1. Security Essentials for Fermilab System Administrators Wayne Baisley Computer Security Awareness Day 10 November 2015

2. Security Essentials for Fermilab System Administrators 11/10/15Security Essentials for Fermilab System Administrators2

3. Why Computer Security? 11/10/15Security Essentials for Fermilab System Administrators3

4. Why Computer Security? 11/10/15Security Essentials for Fermilab System Administrators4

5. The State Of All The Things 11/10/15Security Essentials for Fermilab System Administrators5

6. I Hear You Knocking 11/10/15Security Essentials for Fermilab System Administrators6

7. I Hear You Knocking 11/10/15Security Essentials for Fermilab System Administrators7

8. I Hear You Knocking 11/10/15Security Essentials for Fermilab System Administrators8

9. Who’s Not Answering Their Phone? 11/10/15Security Essentials for Fermilab System Administrators9

10. Gone Phishin’ 11/10/15Security Essentials for Fermilab System Administrators10

11. Gone To China 11/10/15Security Essentials for Fermilab System Administrators11

12. Large Takeout Order 11/10/15Security Essentials for Fermilab System Administrators12 This past summer, the Office of Personnel Management's computers were hacked in what investigators believe was a Chinese operation. Security clearance information on 21 million Americans was stolen. Including the kind of information that could be used to blackmail people with top-secret clearances.

13. Recent News Be very careful with Amazon AWS and EC2 account credentials. 11/10/15Security Essentials for Fermilab System Administrators13

14. Recent News Be very careful with Amazon AWS and EC2 account credentials. 11/10/15Security Essentials for Fermilab System Administrators14

15. Recent News Linux.Encoder.1 Ransomware AES with symmetric key Key asymmetrically encrypted with RSA Easily broken because ~1-bit entropy for AES key (REAMDE.TXT) 11/10/15Security Essentials for Fermilab System Administrators15

16. Recognize | Reduce | Recover 11/10/15Security Essentials for Fermilab System Administrators16 Risk And Our Responsibilities

17. Recognize | Reduce | Recover 11/10/15Security Essentials for Fermilab System Administrators17 Risk And Our Responsibilities

18. Recognizing Risks High Bandwidth Enormous Storage Posh.gov Location 11/10/15Security Essentials for Fermilab System Administrators18

19. Recognizing Risks High Bandwidth Enormous Storage Posh.gov Location Nothing Marketable 11/10/15Security Essentials for Fermilab System Administrators19

20. Recognizing Risks IP & warez SPAM Malware Botnets DDoS attacks Website defacement 11/10/15Security Essentials for Fermilab System Administrators20

21. Recognizing Risks Stolen Credentials Destruction Of Data Waste Of Bandwidth Waste Of Time Frustration 11/10/15Security Essentials for Fermilab System Administrators21

22. Recognizing Risks Default root/admin privs Visiting malicious sites Watering Hole infections Visitor systems Promiscuous USB sharing Lack of gruntlement 11/10/15Security Essentials for Fermilab System Administrators22

23. TLAs Integrated Security Management (ISM) Defense In Depth (DID) 11/10/15Security Essentials for Fermilab System Administrators23

24. ISM: Reducing Risks “The security goes in before the service goes on.” 11/10/15Security Essentials for Fermilab System Administrators24

25. DID: Perimeter Controls Protocols blocked at border Proxies Transient blocks (from phishing campaigns, e.g.) Blackhole routes for systematic & scattershot probes Mail virus scanning Web malware scanning 11/10/15Security Essentials for Fermilab System Administrators25

26. DID: Central Authentication Primary passwords off the net Single turn-off point … well, dual-point … actually three … um, four … No visible services w/o Strong Auth Lab systems scanned for compliance 11/10/15Security Essentials for Fermilab System Administrators26

27. DID: Services Accounts Un-Kerberizable: Service Now Kronos FermiWorks Exchange … 11/10/15Security Essentials for Fermilab System Administrators27

28. Patch/Configuration Management Baselines: Linux, Mac, Windows All systems must meet their baseline All systems must be regularly patched Non-essential services should be off Windows, especially, must run AV (But especially Macs. But especially Windows.) 11/10/15Security Essentials for Fermilab System Administrators28

29. Patch/Configuration Mgmt Exceptions/Exemptions: Document case on why OS is "stuck" Patch and manage as securely 11/10/15Security Essentials for Fermilab System Administrators29

30. Grid Security Training Grid Sysadmin GUMS/VOMS Admin Griddleware Developer 11/10/15Security Essentials for Fermilab System Administrators30 Security Essentials for Grid System Administrator Security Essentials for Grid System Administrator

31. Major Applications Critical to the mission of the Laboratory Most things do not fall in this category Very stringent rules & procedures You'll know if you're in this category 11/10/15Security Essentials for Fermilab System Administrators31

32. Minor Applications Important to the mission of the Laboratory Most things do not fall in this category Stringent rules & procedures You'll know if you're in this category 11/10/15Security Essentials for Fermilab System Administrators32

33. Central Logging Use clogger Attackers will sanitize local logs Aids forensic investigations Problems may get noticed earlier, esp. full /var 11/10/15Security Essentials for Fermilab System Administrators33

