Computer Security Report
Stefan Lüders, GLM, October 25th, 2010
CERN IT Department, CH-1211 Genève 23, Switzerland, www.cern.ch/it
Business as usual
Phishing
► Few users always reply (and then turn into SPAM bots or worse)
Vulnerable OS:
► Still killing SLC 3 and Win XP SP 2 (collab’ with Michal & Jarek)
► CVE-2010-3081 against SLC 4/5. Well done Gavin/Steve !!!
GRID-SEC-001/003
► More/new sites affected on a regular basis
► More problematic outside CERN, esp. on WLCG & EGI
► SSC 4 accomplished rather successfully (failed on user blocking)
Vulnerable web applications
► AIS, Vistar, MAG, INDICO, WWWCOMPASS, eLog, AB-DEP-…
Stuxnet (targeted SCADA/PLC worm)
► What a hype, but nothing at CERN (so far)
Statistics
Top 5
Kernel rootkit detection
► APQI (Thx Lionel!) pending packaging in IT/OIS (ready soon?!), ideas for an improved rkhunter, but no free resources
Central monitoring of log files
► LXPLUS/BATCH/ADM (should) report to FSLOGs (IT/PES)
► Still problems with head-nodes; FSLOGs moved to Security Team
► Central online analysis of all messages
SSH 'receipts' for users
► Deployed. A few HEP-related compromises already found
Temporary privileged access (for root)
► LX**ADM not accessible from LXPLUS anymore (Thx IT/PES!)
► Multi-factor (Yubikey) in discussion with IT/PES & GS/AIS
Tor usage at CERN
► Prohibited. Violations are detected and users are notified
Top 10 (or 11) – Priority 1
Review all information published in IT
► Partially done in groups; point has been taken by all
Provide a secure IT web service
► Defaults adapted (Thx. Juraj!)
► Difficult to improve AFS service (waiting for migration to SLC 5)
► Some issues for Drupal, but solved by Juraj in the end
Address web site vulnerabilities
► Vulnerability scanners ready (Skipfish, w3af, Wapiti)
► Full integration ready by end 2010
Audit IT software
► Security Team regularly contacted for reviews: CMS online, service.now/SSO, Cluman, Kerberos/SSO, Boinc, Sindes, CDS/Invenio, CERN Global Network, Django/Shibboleth
► However, we depend on users contacting us…
Top 10 (or 11) – Priority 2
Harden IT-supported systems
► Comprehensive list produced with IT/PES
► Priorities defined
► Implementation progresses slowly (no complaint here)
Provide central log server for all services
► (see Top 5)
Provide net monitoring on Technical Network(s)
► IDS deployed on TN/GPN gate and actively monitored
► Still too many false positives. Will be addressed from Nov. 2010
Address authentication and authorization
► FIM around the corner; discussions started for “v2.0”
► Evaluating multi-factor authentication for LXADM (& others?)
Top 10 (or 11) – Priority 3
Secure access control lists in AFS
► Permanent scans for clear text credentials in user space
► Upcoming ACL restrictions for user space (implemented by Arne) (see https://cern.ch/security/rules/en/afs.shtml)
► Need to be careful here due to lots of particularities
► Thus, we go very slooowly here on purpose
Divide LXPLUS for different use cases
► Done as far as reasonably possible: i.e. split off LXADM, LXTNADM, LXVOADM
Support secure web browsers
► Browsers are as secure as they come shipped…
► Firefox not yet (officially) supported by IT/OIS
► Room for improvement; problems in BE with certificates on FF
Training and Awareness
Presentation
► First iteration done ~throughout CERN (but IT)
► Next iteration in 2011/2012
► Part of induction presentations
► Integrated into CSC, openlab & summer student lectures
Posters around the site
Security Day
► June 10th
► 125 people present/on WebCast
► Next time do this in winter
New Security Team homepage (cern.ch/security)
► Everything in one place, one look’n’feel, two languages
Training and Awareness
Dedicated Security Courses
► About 250 people in 6 sessions for “Developing secure software”
► About 80 people for the “Secure coding…” courses
► New provider of Perl/Python/Java under evaluation (HR Training)
Training and Awareness
New Security Course
► Revised SIR Security Course
► Mandatory for all CERN users & to be redone every 3 years
► Mails already out to people who have done the course before; pending for ~12000 more who never had (Thanks Francois!)
More…
Static Code Tools
► Evaluation done and advertised to use: https://cern.ch/security/recommendations/en/code_tools.shtml
“Prodder” Device Scanning
► CERN-wide scanning for selected vulnerabilities (anonymous FTP, open shared folders, weak web applications)
► Roll-out started
Security Baselines for every system & service
► First baselines in from ATLAS, LHCb, IT/GT --- backlog with us
Security inventory for LHC control systems (BE/CO)
► Much more than just security: spare mgmt, dependencies, …
Collaboration…
► …with WLCG/EGI, ESA/ESO, FNAL/DESY, Etat/Police de Genève, ITU/IFRC/WIPO/UNHCR/ILO/WTO/WHO/GCSP, …
…to come.
SEMS & service.now
► User Event Management System
Firewall Lifecycle
► Regular reviews of firewall openings (Thx. Luna!)
Webcam policy
► Draft in progress with Legal Service’s Kirsten Baxter
Enhancement of Security Culture at CERN
► MBA of Sebastian: Promote security culture at CERN using HR processes
CNIC 2012
► Planning security enhancements for the 2012 shutdown
► List of issues and priorities being prepared by the CNIC
Summary
CERN did not face any major security event in the last year. Good
► (or we haven’t detected it yet. Bad)
Lots of progress on the Top 5+10(11)
► Implementations are progressing reasonably well (given the manpower and priorities)
► I believe next time the chart will be ~all green
► Thank you all !!!!!
The Security Team is entering new areas and further improving old ones
► Extending & automating detection capabilities
► Streamlining infrastructure & work flows
► Improvement of interaction with users; reducing God workload
Thx to Giacomo, Oriol, Sebastien D., Wojciech (who ~left), Kate, Pawel, Ryszard, Sebastien P., Ulrich (who joined) !!!!!