CERN’s Computer Security Challenge

Denise Heagerty, CERN Computer Security Officer
HEPiX Meeting, Oct 2003

Overview
- Incident Summary, 2001-2003 (Sep)
- Examples of recent incidents
- CERN Site Security
  - Access restrictions into CERN
  - Vulnerability scanning
  - Intrusion detection
  - Actions in progress
- Worrying trends
- What more can be done?
- Other suggestions

Incident Summary, 2001-2003

Incident Type                                        2001   2002   2003 (-Sep)
System compromised (intruder has control)              59     31     26
  security holes in software (e.g. ssh, kernel, ICQ, IE)
Compromised CERN accounts                              42     25     27
  sniffed or guessed passwords
Serious viruses and worms                              11     21    305
  Blaster/Welchia (290), Sobig (12), Slammer (3)
Unauthorised use of file servers                        -     13    119
  insufficient access controls, P2P file-sharing
Serious SPAM incidents                                 15     16      1
  CERN email addresses are regularly forged
Miscellaneous security alerts                           -      9      6
Total incidents                                       151    123    484

Examples of recent incidents
- Windows systems used as SPAM relays
  - Security hole in IE, no fix available (now MS03-40)
- Welchia and Blaster worms
  - ~300 PCs infected so far, new infections every day
- IRC bots and Remote Shell Trojans found on compromised accounts
- SucKIT root kits installed
  - Used security hole in Linux kernel and captured passwords
- Unauthorised file-sharing
  - P2P file-sharing is NOT permitted at CERN for personal use
  - Can spread viruses and install spyware

Site Security: Access into CERN
- Internet access into CERN is restricted
  - Low numbered TCP & UDP ports are protected by default
  - Stateful firewall combined with packet filtering
  - High throughput path for a few special application servers
  - Stronger restrictions for DHCP addresses
- Off-site sessions must be initiated by the clients
  - Protects unintended/vulnerable servers & backdoors
- VPN access into CERN for registered users
  - Requires agreement to CERN's VPN Security Requirements: updated anti-virus, latest patches, incoming connections firewalled, essential applications only, password secured
- Modem access into CERN for registered users
  - Serious source of security problems, needs to be addressed
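The slide lists the perimeter rules but not the order in which they are applied. The following is an added example, not CERN's firewall configuration: a small model of a stateful, default-deny inbound policy that returns the reason for each decision so the evaluation order is visible. The site block, the DHCP range, the registered-server table, the reading of "low numbered" as ports below 1024, and the way the slide's rules are combined are all assumptions made for the example.

```python
"""Added example (not CERN's own configuration): model of the inbound access
policy described on the slide. Address ranges, the registered server table and
the rule ordering are assumptions chosen for illustration."""
import ipaddress

SITE_NET = ipaddress.ip_network("10.0.0.0/8")     # assumed site address block
DHCP_NET = ipaddress.ip_network("10.128.0.0/9")   # assumed DHCP (portable/wireless) range
LOW_PORT_LIMIT = 1024                             # assumed reading of "low numbered"

# Hypothetical registered application servers: (ip, proto, port) opened at the firewall
REGISTERED_SERVERS = {
    ("10.1.1.22", "tcp", 22),   # SSH server opened to the Internet
    ("10.1.1.80", "tcp", 80),   # web server
}


def on_site(ip):
    return ipaddress.ip_address(ip) in SITE_NET


class StatefulFirewall:
    """Tracks sessions opened by on-site clients and decides inbound packets.
    Each decision returns a reason string, as a real firewall log would."""

    def __init__(self, registered=REGISTERED_SERVERS):
        self.registered = set(registered)
        self.sessions = set()  # (site_ip, proto, site_port, remote_ip, remote_port)

    def outbound(self, src, proto, sport, dst, dport):
        """An on-site client opens a session; remember it so replies are allowed."""
        if on_site(src) and not on_site(dst):
            self.sessions.add((src, proto, sport, dst, dport))
            return "allow: client-initiated"
        return "deny: not an on-site client talking to an off-site server"

    def inbound(self, src, proto, sport, dst, dport):
        """Decide an off-site packet addressed to an on-site host."""
        if on_site(src) or not on_site(dst):
            return "deny: not an inbound off-site packet"
        # 1. Stateful match: reply to a session the on-site client initiated
        if (dst, proto, dport, src, sport) in self.sessions:
            return "allow: reply to client-initiated session"
        # 2. Registered application server with this port opened
        if (dst, proto, dport) in self.registered:
            return "allow: registered server"
        # 3. DHCP addresses get stronger restrictions: no unsolicited inbound at all
        if ipaddress.ip_address(dst) in DHCP_NET:
            return "deny: unsolicited inbound to DHCP address"
        # 4. Low-numbered ports are protected by default
        if dport < LOW_PORT_LIMIT:
            return "deny: low-numbered port protected by default"
        # 5. Assumed default: everything else must be initiated from inside
        return "deny: off-site sessions must be initiated by on-site clients"


def demo():
    """Run constructed packets through the policy; returns {case: decision}."""
    fw = StatefulFirewall()
    results = {}
    fw.outbound("10.2.3.4", "tcp", 40000, "192.0.2.10", 80)
    results["http_reply"] = fw.inbound("192.0.2.10", "tcp", 80, "10.2.3.4", 40000)
    results["ssh_registered"] = fw.inbound("203.0.113.5", "tcp", 51000, "10.1.1.22", 22)
    results["ssh_unregistered"] = fw.inbound("203.0.113.5", "tcp", 51001, "10.4.4.4", 22)
    results["backdoor_dhcp"] = fw.inbound("203.0.113.5", "tcp", 51002, "10.200.1.1", 31337)
    results["rpc_135"] = fw.inbound("203.0.113.5", "tcp", 51003, "10.4.4.4", 135)
    results["p2p_high_port"] = fw.inbound("203.0.113.5", "tcp", 51004, "10.4.4.4", 6346)
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:16} {decision}")
```

The point of the ordering is that the state table is consulted before any static rule, so return traffic for client-initiated sessions never needs a hole in the perimeter, while an unsolicited connection to a backdoor or an unintended server only gets through if someone has registered that host and port.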

Site Security: Vulnerability Scanning
- Site-wide vulnerability scans
  - All networked systems must agree to be scanned
  - Scans are regular & scheduled following security alerts
  - Tools used depend on vulnerabilities being tested
  - Scans are made as non-intrusive as possible
  - Email sent to registered admins of vulnerable systems
  - Insecure systems may be blocked from the network
- System specific vulnerability scans
  - Servers are scanned before firewall access is opened
  - Based on Nessus vulnerability scanning tool (all ports)
  - Requires a security expert to assess results
  - Requests are mainly for SSH and Web servers
- Scan results are stored in a database
  - Provides status and evolution of site security

Site Security: Intrusion Detection
- Network based intrusion detection
  - Based on available software with local customisation
  - Off-site "scanning" (excessive destinations) alerts
  - Suspicious sites access alerts
  - Non-standard SSH server access alerts (based on SNORT)
  - IRC bots and backdoors detected by site-wide scanning
- Host based intrusion detection
  - Implemented on central Linux based servers
  - TCP activity recorded and stored in a database
  - Database is analysed daily for suspicious activity
- Integrated Security Database
  - IDS data is structured and stored in a database to aid incident detection and follow up
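Two of the network-based alerts on this slide, "excessive destinations" and "non-standard SSH server access", can be expressed as simple rules over recorded TCP activity. The following is an added example, not CERN's IDS or SNORT configuration, run over constructed connection records. The record format, the site address block, the registered SSH server list, the threshold and the time window are assumptions made for the example.

```python
"""Added example (not CERN's own IDS code): two detection rules from the slide
applied to constructed TCP connection records. Record layout, address ranges,
the registered SSH server list and the thresholds are assumptions."""
import ipaddress
from collections import defaultdict

SITE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed site address block
REGISTERED_SSH_SERVERS = {"10.1.1.22"}            # hypothetical registration list
SCAN_DEST_THRESHOLD = 20   # distinct off-site destinations per window before alerting
WINDOW_SECONDS = 60        # sliding window length

# Constructed sample records: (unix_time, src_ip, dst_ip, dst_port, proto)
SAMPLE_RECORDS = (
    # a workstation browsing three external web servers
    [(1000 + i, "10.2.3.4", "192.0.2.%d" % (i % 3), 80, "tcp") for i in range(6)]
    # an infected host sweeping 25 off-site addresses on 135/tcp within seconds
    + [(1000 + i, "10.9.9.9", "198.51.100.%d" % i, 135, "tcp") for i in range(25)]
    # inbound SSH to a registered server (normal) and to an unregistered host (alert)
    + [(1010, "203.0.113.5", "10.1.1.22", 22, "tcp"),
       (1011, "203.0.113.5", "10.4.4.4", 22, "tcp")]
)


def on_site(ip):
    return ipaddress.ip_address(ip) in SITE_NET


def offsite_scan_alerts(records, threshold=SCAN_DEST_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: peak_destinations} for on-site hosts that contacted more than
    `threshold` distinct off-site destinations inside any `window`-second span."""
    by_src = defaultdict(list)
    for ts, src, dst, _port, _proto in records:
        if on_site(src) and not on_site(dst):
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        live = defaultdict(int)   # destination -> number of events inside the window
        for ts, dst in events:
            live[dst] += 1
            # slide the window start forward past events older than `window`
            while events[start][0] < ts - window:
                old = events[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            if len(live) > threshold:
                alerts[src] = max(alerts.get(src, 0), len(live))
    return alerts


def unregistered_ssh_alerts(records, registered=REGISTERED_SSH_SERVERS):
    """Return sorted (src, dst) pairs for inbound SSH sessions to on-site hosts
    that are not on the registered SSH server list."""
    hits = set()
    for _ts, src, dst, port, proto in records:
        if proto == "tcp" and port == 22 and not on_site(src) and on_site(dst) \
                and dst not in registered:
            hits.add((src, dst))
    return sorted(hits)


if __name__ == "__main__":
    print("scanning hosts:", offsite_scan_alerts(SAMPLE_RECORDS))
    print("unregistered SSH servers:", unregistered_ssh_alerts(SAMPLE_RECORDS))
```

Counting distinct destinations inside a sliding window, rather than total connections, is what separates a worm sweeping address space from a busy but legitimate client that talks to a few servers many times; the SSH rule is only as good as the registration list it is checked against, which is why the slide pairs it with a scan before firewall access is opened.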

Site Security: Actions in Progress
- Hardware address registration enforced for computers using DHCP (wireless, portables)
  - Allows the user to be informed of problems
  - Started for some buildings, rest of site before Xmas
- Off-site FTP closure
  - Firewall block planned for 20 Jan 2004
- AFS password expiry enforcement
  - Forced annual password changes + email warnings
  - Already enforced for Windows/Mail passwords
- Network Connection Rules
  - Define acceptable network and security practice
  - System admins must agree before connecting systems

Worrying Trends
- Break-ins are devious and difficult to detect
  - E.g. SucKIT rootkit
- Worms are spreading within seconds
  - Welchia infected new PCs during the installation sequence
- Poorly secured systems are being targeted
  - Home and privately managed computers are a huge risk
- Break-ins occur before the fix is out
  - SPAM relays used a new hole before a patch and anti-virus were available
- People are often the weakest link
  - Infected laptops are physically carried on site
  - Users continue to download malware and open tricked attachments
- Intruders and worms can do more damage. When?

What more can be done?
- Restrict/eliminate direct modem access
  - Firewall protection has proved to be necessary
  - Modem access is provided by ISPs
- Reduce the need for VPN to access CERN services
  - Offer popular services to the general Internet: mail, authenticated web sites, file access, …
- Further enhance firewall protections
  - Database driven and based on requirements
- Enhance system and application security
  - Some patches need deadlines and forced reboots
  - Security & anti-virus updates should not rely on home site access
  - Personal firewalls can reduce risk and buy time
- Improve security awareness
  - Common messages across the HEP community would help

Other Suggestions
- Your suggestions are welcome…