34. Critical Vulnerabilities Active exploits declared critical Pose a clear and present danger Must patch by a given date, or be blocked Handled via TIssue events Similarly, OS End-Of-Life 11/10/15Security Essentials for Fermilab System Administrators34

35. AV Alerts & Automatic Blocking Some bad viruses cause an immediate block May require a Wipe+Reinstall If not, an offline scan is performed May be returned to service, if successful Inconvenience is unavoidable, alas 11/10/15Security Essentials for Fermilab System Administrators35

36. Computer Security Incidents Report suspicious/urgent events to x2345 or email computer_security@fnal.gov Follow FIR instructions during incidents Leave the systems running, but Keep infected machines off the network Preserve system for expert investigation Not to be discussed! 11/10/15Security Essentials for Fermilab System Administrators36

37. Fermi Incident Response (FIR) Triage initial reports Coordinate investigation Work with local sysadmins and experts May take control of affected systems Maintain confidentiality 11/10/15Security Essentials for Fermilab System Administrators37

38. Software Licensing Fermilab is strongly committed to respecting intellectual property rights. Use of unlicensed commercial software is a direct violation of lab policy. 11/10/15Security Essentials for Fermilab System Administrators38

39. Prohibited Activities “Blatant disregard” of computer security Unauthorized or malicious actions Damage of data, unauthorized use of accounts, denial of service, etc., are forbidden Unethical behavior Same standards as for non-computer activities Restricted central services May only be provided by approved service owners Security & cracker tools Possession (and use) must be authorized See http://security.fnal.gov/policies/cpolicy.htmlhttp://security.fnal.gov/policies/cpolicy.html

40. Activities to Avoid Large grey area, but certain activities are “over the line” – Illegal Prohibited by Lab or DOE policy Embarrassment to the Laboratory Interfere with performance of job Consume excessive resources Example: P2P (peer-to-peer) software like Skype and BitTorrent: not explicitly forbidden but very easy to misuse!

41. Licensed or Copyright Material Using Fermilab resources to obtain, possess, or distribute without a license to do so is in most cases a violation of several laws and Fermilab policy. This includes but is not limited to Video, Audio, Images and Software Do not download it via BitTorrent, newsgroups, the web, email, or any other means. Do not borrow physical media and use Fermilab resources to copy it. The Laboratory can be held legally and financially liable for these actions.

42. 11/10/15Security Essentials for Fermilab System Administrators42 Bit Piracy

43. Computing Policy Violation Consequences Forfeiture of computing equipment for analysis and reporting Loss of computing privileges (accounts, network access, etc.) Supervisory / Senior Management notification for adjudication Legal ramifications Possible punitive actions

44. Mandatory Sysadmin Registration All Sysadmins must be registered Primary Sysadmin responsible for configuring & patching http://security.fnal.gov -> "Verify your node registration" 11/10/15Security Essentials for Fermilab System Administrators44

45. Sysadmins Get Risk-Roled System manager for security Assist and instruct users to do it right Vigilant observer of your systems (and sometimes users’) behavior 11/10/15Security Essentials for Fermilab System Administrators45

46. Data Backup Policy For Users Decide what data requires protection How to be recovered, if needed Arrange backups with sysadmins Or do your own backups Periodically test retrieval 11/10/15Security Essentials for Fermilab System Administrators46

47. The Incidental Computist Some non-Lab-business use is allowed: http://security.fnal.gov/ProperUse.htm I prefer personal phone/tablet via an external network. Note, however, that outside personal email accounts don’t go through the AV scanners. Webmail does get scanned passing through the border router. 11/10/15Security Essentials for Fermilab System Administrators47

48. Data Privacy Generally, Fermilab respects privacy You are required to do likewise Special cases for Sysadmins during Security Incidents Or written Directorate approval 11/10/15Security Essentials for Fermilab System Administrators48

49. Privacy of Email and Files May not use information in another person’s files seen incidental to any activity (legitimate or not) for any purpose w/o explicit permission of the owner or "reasonable belief the file was meant to be accessed by others." 11/10/15Security Essentials for Fermilab System Administrators49

50. Offensive Materials Material on computer ≈ Material on desk A line management concern Not a computer security issue per se 11/10/15Security Essentials for Fermilab System Administrators50

51. Summary: User Responsibilities Of particular concern is illegally download material -Copyrighted works such as movies, shows, books -Licensed programs and data -Otherwise illegal files The Lab doesn’t need the liability. 11/10/15Security Essentials for Fermilab System Administrators51

52. Summary: User Responsibilities Appropriate use of computing resources Prompt incident reporting Proper PII handling (separate training) Know how your data is backed up Respect privacy of electronic information 11/10/15Security Essentials for Fermilab System Administrators52

53. Summary: Admin Responsibilities System registration AV, patching, configuration mgmt Strong Authentication access control No restricted services (email, dns, etc.) 11/10/15Security Essentials for Fermilab System Administrators53

54. Questions? nightwatch@fnal.gov for questions about security policy computer_security@fnal.gov for questions about security incidents http://security.fnal.gov/ 11/10/15Security Essentials for Fermilab System Administrators54

55. Security Essentials for Fermilab System Administrators

56. Everything Is Important 11/10/15Security Essentials for Fermilab System Administrators56