Cyber Security Awareness Academic Freedom vs. Operations vs. Security CERN Computer Security Team (2010) S. Lopienski, S. Lüders, R. Mollon, R. Wartel.

Presentation transcript:

Cyber Security Awareness
Academic Freedom vs. Operations vs. Security
CERN Computer Security Team (2010): S. Lopienski, S. Lüders, R. Mollon, R. Wartel
“Protecting Office Computing, Computing Services, GRID & Controls”

Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20 February 2007 — “Computer Security Awareness”

Basics On Security
Security is as good as the weakest link:
► Attacker chooses the time, place, method
► Defender needs to protect against all possible attacks (currently known, and those yet to be discovered)
Security is a system property (not a feature)
Security is a permanent process (not a product)
Security cannot be proven (phase-space problem)
Security is difficult to achieve, and only to 100%-ε.
► At CERN, YOU define ε !!!
BTW: Security is not a synonym for safety.
YOU are responsible for securing your services & systems:
► As user, developer, system expert or administrator
► As a project manager or line manager
► As part of the CERN or your experiment hierarchy

Under Permanent Attack
CERN is under permanent attack… even now.
Servers accessible from the Internet are permanently probed:
► …attackers trying to brute-force passwords;
► …attackers trying to break Web applications;
► …attackers trying to break into servers and obtain administrator rights.
Users are not always aware/cautious/proactive enough:
► …attackers trying to harvest credentials outside CERN;
► …attackers trying to “phish” user passwords.
Incidents happen:
► Web sites & web servers, database interfaces, computing nodes, mail accounts, …
► The office network is very liberal: free connection policy and lots of visitors. Thus, there are always devices being infected/compromised.
YOU are responsible for preventing incidents from happening:
► As user, developer, system expert or administrator
► As a project manager or line manager
► As part of the CERN or your experiment hierarchy

Be Vigilant & Stay Alert !!!
E-mail addresses can easily be faked!
Stop “phishing” attacks: no legitimate person will EVER ask for your credentials!
Do not trust your web browser!

Do not trust your web browser!
Where does this link really go?
%2e%31%33%38%2e%31%33%37%2e%31%37%37/p?uh3f223d co_partnerid=2&usage=0&ru=http%3A%2F%2Fwww.ebay.com&rafId=0 &encRafId=default
The host part is percent-encoded (%2e is “.”, %31 is “1”, so %2e%31%33%38 reads “.138”): what looks like noise resolves to a numeric IP address, while the query string carries the genuine www.ebay.com address, which lends the link a familiar look.
This is not even obvious for professionals!
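The check a browser does not do for you, as an added example (not code from the slides): percent-decode the host part of a link, separate RFC 3986 user-info (the decoy text before “@”) from the real host, flag a raw IP address, and list query parameters that carry a full URL. The sample link, the expected domain and the function name are assumptions for the illustration; the IP address is a private one chosen for the example.

```python
from urllib.parse import urlsplit, unquote, parse_qs
import ipaddress

# Constructed phishing link (not the one from the slide): the visible "www.ebay.com" is
# RFC 3986 user-info, the real host is a percent-encoded IP address, and the query
# carries the genuine eBay address as a redirect target.
SAMPLE_LINK = ("http://www.ebay.com@%31%30%2e%31%33%38%2e%31%33%37%2e%31%37%37"
               "/p?uh3f223d&ru=http%3A%2F%2Fwww.ebay.com")


def analyse_link(url: str, expected_domain: str) -> dict:
    """Report where a link really goes, versus what a reader would assume."""
    parts = urlsplit(url)
    netloc = unquote(parts.netloc)                    # %2e%31%33%38 -> ".138": undo host obfuscation
    userinfo, _, hostport = netloc.rpartition("@")   # text before the last '@' is user info, NOT the host
    # Drop a trailing :port; IPv6 literals are out of scope for this example.
    host = hostport.rsplit(":", 1)[0] if hostport.count(":") == 1 else hostport
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        is_ip = True                                  # a bare IP instead of a name is itself a warning sign
    except ValueError:
        is_ip = False
    expected = expected_domain.lower()
    on_expected = (not is_ip) and (host == expected or host.endswith("." + expected))
    # Query values holding a full URL often send the victim on to the real site
    # once the credentials have been captured.
    redirects = [v for values in parse_qs(parts.query).values() for v in values
                 if v.lower().startswith(("http://", "https://"))]
    return {
        "host": host,
        "is_ip": is_ip,
        "decoy_userinfo": userinfo if expected in userinfo.lower() else "",
        "redirects": redirects,
        "matches_expected": on_expected,
    }


if __name__ == "__main__":
    for link in (SAMPLE_LINK,
                 "https://signin.ebay.com/ws/eBayISAPI.dll?x=1",   # genuine subdomain
                 "https://www.ebay.com.example.net/login"):       # look-alike on another domain
        print(link, analyse_link(link, "ebay.com"), sep="\n  ")
```

The decision is made on the host that remains after decoding and after removing user-info; the string a reader sees at the start of the link plays no part in it.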

Security risks are everywhere!!!
► Unpatched oscilloscope (running Win XP SP2)
► Lack of input validation & sanitization
► Confidential data on Wiki, webpages, CVS…
► Negligence of the “Rule of Least Privilege”

An Incident in September
A defaced (new) web-page… Oops!!???
…a user listing

Violation of Basic Principles!
► Configuration well documented in Google…
► Neglected “Rule of Least Privilege”: everyone could upload whatever he/she wants…
► Lack of input validation & sanitization
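What “everyone could upload whatever he/she wants” looks like in code, and how least privilege plus input validation closes it, as an added example (not code from the slides or from the defaced site): the unsafe path builder trusts the client’s file name, the hardened version restricts the type by an allow-list and magic bytes, picks the name itself, keeps the file inside the upload root and creates it without an execute bit. The allow-list, size limit, directory and function names are assumptions for the illustration.

```python
import os
import pathlib
import secrets

# File types this hypothetical site agrees to host: extension -> leading magic bytes.
ALLOWED_TYPES = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "pdf": b"%PDF-"}
MAX_BYTES = 5 * 1024 * 1024


def target_path_unsafe(upload_dir: str, client_name: str) -> str:
    # VULNERABLE (the pattern behind the defacement): the client picks the file name.
    # "../index.html" escapes upload_dir, an absolute name replaces upload_dir entirely,
    # and "shell.php" becomes server-side code if the directory is served with a script handler.
    return os.path.join(upload_dir, client_name)


def validate_upload(client_name: str, data: bytes) -> str:
    """Return the accepted extension, or raise ValueError saying why the upload is refused."""
    if len(data) > MAX_BYTES:
        raise ValueError("upload too large")
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise ValueError(f"extension {ext!r} is not on the allow-list")
    if not data.startswith(magic):          # declared type must match the bytes, not just the name
        raise ValueError("content does not match the declared type")
    return ext


def target_path_safe(upload_dir: str, client_name: str, data: bytes) -> pathlib.Path:
    ext = validate_upload(client_name, data)
    name = f"{secrets.token_hex(16)}.{ext}"   # server-chosen name: nothing from the client reaches the path
    root = pathlib.Path(upload_dir).resolve()
    path = (root / name).resolve()
    if path.parent != root:                  # belt and braces: the file must stay inside the upload root
        raise ValueError("path escapes the upload root")
    return path


def store(path: pathlib.Path, data: bytes) -> None:
    # O_EXCL: never overwrite an existing file; 0o600: no execute bit, no access for other users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)
    print(target_path_unsafe("/srv/www/uploads", "../index.html"))
    print(target_path_safe("/srv/www/uploads", "../index.png", png))
```

The upload directory should additionally be served without any script handler, so that even a file that slips through the type check is delivered as data and never executed.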

Who owns the consequences?
How long does it take you to reinstall your system, if requested right now?
Are you prepared to take full responsibility? Are you in a position to really take it?
Can you allow for the loss of
► functionality
► control or safety
► efficiency & beam time
► hardware or data
► reputation…?

Mitigation: A Permanent Process
Prevention (YOU):
► Patch immediately (manage centrally)
► Keep passwords secret & change them regularly
► “Rule of least privilege”: control access to all your assets
► Apply proper coding & configuration practices
Protection:
► Deploy “Defense-in-Depth”
► Segregate networks
► Tighten down firewalls
► Be vigilant & stay alert
Detection:
► Monitor traffic
► Deploy intrusion detection (host-, network-based)
► Maintain up-to-date anti-virus software
► Enable & monitor system logging
► Be vigilant & stay alert
Response (YOU & US):
► Do incident forensics
► Leave “ON”, disconnect & don’t touch
► Recover…
► Analyze causes & apply lessons learned
All four rest on budget & resources.
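“Enable & monitor system logging” only pays off if something reads the logs. As an added example (not code from the slides, and not CERN’s detection setup), the block below runs brute-force detection over a constructed sshd log: a burst rule (many failures from one source inside a short window), a low-and-slow rule (failures spread out to stay under the burst rule but adding up over the whole log), and the case that matters most, a login that succeeded after the failures. The log lines, host name, thresholds and function names are assumptions for the illustration; the addresses are documentation ranges.

```python
import re
from datetime import datetime

# Constructed sshd log extract (syslog format, TEST-NET addresses, invented host name).
SAMPLE_AUTH_LOG = """\
Feb 20 10:15:01 host01 sshd[4711]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Feb 20 10:15:02 host01 sshd[4712]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
Feb 20 10:15:04 host01 sshd[4713]: Failed password for root from 203.0.113.5 port 40003 ssh2
Feb 20 10:15:05 host01 sshd[4714]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Feb 20 10:15:07 host01 sshd[4715]: Failed password for invalid user guest from 203.0.113.5 port 40005 ssh2
Feb 20 10:15:09 host01 sshd[4716]: Failed password for root from 203.0.113.5 port 40006 ssh2
Feb 20 10:15:12 host01 sshd[4717]: Accepted password for root from 203.0.113.5 port 40007 ssh2
Feb 20 10:16:30 host01 sshd[4720]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Feb 20 10:16:41 host01 sshd[4721]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
Feb 20 11:00:00 host01 sshd[4800]: Failed password for invalid user admin from 192.0.2.9 port 60000 ssh2
Feb 20 11:20:00 host01 sshd[4801]: Failed password for invalid user admin from 192.0.2.9 port 60001 ssh2
Feb 20 11:40:00 host01 sshd[4802]: Failed password for invalid user admin from 192.0.2.9 port 60002 ssh2
Feb 20 12:00:00 host01 sshd[4803]: Failed password for invalid user admin from 192.0.2.9 port 60003 ssh2
Feb 20 12:20:00 host01 sshd[4804]: Failed password for invalid user admin from 192.0.2.9 port 60004 ssh2
Feb 20 12:40:00 host01 sshd[4805]: Failed password for invalid user admin from 192.0.2.9 port 60005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return (timestamp, ip, user, success) for each password-auth line; skip everything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year; order and gaps suffice
            events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def per_source_stats(events, window=60):
    stats = {}
    for ts, ip, user, ok in events:                  # events assumed in log (chronological) order
        s = stats.setdefault(ip, {"fail_times": [], "users": set(), "success_after_fail": None})
        if ok:
            if s["fail_times"]:
                s["success_after_fail"] = user       # a login that succeeded after failures from the same source
        else:
            s["fail_times"].append(ts)
            s["users"].add(user)
    for s in stats.values():
        s["total"] = len(s["fail_times"])
        s["burst"] = max_in_window(s["fail_times"], window)
    return stats


def alerts(stats, burst_threshold=5, total_threshold=5):
    """Map source IP -> list of reasons; sources with nothing to report are omitted."""
    out = {}
    for ip, s in stats.items():
        reasons = []
        if s["burst"] >= burst_threshold:
            reasons.append("burst")                  # classic brute force: many failures in one window
        elif s["total"] >= total_threshold:
            reasons.append("low-and-slow")           # spread out to stay under per-window rules
        if reasons and s["success_after_fail"]:
            reasons.append("success-after-failures")  # the guessing eventually worked: treat as a compromise
        if reasons:
            out[ip] = reasons
    return out


if __name__ == "__main__":
    for ip, why in alerts(per_source_stats(parse_auth_log(SAMPLE_AUTH_LOG))).items():
        print(ip, ", ".join(why))
```

A single typo from a legitimate user (one failure, then success) produces no alert; a success from a source that has already tripped a rule is the line to act on first, because it marks the point where “prevention” has failed and “response” begins.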

Operational Circular #5

Operational Circular #5
Stick to the “Rule of Least Privilege”:
► Protect accounts/files/services/systems against unauthorised access
► Passwords must not be divulged or easily guessable (your “toothbrush”)
► Protect access to unattended equipment
E-mail users must not:
► Send mail bombs, SPAM or chain letters, or forge e-mail or news articles
PC users must:
► Run anti-virus software and upgrade/patch systems regularly
► Act immediately to contain and mitigate security incidents
Network users must:
► Collaborate to investigate problems detrimental to CERN’s network
► Not make unauthorised changes to CERN’s network infrastructure

Operational Circular #5 (cont’d)
Personal use is tolerated or allowed provided:
► Frequency and duration are limited and the resources used are minimal
► Activity is not illegal, political, commercial, inappropriate, offensive, or detrimental to official duties
► Activity does not violate applicable laws in CERN's Host States
► Not allowed: the consultation of pornographic and other illicit material (e.g. paedophilia, inciting to violence, discrimination, racism)
Restricted personal use:
► Applications known to cause security and/or network problems
► e.g. Skype, IRC, file sharing (eDonkey, BitTorrent, …)
Respect confidentiality and copyrights:
► Illegal or pirated data (software, music, video, etc.) is not permitted

Summary
Security is a permanent process and can only be achieved to 100%-ε.
YOU are responsible for securing your service(s) (i.e. ε):
► As user, developer, system expert or administrator
► As a project manager or line manager
Therefore:
► Be vigilant and stay alert!
► Close vulnerabilities: prevent incidents from happening
► Check access rights and stick to the “Rule of Least Privilege”
► Make security a system property: review configuration & coding practices
► Provide funding and resources
The Computer Security Team can provide assistance.

Training Courses on Security

More Information…
CERN Computing Rules OC#5, subsidiary service rules & Computer Security information:
Please report incidents to:
Security contacts (Departments): Pierre Charrue (BE), Peter Jurcso (DSU), Brice Copy (EN), Folke Wallberg (FP), Timo Hakulinen (GS), Catharina Hoch (HR), Stefan Lüders (IT), Joel Closier (PH), Gustavo Segura (SC), Vittorio Remondino (TE)
Security contacts (Experiments): Peter Chochula (ALICE), Mike Capell (AMS), Giuseppe Mornacchi (ATLAS), Frans Meijers (CMS), Gerhart Mallot (COMPASS), Niko Neufeld (LHCb), Alberto Gianoli (NA62), Francesco Cafagna (TOTEM), Technical-Network Admins.