Computer Security in AIS
Nowadays
there is a lot of concern around IT security. Who
has not heard about Cyber-attacks, intrusion, viruses
and hackers? In the AIS
environment we are taking these questions very seriously
and we are trying to be as well prepared as possible
in order to avoid incidents or disruption of our services.
Recent
surveys have shown that around 90 percent of large corporations
and organizations have detected computer security breaches
of all sorts, not just hacker attacks, during the previous
12 months. Some involved incidents like viruses, Internet
abuse by employees and laptop thefts. But 70 percent
reported financial fraud, system penetration, theft
of proprietary information and denial-of-service attacks
(when a Web site is knocked offline and is unable to
do business). Of the organizations surveyed, 74 percent
admitted financial losses, but only 42 percent were
willing to or able to quantify those losses. Many companies
are not willing to admit that they have been attacked
for fear of getting bad publicity and losing the confidence
of customers.
A
very high percentage of the assaults succeeded due to
known vulnerabilities, security gaps that have not yet
been patched, and poor security practices in general.
Badly configured firewalls and obvious administrator
passwords are also often mentioned.
Many
specialists believe that we will see a significant increase
in the attacks over the coming years. We must therefore
be prepared and understand how to avoid, minimize or
recover from the potential damage.
What
do we do in order to protect the AIS systems and the
services we are providing?
Our goal is to
be able to guarantee:
• Confidentiality
and Integrity. Information should be available to,
and modified by, only those who are authorised to do
so.
• Availability. Information
should be accessible to those who need it when they
need it.
Here follow some
of the measures we have taken in order to provide a
reliable service.
The AIS Firewall
What is a Firewall?
A Firewall is a sort of “network
filter” that allows protection against access from outside
computers. It should make it more difficult for people
trying to get unauthorised access to the systems “inside”
the Firewall. The Firewall can block information from
entering a network or from getting out of that network,
and it can permit different users to perform different kinds
of operations, according to the user's authorizations.
In addition to
the CERN standard Firewall we have an AIS Firewall that
shields off all the AIS systems
from the rest of CERN. As we have full control of who
and what our users need to access, we can be very restrictive
in what we let pass through.
Software Patching
What is a Software Patch?
A patch can be an update to
address new issues such as a security problem, or it can
be an upgrade (adding increased features) or a bug fix.
An important part
of the overall protection is to make sure that all the
systems are up to date, especially concerning security
patches. New “holes” and flaws are regularly discovered
and the suppliers provide patches for fixing these problems.
We therefore have automatic jobs that check that we
have the correct levels installed on our systems and
warn us if not.
Monitoring of Security Alerts
Computer- and network-security
organizations like CERT regularly publish Security Alerts
that warn and inform about problems and software fixes.
We need to stay aware of immediate steps that can be
taken in order to reduce the exposure to the vulnerability.
This is mostly done via mailing lists and different
web sites.
Monitoring of User accounts
Leaving unused
user accounts available and open on the systems is also
a security hole. We therefore have automatic jobs, running
regularly, detecting user accounts on the servers that
have not been used for a certain period of time and
locking these accounts. Root and administrator accounts
have enforced rules for password selections.
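A sketch of the kind of inactive-account job described above, added here as an illustration and not the AIS team's own code. The 90-day threshold, the UID cutoff for system accounts and the sample inventory are assumptions; the job only builds the lock commands and does not run them.

```python
from datetime import datetime, timedelta

# Assumed policy values: the article only says "a certain period of time".
MAX_IDLE = timedelta(days=90)
MIN_HUMAN_UID = 1000  # assumption: lower UIDs are root/system accounts

# Constructed sample inventory:
# (name, uid, last_login or None, created, already_locked)
SAMPLE_ACCOUNTS = [
    ("root",  0,    "2024-05-30", "2020-01-01", False),
    ("alice", 1001, "2024-05-20", "2021-03-01", False),
    ("bob",   1002, "2023-11-15", "2020-06-01", False),
    ("carol", 1003, None,         "2024-05-10", False),
    ("dave",  1004, None,         "2023-01-10", False),
    ("erin",  1005, "2022-01-01", "2019-01-01", True),
]

def find_stale_accounts(accounts, now, max_idle=MAX_IDLE):
    """Return (name, reason, idle_days) for accounts that should be locked."""
    stale = []
    for name, uid, last_login, created, locked in accounts:
        if locked or uid < MIN_HUMAN_UID:
            # Already locked, or a root/system account that is governed
            # by separate rules and must never be auto-locked.
            continue
        if last_login is None:
            # Never used: count idleness from creation, so a freshly
            # provisioned account gets the same grace period.
            since, reason = created, "never logged in"
        else:
            since, reason = last_login, "inactive"
        idle = now - datetime.fromisoformat(since)
        if idle > max_idle:
            stale.append((name, reason, idle.days))
    # Longest-idle accounts first, for the review report.
    return sorted(stale, key=lambda row: row[2], reverse=True)

def lock_commands(stale):
    """Build (not execute) lock commands for an operator to review.

    Expiring the account as well as locking the password matters on
    hosts that accept SSH public keys: a password lock alone does not
    stop key-based logins.
    """
    return [f"usermod --lock --expiredate 1 {name}" for name, _, _ in stale]

if __name__ == "__main__":
    for cmd in lock_commands(find_stale_accounts(SAMPLE_ACCOUNTS,
                                                 datetime(2024, 6, 1))):
        print(cmd)
```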
Web server access
The AIS Common Login provides a mechanism
for encrypted authentication with the AIS
applications. Some of the applications, like BHT, EDH and HRT,
also provide an encrypted channel between the Web browser
client and the Web server. The web servers’ access logs
are processed and scanned to detect attempts to
compromise the systems.
Database access
In order to guarantee
correct functioning of the AIS
databases we have developed and implemented tools
for automatic problem detection and performance monitoring.
Securing communication for sensitive access
We are using the
secure shell (SSH) suite of security enhancing tools
that addresses the problem of host and user authentication
by using public key cryptography, and the problem of
clear text data transmission by using data encryption.
SSH is a strong defence against network sniffing and
DNS/IP spoofing.
Network services
We are reducing
to a strict minimum the different network services available
on the systems. This could include things like electronic
mail, access to the Web, domain name services, file
transfers, and access to databases.
Backups
In the event of
a compromised system or any other event that has led
to data loss or corruption it is absolutely critical
to have reliable backup copies of all information resources.
The goal is to minimise the loss of data and be able
to restore the situation as closely as possible to what
it was prior to the event.
All our systems
and databases are regularly backed up. The databases
are given particular attention; all redo-logs, which
contain all the transactions, are backed up several
times per day on three different backup nodes in two
different locations (one off site i.e. not in the computer
centre).
The physical media
that holds the backup data is stored in fireproof safes
off site.
The media is periodically,
at least once a month, tested and verified. It is very
important to be able to trust the backup system and
be sure that we actually can restore a database or a
complete system in case of a disaster.
The Users
We should remember
that the users also contribute to enforcing the overall
level of security. Selecting good passwords that are
difficult to guess, not leaving unattended connections
open and not opening e-mail attachments from strangers are
simple measures that everyone can take.
Mats Moller
AS-SAS
Group Leader