Slide 1: Security Essentials for Fermilab System Administrators
November 6, 2012

Slide 2: Why Computer Security?
- Civilization is Risk. -- Not Big Brother

Slide 3: Why Computer Security?
- Civilization is Risky.

Slide 4: Dealing With Risk
- Recognize | Reduce | Recover

Slide 5: Organization
- CIO: Vicky White
- CISO: Irwin Gaines
- FCSC: Joe Klemencic
- FIR: The Computer Security Team
- Division & Sector Coordinators

Slide 6: Recognizing Risks
- High Bandwidth
- Enormous Storage
- Posh .gov Location
- Nothing Marketable

Slide 7: Recognizing Risks
- High Bandwidth
- Enormous Storage
- Posh .gov Location
- Nothing Marketable*

Slide 8: Recognizing Risks
- IP & warez
- SPAM
- Malware
- Botnets
- DDoS attacks

Slide 9: Recognizing Risks
- Stolen Credentials
- Destruction Of Data
- Waste Of Bandwidth
- Waste Of Time
- Frustration

Slide 10: Recognizing Risks
- Default root/admin privs
- Visiting malicious sites
- Watering Hole infections
- Visitor systems
- Promiscuous USB sharing
- Lack of gruntlement

Slide 11: Recent News
- Stuxnet/Duqu/Flame
- Flashback/SabPub
- Trojan-Downloader:Java/GetShell.A

Slide 12: Critical Vulnerabilities
- 12/2011: telnetd remote code execution
- 03/2012: RDP vulnerability (MS12-020)
- 06/2012: Cumulative IE (MS12-037)
- 06/2012: CERN/FNAL Hypernews
- 10/2012: ColdFusion

Slide 13: TLAs for TCB: ISM? DID.
- Integrated Security Management (ISM)
- Defense In Depth (DID)

Slide 14: Recognizing Risks: ISM
- Computer Security is not an add-on
- Not "one size fits all"
- Largely common sense

Slide 15: DID: Perimeter Controls
- Protocols blocked at border
- Proxies
- Transient blocks
- Mail virus scanning

Slide 16: DID: Central Authentication
- Primary passwords off the net
- Single turn-off point
- No visible services w/o Strong Auth
- Lab systems scanned for compliance

Slide 17: DID: Services Accounts
- Unkerberizable: Service Now, Kronos, Exchange, …

Slide 18: Major Applications
- Critical to the mission of the Laboratory
- Most things do not fall in this category
- Very stringent rules & procedures
- You'll know if you're in this category

Slide 19: Minor Applications
- Important to the mission of the Laboratory
- Most things do not fall in this category
- Stringent rules & procedures
- You'll know if you're in this category

Slide 20: Grid Security Training
- Grid SysAdmin
- GUMS/VOMS Admin
- Griddleware Developer
- See: Security Essentials for Grid System Administrator

Slide 21: Patch/Configuration Mgmt
- Baselines: Linux, Mac, Windows
- All systems must meet their baseline
- All systems must be regularly patched
- Non-essential services off
- Windows, especially, must run AV

Slide 22: Patch/Configuration Mgmt
- Exceptions/Exemptions:
  - Documented case why OS is "stuck"
  - Patch and manage as securely

Slide 23: Anti-Virus
- Windows & Mac Baselines
- Linux with Samba/CIFS
- Central Update Server & Logging
- Respond to alerts!

Slide 24: Central Logging
- Use clogger
- Attackers will sanitize local logs
- Aids forensic investigations
- Problems may get noticed earlier

Slide 25: Critical Vulnerabilities
- Active exploits declared critical
- Pose a clear and present danger
- Must patch by a given date or be blocked
- Handled via TIssue events

Slide 26: AV Alerts & Automatic Blocking
- Some bad viruses cause an immediate block
- May require a "Wipe & Reinstall"
- If not, a thorough scan is performed
- May be returned to service, if successful
- Inconvenience is unavoidable, alas

Slide 27: Computer Security Incidents
- Report suspicious events to x2345 or Service Now > Security Incident
- Follow FIR instructions during incidents
- Keep infected machines off the network
- Preserve system for expert investigation
- Not to be discussed!

Slide 28: Fermi Incident Response (FIR)
- Triage initial reports
- Coordinate investigation
- Work with local Sysadmins, experts
- May take control of affected systems
- Maintain confidentiality

Slide 29: Prohibited Activities
- Blatant disregard of computer security
- Unauthorized or malicious actions
- Unethical behavior
- Restricted central services
- Security & cracker tools
- http://security.fnal.gov/policies/cpolicy.html

Slide 30: Mandatory Sysadmin Registration
- All Sysadmins must be registered
- Primary Sysadmin is responsible for configuring and patching
- http://security.fnal.gov -> "Verify your node registration"

Slide 31: Sysadmins Get Risk-Roled
- System manager for security
- Assist and instruct users to do it right
- Vigilant observer of your systems' (and sometimes users') behavior

Slide 32: Role of Sysadmins
- Manage your systems sensibly, securely
- Services comply with Strong Auth rules
- Report potential incidents to FIR
- Act on relevant bulletins
- Keep your eyes open

Slide 33: Protecting Your Systems
- Shut off unneeded services
- Set up needed services properly
- Set up a suitable firewall
- Keep informed & patched on OS issues
- Use clogger

Slide 34: Users: We Get Mail
- You haven't won $10M
- Don't open (most) attachments
- Best not to click links in mail
- Disable scripting for mail

Slide 35: Users: We Get Mail
- Can you trust the (so-called) sender?

    Received: from [123.28.41.241] (unknown [123.28.41.241])
        by hepa1.fnal.gov (Postfix) with ESMTP id 808F76F247
        for ; Thu, 01 Apr 2010 09:41:02 -0500 (CDT)
    From: Wayne E Baisley
    To: Wayne E Baisley

    route:    123.28.32.0/19
    descr:    VietNam Post and Telecom Corporation (VNPT)
    address:  Lo IIA Lang Quoc te Thang Long, Cau Giay, Ha Noi

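The check the slide walks through by hand (read the Received header our own MTA stamped, find the connecting address, notice it is an unknown host far outside the Lab while From: claims a Lab person) can be automated for triage. The following is an added example, not code from the talk or from Fermilab: it parses the topmost Received header, extracts the connecting IP, notes whether Postfix recorded a reverse-DNS failure ("unknown"), and flags a message whose From: domain is ours but whose connection came from outside an assumed trusted range. OUR_DOMAIN is taken from the slide; TRUSTED_NETS holds placeholder private ranges, and the mailbox local parts in the two sample messages are invented, since the slide leaves them out. Only the topmost Received line is trusted, because lower ones are supplied by the remote side and can be forged.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Domain whose senders we expect to originate inside the Lab network (from
# the slide). The trusted ranges are placeholders; substitute the real ones.
OUR_DOMAIN = "fnal.gov"
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),       # placeholder
                ipaddress.ip_network("192.168.0.0/16")]   # placeholder

# Constructed sample modelled on the slide's header; the address local parts
# are invented because the slide omits them.
SPOOFED = """\
Received: from [123.28.41.241] (unknown [123.28.41.241])
\tby hepa1.fnal.gov (Postfix) with ESMTP id 808F76F247
\tfor <user@fnal.gov>; Thu, 01 Apr 2010 09:41:02 -0500 (CDT)
From: Wayne E Baisley <user@fnal.gov>
To: Wayne E Baisley <user@fnal.gov>
Subject: constructed sample

Hello
"""

# Constructed legitimate counterpart: same claimed sender, but delivered
# from a host in a trusted range whose reverse DNS resolved.
LEGIT = """\
Received: from desk.fnal.gov (desk.fnal.gov [10.1.2.3])
\tby hepa1.fnal.gov (Postfix) with ESMTP id 0000000000
\tfor <user@fnal.gov>; Thu, 01 Apr 2010 09:41:02 -0500 (CDT)
From: Wayne E Baisley <user@fnal.gov>
To: Wayne E Baisley <user@fnal.gov>
Subject: constructed sample

Hello
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trusted_hop(msg):
    """Return the topmost Received header, i.e. the one our own MTA added.

    Headers below it arrived with the message and may be forged, so only
    this hop is used for the assessment.
    """
    hops = msg.get_all("Received") or []
    return hops[0] if hops else None


def connecting_ip(received):
    """IP address the remote client connected from, as our MTA recorded it."""
    m = IPV4.search(received)
    return m.group(1) if m else None


def assess(raw):
    """Compare the claimed From: domain with where the connection came from."""
    msg = email.message_from_string(raw)
    hop = trusted_hop(msg)
    ip = connecting_ip(hop) if hop else None
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    in_trusted = ip is not None and any(
        ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    # Postfix writes "(unknown [a.b.c.d])" when reverse DNS returned no name.
    rdns_failed = hop is not None and "(unknown [" in hop
    return {
        "sender_domain": domain,
        "connecting_ip": ip,
        "reverse_dns_failed": rdns_failed,
        "from_trusted_network": in_trusted,
        # Our own domain is claimed, yet the connection came from outside it.
        "suspicious": domain == OUR_DOMAIN and not in_trusted,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, assess(raw))
```

The script stops where the slide continues: once the connecting IP is known, the WHOIS step on the slide (route 123.28.32.0/19, VNPT) tells you who holds the netblock, which is the piece a user cannot get from the headers alone. A flag from this check is a reason to treat the message as a likely spoof and report it, not proof by itself; legitimate roaming users and third-party mailers also send from outside the trusted ranges.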
Slide 36: Users: Pass the Word
- Use strong passwords
  - Longer is better
- Use different passwords
  - Or variants, at least

Slide 37: Other Duties As Assigned
- Guard against malicious web code
- Protect your Kerberos password
- Report possible security incidents to x2345 or Service Now > Security Incident

Slide 38: Data Backup Policy For Users
- Decide what data requires protection
- How to be recovered, if needed
- Arrange backups with Sysadmins
  - Or do your own backups
- Occasionally test retrieval

Slide 39: The Incidental Computist
- Some non-Lab-business use is allowed: http://security.fnal.gov/ProperUse.htm
- (I prefer personal iPhone/iPad/Droid via an external network …)

Slide 40: Activities to Avoid
- Anything that:
  - Is illegal
  - Is prohibited by Lab/DOE policy
  - May embarrass the Lab
  - Interferes with job performance
  - Consumes excessive resources

Slide 41: Activities to Avoid
- Services like Skype and BitTorrent are not forbidden, but very easy to misuse!

Slide 42: Data Privacy
- Generally, Fermilab respects privacy
- You are required to do likewise
- Special cases for Sysadmins during Security Incidents
  - Or written Directorate approval

Slide 43: Privacy of Email and Files
- May not use information in another person's files seen incidental to any activity (legitimate or not) for any purpose w/o explicit permission of the owner or "reasonable belief the file was meant to be accessed by others."

Slide 44: Offensive Materials
- Material on computer ≈ Material on desk
- A line management concern
- Not a computer security issue per se

Slide 45: Software Licensing
- Fermilab is strongly committed to respecting intellectual property rights.
- Use of unlicensed commercial software is a direct violation of lab policy.

Slide 46: Summary: User Responsibilities
- Appropriate use of computing resources
- Prompt incident reporting
- Proper PII handling (separate training)
- Know how your data is backed up
- Respect privacy of electronic information

Slide 47: Summary: Admin Responsibilities
- System registration
- AV, patching, configuration mgmt
- Strong Authentication access control
- No restricted services (email, dns, etc.)

Slide 48: Questions?
- nightwatch@fnal.gov for questions about security policy
- computer_security@fnal.gov for questions about security incidents
- http://security.fnal.gov/