Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internal security consulting, reviews and penetration testing at CERN

Published byEvangeline Ball Modified over 6 years ago

Similar presentations

Presentation on theme: "Internal security consulting, reviews and penetration testing at CERN"— Presentation transcript:

1 Internal security consulting, reviews and penetration testing at CERN
Sebastian Lopienski CERN Deputy Computer Security Officer CHEP 2016, San Francisco Where are we? What to expect? How to survive and do science?

2 What do security teams usually do?
Incident Response Intrusion Detection Vulnerability Management Education, Training, Awareness Raising Firewall, Network Security Etc. etc. Obviously, we do all that at CERN, too

3 But we need to do more Too often it’s too late:
“My site runs on WordPress, because I didn’t know CERN uses Drupal” “The system is in production now, so we cannot change its architecture or technology choices” Too often people have good(?) excuses: “I inherited this code, but have no idea how it works” “This was deployed back in 2003 and no one looked into it since” “I followed a software security course, but it was many years ago” “I didn’t think that such an attacks was possible”

4 “We are there to help you”

5 Security consulting We provide input and expertise for CERN software and services Thread modeling and risk assessment Secure system architecture and design Security measures E.g. software projects and systems (from all CERN departments and experiments) computing infrastructure (e.g. COMPASS experiment, GIS services) services provided by the IT department (e.g. Drupal, git) procedures and tools (e.g. user pre-registration, payment workflows, transmitting root passwords to sysadmins, radio-protection data privacy)

6 Security consulting Technical expertise for procurement of external software/services often SaaS technical specifications for tender calls requirements for contracts E.g. service management ticket handling system (for IT) applicant tracking system (for HR) payment systems (for finance dept.)

7 Security evaluations (for systems already implemented)
Penetration testing mostly web apps - but also other systems, sometimes unexpected (e.g. point of sale, dosimeter reader station etc.) both in-house developed (too many examples to list here) … and external developed (for CERN or not), e.g. CERN alumni web app CERNjobs mobile app Questions2answers (stackoverflow alike) PyBossa (crowd-sourcing/microtasking)

8 Security evaluations (for systems already implemented)
Code reviews for particularly sensitive systems or modules (e.g. authentication, credentials handling, privileged access) E.g. Volunteer Computing Credential Service Kerberos unification secrets handling in puppet infrastructure handling (financial) donations

9 Often touching many technical domains
Account_management Software_security Authentication Authorization Cryptography System_administration System_design Privacy Data_protection System_hardening Network_security Web_frameworks Programming_platforms Virtualization Workstation Webservers

10 Considerations, lessons learned
Push or pull model? Who makes the first contact? How much should we reach out? Suggest or require? i.e. how actively should we push for security How to explain and convince? sometimes, we have to exploit in order to demonstrate a vulnerability Slow start, but a busy activity after a couple of years ~10 bigger + dozens of minor requests per year CERN people more security aware? More willing to contact us? Still, we learn about many projects too late

11 Offspring and related initiatives (IT department, last 2 years)
WhiteHat challenge (for CERN people and external universities) providing training on web security and penetration testing inviting non-security people to learn and do pentesting CERN Software Developers Forum building a community, providing starting information for newcomers IT Consulting Service advising CERN community, directing to existing services & solutions

12 Conclusions (perhaps obvious?)
Working together is very beneficial, and appreciated security people + service managers/developers/physicists Cases often touch more than security e.g. “Auto-commit to git from a website on the technical network” Back covering exercises? Sometimes. “Security team accepted it, so now they are responsible” …but that’s OK with us! Advertising our activity is not easy especially in a heterogeneous environment as CERN how to reach everyone? especially the newcomers?

13 People and technology

14 PS: Do other labs have such activities existing? formalized?
Thank you

15

Download ppt "Internal security consulting, reviews and penetration testing at CERN"

Similar presentations

The Whole/Hole of Security A Consultants Perspective August 25, 2004 Potomac Consulting Group Don Philmlee, CISSP.

The Whole/Hole of Security A Consultants Perspective August 25, 2004 Potomac Consulting Group Don Philmlee, CISSP.
The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Security Controls – What Works

Security Controls – What Works
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Social Engineering Jero-Jewo. Case study Social engineering is the act of manipulating people into performing actions or divulging confidential information.

Social Engineering Jero-Jewo. Case study Social engineering is the act of manipulating people into performing actions or divulging confidential information.
CSCD 434 Spring 2011 Lecture 1 Course Overview. Contact Information Instructor Carol Taylor 315 CEB Phone: 509-359-6908 Office.

CSCD 434 Spring 2011 Lecture 1 Course Overview. Contact Information Instructor Carol Taylor 315 CEB Phone: Office.
Controls for Information Security

Controls for Information Security
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Disability Management in the Workplace Dept. of Social Protection Barbara Geoghegan Fidelma Cotter November 2011.

Disability Management in the Workplace Dept. of Social Protection Barbara Geoghegan Fidelma Cotter November 2011.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
 Prototype for Course on Web Security ETEC 550.  Huge topic covering both system/network architecture and programming techniques.  Identified lack.

 Prototype for Course on Web Security ETEC 550.  Huge topic covering both system/network architecture and programming techniques.  Identified lack.
Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.

Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.
Service Management for CERN GS & IT. Page 2 Service Management: WHAT Our Goals:  One Service Desk for CERN (one number to ring, one place to go, 24/7.

Service Management for CERN GS & IT. Page 2 Service Management: WHAT Our Goals:  One Service Desk for CERN (one number to ring, one place to go, 24/7.
Web Security for Network and System Administrators1 Chapter 2 Security Processes.

Web Security for Network and System Administrators1 Chapter 2 Security Processes.
VULNERABILITY ASSESSMENT FOR THE POLICE DEPARTMENT’S NETWORK.

VULNERABILITY ASSESSMENT FOR THE POLICE DEPARTMENT’S NETWORK.
Information Systems Security Operations Security Domain #9.

Information Systems Security Operations Security Domain #9.
OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.

OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.

Similar presentations

Ads by Google