Computer Security: Banks and work

Over the past few months, the Computer Security team and the Identity and Account Management team have started to roll out two-factor authentication (2FA). 2FA is widely regarded as the single most effective protection for computing accounts. You find it everywhere: for accessing Facebook, Twitter, Gmail and many other services. Your bank uses it to protect your money. Still, we are facing resistance. And I'm starting to wonder why it is that people at CERN are perfectly willing to protect their bank accounts with 2FA while trying to avoid using it to protect their work, which is what puts the money in said accounts in the first place…

CERN is under attack, like any other organisation, institute or company, many of which have been hacked or compromised and their data stolen (see here and there). A successful ransomware attack against CERN could have devastating consequences for our operations and reputation. Ransomware attacks, like many other forms of attack, usually take the route of you clicking on a malicious link, opening a malicious attachment or browsing a dodgy webpage, and subsequently infecting your computer. While the consequences for your laptop are local (and can be very nasty), the next hop from that compromised device most likely requires your password. A password that can now be easily intercepted by an attacker who has a foothold in your device. Other successful ransomware attacks are more direct. By asking. By you providing your password directly to an attacker, via a fake login page. Every year, between 10% and 20% of us fall for the Computer Security team's clicking campaign. Between 10% and 20% of all CERN passwords are exposed. Lost.

Lots of juice for an attacker if those campaigns were real. Just think what they could access with your password. What power they could inherit from you. What the attacker could do if they could observe you working on different IT services, controls systems and financial applications. And what could happen if the attacker started acting on their own. Stopping accelerators? Manipulating experiments? Disabling safety systems? Stealing money? Deleting files? Exposing personal data? Impacting CERN's reputation?

In order to protect CERN against those types of attack, we are adding another - immense - hurdle for a potential attacker by deploying 2FA on your account. Not only would the attacker need your password, they would also need your second factor - i.e. either your YubiKey or your smartphone. And you always know where your smartphone is, don't you? A stolen or phished password alone therefore no longer opens your account; the attacker would additionally need to get hold of a physical device in your possession, which is a far harder and far noisier task. This is why we consider 2FA to be a silver bullet for account protection. It is not an absolute guarantee - malware that already controls your device can still ride on a session you have opened, and a convincing fake login page can try to relay a one-time code in real time - but it turns a single leaked password from a ready-made foothold into a dead end. Yes, we do acknowledge that it adds another layer of inconvenience. So we've tried, and continue to try, to make 2FA as easy as possible for you:

  • We deployed it at one single point, the new CERN Single Sign-On (plus a few dedicated services at the gates, such as AIADM and the Remote Operations Gateways).
  • We made adjustments so that the authentication lasts around 12 hours per browser, meaning that you will need to use your token about twice a day, which is likely much less often than some people go for a coffee or a smoke.
  • You can choose which token - YubiKey or smartphone - will be the default (just go to https://users-portal.web.cern.ch/, click on "configure multifactor" and pick your "default login method").
  • You can choose between the two tokens every time you log in. If you forget one, the other is at hand. If you lose one, the other can be used to reset it. And we will add more options once they are compatible with our set-up.
  • Procedures are in place to help if your token gets lost and you are locked out: the Service Desk and the Computer Security team have put all the necessary means in place for quick recovery.
  • Finally, a more comprehensive list of answers can be found in our FAQ.

So, doesn't your CERN computing account deserve the same level of protection as your bank account? If you agree, give it a try and let us know if you're happy with it, so that we can set it up for you permanently.

Public Release. This material from the originating organization/author(s) may be of a point-in-time nature and edited for clarity, style and length. Mirage.News does not take institutional positions or sides; all views, positions and conclusions expressed herein are solely those of the author(s).