AIS Newsletter, October 2001






EDITORIAL


RECENT NEWS


Computer Security in AIS

Nowadays there is a lot of concern around IT security. Who has not heard about cyber-attacks, intrusions, viruses and hackers? In the AIS environment we take these questions very seriously, and we try to be as well prepared as possible in order to avoid incidents or disruption of our services.

Recent surveys have shown that around 90 percent of large corporations and organizations have detected computer security breaches of all sorts, not just hacker attacks, during the previous 12 months. Some involved incidents like viruses, Internet abuse by employees and laptop thefts. But 70 percent reported financial fraud, system penetration, theft of proprietary information and denial-of-service attacks (when a Web site is knocked offline and is unable to do business). Of the organizations surveyed, 74 percent admitted financial losses, but only 42 percent were willing or able to quantify those losses. Many companies are not willing to admit that they have been attacked for fear of getting bad publicity and losing the confidence of their customers.

A very high percentage of the assaults succeeded because of known vulnerabilities, security gaps that had not yet been patched, and poor security practices in general. Badly configured firewalls and obvious administrator passwords are also often mentioned.

Many specialists believe that we will see a significant increase in attacks over the coming years. We must therefore be prepared and understand how to avoid, minimize or recover from the potential damage.

What do we do in order to protect the AIS systems and the services we are providing?

Our goal is to be able to guarantee:

  • Confidentiality and Integrity. Information should be available to, and modified by, only those who are authorised to do so.
  • Availability. Information should be accessible to those who need it when they need it.

Here are some of the measures we have taken in order to provide a reliable service.

The AIS Firewall

What is a Firewall?
A Firewall is a sort of “network filter” that protects against access from outside computers. It should make it more difficult for people trying to get unauthorised access to the systems “inside” the Firewall. The Firewall can block information from entering or leaving a network, and it can permit different users to perform different kinds of operations, according to each user's authorisations.

In addition to the CERN standard Firewall we have an AIS Firewall that shields all the AIS systems from the rest of CERN. As we have full control of who and what our users need to access, we can be very restrictive in what we let pass through.

Software Patching

What is a Software Patch?
A patch can be an update that addresses new issues such as a security problem, an upgrade (adding new features) or a bug fix.

An important part of the overall protection is to make sure that all the systems are up to date, especially concerning security patches. New “holes” and flaws are regularly discovered, and the suppliers provide patches to fix these problems. We therefore have automatic jobs that check that the correct patch levels are installed on our systems and warn us if not.
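The patch-level check described above, written out as an added example (this is not AIS code, and the inventory, package names and version strings are constructed placeholders, not real advisory levels): an installed-software inventory is compared against a list of required minimum versions, and anything missing or below the required level is reported.

```python
import re

# Constructed inventory of installed software on one server. The package
# names are real products, but every version string is invented for the example.
INSTALLED = {
    "apache":   "1.3.20",
    "bind":     "9.1.3",
    "openssh":  "2.9p2",
    "sendmail": "8.11.6",
    "wu-ftpd":  "2.6.1",
}

# Constructed "required minimum level" list, as a security team would keep it
# up to date from vendor advisories. Versions are invented placeholders.
REQUIRED = {
    "apache":   "1.3.19",
    "bind":     "9.1.3",
    "openssh":  "2.9.9p2",
    "openssl":  "0.9.6b",
    "sendmail": "8.11.6",
    "wu-ftpd":  "2.6.2",
}

def version_key(version):
    """Turn a version string into a comparable tuple of integers.

    All runs of digits are kept in order, so "2.9.9p2" becomes (2, 9, 9, 2)
    and "0.9.6b" becomes (0, 9, 6). This is deliberately simple: it handles
    dotted numeric releases and numbered patch suffixes, which is enough for
    the inventory above, but it is not a vendor-specific comparator.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))

def check_patch_levels(installed, required):
    """Compare installed versions against required minimums.

    Returns one finding per package that is missing or below the required
    level, sorted by package name. A package that is required but not in the
    inventory is reported as "missing" so that a person can decide whether it
    is genuinely absent or simply not recorded. An empty list means nothing
    needs attention.
    """
    findings = []
    for package in sorted(required):
        need = required[package]
        have = installed.get(package)
        if have is None:
            findings.append({"package": package, "installed": None,
                             "required": need, "state": "missing"})
        elif version_key(have) < version_key(need):
            findings.append({"package": package, "installed": have,
                             "required": need, "state": "outdated"})
    return findings

def format_warning(findings):
    """Render the findings as the text body of a warning message."""
    if not findings:
        return "All packages at or above required patch level."
    lines = ["Packages below required patch level:"]
    for f in findings:
        have = f["installed"] or "(not installed)"
        lines.append("  %s: installed %s, required %s [%s]"
                     % (f["package"], have, f["required"], f["state"]))
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_warning(check_patch_levels(INSTALLED, REQUIRED)))
```

Run against the constructed data, the report lists openssh and wu-ftpd as outdated and openssl as missing; apache is newer than required and produces no finding. A real job would feed `INSTALLED` from the package manager and `REQUIRED` from the team's advisory tracking.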

Monitoring of Security Alerts

Computer- and network-security organizations like CERT regularly publish Security Alerts that warn about problems and inform about software fixes. We need to stay aware of the immediate steps that can be taken in order to reduce our exposure to a vulnerability. This is mostly done via mailing lists and various web sites.

Monitoring of User accounts

Leaving unused user accounts open on the systems is also a security hole. We therefore have automatic jobs, running regularly, that detect user accounts on the servers that have not been used for a certain period of time and lock these accounts. Root and administrator accounts have enforced rules for password selection.
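An added example of such a dormant-account job (not AIS code; the account records, the idle and grace periods, and the exempt-account list are all assumptions constructed for the illustration): it takes a list of accounts with creation and last-login dates, decides which ones have been unused for too long, and builds the `usermod -L` commands that would lock them. Accounts that have never logged in are only considered dormant once they are older than a grace period, so that freshly created accounts are not locked before their owner has a chance to use them.

```python
from datetime import date, timedelta

# Constructed account data, in the shape a job could gather from the password
# database and last-login records. Names and dates are invented for the example.
SAMPLE_ACCOUNTS = [
    {"user": "alice",  "created": date(1999, 5, 3),  "last_login": date(2001, 9, 28), "locked": False},
    {"user": "bob",    "created": date(2000, 1, 10), "last_login": date(2001, 3, 1),  "locked": False},
    {"user": "carol",  "created": date(2001, 9, 20), "last_login": None,              "locked": False},
    {"user": "dave",   "created": date(1998, 7, 7),  "last_login": date(2001, 1, 15), "locked": True},
    {"user": "erin",   "created": date(2001, 5, 1),  "last_login": None,              "locked": False},
    {"user": "oracle", "created": date(1998, 7, 7),  "last_login": None,              "locked": False},
]

# Service accounts the job must never lock (assumed list for the example).
EXEMPT_ACCOUNTS = {"root", "oracle"}

# The day the job is assumed to run, so the example is reproducible.
REPORT_DATE = date(2001, 10, 1)

def find_dormant(accounts, today, max_idle_days=90, new_account_grace_days=30):
    """Return [(user, reason), ...] for accounts that should be locked.

    Rules: exempt and already-locked accounts are skipped; an account that
    has never logged in is dormant once it is older than the grace period;
    any other account is dormant when its last login is older than
    max_idle_days.
    """
    idle_cutoff = today - timedelta(days=max_idle_days)
    grace_cutoff = today - timedelta(days=new_account_grace_days)
    dormant = []
    for acct in accounts:
        if acct["user"] in EXEMPT_ACCOUNTS or acct["locked"]:
            continue
        if acct["last_login"] is None:
            if acct["created"] < grace_cutoff:
                dormant.append((acct["user"], "never used, created %s" % acct["created"]))
        elif acct["last_login"] < idle_cutoff:
            dormant.append((acct["user"], "last login %s" % acct["last_login"]))
    return dormant

def lock_commands(dormant):
    """Build the argument lists a job would hand to subprocess for each lock.

    `usermod -L` locks the account's password on Linux; passing an argument
    list rather than a shell string avoids quoting problems with user names.
    """
    return [["usermod", "-L", user] for user, _reason in dormant]

if __name__ == "__main__":
    found = find_dormant(SAMPLE_ACCOUNTS, REPORT_DATE)
    for user, reason in found:
        print("lock %s: %s" % (user, reason))
    for argv in lock_commands(found):
        print(" ".join(argv))
```

With the constructed data and a run date of 1 October 2001, bob (last login in March) and erin (never used, created in May) are reported; carol is inside the 30-day grace period, dave is already locked, and oracle is exempt. Keeping the decision separate from the locking command makes it easy to run the job in report-only mode first and review the list before any account is touched.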

Web server access

The AIS Common Login provides a mechanism for encrypted authentication with the AIS applications. Some of the applications, like BHT, EDH and HRT, also provide an encrypted channel between the Web browser client and the Web server. The web servers’ access logs are processed and scanned to detect attempts to compromise the systems.
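An added example of the kind of access-log scanning mentioned above (this is illustration code, not the AIS tools; the log lines are constructed, the addresses come from documentation ranges, and the signature rules and the 404 threshold are choices made for the example): Common Log Format lines are parsed, the request path is URL-decoded before matching so that encoded traversal sequences are not missed, and hosts that generate many "not found" responses are reported as probable scanners even when no single request matches a signature.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Common Log Format lines. Addresses are from documentation ranges
# and the requests are invented for the example; nothing here is real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Oct/2001:10:00:01 +0200] "GET /edh/index.html HTTP/1.0" 200 5120
192.0.2.10 - - [01/Oct/2001:10:00:02 +0200] "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0" 404 210
192.0.2.10 - - [01/Oct/2001:10:00:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [01/Oct/2001:10:00:04 +0200] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [01/Oct/2001:10:00:05 +0200] "GET /nonexistent.html HTTP/1.0" 404 210
198.51.100.8 - - [01/Oct/2001:10:00:06 +0200] "GET /hrt/login%00.html HTTP/1.0" 400 0
this line is not in Common Log Format
198.51.100.9 - - [01/Oct/2001:10:00:07 +0200] "POST /bht/submit HTTP/1.0" 200 330
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Signature rules applied to the URL-decoded request path. These are generic
# indicators of probing (directory traversal, sensitive files, interpreter or
# command names, an embedded NUL byte), chosen for the example rather than
# taken from any real rule set.
SIGNATURES = {
    "traversal":      re.compile(r"\.\./"),
    "sensitive-file": re.compile(r"/etc/(passwd|shadow)"),
    "command-exec":   re.compile(r"(cmd|root)\.exe", re.IGNORECASE),
    "nul-byte":       re.compile(r"\x00"),
}

def parse_clf(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_access_log(lines, not_found_threshold=3):
    """Return signature hits, hosts with many 404s, and the count of unparsable lines.

    The path is decoded before matching: "..%2f" only becomes "../" after
    unquoting. Hosts producing at least not_found_threshold 404 responses are
    reported as scanners, since guessing at file names is a common prelude to
    an attack even when no individual request matches a signature.
    """
    hits, not_found, unparsed = [], Counter(), 0
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            unparsed += 1          # malformed lines are counted, not silently dropped
            continue
        path = unquote(rec["path"])
        matched = [name for name, rx in SIGNATURES.items() if rx.search(path)]
        if matched:
            hits.append({"host": rec["host"], "path": rec["path"], "rules": matched})
        if rec["status"] == "404":
            not_found[rec["host"]] += 1
    scanners = {h: n for h, n in not_found.items() if n >= not_found_threshold}
    return {"hits": hits, "scanners": scanners, "unparsed": unparsed}

if __name__ == "__main__":
    result = scan_access_log(SAMPLE_LOG.splitlines())
    for hit in result["hits"]:
        print("%s %s %s" % (hit["host"], ",".join(hit["rules"]), hit["path"]))
    for host, n in result["scanners"].items():
        print("probable scan from %s: %d requests for missing files" % (host, n))
    print("unparsed lines: %d" % result["unparsed"])
```

On the constructed log the scanner reports four signature hits (the encoded traversal to /etc/passwd, the two executable probes and the NUL-byte request), flags 192.0.2.10 for its four 404s, and counts the one malformed line. Counting unparsable lines instead of ignoring them is deliberate: a sudden rise in that number is itself worth a look, since it may mean the log format changed or something is writing garbage into the log.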

Database access

In order to guarantee the correct functioning of the AIS databases, we have developed and implemented tools for automatic problem detection and performance monitoring.

Securing communication for sensitive access

We are using the secure shell (SSH) suite of security-enhancing tools, which addresses the problem of host and user authentication by using public key cryptography, and the problem of clear-text data transmission by using data encryption. SSH is a strong defence against network sniffing and DNS/IP spoofing.

Network services

We are reducing the network services available on the systems to a strict minimum. Such services include electronic mail, access to the Web, domain name services, file transfers, and access to databases.

Backups

In the event of a compromised system, or any other event that has led to data loss or corruption, it is absolutely critical to have reliable backup copies of all information resources. The goal is to minimise the loss of data and to restore the situation as closely as possible to the state prior to the event.

All our systems and databases are regularly backed up. The databases are given particular attention: all redo logs, which contain all the transactions, are backed up several times per day on three different backup nodes in two different locations (one off site, i.e. not in the computer centre).

The physical media holding the backup data are stored in fireproof safes off site.

The media are periodically tested and verified, at least once a month. It is very important to be able to trust the backup system and to be sure that we can actually restore a database or a complete system in case of a disaster.

The Users

We should remember that the users also contribute to the overall level of security. Selecting good passwords that are difficult to guess, not leaving unattended connections open and not opening e-mail attachments from strangers are simple measures that everyone can take.

Mats Moller
AS-SAS Group Leader




LEAVE

Annual Leave Year book closing - 30th September

On 30th September two Annual Leave Year book closing operations took place:

  • automatic transfer to Saved Leave account
  • limit of Annual Leave carry over

You can access your personal situation by clicking here
You can get all the details on our special web pages!

(Published on 24/09/2001)




Summer statistics

What happens to the number of DAI requests when people are on vacation?

(Published on 25/07/2001)




HRT-PIE

WebHRT-PIE test version is available

A new version of WebHRT-PIE has just been released for testing by the WebHRT-PIE user community. Click on the link to get to it!

This test version already includes several enhancements based on user feedback.

The new version is based on the same tool that has been used to implement webHRT and which is also used by PPT and EDH.

We would appreciate your input on this new version. Your feedback may be sent to AIS Support.

Find out more about it here!


(Published on 28/05/2001)




Find your way using the Documentation map

Our documentation map is intended to gather all available help provided for each of our applications.

Your input as users on the quality and usefulness of our applications' online help, documentation, quick tours and Frequently Asked Questions is essential and valuable.

Let us know what you find useful, what you do not find useful, what could be improved and what you dislike. Were you always able to find what you were searching for?

Please send your feedback to the AIS webmaster.

(Published on 23/04/2001)




Newsletter

Keep informed by reading the AIS Newsletter 2001

The AIS Newsletter is a periodical compilation of published information about what has happened and what is going to happen in our work which, sooner or later, will have implications for your professional life. Have a look!


(Published on 09/04/2001)


DISCUSSIONS

You have the opportunity to express your thoughts and opinions about our articles by e-mail.
This is an opportunity for interactivity: if we receive enough comments from you, we could publish them in our Newsletter, and this way you can also find out what your colleagues have to say.


READER SURVEY

Please let us know how you find this newsletter:

very interesting
worth reading
not worth reading

Comments: