Slide 1: Cyber Security Awareness
Academic Freedom vs. Operations vs. Security
CERN Computer Security Team (2010): S. Lopienski, S. Lüders, R. Mollon, R. Wartel
“Protecting Office Computing, Computing Services, GRID & Controls”
Slide 2: Basics On Security
Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20 February 2007 ― Computer.Security@cern.ch — “Computer Security Awareness”

Security is as good as the weakest link:
► Attacker chooses the time, place, method
► Defender needs to protect against all possible attacks (currently known, and those yet to be discovered)
Security is a system property (not a feature)
Security is a permanent process (not a product)
Security cannot be proven (phase-space problem)
Security is difficult to achieve, and only to 100%-ε.
► At CERN, YOU define ε !!!
BTW: Security is not a synonym for safety.
YOU are responsible for securing your services & systems:
► As user, developer, system expert or administrator
► As a project manager or line manager
► As part of the CERN or your experiment hierarchy
Slide 3: Under Permanent Attack
CERN is under permanent attack… even now.
Servers accessible from the Internet are permanently probed:
► …attackers trying to brute-force passwords;
► …attackers trying to break Web applications;
► …attackers trying to break into servers and obtain administrator rights.
Users are not always aware/cautious/proactive enough:
► …attackers trying to harvest credentials outside CERN;
► …attackers trying to “phish” user passwords.
Incidents happen:
► Web sites & web servers, database interfaces, computing nodes, mail accounts, …
► The office network is very liberal: free connection policy and lots of visitors. Thus, there are always devices being infected/compromised.
YOU are responsible for preventing incidents from happening:
► As user, developer, system expert or administrator
► As a project manager or line manager
► As part of the CERN or your experiment hierarchy
Slide 4: Be Vigilant & Stay Alert !!!
Email addresses can easily be faked !
Stop “Phishing” attacks: No legitimate person will EVER ask for your credentials !
Do not trust your web browser !
Slide 5: Do not trust your web browser !
What links to www.ebay.com ?
http://www.ebay.com\cgi-bin\login?ds=1%204324@%31%33%37%2e%31%33%38%2e%31%33%37%2e%31%37%37/p?uh3f223d
http://www.ebaỵ.com/ws/eBayISAPI.dll?SignIn
http://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo&siteid=0&co_partnerid=2&usage=0&ru=http%3A%2F%2Fwww.ebay.com&rafId=0&encRafId=default
http://secure-ebay.com
This is not even obvious for professionals !
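As an added example (not part of the CERN slides), the Python below dissects the four links above and reports the host that actually receives the request, together with the warning signs each link shows. It models the lenient parsing the first link relies on: the authority is taken up to the first `/`, so backslashes and `?` do not terminate it, and everything before the last `@` is treated as user-info that the server never sees. Whether a given browser version parses the link this way varies, which is exactly the slide's point: do not rely on reading the link, check where it goes. The domain `ebay.com` and the four URLs are the slide's; the flag labels and the helper names are my own.

```python
import ipaddress
import unicodedata
from urllib.parse import unquote

# The four links from the slide (constructed here as Python literals; the
# first one is re-joined where the page extraction had split it).
SLIDE_URLS = [
    "http://www.ebay.com\\cgi-bin\\login?ds=1%204324@%31%33%37%2e%31%33%38%2e%31%33%37%2e%31%37%37/p?uh3f223d",
    "http://www.eba\u1ef5.com/ws/eBayISAPI.dll?SignIn",   # U+1EF5 is not the letter 'y'
    "http://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo&siteid=0&co_partnerid=2&usage=0&ru=http%3A%2F%2Fwww.ebay.com&rafId=0&encRafId=default",
    "http://secure-ebay.com",
]
TRUSTED_DOMAIN = "ebay.com"   # the domain the slide asks about


def authority_of(url):
    """Everything between '://' and the first '/'. Deliberately lenient:
    '\\' and '?' do not end the authority, which is how the slide's first
    link smuggles a whole fake path into the part before the '@'."""
    _, sep, rest = url.partition("://")
    return rest.split("/", 1)[0] if sep else ""


def effective_host(url):
    """The host the request actually goes to: user-info before the last '@'
    is dropped, percent-encoding is decoded ('%31%33%37' is just '137') and
    a trailing ':port' is removed. Bracketed IPv6 hosts are out of scope
    for this illustration."""
    host = authority_of(url).rpartition("@")[2]
    return unquote(host).split(":", 1)[0].lower()


def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it, so that
    'secure-ebay.com' does not count as 'ebay.com'."""
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def warning_flags(url, domain=TRUSTED_DOMAIN):
    """Red flags a user or a mail filter can act on, as short labels."""
    authority = authority_of(url)
    host = effective_host(url)
    flags = []
    if "@" in authority:
        flags.append("user-info '@' trick: the text before '@' is not the host")
    if "\\" in authority:
        flags.append("backslashes inside the authority")
    if "%" in authority:
        flags.append("percent-encoded characters inside the authority")
    if is_ip_literal(host):
        flags.append(f"host is a bare IP address: {host}")
    odd = sorted({unicodedata.name(c) for c in host if ord(c) > 127})
    if odd:
        flags.append("look-alike non-ASCII letters in host: " + ", ".join(odd))
    if domain in authority and not belongs_to(host, domain):
        flags.append(f"'{domain}' appears in the link but the host is {host}")
    return flags


def dissect(url, domain=TRUSTED_DOMAIN):
    """(effective host, genuine?, flags) for one link."""
    host = effective_host(url)
    flags = warning_flags(url, domain)
    return host, belongs_to(host, domain) and not flags, flags


if __name__ == "__main__":
    for url in SLIDE_URLS:
        host, genuine, flags = dissect(url)
        print(f"{'GENUINE' if genuine else 'SUSPECT'}  {host}")
        for flag in flags:
            print("    -", flag)
```

Only the third link comes out as genuine. The first resolves to the IP address hidden behind the `@`, the second uses a letter that merely looks like `y`, and the fourth is a different registrable domain that happens to contain the string `ebay.com`. The `belongs_to` check is the one worth copying into real filters: suffix matching must include the leading dot.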
Slide 6: Security risks are everywhere !!!
Unpatched oscilloscope (running Win XP SP2)
Lack of input validation & sanitization
Confidential data on Wiki, webpages, CVS…
Negligence of the “Rule of Least Privilege”
Slide 7: An Incident in September
A defaced (new) web-page… Oops !!???
…a user listing
Slide 8: Violation of Basic Principles !
Configuration well documented in Google…
Neglected “Rule of Least Privilege”: Everyone could upload whatever he/she wants…
Lack of input validation & sanitization
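The two principles the slide says were violated can be made concrete for the upload case. The following is an added Python example, not code from the CERN team or from the incident itself; the size limit, the allowed file types and the storage directory are assumed policy values. It treats the client-supplied file name and the declared type as untrusted input (validation & sanitization) and admits only what the policy explicitly lists (least privilege), rather than letting everyone upload whatever they want.

```python
import os
import secrets

MAX_BYTES = 2 * 1024 * 1024      # assumed policy: at most 2 MiB per upload
UPLOAD_DIR = "/srv/uploads"       # assumed: outside the web root, served without execute rights
# Allowlist: extension -> magic bytes the content must start with. Anything
# not listed here (scripts, server config files, executables) is rejected.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Raised with a short, log-friendly reason."""


def safe_name(client_name):
    """Reduce the untrusted client file name to '<random>.<allowed ext>'.

    The client's basename is discarded entirely: '../' traversal, path
    separators, double extensions ('page.php.png') and exotic characters
    never reach the disk. Only the final extension is consulted, and it
    must be on the allowlist."""
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    return secrets.token_hex(16) + ext


def check_content(ext, data):
    """Size limit first, then the content must look like what it claims."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")


def accept_upload(client_name, data):
    """Validate an upload and return the path it should be stored under."""
    name = safe_name(client_name)
    check_content(os.path.splitext(name)[1], data)
    return os.path.join(UPLOAD_DIR, name)


def vet_upload(client_name, data):
    """Convenience wrapper: (True, storage_path) or (False, reason)."""
    try:
        return True, accept_upload(client_name, data)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample uploads, benign and malformed.
    samples = [
        ("holiday.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("../../var/www/html/page.php", b"<html>"),
        ("cover.png", b"<html>not an image</html>"),
        (".htaccess", b"# server config"),
    ]
    for name, data in samples:
        print(f"{name!r:32} -> {vet_upload(name, data)}")
```

The stored name carries no information from the client, so a defaced page or a directory listing cannot be produced by choosing a clever file name; the magic-byte check catches content that is not what its extension claims; and the allowlist means a new file type has to be consciously added rather than accidentally permitted.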
Slide 9: Who owns the consequences ?
How long does it take you to reinstall your system, if requested right now ?
Are you prepared to take full responsibility? Are you in the position to really take it ?
Can you allow for loss of
► functionality
► control or safety
► efficiency & beam time
► hardware or data
► reputation…?
Slide 10: Mitigation: A Permanent Process
Prevention (YOU):
► Patch immediately (manage centrally)
► Keep passwords secret & change them regularly
► “Rule of least privilege”: Control access to all your assets
► Apply proper coding & configuration practices
Response (YOU & US):
► Do incident forensics
► Leave “ON”, disconnect & don’t touch
► Recover…
► Analyze causes & apply lessons learned
Detection:
► Monitor traffic
► Deploy intrusion detection (host-, network-based)
► Maintain up-to-date anti-virus software
► Enable & monitor system logging
► Be vigilant & stay alert
Protection:
► Deploy “Defense-in-Depth”
► Segregate networks
► Tighten down firewalls
► Be vigilant & stay alert
Budget & Resources: YOU
Slide 11: Operational Circular #5 (http://cern.ch/ComputingRules)
Stick to the “Rule of Least Privilege”:
► Protect accounts/files/services/systems against unauthorised access
► Passwords must not be divulged or easily guessable (your “toothbrush”)
► Protect access to unattended equipment
E-Mail users must not:
► Send mail bombs, SPAM, chain letters or forge e-mail or news articles
PC users must:
► Run anti-virus software and upgrade/patch systems regularly
► Act immediately to contain and mitigate security incidents
Network users must:
► Collaborate to investigate problems detrimental to CERN’s network
► Not make unauthorised changes to CERN’s network infrastructure
Slide 12: Operational Circular #5 (cont’d) (http://cern.ch/ComputingRules)
Personal use is tolerated or allowed provided:
► Frequency and duration are limited and resources used are minimal
► Activity is not illegal, political, commercial, inappropriate, offensive, or detrimental to official duties
► Activity does not violate applicable laws in CERN's Host States
► Not allowed: the consultation of pornographic and other illicit material (e.g. paedophilia, inciting to violence, discrimination, racism)
Restricted personal use:
► Applications known to cause security and/or network problems
► e.g. Skype, IRC, Tor, file sharing (eDonkey, BitTorrent, …) (see http://cern.ch/security/software-restrictions)
Respect confidentiality and copyrights:
► Illegal or pirated data (software, music, video, etc.) is not permitted
Slide 13: Summary
Security is a permanent process and can only be achieved to 100%-ε.
YOU are responsible for securing your service(s) (i.e. ε):
► As user, developer, system expert or administrator
► As a project manager or line manager
Therefore:
► Be vigilant and stay alert !
► Close vulnerabilities: prevent incidents from happening
► Check access rights and stick to the “Rule of Least Privilege”
► Make security a system property: Review configuration & coding practices
► Provide funding and resources
The Computer Security Team can provide assistance.
Slide 14: Training Courses on Security
Slide 15: More Information…
CERN Computing Rules OC#5, subsidiary service rules & Computer Security information: http://cern.ch/security
Please report incidents to: Computer.Security@cern.ch
Security contacts (Departments): Pierre Charrue (BE), Peter Jurcso (DSU), Brice Copy (EN), Flavio Costa (FP), Timo Hakulinen (GS), Catharina Hoch (HR), Stefan Lüders (IT), Joel Closier (PH), Gustavo Segura (SC), Vittorio Remondino (TE)
Security contacts (Experiments): Peter Chochula (ALICE), Giuseppe Mornacchi (ATLAS), Eric Cano (CMS), Gerhart Mallot (COMPASS), Niko Neufeld (LHCb), Alberto Gianoli (NA62), Francesco Cafagna (TOTEM), Technical-Network Administrator (TN).