The start-up of the LHC is foreseen to take place in the autumn and CERN will be in the public spotlight again. This increases the need to be vigilant with respect to computer security, and the defacement of an experiment's webpage last September shows that we should be particularly attentive. Attackers are constantly probing CERN, so we must all do everything we can to reduce future risks.
Security is a hierarchical responsibility and requires us to balance the allocation of resources between making systems work and making them secure. All of us, whether users, developers, system experts, administrators or managers, are responsible for securing our computing assets. These include computers, software applications, documents, accounts and passwords. There is no "silver bullet" for securing systems; it can only be achieved by a painstaking search for all possible vulnerabilities followed by their mitigation. Additional advice on particular topics can be obtained from the relevant IT groups or from members of the security team, but here we include a basic list of items to be considered by all CERN computer users.
• Review access rights to your computers and documents (InDiCo, EDMS, TWiki, etc), as well as to files and directories on AFS, DFS and local disks. Don't give write access if read access is sufficient, and limit access to those who need it.
• Protect websites. Very few should be publicly accessible and those that are should not reveal details of system architecture and design, computer configurations or source code.
• Ensure that accounts have been closed for individuals who have left.
• Reduce the number of service accounts where possible.
• Harden computers: remove unnecessary applications; disable unneeded services such as web and FTP servers; use the automated update and patching services; keep anti-virus software up to date, not only on PCs but also on embedded devices such as oscilloscopes; upgrade Scientific Linux CERN from SLC3 to SLC5; and use a local firewall to block both incoming and outgoing traffic that is not expected.
• Protect private SSH keys.
• For experiment networks, review central firewall openings and whether devices need to be trusted or exposed.
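Two of the items above, protecting private SSH keys and disabling unneeded services, can be checked mechanically. The following POSIX shell helpers are an added example written for this article and are not CERN's or the security team's own tooling. They assume a Linux-style `ls -l` mode string, and the `netstat -tuln` command line quoted in the comments is an assumed way of producing the input for the second check, not something the article prescribes.

```sh
#!/bin/sh
# Added example (not CERN's code): audit helpers for the SSH-key and service items above.
# Assumptions: POSIX sh with ls(1), cut(1) and grep(1); Linux-style "rwx" mode strings.

# Return 0 if a file grants no permission bits to group or other (mode 600/400), else 1.
# `ls -ld` is used instead of GNU stat(1) so this also runs on minimal/BusyBox systems.
private_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10) || return 1
    [ "$perms" = "------" ]
}

# Walk a directory (typically ~/.ssh), pick out files that carry a PEM/OpenSSH
# "PRIVATE KEY" header, and report any that group or other can read.
# Prints one line per key; returns 0 when every key is fine, 1 otherwise.
audit_private_keys() {
    dir=$1
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac      # public halves are meant to be readable
        grep -q 'PRIVATE KEY' "$f" 2>/dev/null || continue
        if private_mode_ok "$f"; then
            echo "OK   $f"
        else
            echo "FIX  $f: run 'chmod 600 $f'"
            bad=1
        fi
    done
    return $bad
}

# Compare listening sockets against an allow-list of "proto/port" tokens.
# Reads "proto port" pairs on stdin; on SLC/Linux one assumed way to produce them is
#   netstat -tuln | awk 'NR>2 {n=split($4,a,":"); print $1, a[n]}'
# Prints every socket not on the list so it can be disabled or blocked by the
# local firewall; returns 0 when nothing unexpected is listening, 1 otherwise.
unexpected_listeners() {
    allow=" $1 "
    found=0
    while read -r proto port; do
        [ -n "$proto" ] || continue
        case "$allow" in
            *" $proto/$port "*) ;;
            *) echo "$proto/$port"; found=1 ;;
        esac
    done
    return $found
}

# Typical use on a host (commented out so the file can be sourced as a library):
#   audit_private_keys "$HOME/.ssh"
#   netstat -tuln | awk 'NR>2 {n=split($4,a,":"); print $1, a[n]}' \
#       | unexpected_listeners "tcp/22 tcp6/22"
```

Both functions use their exit status as the verdict, so they can be dropped into a cron job or a login script that mails the output only when something needs fixing. The allow-list for `unexpected_listeners` should be the short list of services the machine is meant to offer; anything else it prints is a candidate for `chkconfig --del` on SLC or for a local firewall rule.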
Further information about how to improve computer security can be found at http://cern.ch/security/ and www.isseg.eu. These websites include material on risk analysis, training and recommendations for general users, developers and system administrators. In addition to the many security awareness presentations that are available, training courses are offered on writing secure code and secure web applications (see http://cern.ch/security/training).