Denise Heagerty, CERN, HEPiX Meeting Oct 2003

Page 1: CERN’s Computer Security Challenge

Denise Heagerty, CERN Computer Security Officer

Page 2: Overview

- Incident Summary, 2001-2003 (Sep)
- Examples of recent incidents
- CERN Site Security
  - Access restrictions into CERN
  - Vulnerability scanning
  - Intrusion detection
  - Actions in progress
- Worrying trends
- What more can be done?
- Other suggestions

Page 3: Incident Summary, 2001-2003

Incident Type                              | 2001 | 2002 | 2003-Sep | Notes
-------------------------------------------|------|------|----------|------------------------------------------------------
System compromised (intruder has control)  |   59 |   31 |       26 | security holes in software (e.g. ssh, kernel, ICQ, IE)
Compromised CERN accounts                  |   42 |   25 |       27 | sniffed or guessed passwords
Serious viruses and worms                  |   11 |   21 |      305 | Blaster/Welchia (290), Sobig (12), Slammer (3)
Unauthorised use of file servers           |   13 |   21 |      119 | insufficient access controls, P2P file-sharing
Serious SPAM incidents                     |   15 |   16 |        1 | CERN email addresses are regularly forged
Miscellaneous security alerts              |   11 |    9 |        6 |
Total incidents                            |  151 |  123 |      484 |

Page 4: Examples of recent incidents

- Windows systems used as SPAM relays: security hole in IE, no fix available at the time (now MS03-40)
- Welchia and Blaster worms: ~300 PCs infected so far, new infections every day
- IRC bots and Remote Shell Trojans found on compromised accounts
- SucKIT root kits installed: used a security hole in the Linux kernel and captured passwords
- Unauthorised file-sharing: P2P file-sharing is NOT permitted at CERN for personal use; it can spread viruses and install spyware

Page 5: Site Security: Access into CERN

- Internet access into CERN is restricted
  - Low numbered TCP & UDP ports are protected by default
  - Stateful firewall combined with packet filtering
  - High throughput path for a few special application servers
- Stronger restrictions for DHCP addresses
  - Off-site sessions must be initiated by the clients
  - Protects unintended/vulnerable servers & backdoors
- VPN access into CERN for registered users
  - Requires agreement to CERN’s VPN Security Requirements: updated anti-virus, latest patches, incoming connections firewalled, essential applications only, password secured
- Modem access into CERN for registered users
  - Serious source of security problems, needs to be addressed
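The inbound policy on this slide (low ports protected by default, exceptions for registered servers, stateful tracking so that DHCP clients can only receive replies to sessions they started) can be modelled in a few lines. The block below is an added illustration written for this page, not CERN's firewall configuration; the address ranges, the registered-server list and the port numbers are constructed assumptions.

```python
# Added illustration (not CERN's firewall): a small model of the inbound
# policy described on the slide. Address ranges, the registered-server
# list and all port numbers are constructed for the example.
from dataclasses import dataclass, field
import ipaddress

SITE = ipaddress.ip_network("10.0.0.0/8")          # constructed "site" range
DHCP_POOL = ipaddress.ip_network("10.200.0.0/16")  # constructed DHCP range
LOW_PORT_MAX = 1023                                # "low numbered ports"

# Registered application servers that may receive off-site connections on
# otherwise protected ports (the "few special application servers").
REGISTERED_SERVERS = {("10.1.1.10", 22), ("10.1.1.20", 80), ("10.1.1.20", 443)}


@dataclass
class Firewall:
    # Connection table for the stateful part: sessions initiated from inside,
    # keyed by (inside_ip, inside_port, outside_ip, outside_port).
    sessions: set = field(default_factory=set)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An inside client opens a session; remember it so replies get in."""
        if ipaddress.ip_address(src_ip) in SITE:
            self.sessions.add((src_ip, src_port, dst_ip, dst_port))
            return "allow"
        return "drop"

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Decide on a packet arriving from off-site."""
        dst = ipaddress.ip_address(dst_ip)
        if dst not in SITE:
            return "drop"
        # Stateful rule: reply traffic for a session an inside client started.
        if (dst_ip, dst_port, src_ip, src_port) in self.sessions:
            return "allow"
        # DHCP addresses: no off-site initiated sessions at all.
        if dst in DHCP_POOL:
            return "drop"
        # Low numbered ports are protected by default, registered servers excepted.
        if dst_port <= LOW_PORT_MAX:
            return "allow" if (dst_ip, dst_port) in REGISTERED_SERVERS else "drop"
        return "allow"


if __name__ == "__main__":
    fw = Firewall()
    print(fw.inbound("192.0.2.5", 40000, "10.1.1.10", 22))    # allow: registered
    print(fw.inbound("192.0.2.5", 40000, "10.200.3.4", 8080)) # drop: DHCP address
    fw.outbound("10.200.3.4", 50000, "192.0.2.5", 80)
    print(fw.inbound("192.0.2.5", 80, "10.200.3.4", 50000))   # allow: reply
```

The connection table is what makes the DHCP rule usable in practice: a portable can still browse off-site, but an unintended server or backdoor listening on it is unreachable from outside.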

Page 6: Site Security: Vulnerability Scanning

- Site-wide vulnerability scans
  - All networked systems must agree to be scanned
  - Scans are regular and scheduled following security alerts
  - Tools used depend on the vulnerabilities being tested
  - Scans are made as non-intrusive as possible
  - Email sent to registered admins of vulnerable systems
  - Insecure systems may be blocked from the network
- System specific vulnerability scans
  - Servers are scanned before firewall access is opened
  - Based on the Nessus vulnerability scanning tool (all ports)
  - Requires a security expert to assess results
  - Requests are mainly for SSH and web servers
- Scan results are stored in a database
  - Provides status and evolution of site security
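The last point, keeping scan results in a database so that both the current status and its evolution can be read off, is shown below as an added example written for this page; it is not CERN's scan database. Host names, admin names, check names and dates are constructed, and the table layout is an assumption.

```python
# Added illustration (not CERN's database): store per-host scan findings in
# SQLite, then derive (a) what changed between two scan runs and (b) the
# per-admin notification lists the slide mentions. All names are constructed.
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS finding (
    scan_date TEXT NOT NULL,   -- ISO date of the scan run
    host      TEXT NOT NULL,
    admin     TEXT NOT NULL,   -- registered admin of the system
    check_id  TEXT NOT NULL,   -- name of the vulnerability check that fired
    PRIMARY KEY (scan_date, host, check_id)
);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def record_scan(db, scan_date, findings):
    """findings: iterable of (host, admin, check_id) for systems found vulnerable."""
    db.executemany(
        "INSERT OR IGNORE INTO finding VALUES (?, ?, ?, ?)",
        [(scan_date, h, a, c) for h, a, c in findings],
    )
    db.commit()


def evolution(db, previous, current):
    """Compare two scan runs: what was fixed, what is new, what stays open."""
    q = "SELECT host, check_id FROM finding WHERE scan_date = ?"
    prev = set(db.execute(q, (previous,)))
    cur = set(db.execute(q, (current,)))
    return {
        "fixed": sorted(prev - cur),
        "new": sorted(cur - prev),
        "open": sorted(cur & prev),
    }


def notifications(db, scan_date):
    """One list per registered admin: their vulnerable systems in this run."""
    rows = db.execute(
        "SELECT admin, host, check_id FROM finding WHERE scan_date = ? "
        "ORDER BY admin, host, check_id",
        (scan_date,),
    )
    out = {}
    for admin, host, check in rows:
        out.setdefault(admin, []).append((host, check))
    return out


def demo():
    """Two constructed scan runs two weeks apart."""
    db = open_db()
    record_scan(db, "2003-09-01", [
        ("pcnode01", "alice", "check-rpc-dcom"),     # constructed findings
        ("pcnode02", "bob",   "check-rpc-dcom"),
        ("lxsrv07",  "carol", "check-ssh-version"),
    ])
    record_scan(db, "2003-09-15", [
        ("pcnode02", "bob",   "check-rpc-dcom"),     # still open
        ("pcnode03", "alice", "check-rpc-dcom"),     # newly found
    ])
    return evolution(db, "2003-09-01", "2003-09-15"), notifications(db, "2003-09-15")


if __name__ == "__main__":
    ev, notes = demo()
    print(ev)
    print(notes)
```

Keying on (scan_date, host, check_id) keeps every run, so the same query that produces today's notification list also answers whether a system that was warned last time has actually been fixed, which is the input needed before deciding to block it from the network.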

Page 7: Site Security: Intrusion Detection

- Network based intrusion detection
  - Based on available software with local customisation
  - Off-site “scanning” (excessive destinations) alerts
  - Suspicious site access alerts
  - Non-standard SSH server access alerts (based on SNORT)
  - IRC bots and backdoors detected by site-wide scanning
- Host based intrusion detection
  - Implemented on central Linux based servers
  - TCP activity recorded and stored in a database
  - Database is analysed daily for suspicious activity
- Integrated security database
  - IDS data is structured and stored in a database to aid incident detection and follow up
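Two of the network alerts listed above, off-site “scanning” by an inside host and an SSH server answering on a non-standard port, are simple enough to show as detection logic over connection records. The block is an added example for this page, not CERN's IDS or a SNORT rule; the site range, the threshold and the sample records are constructed assumptions.

```python
# Added illustration (not CERN's IDS): two alert types from the slide, run
# over a constructed connection log. Site range, threshold and records are
# assumptions made for the example.
import ipaddress
from collections import defaultdict

SITE = ipaddress.ip_network("10.0.0.0/8")  # constructed site range
SCAN_THRESHOLD = 50   # distinct off-site destinations per inside source
SSH_BANNER = "SSH-"   # what an SSH server sends first

# Constructed sample records: (src, dst, dst_port, first bytes sent by server)
SAMPLE = (
    # one inside PC sweeping 60 off-site hosts on the same port (worm-like)
    [("10.5.5.5", f"198.51.100.{i}", 135, "") for i in range(1, 61)]
    # normal web access
    + [("10.7.7.7", "198.51.100.9", 80, "HTTP/1.1 200 OK")]
    # an SSH server answering on a port other than 22
    + [("10.7.7.7", "10.9.9.9", 2222, "SSH-2.0-OpenSSH_3.6")]
    # an SSH server on the standard port: not alerted
    + [("10.7.7.7", "10.9.9.10", 22, "SSH-2.0-OpenSSH_3.6")]
)


def excessive_destinations(records, threshold=SCAN_THRESHOLD):
    """Off-site 'scanning' alert: inside source contacting many off-site hosts.

    Returns {source: number_of_distinct_offsite_destinations} for sources at
    or above the threshold.
    """
    dests = defaultdict(set)
    for src, dst, _port, _banner in records:
        if ipaddress.ip_address(src) in SITE and ipaddress.ip_address(dst) not in SITE:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


def nonstandard_ssh(records):
    """Non-standard SSH server alert: SSH banner seen on a port other than 22."""
    return sorted({(dst, port) for _src, dst, port, banner in records
                   if banner.startswith(SSH_BANNER) and port != 22})


if __name__ == "__main__":
    print(excessive_destinations(SAMPLE))  # the sweeping PC
    print(nonstandard_ssh(SAMPLE))         # the server on port 2222
```

Counting distinct destinations rather than packets is what separates a sweeping worm from a busy but legitimate client, and matching on the server banner rather than the port is what catches the SSH servers that users start on unusual ports to get round port-based filtering.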

Page 8: Site Security: actions in progress

- Hardware address registration enforced for computers using DHCP (wireless, portables)
  - Allows the user to be informed of problems
  - Started for some buildings, rest of site before Xmas
- Off-site FTP closure
  - Firewall block planned for 20 Jan 2004
- AFS password expiry enforcement
  - Forced annual password changes + email warnings
  - Already enforced for Windows/Mail passwords
- Network Connection Rules
  - Define acceptable network and security practice
  - System admins must agree before connecting systems

Page 9: Worrying Trends

- Break-ins are devious and difficult to detect (e.g. the SucKIT rootkit)
- Worms are spreading within seconds: Welchia infected new PCs during the installation sequence
- Poorly secured systems are being targeted: home and privately managed computers are a huge risk
- Break-ins occur before the fix is out: SPAM relays used a new hole before a patch and anti-virus update were available
- People are often the weakest link
  - Infected laptops are physically carried on site
  - Users continue to download malware and open tricked attachments
- Intruders and worms can do more damage. When?

Page 10: What more can be done?

- Restrict/eliminate direct modem access
  - Firewall protection has proved to be necessary
  - Modem access is provided by ISPs
- Reduce the need for VPN to access CERN services
  - Offer popular services to the general Internet: mail, authenticated web sites, file access, …
- Further enhance firewall protections
  - Database driven and based on requirements
- Enhance system and application security
  - Some patches need deadlines and forced reboots
  - Security & anti-virus updates should not rely on home site access
  - Personal firewalls can reduce risk and buy time
- Improve security awareness
  - Common messages across the HEP community would help

Page 11: Other Suggestions

Your suggestions are welcome…