
Computer Security Report

Stefan Lüders
CERN IT Department, CH-1211 Genève 23, Switzerland
www.cern.ch/it

GLM, October 25th, 2010


Business as usual

Phishing
► A few users always reply (and then turn into SPAM bots or worse)

Vulnerable OS:
► Still killing SLC3 and Win XP SP2 (collab' with Michal & Jarek)
► CVE-2010-3081 against SLC4/5. Well done Gavin/Steve !!!

GRID-SEC-001/003
► More/new sites affected on a regular basis
► More problematic outside CERN, esp. on WLCG & EGI
► SSC4 accomplished rather successfully (failed on user blocking)

Vulnerable web applications
► AIS, Vistar, MAG, INDICO, WWWCOMPASS, eLog, AB-DEP-…

Stuxnet (targeted SCADA/PLC worm)
► Much hype, but nothing at CERN (so far)


Statistics


Top 5

Kernel rootkit detection
► APQI (Thx Lionel!) pending packaging in IT/OIS (ready soon?!)
► Ideas for an improved rkhunter, but no free resources

Central monitoring of log files
► LXPLUS/BATCH/ADM (should) report to FSLOGs (IT/PES)
► Still problems with head-nodes; FSLOGs moved to Security Team
► Central online analysis of all messages

SSH 'receipts' for users
► Deployed. A few HEP-related compromises already found
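The two items above (central log analysis and SSH receipts) say what is deployed but not how a receipt is produced. The script below is an added example, not CERN's FSLOGs or receipt tooling: it parses sshd syslog lines, groups successful logins per user, and marks source addresses the user has never logged in from before, which is the signal that turns a receipt from a plain list into something a user can act on. The log lines, host names, addresses and the per-user history of known sources are all constructed for the example and are assumptions, as is the classic syslog timestamp format without a year.

```python
"""Build per-user SSH login receipts from sshd log lines (added example, constructed data)."""
import re
from collections import defaultdict

# OpenSSH "Accepted" line as written by classic syslog (assumption: no year in the timestamp).
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log lines, not real CERN data.
SAMPLE_LOG = """\
Oct 25 08:01:12 lxplus401 sshd[2210]: Accepted publickey for alice from 137.138.10.5 port 50122 ssh2
Oct 25 08:03:40 lxplus402 sshd[2319]: Accepted password for alice from 137.138.10.5 port 50190 ssh2
Oct 25 09:15:02 lxplus401 sshd[2888]: Accepted password for alice from 203.0.113.77 port 41222 ssh2
Oct 25 09:16:30 lxplus401 sshd[2901]: Failed password for alice from 203.0.113.77 port 41223 ssh2
Oct 25 10:00:00 lxplus403 sshd[3001]: Accepted publickey for bob from 137.138.20.9 port 39000 ssh2
"""

# Constructed per-user history of source addresses seen in earlier receipts (assumption).
KNOWN_SOURCES = {
    "alice": {"137.138.10.5"},
    "bob": {"137.138.20.9", "137.138.20.10"},
}


def parse_accepted(log_text):
    """Yield one dict per successful login; failed attempts are not part of a receipt."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            yield m.groupdict()


def build_receipts(log_text, known_sources):
    """Group logins per user and record source addresses absent from that user's history."""
    receipts = defaultdict(lambda: {"logins": [], "new_sources": set()})
    for ev in parse_accepted(log_text):
        r = receipts[ev["user"]]
        r["logins"].append(ev)
        if ev["ip"] not in known_sources.get(ev["user"], set()):
            r["new_sources"].add(ev["ip"])
    return dict(receipts)


def format_receipt(user, receipt):
    """Render the plain-text mail a user would receive; unknown sources are called out."""
    lines = [f"SSH login receipt for {user}: {len(receipt['logins'])} login(s)"]
    for ev in receipt["logins"]:
        flag = "  <-- NEW SOURCE, please verify" if ev["ip"] in receipt["new_sources"] else ""
        lines.append(f"  {ev['ts']}  {ev['host']:<10} {ev['method']:<10} from {ev['ip']}{flag}")
    if receipt["new_sources"]:
        lines.append("If you do not recognise a login above, change your password and contact the Security Team.")
    return "\n".join(lines)


if __name__ == "__main__":
    for user, rec in build_receipts(SAMPLE_LOG, KNOWN_SOURCES).items():
        print(format_receipt(user, rec))
        print()
```

In this run alice gets a receipt with three logins, one of them flagged because 203.0.113.77 is not in her history, while bob's receipt carries no flag. The history should be updated only after the user has confirmed the receipt, otherwise an attacker's address becomes "known" the day after the compromise.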

Temporary privileged access (for root)
► LX**ADM not accessible from LXPLUS anymore (Thx IT/PES!)
► Multi-factor (Yubikey) in discussion with IT/PES & GS/AIS

Tor usage at CERN
► Prohibited. Violations are detected and users are notified


Top 10 (or 11) – Priority 1

Review all information published in IT
► Partially done in groups; point has been taken by all

Provide a secure IT web service
► Defaults adapted (Thx. Juraj!)
► Difficult to improve AFS service (waiting for migration to SLC5)
► Some issues for Drupal, but solved by Juraj in the end

Address web site vulnerabilities
► Vulnerability scanners ready (Skipfish, w3af, Wapiti)
► Full integration ready by end 2010

Audit IT software
► Security Team regularly contacted for reviews: CMS online, service.now/SSO, Cluman, Kerberos/SSO, Boinc, Sindes, CDS/Invenio, CERN Global Network, Django/Shibboleth
► However, we depend on users contacting us…


Top 10 (or 11) – Priority 2

Harden IT-supported systems
► Comprehensive list produced with IT/PES
► Priorities defined
► Implementation progresses slowly (no complaint here)

Provide central log server for all services
► (see Top 5)

Provide net monitoring on Technical Network(s)
► IDS deployed on TN/GPN gate and actively monitored
► Still too many false positives. Will be addressed from Nov. 2010

Address authentication and authorization
► FIM around the corner; discussions started for "v2.0"
► Evaluating multi-factor authentication for LXADM (& others?)


Top 10 (or 11) – Priority 3

Secure access control lists in AFS
► Permanent scans for clear text credentials in user space
► Upcoming ACL restrictions for user space (implemented by Arne; see https://cern.ch/security/rules/en/afs.shtml)
► Need to be careful here due to lots of particularities
► Thus, we go very slooowly here on purpose
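One way such a scan of user space for clear-text credentials can work, as an added example that is not CERN's AFS scanner: it walks a home directory, flags files matching a starting set of credential patterns (password assignments, .netrc passwords, private-key headers, credentials embedded in URLs) and records whether each hit is also exposed to everyone. The exposure check uses POSIX world-readable mode bits as a stand-in; on real AFS the directory ACL (for instance a system:anyuser rl entry) is what would be inspected. The directory tree, file contents and patterns are all constructed for the example and are assumptions.

```python
"""Scan a home-directory tree for clear-text credentials and report which hits are exposed."""
import os
import re
import shutil
import stat
import tempfile

# Starting set of credential patterns (assumption: tune to your environment; the
# "pass=" style pattern will produce some false positives, acceptable for triage).
PATTERNS = {
    "password_assignment": re.compile(r"(?i)(password|passwd|pwd|pass)\s*[=:]\s*\S+"),
    "netrc_password": re.compile(r"^\s*password\s+\S+", re.M),
    "private_key": re.compile(r"-----BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "url_credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I),
}
MAX_BYTES = 1 << 20  # read at most 1 MiB per file; large binaries are not worth the time


def is_world_readable(path):
    """Stand-in for an AFS ACL check: true if 'other' has read permission on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_file(path):
    """Return [(pattern name, line number), ...] for one file; binary-looking files are skipped."""
    try:
        with open(path, "rb") as f:
            data = f.read(MAX_BYTES)
    except OSError:
        return []
    if b"\x00" in data:  # NUL byte: treat as binary
        return []
    text = data.decode("utf-8", errors="replace")
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((name, text.count("\n", 0, m.start()) + 1))
    return hits


def scan_tree(root):
    """Walk root; return {relative path: {"hits": [...], "world_readable": bool}} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            if os.path.islink(p):  # do not follow links out of the user's space
                continue
            hits = scan_file(p)
            if hits:
                findings[os.path.relpath(p, root)] = {"hits": hits, "world_readable": is_world_readable(p)}
    return findings


def exposed_findings(findings):
    """Paths that both contain a credential and are readable by everyone: these are notified first."""
    return sorted(p for p, f in findings.items() if f["world_readable"])


def build_sample_tree():
    """Constructed home directory (not real data): one exposed secret, two private ones, one clean file."""
    root = tempfile.mkdtemp(prefix="afs-scan-")
    os.makedirs(os.path.join(root, "public"))
    os.makedirs(os.path.join(root, "private"))
    samples = {
        "public/run.sh": "#!/bin/sh\nexport DB_PASSWORD=hunter2\n./job\n",
        "public/notes.txt": "Meeting at 10:00, bring the ACL list.\n",
        "private/.netrc": "machine example.org\nlogin alice\npassword s3cret\n",
        "private/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    }
    for rel, content in samples.items():
        p = os.path.join(root, rel)
        with open(p, "w") as f:
            f.write(content)
        os.chmod(p, 0o644 if rel.startswith("public/") else 0o600)  # public/ is readable by all
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        findings = scan_tree(root)
        for rel, f in sorted(findings.items()):
            print(f"{rel}: {f['hits']} world_readable={f['world_readable']}")
        print("notify first:", exposed_findings(findings))
    finally:
        shutil.rmtree(root)
```

Separating "contains a credential" from "is exposed" matters for the slow approach the slide describes: a private .netrc is a hygiene issue to raise with the user, a world-readable script with an exported password is an incident, and the notification and the ACL restriction can be staged accordingly.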

Divide LXPLUS for different use cases
► Done as far as reasonably possible: i.e. split off LXADM, LXTNADM, LXVOADM

Support secure web browsers
► Browsers are as secure as they come shipped…
► Firefox not yet (officially) supported by IT/OIS
► Room for improvement; problems in BE with certificates on FF


Training and Awareness

Awareness Presentation
► First iteration done ~throughout CERN (except IT)
► Next iteration in 2011/2012
► Part of induction presentations
► Integrated into CSC, openlab & summer student lectures

Posters around the site

Security Day
► June 10th
► 125 people present/on WebCast
► Next time do this in winter

New Security Team homepage (cern.ch/security)
► Everything in one place, one look'n'feel, two languages


Training and Awareness

Dedicated Security Courses
► About 250 people in 6 sessions for "Developing secure software"
► About 80 people for the "Secure coding…" courses
► New provider of Perl/Python/Java under evaluation (HR Training)


Training and Awareness

New Security Course
► Revised SIR Security Course
► Mandatory for all CERN users & to be redone every 3 years
► Mails already out to people who have done the course before; pending for ~12000 more who never had (Thanks Francois!)


More…

Static Code Tools
► Evaluation done and advertised to use: https://cern.ch/security/recommendations/en/code_tools.shtml

"Prodder" Device Scanning
► CERN-wide scanning for selected vulnerabilities (anonymous FTP, open shared folders, weak web applications)
► Roll-out started

Security Baselines for every system & service
► First baselines in from ATLAS, LHCb, IT/GT --- backlog with us

Security inventory for LHC control systems (BE/CO)
► Much more than just security: spare mgmt, dependencies, …

Collaboration…
► …with WLCG/EGI, ESA/ESO, FNAL/DESY, Etat/Police de Genève, ITU/IFRC/WIPO/UNHCR/ILO/WTO/WHO/GCSP, …


…to come.

SEMS & service.now
► User Event Management System

Firewall Lifecycle
► Regular reviews of firewall openings (Thx. Luna!)

Webcam policy
► Draft in progress with Legal Service's Kirsten Baxter

Enhancement of Security Culture at CERN
► MBA of Sebastian: Promote security culture at CERN using HR processes

CNIC2012
► Planning security enhancements for the 2012 shutdown
► List of issues and priorities being prepared by the CNIC


Summary

CERN did not face any major security event in the last year. Good
► (or we haven't detected it yet. Bad)

Lots of progress on the Top 5+10(11)
► Implementations are progressing reasonably well (given the manpower and priorities)
► I believe next time the chart will be ~all green
► Thank you all !!!!!

The Security Team is entering new areas and further improving old ones
► Extending & automating detection capabilities
► Streamlining infrastructure & work flows
► Improvement of interaction with users; reducing God workload

Thx to Giacomo, Oriol, Sebastien D., Wojciech (who ~left), and to Kate, Pawel, Ryszard, Sebastien P., Ulrich (who joined) !!!!!