Providing computer security for an organisation, company or university resembles playing a permanent game of chess. Developing a strategy, putting your pieces in place, thinking of your next moves and those of your adversary, and sweating over the unknowns of the attacker’s intentions. Fancy a game?
Strategy-wise, computer security requires a so-called defence-in-depth approach, with protections throughout the digital landscape applied on preferably every layer. Protections for accounts, laptops, smartphones, servers and other devices, which are integrated in running control systems and IT services, incorporated into software development as well as hardware production, and part of processes and procedures. Thereby reducing the overall risks – financial, legal, reputational and operational – to the Organization, avoiding identity theft and impersonation, controlling its assets and ensuring that its IT systems do not become unsecured, vulnerable or weak.
With that, are you ready to position your pieces? CERN’s holy grail is, of course, its physics programme – the king – with its accelerators and experiments as well as its back-end IT infrastructure (“About risks and threats”). The king must be well protected by the queen – two-factor authentication – such that the loss of a single password does not compromise the king. Well positioned on her right and left flanks are the bishops of spam filtering and anti-malware protection for emails and their attachments. These bishops are supposed to let only the good emails through, filtering out malicious links and attachments and providing an additional layer of protection for the king and his well-being (“Email equals letters”). As in real life, the rooks corner the scene at the outer perimeter, like the fortress of CERN’s redundant pair of outer-perimeter firewalls with their sophisticated threat protection (“CERN’s new first line of defence”) as well as dedicated intrusion detection systems on the network and the central domain name servers (“Scaling out intrusion detection”). Between the rooks and the bishops you find the most sophisticated bits of protection: the knights. As complicated in their moves as the implementation of a decent software-development life cycle (“Beauty under the hood”) via the IT department’s new operations model, software dependency curation tools (“Unwanted presents”) and business continuity and disaster recovery plans (“Disaster for your crown jewels”). But, once deployed in the right position, the power of the knights provides an additional level of assurance. And, finally, a dense line of pawns is scattered among the other pieces, close to the people, just like antivirus software (end-point detection and response, EDR) is close to your computer. The board is set. Ready to protect.
Overall, this set of pieces is governed by the Computer Security team, its overall strategy and its expertise in incident response. If they are properly deployed, the king – CERN’s digital assets – is well secured. At the core is the security operations centre (SOC), providing intelligence, looking out for so-called “indicators of compromise” (IoCs) and coordinating the moves of the bishops, rooks and pawns – aka email filters, firewall protection and EDR – to provide maximum protection. The pieces cover each other to achieve defence in depth, and redundancies avoid single points of failure. In addition, thanks to the SOC, this core can agilely adapt to new situations (like the deployment of a new email infrastructure or the extensive flexibility of CERN’s bring-your-own-device approach). Anticipating the attackers’ moves, bishops, rooks and pawns are redeployed to provide maximum protection to the king. Overshadowing him is the queen, the real power on the board once she can move freely. She is the silver bullet when deployed as two-factor authentication, but only comes to power when thoroughly deployed. This is why the Computer Security team is pushing for two-factor authentication to be used to protect all “critical” user accounts. Similarly, CERN’s knights deserve more attention. Software life cycles, software curation and business continuity and disaster recovery plans require greater coordination, funding and priority. Knights can be an effective force coming from behind when well positioned and must not be neglected because of their unusual and complicated style of movements.
The past has shown that CERN’s pieces have been well positioned so far. But this does not necessarily extrapolate to the future. We must all continue contributing (“STOP – THINK – DON’T CLICK”, remember?) and invest in our chessboard in order to counter any attackers. The permanent game of chess, of protection and defence, has just begun for another day.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.