Computer Security Status Update
FOCUS Meeting, 28 March 2002
Denise Heagerty, CERN Computer Security Officer
Incident Summary, 31 Dec 2001

Incident Type                               2000   2001   Notes
Security holes exploited (includes worms)      8     59   36 web servers, 11 linux kernels, 8 ssh, 4 ftp servers
Compromised CERN accounts                     86     42   sniffed or guessed passwords
DoS (Denial of Service) attacks                8   (26)   25 caused by Code Red Worm (counted above)
Unauthorised use of file servers              18     13   insufficient access controls
Serious SPAM incidents                         9     15   CERN email addresses are regularly forged
Serious Viruses                                9     11   several new viruses are released each day
Miscellaneous security alerts                 17     11
Total Incidents                              155    151
Conclusions

- Security holes and discovered passwords are CERN's biggest security risks
- Security related actions reduced the number and impact of incidents at CERN
  - Incidents remained constant at CERN whilst they doubled across the Internet as a whole in 2001
  - Code Red and Nimda worms were eliminated in less than half a day due to effective security tools
  - CERN avoided disruptive worms, e.g. Code Red II
  - Intensive security campaigns from Aug-Dec 2001: Code Red, Nimda, Linux kernel, ftp, ssh
  - Disconnecting insecure systems has been essential for assuring CERN's Internet access (e.g. Xmas)
- Security needs to become integrated throughout CERN's working methods
Open Issues

- Ensuring software is secured and patches are regularly applied
  - systems directly visible in the firewall expose the site
  - all systems are at risk (worms traverse firewalls)
  - outdated/unsupported systems are a serious security risk!
- Risk from privately installed software
  - often directly visible to the general Internet (high port numbers)
  - can offer unauthorised access (e.g. file sharing)
  - can contain viruses and backdoor access for intruders
- Passwords need to be encrypted for all applications
  - telnet, ftp, X, mail applications expose the password in clear text
- Protecting CERN's critical systems
  - currently at risk on a regular basis
- Ensuring correct data is registered and updated for systems on the CERN network
  - contact name who can react quickly
  - MAC address required for mobile devices
- Ensuring an audit trail to identify causes of incidents
- Protecting the site during Xmas shutdown
  - volunteer effort is not sufficient
Security proposals currently under discussion

- Strengthen firewall protection
  - protect access to sensitive high numbered ports
- Improve computer security information and its dissemination
  - knowledge of security is an important tool
- Define minimum rules for connecting systems to CERN's network
  - correct registration data, configuration checklist, …
- Require regular successful security checks for systems directly visible in the firewall
  - frequent security scans of systems with INCOMING access
- Require security reviews for systems considered as critical for CERN's mission
  - need to ensure these are and remain sufficiently protected
- Define an agreed procedure to block network access for insecure systems
  - attempt to inform an agreed set of people
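The open issues and the proposed minimum connection rules above amount to a checklist that can be evaluated mechanically over a system registry. The following is an added example, not CERN's own tooling or policy: it encodes the rules from the slides (registered contact, MAC address for mobile devices, supported software, no clear-text password services or sensitive high ports visible in the firewall, a successful scan for systems with incoming access, a review for critical systems) as checks over a constructed inventory and returns a per-system decision ("ok", "warn", or "block") that the agreed set of people could be informed of. The port-to-service map, the HIGH_PORT cut-off, the severity assigned to each rule, and every inventory entry are assumptions made for the example.

```python
"""Minimum-rules checker for systems connected to a site network.

Added example, not CERN's own tooling: it turns the registration and
configuration rules on the slides into checks over a constructed inventory.
Port numbers, the HIGH_PORT cut-off, severities and the inventory are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Services whose login sends the password in clear text (telnet, ftp, X, mail).
CLEARTEXT_AUTH_SERVICES = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap", 6000: "X11"}
# Assumed cut-off: incoming access to ports at or above this is treated as a
# "sensitive high numbered port", typical of privately installed software.
HIGH_PORT = 1024


@dataclass
class System:
    hostname: str
    contact: Optional[str]            # person who can react quickly
    mobile: bool                      # mobile devices must register a MAC address
    mac: Optional[str]
    os_supported: bool                # vendor still ships security patches
    incoming_ports: List[int]         # ports reachable from the Internet via the firewall
    last_scan_passed: Optional[bool]  # None = never scanned
    critical: bool = False            # critical for the site's mission
    reviewed: bool = False            # has had a security review


# (severity, message); "block" = network access should be blocked, "warn" = fix and re-register
Finding = Tuple[str, str]


def check_system(s: System) -> List[Finding]:
    findings: List[Finding] = []
    if not s.contact:
        findings.append(("warn", "no contact name registered"))
    if s.mobile and not s.mac:
        findings.append(("warn", "mobile device without MAC address"))
    if not s.os_supported:
        findings.append(("block", "outdated/unsupported system"))
    for port in sorted(s.incoming_ports):
        if port in CLEARTEXT_AUTH_SERVICES:
            svc = CLEARTEXT_AUTH_SERVICES[port]
            findings.append(("block", f"{svc} on port {port} exposes passwords in clear text"))
        elif port >= HIGH_PORT:
            findings.append(("warn", f"high port {port} visible in the firewall (privately installed software?)"))
    if s.incoming_ports and not s.last_scan_passed:
        findings.append(("block", "incoming access without a recent successful security scan"))
    if s.critical and not s.reviewed:
        findings.append(("warn", "critical system without security review"))
    return findings


def decide(findings: List[Finding]) -> str:
    """Any blocking finding blocks the system; other findings only warn."""
    if any(sev == "block" for sev, _ in findings):
        return "block"
    return "warn" if findings else "ok"


def run_checks(inventory: List[System]) -> Dict[str, Tuple[str, List[str]]]:
    """Map hostname -> (decision, messages) for the people who must be informed."""
    report: Dict[str, Tuple[str, List[str]]] = {}
    for s in inventory:
        findings = check_system(s)
        report[s.hostname] = (decide(findings), [msg for _, msg in findings])
    return report


# Constructed inventory: four hypothetical systems, not real hosts.
CONSTRUCTED_INVENTORY = [
    System("webserver01", "A. Person", False, None, True, [80, 443], True),
    System("oldbox", None, False, None, False, [21, 23], None),
    System("laptop07", "B. Person", True, None, True, [], None),
    System("fileshare", "C. Person", False, None, True, [6346], True, critical=True),
]

if __name__ == "__main__":
    for host, (decision, msgs) in run_checks(CONSTRUCTED_INVENTORY).items():
        print(f"{host}: {decision}")
        for m in msgs:
            print(f"  - {m}")
```

The severities are a design choice: registration gaps are fixable by the contact, so they warn, whereas an exposed clear-text login, an unsupported system, or an unscanned system with incoming access is exactly what the slides say gets exploited, so those block. Running the block prints "ok" for the web server, "block" for the old box (no contact, unsupported, ftp and telnet exposed, never scanned), "warn" for the laptop (missing MAC), and "warn" for the file share (high port visible, critical but unreviewed).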