Summer 2023 was an intense season for CERN computer security. In the context of a dedicated cybersecurity audit, as planned by the five-yearly internal audit plan, the Computer Security team, the IT department and affiliated groups, the Office of Data Privacy and the Business Continuity and Disaster Recovery Lead all participated in dozens of interviews conducted by an external company specialised in cybersecurity. Based on the CIS v8 standard, that external company compared CERN's current computer security stance with international best practices. And CERN fared well.
Based on that very comprehensive and thorough standard, the auditors issued 82 recommendations, 73 of which were accepted by the CERN Director-General: 15 were classified by the auditors as "major", 34 "medium" and 24 "minor", and none were deemed to be labelled "catastrophic". And, actually, none of those recommendations came as a surprise. Some were already planned or on track for implementation, such as:
- Better protecting end devices with endpoint protection, disk encryption and the possibility to remotely wipe those devices;
- Improving authentication and authorisation by increasing password complexity rules and required password length, reducing the scope for privileged accounts and deploying two-factor authentication to all CERN accounts and via all major login routes (web, LXPLUS, Windows Terminal Servers);
- Integrating Google Workspace and Microsoft Azure logs as well as the network traffic between the data centre network and the individual experiment networks into CERN's Security Operations Centre, and better documenting its data sources;
- Deploying antispoofing and impersonation protections (SPF, DMARC, DKIM) to all incoming emails;
- Reviewing the network segregation between the data centre network and the technical network as well as the campus network, introducing WPA3 for the campus network and using web application firewalls and SDNs (software-defined networks) in the data centre itself;
- Enable software developers to check their CERN's GitLab repositories using static and dynamic application security testing (SAST and DAST);
- Reviewing the security stance of CERN's OpenStack, OpenShift and MS Azure services.
Others were already known to be a deficit requiring remediation:
- "Computer security" needs more governance, including a mandate for the Computer Security Officer, a more detailed computer security policy complementing the CERN Computing Rules (OC5) and better integration in the CERN-wide Enterprise Risk Register;
- CERN needs better inventories of its digital assets, including a so-called software bill of materials (SBOM), and guidelines and training on secure software development;
- CERN institutional "data" deserves a custodian, a Data Governance Officer, who would produce an inventory of CERN data stores and determine data classification and handling policies and retention periods;
- The Computer Security team should improve their documentation on penetration testing programmes, vulnerability management and incident response.
Hence, 2024-2025 will be an interesting, but challenging, period. The efforts of the Computer Security team and the IT department to address these recommendations are in full swing. Thanks a lot for helping to secure CERN. And, please, don't be a security NIMBY.
