Have you ever heard of the “Broken Windows Theory”? It was introduced in 1982 by social scientists and suggests that serious crime and anti-social behaviour are more likely in environments where small offences such as vandalism, public drinking and turnstile-jumping have already created an atmosphere of lawlessness. The city of New York adopted the theory in the hope of reducing crime by creating a more positive urban environment, leading to order and lawfulness. We should apply the same theory to the computing services we expose to the Internet.
Computing services at CERN are run by a large variety of people, but primarily by our colleagues in the IT department. On top of their service offerings, users can create web services that are reachable from the Internet. In parallel, our research community, the experiments and the accelerator sector independently run computing services, which also have openings to the Internet. While the Computer Security Team controls the openings in CERN’s outer perimeter firewall and assesses the security level of a service before any new opening is permitted, maintaining that security level for all open services afterwards is currently quite tiresome. On the one hand, computer security is a highly dynamic subject and what was secure yesterday might be insecure tomorrow (think of the “Shellshock” or “POODLE” vulnerabilities of the past). On the other hand, the motto “don’t touch a running system” invites negligence, and negligence lets open services deteriorate.
Recent computer security scans have shed a rather sinister light on those CERN computing services exposed to the Internet. Not all of them are perfectly secure anymore. Certificates have expired or are just “random” (e.g. self-signed or without a chain of trust), encrypted channels still accept protocols or ciphers that are now deemed insecure, landing pages are missing, or the software is no longer up to date. All owners of the affected services have, of course, been notified!
But still, as in New York, deteriorated services might attract evil-doers to carry out their malicious deeds. Let’s keep our Internet presence secure and professional! Let’s apply New York City methods! We already scan for vulnerable websites and outdated configurations, we already check whether current firewall openings are still needed and we notify the owners of affected services, but we need to do more! On the one hand, we should look into adapting the defaults for centrally managed services in order to have an elevated and more secure base configuration. On the other hand, we would like to ask all owners of computing services, in particular those for whom running that service is not their primary occupation, to keep a closer eye on them. Don’t let them deteriorate! Keep them up to date and verify regularly that you are running the most recent versions. Check your certificates and renew them in time. Have a landing page or, if that is not possible, redirect to “home.cern”. And, finally, review all your firewall openings and ask us to close those that are no longer needed. Hence, for 2019 and beyond, let’s keep our Digital Broken Windows under control.
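The certificate items in that list can be scripted with the openssl command-line tool. The script below is an added example, not CERN’s own tooling: it flags certificates that have expired or are about to (openssl x509 -checkend), self-signed certificates (issuer equals subject) and certificates that do not chain to a trusted CA (openssl verify), which are exactly the findings the scan reported. It assumes only that the openssl CLI is installed; the “Demo CA”, the host names, the Debian CA-bundle path and the make_demo_pki helper are assumptions for illustration, and the helper builds a throwaway CA and two certificates locally so the whole thing runs offline.

```shell
#!/bin/sh
# cert_audit.sh: added example, not CERN's own tooling. Scripts the
# certificate checks from the list above using only the openssl CLI
# (assumed installed). Names, paths and the demo PKI are assumptions.

# 0 if the PEM certificate $1 will have expired $2 days from now, else 1.
cert_expires_within_days() {
    # openssl exits 0 while the certificate is still valid at now + N seconds
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the subject or issuer DN of $1 without the "subject="/"issuer=" prefix.
_dn() { openssl x509 -in "$1" -noout "$2" | sed 's/^[^=]*=//'; }

# 0 if $1 is self-signed (issuer equals subject): a "random" certificate that
# browsers and API clients reject, or that users learn to click through.
cert_is_self_signed() {
    [ "$(_dn "$1" -subject)" = "$(_dn "$1" -issuer)" ]
}

# 0 if $1 chains to a CA in the PEM bundle $2
# (default: Debian's system store, an assumption; adjust for your platform).
cert_chains_to() {
    openssl verify -CAfile "${2:-/etc/ssl/certs/ca-certificates.crt}" "$1" >/dev/null 2>&1
}

# 0 if the server at $1:$2 still negotiates the legacy protocol selected by
# flag $3 (default -tls1_1; -tls1, or -ssl3 for POODLE if your build still
# has it). Needs a live connection, so the offline demo does not call it.
legacy_tls_accepted() {
    openssl s_client -connect "$1:$2" "${3:--tls1_1}" </dev/null >/dev/null 2>&1
}

# Audit certificate $1 against CA bundle $2, warning $3 days (default 30)
# before expiry. Prints one line per finding; returns 0 only when clean.
audit_cert() {
    _cert="$1"; _ca="$2"; _warn="${3:-30}"; _rc=0
    [ -r "$_cert" ] || { echo "FAIL $_cert: cannot read certificate"; return 1; }
    _end=$(openssl x509 -in "$_cert" -noout -enddate | sed 's/^[^=]*=//')
    if cert_expires_within_days "$_cert" 0; then
        echo "FAIL $_cert: expired on $_end"; _rc=1
    elif cert_expires_within_days "$_cert" "$_warn"; then
        echo "WARN $_cert: expires within $_warn days ($_end)"; _rc=1
    fi
    if cert_is_self_signed "$_cert"; then
        echo "FAIL $_cert: self-signed, no chain of trust"; _rc=1
    elif ! cert_chains_to "$_cert" "$_ca"; then
        echo "FAIL $_cert: does not chain to a CA in ${_ca:-the system store}"; _rc=1
    fi
    [ "$_rc" -eq 0 ] && echo "OK   $_cert: valid until $_end"
    return "$_rc"
}

# Demo only (constructed data): build a throwaway CA, one "random" self-signed
# certificate that expires in 10 days and one CA-signed certificate valid for
# a year, all under directory $1, so the checks can be exercised offline.
make_demo_pki() {
    _d="$1"
    # minimal req config so the demo does not depend on the system openssl.cnf
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > "$_d/req.cnf"
    openssl req -x509 -batch -config "$_d/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 365 -subj "/CN=Demo CA" -keyout "$_d/ca.key" -out "$_d/ca.pem" 2>/dev/null || return 1
    openssl req -x509 -batch -config "$_d/req.cnf" -newkey rsa:2048 -nodes \
        -days 10 -subj "/CN=old.example" -keyout "$_d/old.key" -out "$_d/old.pem" 2>/dev/null || return 1
    openssl req -new -batch -config "$_d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=good.example" -keyout "$_d/good.key" -out "$_d/good.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$_d/good.csr" -CA "$_d/ca.pem" -CAkey "$_d/ca.key" -CAcreateserial \
        -days 365 -out "$_d/good.pem" 2>/dev/null
}

# Usage: sh cert_audit.sh CERT.pem [CA_BUNDLE.pem] [WARN_DAYS]   or   --demo
case "${1:-}" in
    "")      echo "usage: $0 CERT.pem [CA_BUNDLE.pem] [WARN_DAYS] | --demo" ;;
    --demo)  _demo=$(mktemp -d) && make_demo_pki "$_demo"
             audit_cert "$_demo/old.pem"  "$_demo/ca.pem" 30 || true   # WARN + FAIL
             audit_cert "$_demo/good.pem" "$_demo/ca.pem" 30 || true   # OK
             rm -rf "$_demo" ;;
    *)       audit_cert "$@" ;;
esac
```

Run it against the certificate file your web server actually serves, with the CA bundle your clients trust; a WARN thirty days out is the cue to renew before the next scan (or your users) notice, and a self-signed FAIL is the cue to request a proper certificate rather than to add an exception. Pair it with a scheduled job and with the other items in the list above (package updates, landing page, firewall openings), since an expired certificate is the most visible sign of a service nobody is looking after.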
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.