130 likes | 218 Views
Computer Security Report. Stefan Lüders GLM October 25 th , 2010. Business as usual. Phishing Few users always reply (and then turn into SPAM bots or worse) Vulnerable OS: Still killing SLC3 and Win XP SP2 (collab’ with Michal & Jarek)
E N D
Computer Security Report Stefan Lüders GLM October 25th, 2010
Business as usual Phishing • Few users always reply (and then turn into SPAM bots or worse) Vulnerable OS: • Still killing SLC3 and Win XP SP2 (collab’ with Michal & Jarek) • CVE-2010-3081 against SLC4/5. Well done Gavin/Steve !!! GRID-SEC-001/003 • More/new sites affected on a regular basis • More problematic outside CERN, esp. on WLCG & EGI • SSC4 accomplished rather successful (failed on user blocking ) Vulnerable web applications • AIS, Vistar, MAG, INDICO, WWWCOMPASS, eLog, AB-DEP-… Stuxnet (targeted SCADA/PLC worm) • What a hype, but nothing at CERN (so far)
Top 5 Kernel rootkit detection • APQI (Thx Lionel!) pending packaging in IT/OIS (ready soon?!),ideas for an improved rkhunter, but no free resources Central monitoring of log files • LXPLUS/BATCH/ADM (should) report to FSLOGs (IT/PES) • Still problems with head-nodes; FSLOGs moved to Security Team • Central online analysis of all messages SSH 'receipts' for users • Deployed. A few HEP-related compromises already found Temporary privileged access (for root) • LX**ADM not accessible from LXPLUS anymore (Thx IT/PES!) • Multi-factor (Yubikey) in discussion with IT/PES & GS/AIS Tor usage at CERN • Prohibited. Violations are detected and users are notified
Top 10 (or 11) – Priority 1 Review all information published in IT • Partially done in groups; point has been taken by all Provide a secure IT web service • Defaults adapted (Thx. Juraj!) • Difficult to improve AFS service (waiting for migration to SLC5) • Some issues for Drupal, but solved by Juraj in the end Address web site vulnerabilities • Vulnerability scanners ready (Skipfish, w3af, Wapiti) • Full integration ready by end 2010 Audit IT software • Security Team regularly contacted for reviews:CMS online, service.now/SSO, Cluman, Kerberos/SSO, Boinc, Sindes, CDS/Invenio, CERN Global Network, Django/Shibboleth • However, we depend on users contacting us…
Top 10 (or 11) – Priority 2 Harden IT-supported systems • Comprehensive list produced with IT/PES • Priorities defined • Implementationprogresses slowly(no complaint here) Provide central log server for all services • (see Top 5) Provide net monitoring on Technical Network(s) • IDS deployed on TN/GPN gate and actively monitored • Still too many false positives. Will be addressed from Nov. 2010 Address authentication and authorization • FIM around the corner; discussions started for “v2.0” • Evaluating multi-factor authentication for LXADM (& others?)
Top 10 (or 11) – Priority 3 Secure access control lists in AFS • Permanent scans for clear text credentials in user space • Upcoming ACL restrictions for user space (implemented by Arne)(see https://cern.ch/security/rules/en/afs.shtml) • Need to be careful here due to lots of particularities • Thus, we go very slooowly here on purpose Divide LXPLUS for different use cases • Done as far as reasonably possible:i.e. split off LXADM, LXTNADM, LXVOADM Support secure web browsers • Browsers are as secure as these come shipped… • Firefox yet not (officially) supported by IT/OIS • Room for improvement; problems in BE with certificates on FF
Training and Awareness Awareness Presentation • First iteration done~throughout CERN (but IT) • Next iteration in 2011/2012 • Part of induction presentations • Integrated into CSC, openlab &summer student lectures Posters around the site Security Day • June 10th • 125 people present/on WebCast • Next time do this in winter New Security Team homepage (cern.ch/security) • Everything in one place, one look’n’feel, two languages
Training and Awareness Dedicated Security Courses • About 250 people in 6 sessions for “Developing secure software” • About 80 people for the “Secure coding…” courses • New provider of Perl/Python/Java under evaluation (HR Training)
Training and Awareness New Security Course • Revised SIR Security Course • Mandatory for all CERN users & to be redone every 3 years • Mails already out to people who have done the course before;pending for ~12000 more who never had (Thanks Francois!)
More… Static Code Tools • Evaluation done and advertised to use: https://cern.ch/security/recommendations/en/code_tools.shtml “Prodder” Device Scanning • CERN-wide scanning for selected vulnerabilities(anonymous FTP, open shared folders, weak web applications) • Role out started Security Baselines for every system & service • First baselines in from ATLAS, LHCb, IT/GT --- backlog with us Security inventory for LHC control systems (BE/CO) • Much more than just security: spare mgmt, dependencies, … Collaboration… • …with WLCG/EGI, ESA/ESO, FNAL/DESY, Etat/Police de Genève, ITU/IFRC/WIPO/UNHCR/ILO/WTO/WHO/GCSP, …
…to come. SEMS & service.now • User Event Management System Firewall Lifecycle • Regular reviews of firewall openings (Thx. Luna!) Webcam policy • Draft in progress with Legal Service’ Kirsten Baxter Enhancement of Security Culture at CERN • MBA of Sebastian:Promote security culture at CERN using HR processes CNIC2012 • Planning security enhancements for the 2012 shutdown • List of issues and priorities being prepared by the CNIC
Summary CERN did not faceany major security event in the last year. Good • (or we haven’t detected it yet. Bad ) Lots of progress on the Top 5+10(11) • Implementations are progressing reasonably well(given the manpower and priorities) • I believe next time the chart will be ~all green • Thank you all !!!!! The Security Team is entering new areasand further improving old ones • Extending & automating detection capabilities • Streamlining infrastructure & work flows • Improvement of interaction with users; reducing God workloadThx to Giacomo, Oriol, Sebastien D., Wojciech (who ~left)Kate, Pawel, Ryszard, Sebastien P., Ulrich (who joined) !!!!!