With ongoing vulnerability scans of CERN’s internet presence performed by an external specialised company, the Computer Security team’s plans to perform penetration testing against selected targets visible to the internet, and the possibility of CERN joining a so-called Bug Bounty programme (a Bulletin article on this will come soon), we are preparing for an increasingly thorough assessment of the weaknesses, misconfigurations and vulnerabilities inside CERN – on the campus network, the technical network and the networks dedicated to the different experiments.
Given that the CERN networks are many, vast and interconnected in a complex manner, with tens of thousands of registered devices, thousands of them regularly or permanently connected, a large proportion of unmanaged “bring-your-own” devices or unpatchable and inherently vulnerable devices of the Internet of Things, a very large number of heterogeneous virtual machines and containers running arbitrary applications, and about ten thousand websites leading to millions of webpages, vulnerability scanning and penetration testing of such an environment is complex, complicated and tedious. That’s why we have decided to lower CERN’s outer perimeter firewall protections for 24 hours on the first Monday of next month so that any external third party interested in poking/hacking/breaking into CERN can do so. The open firewall, allowing any incoming traffic, will facilitate not only the work of the aforementioned external company, but also that of the students affiliated with our WhiteHat programme, Bug Bounty hunters hoping for an entry on our Kudos page and any other benign or malicious attacker.
As usual, any ethical party probing CERN during those 24 hours is supposed to stop their activity before any damage or destruction is done and to report all their findings immediately to us so that they can be addressed, controlled, mitigated and fixed. For those cases where the scans and tests are performed by malicious actors, our network-based intrusion detection system connected to the outer perimeter firewall will stay alert and monitor all activities in the hope of identifying their ill-doing well in time, as we managed to in the past. The Computer Security team will, exceptionally, cover its duties 24/7. Of course, we cannot guarantee that no damage will be done by any malicious attacker, but we are counting on the robustness, resilience and up-to-dateness of your systems, devices, virtual machines/containers and websites. This risk is also the reason why we will open the firewall for just 24 hours: this tight time window should keep any collateral damage low.
So, stay tuned for next Monday, 1 April, 00:00 to 23:59, the day when we shall learn more about the security of CERN’s internal networks, and subsequently further improve all the systems connected to it.
________
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.