
Computer Security Report

Computer Security Report. Stefan Lüders, GLM, October 25th, 2010. Business as usual. Phishing: few users always reply (and then turn into SPAM bots or worse). Vulnerable OS: still killing SLC3 and Win XP SP2 (collab' with Michal & Jarek).



Presentation Transcript

  1. Computer Security Report. Stefan Lüders, GLM, October 25th, 2010

  2. Business as usual
     Phishing
     • Few users always reply (and then turn into SPAM bots or worse)
     Vulnerable OS
     • Still killing SLC3 and Win XP SP2 (collab' with Michal & Jarek)
     • CVE-2010-3081 against SLC4/5. Well done Gavin/Steve!!!
     GRID-SEC-001/003
     • More/new sites affected on a regular basis
     • More problematic outside CERN, esp. on WLCG & EGI
     • SSC4 accomplished rather successfully (failed on user blocking)
     Vulnerable web applications
     • AIS, Vistar, MAG, INDICO, WWWCOMPASS, eLog, AB-DEP-…
     Stuxnet (targeted SCADA/PLC worm)
     • What a hype, but nothing at CERN (so far)

  3. Statistics

  4. Top 5
     Kernel rootkit detection
     • APQI (Thx Lionel!) pending packaging in IT/OIS (ready soon?!); ideas for an improved rkhunter, but no free resources
     Central monitoring of log files
     • LXPLUS/BATCH/ADM (should) report to FSLOGs (IT/PES)
     • Still problems with head-nodes; FSLOGs moved to Security Team
     • Central online analysis of all messages
     SSH 'receipts' for users
     • Deployed. A few HEP-related compromises already found
     Temporary privileged access (for root)
     • LX**ADM not accessible from LXPLUS anymore (Thx IT/PES!)
     • Multi-factor (Yubikey) in discussion with IT/PES & GS/AIS
     Tor usage at CERN
     • Prohibited. Violations are detected and users are notified

  5. Top 10 (or 11) – Priority 1
     Review all information published in IT
     • Partially done in groups; point has been taken by all
     Provide a secure IT web service
     • Defaults adapted (Thx. Juraj!)
     • Difficult to improve AFS service (waiting for migration to SLC5)
     • Some issues for Drupal, but solved by Juraj in the end
     Address web site vulnerabilities
     • Vulnerability scanners ready (Skipfish, w3af, Wapiti)
     • Full integration ready by end 2010
     Audit IT software
     • Security Team regularly contacted for reviews: CMS online, service.now/SSO, Cluman, Kerberos/SSO, Boinc, Sindes, CDS/Invenio, CERN Global Network, Django/Shibboleth
     • However, we depend on users contacting us…

  6. Top 10 (or 11) – Priority 2
     Harden IT-supported systems
     • Comprehensive list produced with IT/PES
     • Priorities defined
     • Implementation progresses slowly (no complaint here)
     Provide central log server for all services
     • (see Top 5)
     Provide net monitoring on Technical Network(s)
     • IDS deployed on TN/GPN gate and actively monitored
     • Still too many false positives. Will be addressed from Nov. 2010
     Address authentication and authorization
     • FIM around the corner; discussions started for "v2.0"
     • Evaluating multi-factor authentication for LXADM (& others?)

  7. Top 10 (or 11) – Priority 3
     Secure access control lists in AFS
     • Permanent scans for clear text credentials in user space
     • Upcoming ACL restrictions for user space (implemented by Arne) (see https://cern.ch/security/rules/en/afs.shtml)
     • Need to be careful here due to lots of particularities
     • Thus, we go very slooowly here on purpose
     Divide LXPLUS for different use cases
     • Done as far as reasonably possible: i.e. split off LXADM, LXTNADM, LXVOADM
     Support secure web browsers
     • Browsers are as secure as they come shipped…
     • Firefox not yet (officially) supported by IT/OIS
     • Room for improvement; problems in BE with certificates on FF

  8. Training and Awareness
     Awareness Presentation
     • First iteration done ~throughout CERN (but IT)
     • Next iteration in 2011/2012
     • Part of induction presentations
     • Integrated into CSC, openlab & summer student lectures
     Posters around the site
     Security Day
     • June 10th
     • 125 people present/on WebCast
     • Next time do this in winter
     New Security Team homepage (cern.ch/security)
     • Everything in one place, one look'n'feel, two languages

  9. Training and Awareness
     Dedicated Security Courses
     • About 250 people in 6 sessions for "Developing secure software"
     • About 80 people for the "Secure coding…" courses
     • New provider of Perl/Python/Java under evaluation (HR Training)

  10. Training and Awareness
     New Security Course
     • Revised SIR Security Course
     • Mandatory for all CERN users & to be redone every 3 years
     • Mails already out to people who have done the course before; pending for ~12000 more who never had (Thanks Francois!)

  11. More…
     Static Code Tools
     • Evaluation done and advertised to use: https://cern.ch/security/recommendations/en/code_tools.shtml
     "Prodder" Device Scanning
     • CERN-wide scanning for selected vulnerabilities (anonymous FTP, open shared folders, weak web applications)
     • Roll-out started
     Security Baselines for every system & service
     • First baselines in from ATLAS, LHCb, IT/GT --- backlog with us
     Security inventory for LHC control systems (BE/CO)
     • Much more than just security: spare mgmt, dependencies, …
     Collaboration…
     • …with WLCG/EGI, ESA/ESO, FNAL/DESY, Etat/Police de Genève, ITU/IFRC/WIPO/UNHCR/ILO/WTO/WHO/GCSP, …

  12. …to come.
     SEMS & service.now
     • User Event Management System
     Firewall Lifecycle
     • Regular reviews of firewall openings (Thx. Luna!)
     Webcam policy
     • Draft in progress with Legal Service's Kirsten Baxter
     Enhancement of Security Culture at CERN
     • MBA of Sebastian: Promote security culture at CERN using HR processes
     CNIC2012
     • Planning security enhancements for the 2012 shutdown
     • List of issues and priorities being prepared by the CNIC

  13. Summary
     CERN did not face any major security event in the last year. Good
     • (or we haven't detected it yet. Bad)
     Lots of progress on the Top 5+10(11)
     • Implementations are progressing reasonably well (given the manpower and priorities)
     • I believe next time the chart will be ~all green
     • Thank you all !!!!!
     The Security Team is entering new areas and further improving old ones
     • Extending & automating detection capabilities
     • Streamlining infrastructure & work flows
     • Improvement of interaction with users; reducing God workload
     Thx to Giacomo, Oriol, Sebastien D., Wojciech (who ~left), Kate, Pawel, Ryszard, Sebastien P., Ulrich (who joined) !!!!!
