old” control systems or computing services? Accessing systems for which you are no longer responsible seems innocent enough, because you just want to help by drawing on your previous work and experience, but… Does this sound familiar to you? Let’s think this one through, because it may have bad consequences.
In my previous life, I worked as a software developer and system expert for the “Detector Safety System”, a control system used in the LHC experiments. After this system had been deployed and the project moved into maintenance mode, I was assigned new responsibilities which finally led me to the CERN Computer Security Team. My system was now in the care of a new team of excellent people. However, as my experience of the Detector Safety System didn't just disappear, I was kept on their expert list with all the access permissions needed. I was honoured by this, as I felt valued and needed. But with time, the fact that I still had access was forgotten. Meanwhile, I began to feel more and more uncomfortable: the system changed over time, the software was adapted, and additional requirements and hardware were added. What would have happened if I had called in and screwed up? In the end, I arranged for all of my access rights to be revoked…
But wasn’t it tempting? The more access, the better! I could have used my access to copy (parts of) my code and re-use it in another project; I could have accessed the PCs to conduct tests which can only be run on live systems; I could have been malicious and prevented the LHC experiments from working. Ergo, the more access, the WORSE(*)! If I had misused my access to those systems or software, and if I had screwed up, I am pretty sure that would have been considered a professional fault!
So please, do not tempt me or any of our colleagues! If you manage a service, system or software and want to be on the safe side, make sure that you have procedures in place for dealing with the access rights of people leaving your team, and then apply them! This is less a question of your trust in them than an act of due diligence: in the end it is you who bears the burden when problems happen. It might be your professional fault!
We are interested in your opinion! Please write to us at Computer.Security@cern.ch.
* Note that this is also the reason why you ought to handle your password like your toothbrush: don't share it! Otherwise, you might tempt others…
by Stefan Lueders, Computer Security Team