
Computer Security in ST Division

CERN Computer Security Officer: Denise Heagerty (IT/DI). ST linkpersons: Eva Sanchez-Corral Mena (ST/MA), Uwe Epting (ST/MA). Outline: Who is concerned? Why is it important? General Recommendations. Office Users. Control Systems. Additional Information.


Presentation Transcript


  1. Computer Security in ST Division
     CERN Computer Security Officer: Denise Heagerty (IT/DI)
     ST linkpersons: Eva Sanchez-Corral Mena (ST/MA), Uwe Epting (ST/MA)
     Uwe Epting - ST/MA

  2. Outline
     • Who is concerned?
     • Why is it important?
     • General Recommendations
     • Office Users
     • Control Systems
     • Additional Information

  3. Computer Security in ST
     • Who is concerned?
       • Everybody!
     • Why?
       • Everybody is responsible for computer security on his/her machine
       • The law: Operational Circular No. 5
     • BUT: two categories
       • OFFICE
       • CONTROL SYSTEM

  4. Why is it important?
     • Almost daily appearance of viruses:
       • executable viruses
         • risk of destroying or manipulating your data
       • internet worms
         • risk of destroying data and network blocking
       • trojan horses, password spies
         • risk of (software) sabotage
         • risk of publishing of confidential data

  5. General Recommendations
     • Do not open e-mail attachments
       • if you are not sure about their content
     • Click CANCEL instead of OK
       • in unexpected web dialogue boxes
     • Do not answer unsolicited e-mail
       • delete it
     • Do not run unknown software
     • Choose secure passwords
       • change them regularly
     • Avoid exposure of passwords and/or other confidential information
       • e.g. through unencrypted web applications

  6. Office Users
     • Use the central CERN environment for
       • NICE (Windows)
       • Linux
       • MacOSX
     • Apply security patches promptly, and immediately when you are asked to do so.
       • assistance available: desktop support or C168
     • Follow the CERN security recommendations

  7. Control Systems (1)
     • Some problems:
       • not centrally managed
       • different Operating System flavours
       • cannot be stopped for updates
       • PLCs and HP workstations not covered by IT computer security
     • Nevertheless the "Responsible of the device" has to keep the systems secure!

  8. Control Systems (2)
     • Some recommendations and ideas:
       • run on the "technical network"
         • not directly accessible from outside CERN
       • disable unnecessary applications
         • like web, telnet, ftp, ..., and Office applications
       • choose correct network connection
         • NONE or OUTGOING, not INCOMING
       • limit/configure computers/PLCs that can talk to each other
         • personal firewalls, "filtering" gateways

  9. Control Systems (3)
     • Foresee strategy for updates during operation
       • Installation of security patches
       • Operating system updates
     • Some ideas:
       • redundant servers
       • spare server for temporary replacement
       • plan maintenance periods
       • allow short interruptions of system components without stopping the rest
       • plan time for downtime and disaster recovery
       • ensure backups and rollback possibilities

  10. Control Systems (4)
     • Design your system to resist security scans
     • Some viruses do port scanning
     • Old systems can be excluded from IT security scans
       • foresee upgrades of those systems
     • Avoid generic logins
       • like: cern, tcr, stcv, stel, ...
       • if really needed, restrict access rights to the absolute minimum
       • do system administration with a safe password
     • Keep a logfile
       • allowing the trace back of incidents

  11. More information ...
     • IT Computer Security web pages:
       • http://cern.ch/security
       • read especially
         • CERN's Computer Security Recommendations
         • Password Recommendations at CERN
         • Risks and how you can help to reduce them
     • Test your systems!
       • scans may be launched by IT on request

  12. Questions?
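
An added example, not part of the original presentation: a small audit a device responsible could run against the advice on slides 8 and 10, flagging the generic logins named there and the unnecessary services (web, telnet, ftp) that listen on a network address. The sample passwd entries, the "address:port" listener format and the nologin shell paths are assumptions constructed for illustration.

```python
# Added example: checks for the generic logins (slide 10) and unnecessary
# services (slide 8) named in the presentation. All sample data is constructed.
GENERIC_LOGINS = {"cern", "tcr", "stcv", "stel"}        # names from slide 10
UNNEEDED_PORTS = {21: "ftp", 23: "telnet", 80: "web"}   # services from slide 8
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed passwd(5)-format sample.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
tcr:x:501:100:shared console account:/home/tcr:/bin/sh
stcv:x:502:100:shared account, locked:/home/stcv:/sbin/nologin
jdoe:x:1001:100:named user:/home/jdoe:/bin/sh
"""
# Constructed "address:port" listener list (assumed format, e.g. exported from netstat).
SAMPLE_LISTENERS = ["0.0.0.0:23", "127.0.0.1:80", "0.0.0.0:502", "0.0.0.0:21"]


def generic_logins(passwd_text, names=GENERIC_LOGINS):
    """Return (user, can_log_in) for each account whose name is on the generic list."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue  # comment, blank or malformed entry
        user, shell = fields[0], fields[6].strip()
        if user in names:
            # An empty shell field means the system default shell, so login works.
            found.append((user, shell not in NOLOGIN_SHELLS))
    return found


def exposed_services(listeners, unneeded=UNNEEDED_PORTS):
    """Return the unneeded services that listen on a non-loopback address."""
    hits = set()
    for entry in listeners:
        addr, _, port = entry.rpartition(":")
        addr = addr.strip("[]")  # IPv6 literals are written as [addr]:port
        if addr.startswith("127.") or addr == "::1" or not port.isdigit():
            continue
        if int(port) in unneeded:
            hits.add(unneeded[int(port)])
    return sorted(hits)


if __name__ == "__main__":
    for user, can_log_in in generic_logins(SAMPLE_PASSWD):
        print(f"generic login {user}: {'interactive shell' if can_log_in else 'locked'}")
    print("unneeded services reachable from the network:", exposed_services(SAMPLE_LISTENERS))
```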
