Working in the IT department is like working in heaven: many of our IT colleagues have professional god-like powers over the computing services they manage. And nearly all centrally provided computing services are critical for CERN’s operations, for the operation of the accelerators, infrastructure and experiments, and for our local and worldwide user community. New security improvements will ensure this availability even if the gods lose their power.
The CERN IT department provides a plethora of different computing services to run the accelerators and experiments, store and analyse data, and make life easy for our user community. In some way, every activity within CERN relies on IT’s computing services – and in many cases this reliance is critical. Moreover, due to how the IT infrastructure and the CERN data centre are run, many services are inter-linked and depend on (or affect) each other, which increases the overall criticality. Out of necessity, more or less every colleague in the IT department manages and administers one or more computing services, and hence has full access and configuration power over those services. Therefore, due to the aforementioned criticality, it is of utmost importance that only the responsible IT professionals can access their services and that any unauthorised third party – the evil attacker – is kept out. Otherwise the attacker would be able to wreak havoc: by taking over CERN’s computing services, bringing down or sabotaging operations, deleting or modifying data, stealing and exposing confidential documents, reading personal e-mails, etc. Until now, access protection has been based on a single factor: “something you know” – also known as your password. Their CERN password, like yours, not only allows our IT colleagues to access their mailboxes and PCs, but is also the single token for managing their computing services. Once lost to an attacker, all their – all your! – digital life is exposed (see our Bulletin article “Protect your family”). And, maybe worse, CERN’s operations are at risk.
But this is going to change. The IT department is deploying so-called “two-factor authentication”. In parallel to the password, i.e. “something you know”, IT service managers and administrators now also need to present “something they have” in order to log into the computing services they manage. This “something you have” could be a mobile phone with a CERN phone number that receives one-time passwords, a smartphone with the “Google Authenticator” app installed (or any other smartphone application of that kind) that generates one-time passwords itself, or a USB-based hardware token from Yubico (known as a “Yubikey”). You might recall two-factor authentication from your bank. The Swiss bank UBS, for example, provides a small “pocket calculator” that acts in exactly the same way (check out Facebook, Instagram, Twitter, Google,… for their second factors!). Any hardware token makes the malicious work of an attacker much more difficult: besides stealing the password of our IT colleagues, the attacker now also needs to get his or her hands on the token… And this would imply physical presence near the owner – which is unlikely for a remote attacker. In addition, would you not notice immediately if your smartphone or token was stolen? Hence, two-factor authentication is coming to the rescue to make CERN’s computing services more secure and CERN’s operations more robust. And eventually we will have similar protections for access to critical control systems.
_______
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.