1 CERN, LHC & the Higgs Particle: Security in an Academic Environment
Dr. Stefan Lüders (CERN Computer Security Officer)
15th Berner Tagung für Informationssicherheit, November 27th 2012
2 CERN in a Nutshell Tim Berners-Lee
3 The CERN Business Model
[Figure: scale diagram from the observable universe, galaxies and the solar system down to cell, virus, atom, nuclei, proton and the Higgs (?), with the instrument used at each scale: radio telescope, telescope, spy glass, microscope, electron microscope, particle accelerator.]
4 Looking into the Proton
[Figure: beam, bunch, proton.]
5 ...at Very High Energies
World's largest superconducting installation (1.9 K)
Steer a beam of 85 kg TNT through a 3 mm hole times per second
6 ...with Four Digital Cameras
100M data channels
1M control points
7 300 million collisions per second
Event size: ~10 MB
8 24/7/200 Series Production
9 First data, and 20 years more to come!
10 Overview
CERN's security footprint
Operational Noise
This is a people problem
11 CERN's security footprint
12 Academic Freedom at CERN
CERN's users: from 100s of universities worldwide
Pupils, students, post-docs, professors, technicians, engineers, physicists, ...
High turn-over (~10k per year)
Merge of professional and private life: social networks, Dropbox, Gmail, LinkedIn, hostels on site, ...
Academic freedom in research: no limitations and boundaries if possible
Free communication & freedom to publish
Difficult to change people, impossible to force them
Trial of the new, no/very fast life-cycles, all-time prototypes
Open campus attitude: consider CERN being an ISP!
14 CERN Sectors of Operations
Office Computing Security
Computing Services Security
Grid Computing Security
Control Systems Security
15 Office Computing Footprint
General network architecture for all sectors:
3 Class-B IP networks with >20 Gbps bandwidth incl. DHCP/wireless
Several non-routable Class-B IP networks with >20 Gbps bandwidth
>3000 switches, ~40k devices on Ethernet/DHCP/wireless networks
6k firewall openings
One flat office / wireless network
Visitors' laptops and office PCs on the same network, for a liberal (i.e. heterogeneous) user world
Any type of personal/external laptops, PCs, PDAs, phones, devices, ...
Any type of O/S: Mac OS X, Debian, Ubuntu, Windows 98, RedHat, ...
Any type of application, programming language, tools, Web sites, ...
Hundreds of Web servers for dedicated purposes
~23k user accounts
16 Computer Services Footprint
7 computer centers, each with up to ~10k nodes (~64k cores, ~64k HDDs), for central computing, accelerator operations, and physics experiments
Serving a multitude of services & systems
Central O/S: Windows XP/7 (~6500 PCs), Windows Server, Scientific Linux 5/6, Mac OS X
~2M mails per day: 95% SPAM, 1% unidentified SPAM, 4% regular
AV, file systems (AFS, DFS), disk pools (~63 PB), tape stores (~15 PB/yr), DBs, versioning systems, document servers, HR/FI/engineering apps, collaboration tools, ...
PaaS virtualization service (~4k VMs), ~10k Web sites on 50 Web servers + many more for dedicated purposes
CERN Internet Exchange Point (22 European ISPs + telecom providers)
incl. GRID Computing Tier-0 (~7k nodes), 11x Tier-1s, and O(100) Tier-2s
17 Control Systems Footprint
Experiments: ALICE, ATLAS, CMS, LHCb, LHCf and TOTEM; ALPHA (AD-5), Cast, Collaps, Compass, Dirac, Gamma Irradiation Facility, ISOLTRAP, MICE R&D, Miniball, Mistral, NA48/3, NA49, NA60, ntof, Witch, GCS, MCS, MSS, and Cryogenics System
Accelerators: AB/OP, AD, CNGS, CCC, CLIC, ISOLDE, ISOLDE offline, LEIR, LHC, Linac 2, Linac 3, PS, PS Booster, REX, SM18, and SPS
Safety: ACIS, AC PS1, AC PS2, AC SPS1, AC SPS2, Alarm Repeater, ARCON, ADS, CSA, SGGAZ, SFDIN, CSAM, CESAR, DSS, LACS, LASS, LASER, Radmon, RAMSES, MSAT, Radio Protection Service, Sniffer System, SUSI, TIM, and Video Surveillance
Infrastructure: CV, ENS, FM, DBR, Gamma Spectroscopy, TS/CSE, and YAMS
Accelerator Infrastructure: ADT, ACS, BQE, BPAWT, BDI, BIC, BLM, BOF, BPM, BOB, BSRT, BTV, BRA, CWAT, Cryo (Frigo, SM18 & Tunnel), BCTDC, BCTF, FGC, LEIR Low Level RF, LHC Beam Control System, LBDS, HC, LHC Logging Service, LTI, MKQA, APWL, BPL, OASIS, PIC, QDS/QPS, BQS, SPS BT, BQK, Vacuum System, WIC, and BWS
18 CERN's security footprint
Operational Noise
19 Phishing
Targeted and untargeted phishing attacks in English & French
Spoofed login pages on trusted hoster!
20 Data Leakage
Sensitivity levels are user dependent!
21 Break-Ins
Unpatched oscilloscope (running Win XP SP2)
Lack of input validation & sanitization
Unpatched web server (running Linux)
23 CERN's security footprint
Operational Noise
This is a people problem
24 A small quiz
Quiz: Which URL leads you to
%2e%31%33%38%2e%31%33%37%2e%31%37%37/p?uh3f223d co_partnerid=2&usage=0&ru=http%3a%2f%2fwww.ebay.com&rafid=0 &encrafid=default
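The quiz turns on a percent-encoded host name: the request goes to the decoded IP address while the familiar ebay.com only appears inside a query parameter as the lure. The checker below is an added example and is not part of Dr. Lüders' slides or CERN tooling; it percent-decodes the host, flags raw IP addresses and encoded hosts, and lists domain names that occur only in the path or query. The sample URLs are constructed in the style of the quiz (192.0.2.1 is a documentation address) and are not the quiz's own URL.

```python
"""Where does an obfuscated URL really lead?

Added example, not from the talk: percent-decode the host part of a URL,
flag raw IP addresses and encoded hosts, and list domain names that appear
only in the path or query string (the familiar brand used as a lure).
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# A loose "looks like a domain name" pattern. Digit-only labels such as an
# IPv4 address do not match, because the last label must be alphabetic.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def analyse_url(url: str) -> dict:
    """Return the decoded host plus the indicators a phishing check cares about."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    host = unquote(raw_host)  # "%31%39%32%2e..." becomes "192..."

    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False

    # Domain names hidden in the path/query are the brand shown to the victim;
    # the decoded host is where the browser actually sends the request.
    decoded_rest = unquote(parts.path + "?" + parts.query)
    lure_domains = sorted(
        {m.lower() for m in DOMAIN_RE.findall(decoded_rest)} - {host.lower()}
    )

    return {
        "host": host,
        "host_was_encoded": raw_host != host,
        "host_is_ip": host_is_ip,
        "lure_domains": lure_domains,
        "suspicious": host_is_ip or raw_host != host or bool(lure_domains),
    }


if __name__ == "__main__":
    # Constructed samples in the style of the quiz (not the quiz's own URL).
    samples = [
        "http://%31%39%32%2e%30%2e%32%2e%31/p?ru=http%3a%2f%2fwww.ebay.com&rafid=0",
        "https://www.ebay.com/signin",
    ]
    for sample in samples:
        print(sample)
        for key, value in analyse_url(sample).items():
            print(f"  {key}: {value}")
```

The first sample decodes to host 192.0.2.1 with www.ebay.com listed as a lure domain and is flagged; the second has a plain host and nothing hidden in the query, so it passes. The same decode-then-compare step is what a mail gateway or awareness tool can apply to every link before showing it to a user.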
25 Intelligent clientele
"May I point out that I do not have a tail and do not feel like being treated like a circus dog."
"Why are there idiotic policies in place to forbid use of certain technologies?"
"I failed to pass the security courses, the questions were so stupid, that sometimes it's difficult to answer. If you want to meet with me personally, I can teach you computer security."
"I fully recognise the importance of computer security at CERN. However, I am not sure that you have yet appreciated that computer security is not the raison d'être of CERN. Computer security must always be balanced with the need for CERN to carry out its experiments. I do not believe that [...] poses a strong security risk and you have not explained to us why it does."
26 CERN Security Paradigm
Find balance between Academic Freedom, Operations and Computer Security
Academic Freedom means Responsibility (I, as Security Officer, decline to accept that responsibility)
Instead, computer security at CERN is delegated to all users of computing resources (sys admins, controls experts, secretaries, ...)
If they don't feel ready, they can pass that responsibility to the CERN IT department by using central services.
The CERN Security Team acts as facilitator and enabler: no big sticks, no heavy rules.
28 Change of Culture (at CERN)
Security is dealt with in the same way as safety.
CERN aims for a change of culture & a new mind set
Basic awareness training for everyone, esp. newcomers
Every owner of a computer account must follow online security courses every 3 years.
Provisioning of static code analyzers
Dedicated training on secure development (Java, C/C++, Perl, Python, PHP, web, ...)
Baselines & consulting
Once people understand, the rest is easy: care, SDLC, use of standards, ...
30 Change of Culture (Outside)
We have to start raising awareness early!
Being aware of risks is the first step towards mitigation
Today's kids are the programmers of tomorrow
Why are IT graduates still weak in security? They learn programming, O/S, DBs, ... for their BSc, but security only comes later, in the MSc curriculum
Why can software vendors still ship insecure applications / devices?
Why can I sue [car vendor] for a non-working brake but not [software vendor] for a vulnerability? Who has to do due diligence?
31 Summary
CERN's security footprint is heterogeneous and vast
However, security events happen and will continue to happen
Enable users to assume responsibility. Provoke a change of mind!!!