Computer Security: Too open even for academia?

We are CERN. We are scientific. We are academic. We explore. We discover. We discuss. We publish. It is in our profession. In our values. In our genes. And in our mandate. Sharing information, developments and discoveries to the maximum. Because we can and because we should. But, hold on! Where are the limits?

Limits there are, for sure! After all, not all information, documents and data produced at CERN are academic/scientific in nature or for public eyes. We should make sure that we keep a healthy balance of publishing to the max, while keeping the confidential stuff only for those people who have a legitimate need to access it. If you follow our regular monthly reports, you might have seen that CERN is under constant attack. Evil people are on the prowl to extract juicy data and other information from us: infiltrating Indico conferences or Zoom meetings (“Videoconferencing pitfalls”), trawling our public webpages for documents that shouldn’t be public, sifting through our Service Now (SNOW) or Jira ticketing systems for issues and requests containing confidential information (e.g. personal data, credit card numbers, internal procedures), analysing our Git software repositories for passwords or similar credentials, or manipulating and spamming our folks via e-mails sent to unprotected e-group mailing lists.

The exposure of confidential data poses a risk to CERN, as a successful attacker might blackmail CERN and threaten to circulate internal documents more widely, abuse passwords and other credentials to further infiltrate CERN (“An attack for more security”) or mass-spam CERN (and external!) e-mail addresses (“Stop SPAM!”).

Hence, if you are managing CERN-hosted websites, e-groups, Git repositories or projects in Jira, if you are a supporter of a so-called “Functional Element” in SNOW, if you regularly open SNOW or Jira tickets, or if you are running Indico or Zoom meetings, double-check their default settings. Your first choice for data protection should be “CERN internal” or – even better – “CERN restricted”, i.e. restricted to an e-group of those who really need to access or contribute to that data. Only if you are sure that no compromising data is exposed and that there is no means for abuse should you consider opening it up. Fulfil CERN’s mandate. Share. And make CERN truly academic.

______

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.