Bravo to all those who participated in the Bull**** Bingo in the last Bulletin issue, in particular to those who sent in their solution and won a delicious Hawaiian pizza topped with pineapple and a Coke. Given the many replies, it seems that our Bingo was too easy? But that's what "security" should be: easy, straightforward, simple. Paradigm #1 ─ the "KISS" paradigm: "Keep it simple, stupid".
Unfortunately, this simplicity is spoiled time and again by the complex computing environment at CERN mixing the divergent needs of academia (research and computing sector), administration (finance and HR sector) and industry (the accelerator sector); by CERN's legacy of using its resources for personal business like sending/receiving private emails, hosting personal webpages, or our bring-your-own-device (BYOD) policy to connect all of your own devices to CERN's campus network; by the cacophony of historically grown systems performing similar ─ but not identical ─ tasks (CDS/CERNBox/EDMS/EOS/Google Workspaces/MyFiles/OneDrive/Sharepoint, or Kubernetes vs OpenStack vs OpenShift); and the problems coming with the cacophony of terminating old and outdated services (like the very slow and complicated AFS and DFS migration to CERNBox, killing the old SSO for the benefit of the new one, or moving Drupal-hosted websites to WordPress). So, KISS is hardly a reality at CERN. We should strive to do better. Simpler. More homogenous. More centralised. More controlled. KISS.
Unfortunately, again, and given additional constraints ─ lack of resources or time pressure ─ paradigm #2 kicks in: "cheap, convenient, secure ─ pick two". That makes security a permanent uphill struggle as nobody would pick "secure" given that "cheap" and "convenient" always trump. Would you? Instead, security is given low priority, filed to the back, and applied only when time and resources allow (or the implementers are security aware). Again, we should strive to do better. Last year's audit on cybersecurity urged higher priority and recommended that the Organization "define and implement a process to ensure security is considered in any project" and "implement a security risk management process" under the auspices of the Computer Security team (a dedicated Bulletin article on this topic will be published soon).
Following general best practices ─ and as re-emphasised by the aforementioned audit ─ the Computer Security team has always aimed to deploy and deepen "defence-in-depth" ─ paradigm #3. With your help ─ given that "security is everyone's responsibility" (Bingo solution C1) ─ "2FA is a big step forward for account protection" (A2) and we are grateful to now have more than 10 000 accounts under this protection. On another defence level, we succeed well at dismissing malicious websites, domains and IPs on the firewall level, but struggle to filter malicious emails (and promise to improve on that during 2024). Still, we are counting on you to detect those that made it through: "Only the link behind a text/QR code reveals its truth" (B3). But we also try to help you, as "CERN's anti-malware software is free for you to download" (E4)*. Defence-in-depth. Hard to implement, but possible to have.
Hence, these paradigms "KISS ─ keep it simple, stupid" and "defence-in-depth" go hand in hand once we all jointly pick the right two of "cheap, convenient, secure". Let's overcome the hardship imposed by these three paradigms. You and us together. Together securing the Organization. Preventing any disasters.
* The fifth solution is D5 ─ "Encryption is easy; key management is complicated" ─ but that is a technical detail being taken care of inside IT.