Proposed mid-term Security Strategies for CERN Prepared by ad-hoc working group members: Lionel Cons, Francois Fluckiger, Denise Heagerty, Jan Iven, Jean-Michel Jouanigot, Alberto Pace

Intrusion Trends
- Break-ins are devious and difficult to detect
  - Determined individuals targeting specific systems
  - Rootkits found on Linux and Windows systems
- Worms are spreading within seconds
  - Infections during installation sequence (before patches applied)
- Poorly secured systems are being targeted
  - Weak passwords, unpatched software, insecure configurations
- Break-ins occur before the fix is out
  - Systems compromised before a patch and/or anti-virus available
- People are increasingly the weakest link
  - Attackers target users to exploit security holes
  - Infected laptops are physically carried on site
  - Users download malware and open tricked attachments

Security Goals
- Keep the site working effectively and able to assure the organisation's mandate
- Prevent/limit the impact of incidents based on their risks. Specifically:
  - Pro-actively alert/protect against common and likely attacks
  - Rapidly isolate systems placing the site at risk
  - For services, ensure that security incidents do not adversely affect the service definition levels (availability, privacy, ...)
- Balance the cost of an incident against the cost of the ability to prevent it
- Ensure the ability to record, measure and control risks (human, financial, image, ...)

Summary of Proposals
- Maximise use of centrally managed services and groups
  - Adapt security levels based on groups of devices or users
- Provide connectivity management for network devices
  - Reduce the ability for worms to spread inside CERN's networks
  - Promote the use of "gateways"
  - Protect sensitive equipment and critical services
- Strengthen authentication and access controls
  - Prevent intruders gaining access to CERN resources
- Strengthen computing rules
  - Balance academic freedom with its risks and costs
- Ensure security training and clear responsibilities
  - For each part of a software/product life cycle (specification, design, development, deployment, maintenance, purchase, use, ...)

Provide Connectivity Management
Restrict network access based on connectivity needs:
- Implement default firewall filtering that protects networked systems from common Internet threats
  - Prevent Internet access for server applications by default, with a procedure for handling exceptions
- Provide coarse-grained network connectivity management for devices
  - Reduce the ability for worms and intruders to reach a device
  - Permit access to only pre-defined groups, e.g. "static devices", "DHCP devices", "off-site"
- Allow fine-grained connectivity management implemented by system-specific firewalls
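As an added illustration that is not part of the original slides or of CERN's configuration, the connectivity groups and default-deny Internet filtering described above expressed as an nftables ruleset on a site firewall; the interface names, the RFC 5737 documentation addresses and the exposed ports are constructed assumptions.

```nft
# Added example, not CERN's configuration: groups from the slide become
# nftables sets. Assumed layout: "static devices" behind lan0, "DHCP devices"
# behind lan1, the Internet ("off-site") on wan0. Addresses are documentation
# ranges (RFC 5737) chosen for the example.
table inet site_firewall {
    # "static devices": fixed-address desktops and servers
    set static_devices {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }
    # "DHCP devices": portable and visitor machines
    set dhcp_devices {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }
    }
    # Servers holding a registered exception to "no Internet access by
    # default": each entry names exactly one address and one port
    set exposed_services {
        type ipv4_addr . inet_service
        elements = { 192.0.2.10 . 443, 192.0.2.11 . 22 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions already admitted pass in both directions
        ct state established,related accept

        # Coarse-grained group control on site: DHCP devices may not reach
        # the static-device group on worm-prone ports, limiting lateral spread
        ip saddr @dhcp_devices ip daddr @static_devices tcp dport { 135, 139, 445 } counter drop

        # Other traffic between the two on-site groups is permitted
        iifname { "lan0", "lan1" } oifname { "lan0", "lan1" } accept

        # On-site devices may initiate connections towards the Internet
        iifname { "lan0", "lan1" } oifname "wan0" accept

        # "off-site" traffic reaches a server only through the exception set:
        # destination address and port must match together
        iifname "wan0" ip daddr . tcp dport @exposed_services accept

        # Everything else is counted and logged, then dropped by the policy
        counter log prefix "site-fw drop: "
    }
}
```

Fine-grained control (which clients of a group may reach which service) is left to the host firewalls mentioned in the last bullet; this ruleset only carries the group-level decisions.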

Strengthen Authentication
- Enhance the security of the existing password management process
  - Includes account management and authenticated applications
- Provide two-factor authentication for users needing additional security
  - Something you have plus something you know, e.g. a one-time password generator protected by a PIN code
  - Prevent discovered passwords from being re-used
- Provide the ability for users and/or service managers to limit the scope for sharing a master credential across services
  - Different services may have different security risks
  - Allow Single Sign On, but with the possibility to "opt out" for some services

Feedback
- Your feedback is required and can be sent to
- A draft document describing Proposed mid-term Security Strategies for CERN is at:

Licence Monitoring on Windows and Mac Clients
Alan Silverman, DTF, 14th April 2005

The Problems
1. Although for some products we have site licensing (e.g. Windows client and Office), for many we need to estimate a usage count (Microsoft Visual Studio, Adobe products, Labview, Exceed, etc.). Too low a value could leave us exposed to legal challenges; too high and we would be wasting resources.
2. On the Mac side, the situation is, except for the OSX bundle and the Microsoft site licence, not transparent. Estimates made until now (for example as presented to the November 2004 DTF) are not thought to be realistic, based largely on feedback to mailed queries.

The Solution
- Licence monitoring tools obviously exist for both platforms. It would be preferable to use the same tool on both platforms.
- The Software Licence Office already has a scheme to gather and present usage statistics, with the data largely based on the use of FlexLM and similar licensing tools. But the products we want to add mostly use different tools.

The Implementation
- On NICE (SMS already installed), we will collect the usage information on commercial tools which are centrally licensed. Owners of non-NICE Windows PCs wishing to use centrally-licensed software should contact us.
- On Mac, users wishing access to centrally-licensed software will be requested to install K2 (which will be set to monitor those packages, and only those packages).
- Users on Windows or Macs who refuse to install SMS or K2 respectively will not be granted access to centrally-licensed software. And FI Purchasing will need special justification to purchase individual licences of such centrally-licensed software for CERN users.