Computer Security in ST Division

1
Computer Security in ST Division

• CERN Computer Security Officer
• Denise Heagerty (IT/DI)
• ST linkpersons
• Eva Sanchez-Corral Mena (ST/MA)
• Uwe Epting (ST/MA)

2
Outline

• Who is concerned?
• Why is it important?
• General Recommendations
• Office Users
• Control Systems
• Additional Information

3
Computer Security in ST

• Who is concerned?
• Everybody !
• Why?
• Everybody is responsible for computer security on
  his/her machine
• The law Operational Circular No. 5
• BUT two categories
• OFFICE
• CONTROL SYSTEM

4
Why is it important?

• Almost daily appearance of viruses
• executable viruses
• risk of destroying or manipulating your data
• internet worms
• risk of destroying data and network blocking
• trojan horses, password spies
• risk of (software) sabotage
• risk of publishing of confidential data

5
General Recommendations

• Do not open e-mail attachements
• if you are not sure about their content
• Click CANCEL instead of OK
• in unexpected web dialogue boxes
• Do not answer unsolicited e-mail
• delete it
• Do not run unknown software
• Choose secure passwords
• change them regularly
• Avoid exposure of passwords and/or other
  confidential information
• e.g. through unencrypted web-applications

6
Office Users

• Use the central CERN environment for
• NICE (Windows)
• Linux
• MacOSX
• Apply security patches timely as well as
  immediately when you are asked to do so.
• assistance available desktop support or C168
• Follow the CERN security recommendations

7
Control Systems (1)

• Some problems
• not centrally managed
• different Operating System flavours
• cannot be stopped for updates
• PLCs and HP workstations not covered by IT
  computer security
• Nevertheless the "Responsible of the device" has
  to keep the systems secure!

8
Control Systems (2)

• Some recommendations and ideas
• run on the "technical network"
• not directly accessible from outside CERN
• disable unnecessary applications
• like web, telnet, ftp, ..., and Office
  applications
• choose correct network connection
• NONE or OUTGOING, not INCOMING
• limit/configure computers/PLCs that can talk to
  each other
• personal firewalls, "filtering" gateways

9
Control Systems (3)

• Foresee strategy for updates during operation
• Installation of security patches
• Operating system updates
• Some ideas
• redundant servers
• spare server for temporary replacement
• plan maintenance periods
• allow short interruptions of system components
  without stopping the rest
• plan time for downtime and disaster recovery
• ensure backups and rollback possibilities

10
Control Systems (4)

• Design your system to resist security scans
• Some viruses do port scanning
• Old systems can be excluded from IT security
  scans
• foresee upgrades of those systems
• Avoid generic logins
• like cern, tcr, stcv, stel, ...
• if really needed, restrict access rights to the
  absolute minimum
• do system administration with a safe password
• Keep a logfile
• allowing the trace back of incidents

11
More information ...

• IT Computer Security web pages
• http//cern.ch/security
• read especially
• CERN's Computer Security Recommendations
• Password Recommendations at CERN
• Risks and how you can help to reduce them
• Test your systems!
• scans may be launched by IT on request

12
Questions ?
?