Computer Security: Scanning for problems

Keeping your digital house in order is sometimes very difficult. And it’s even more difficult when looking at it from the security perspective. There are just too many possibilities as to what might go wrong. Too many areas with potential weaknesses. And too many components with potential vulnerabilities.

Just think of a common webserver. The various web components and frameworks used (Apache, PHP, Drupal, Joomla!, WordPress, etc.) need to be kept secure and up-to-date to avoid them being directly compromised. Up-to-date versions. Up-to-date libraries. Up-to-date software packages. Ditto for the security of the underlying operating system, be it Linux or Windows. Up-to-date everything. With access control to the host on every layer. And individual passwords changed from their documented defaults. The same holds for the protection of hardware. BIOS. IPMI interfaces. Always kept updated – often a particularly difficult feat! With access control. And, of course, the securing of all hosted webpages. Access control for sensitive content. And if some webpages serve dynamic content, filtering and sanitisation of any input on the server side. To avoid cross-site scripting (XSS), SQL injection or similar (see the OWASP Top 10 on that subject). It’s a difficult endeavour. So many layers. So many components. In a dynamic, agile and fast-changing environment.

At CERN, the responsibility for keeping your digital house in order – that aforementioned webserver, but also your computer, your Internet-of-Things gadgets, your control system, your computing services – lies in the first instance with you. It is your responsibility to ensure that your hardware and your software stack are kept up-to-date and as secure as possible. We try to help you wherever possible with security advisories in the event of critical vulnerabilities, detailed recommendations and guidelines, in-depth training or broader-view Bulletin articles. But we can do more.

The Computer Security Team has therefore recently revamped its vulnerability scanning infrastructure with a view to better and earlier detection of weaknesses, vulnerabilities and sub-optimal configurations of devices and services hosted on CERN’s office and data centre networks. The new infrastructure is supposed to scan every device on those networks about once a month and will be able to detect more than 1500 different types of problems: default passwords that are still valid; the use of ancient SSL or SMB versions or of FTP or Telnet (R.I.P.!); expired certificates; disclosed vulnerabilities; or simply outdated and supposed-to-be-dead operating systems. And more types will be added when they appear. When a problem is discovered, the owner of the corresponding device or service is notified directly, in the hope that these problems are quickly resolved for the sake of improving the Organization’s protection and security stance. Remember, the primary responsibility for the computer security of your computing resources lies with you. The Computer Security Team is standing by to help you improve the security and protection of your assets. Just contact us at Computer.Security@cern.ch.
