CERN found itself under heavy attack in summer 2015 with cybercriminals trying to take over PCs and computing accounts and aiming to extract some of our public documents. While the attack only lasted a few days and was visibly not successful in the end, it laid the foundation for an initiative to strengthen CERN's protective measures further.
CERN, with its open, academic culture, has always been susceptible to cyberattacks of many different kinds, as are all companies and institutes worldwide. Thanks to your vigilance, attacks are usually fought off. Training sessions and awareness-raising campaigns have proven fruitful on many occasions. Still, there is room for improvement (see our Bulletin article “One click and BOOM… (Reloaded)”). Computer security is a moving target, and defensive measures need continual adaptation and adjustment. The aforementioned attack in summer 2015 and the 2016 Crisis Management Exercise run by CERN’s senior management triggered increased efforts to raise our defences. Thanks to the support of the CERN Management, four important security initiatives were launched:
* The mail service, in collaboration with the Computer Security team, has deployed a dedicated appliance that automatically analyses all our e-mails for malicious content (see also “Protect your click”). Our FireEye EX device even simulates user activity (such as opening attachments) in order to trigger any malicious behaviour hidden in the e-mails sent to us. It is now in full operation, and many waves of malware, such as the Dridex banking malware, have been prevented from reaching your inbox.
* For those e-mails that still make it through, the IT department’s Windows team has started deploying specially hardened Windows PCs for those colleagues who regularly have to open unsolicited attachments, in particular PDF files. If infected, those PDFs will certainly compromise the PC and the local computing accounts. Hardened Windows PCs are less susceptible to infection thanks to a suite of additional protective measures (e.g. administrator rights removed, an alternative PDF reader installed, Flash phased out, execution restrictions for macros and local commands). A pilot is already running with our colleagues in the Finance and Human Resources sector. A big thank you to all participants!
* Thanks to a collaboration between the Accelerator and Technology sector and the IT department, additional access protections are on the horizon: multi-factor authentication (the use of a hardware token in addition to your password) is currently being investigated so that it can be deployed on dedicated Windows and Linux Bastion hosts (see also our article “Pimp up your password”). Those Bastion hosts (bastions indeed!) will become gateways for any interactive remote access into CERN’s accelerator network (i.e. the “Technical Network”) as well as for administrator access to CERN’s Data Centre.
* Finally, in line with a new strategy defined by the Beams department and the CNIC (Computing and Networking Infrastructure for Controls) working group, our colleagues from the OpenStack virtualisation service have started looking into ways to provide dedicated virtual machines for the control system development on the accelerator network. While those virtual machines are currently located on CERN’s office network, they should virtually move closer to the control system devices to ease development and testing.
Of course, we are trying to make all these extra measures as convenient and transparent as possible for you and your daily work. Still, we are counting on your support to ensure that CERN’s operations proceed in the most secure fashion.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, visit our website or contact us at Computer.Security@cern.ch.