Performance Based Management

Self-Assessment Report

October 2002

Unclassified Computer Security

Introduction/Background

Contractor
  Contract No.: DE-AC03-76SF00515
  Point of Contact: Bob Cowles
  Telephone No.: (650) 926-4965
  E-mail: rdc@slac.stanford.edu

DOE Office
  IMD Name: Nancy Adair
  Telephone No.: (510) 637-1741
  CO Name: Tyndal Lindler
  Telephone No.: (650) 926-5076 (SLAC)
  E-mail: tyndal.lindler@oak.doe.gov

Date of last assessment: October 2001

Departmental Overview

Laboratory Mission

The Stanford Linear Accelerator Center (SLAC) is dedicated to experimental and theoretical research in elementary particle physics and in those fields that make use of its synchrotron radiation facilities, including biology, chemistry, geology, material science and electrical engineering. This includes the development of new techniques in 1) particle acceleration and detection and 2) synchrotron radiation sources and associated instrumentation. The center is operated as a national user facility for the Department of Energy by Stanford University.

Organizational Mission

The Unclassified Computer Security function is responsible for coordinating and promoting programs within the Laboratory to assure that information resources provide protection commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access or from modification of such information resources and to assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability protection.

The Unclassified Computer Security functional area self-assessment is based on, and measured against, performance objectives and standards as reflected in the SLAC contract.

Identification of Self-Assessment Report Staff 

Names, titles, affiliations of participants

Bob Cowles, Computer Security Officer, SLAC

Richard Mount, Director, SLAC Computing Services (SCS)

Scope of Self-Assessment

Status of Open Items from 2000 Review

The SCS Security Group is fully integrated and represented in all computing matters.  In addition, computer security considerations are well represented in the two policy groups, the Computer Coordinating Committee (CCC) and the Associate Directors Committee on Computing (ADCC), by Richard Mount, Director of SLAC Computing Services (SCS) who chairs the former and is an ex-officio member of the latter.

Secure BSD-Network

Continuing work is being performed on the business system network to accommodate several changes in services that are planned:

Progress Reducing Clear Text Passwords

At the end of FY99, the HEP community had replaced all Telnet connections with Secure Shell (ssh).  During FY00, SSRL introduced ssh onto most of its servers and eliminated Telnet to all but two machines.  During FY02, the ftp exceptions for the SSRL machines were eliminated.

Discussion of Individual Performance Objectives 

Performance Objective #3

Information resources are provided protection commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information resources.

Performance Criteria: 3.1

Through a documented unclassified computer security program, SLAC will ensure its information systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability protection.

Discussion

General Security Education

In addition to the security briefing given at the annual Cyber Faire, a computer security briefing was included in the September 2002 Integrated Safeguards and Security Management (ISSM) training.

Web and Anti-Virus Activities

Incoming e-mail at SLAC is stripped of executable attachments at the gateway before it ever gets delivered to the users.  Almost all incoming mail enters SLAC through a single gateway.  The gateway software, PMDF, has within it flexible algorithms for scanning and stripping attachment files that either contain executable macros or are themselves executable. Additionally, further scanning is performed at the MS Exchange server, and  real-time anti-virus scanning is performed at user workstations and home directory file servers.  There were no incidents of virus infection at SLAC in FY2002, other than individual machines brought into the lab by collaborators – and these few machines were quickly detected and cleaned.

Virus signature updates for the anti-virus product InoculateIT are distributed almost immediately to SLAC workstations by means of the networked distribution servers that are part of the product.  According to monthly scans, over 90% of all Windows machines on-site have InoculateIT installed and their virus signatures are up to date.

CSPP Peer Review

In February 2002, a number of outside computer security experts reviewed the SLAC Computer Security program.  The summary from the review committee’s report stated:

“The committee endorses the plans presented and the continuation of the current methods. A key to the successful Cyber Security Program is the quality and dedication of the current computer security team. The review demonstrated that from the highest level of management and throughout the user community there is recognition and practice of safe computing procedures.

We note the early involvement of security personnel in computer initiatives at the Laboratory and recognize this as a key to the ongoing successful cyber security posture. Anticipated new initiatives will involve global partnerships and expand the computing and security requirements. To meet these new challenges the committee recommends that the SLAC computer security team continue their vigilance and to invest in and research evolving technologies such as perimeter protection, enhanced authentication techniques and intrusion detection.”

In general, compliance with the CSPP received an average rating of 9 on a scale of 1 to 10.

SPAM

SLAC continues to be aggressive in suppressing SPAM when there are complaints from the user community.  We do this, once again at the mail gateway, by blocking incoming e-mail from ranges of offending IP addresses (for example, blocking traffic from all IP addresses in the range 24.28.42.*).  At present, we have blocked more than 25,000 such ranges.  There are over 1400 additions each month, and approximately 4-6 removals per month when requested by a SLAC user in order to receive e-mail from someone off-site.

The SLAC community enthusiastically supports this program and complains loudly when new “spammers” discover the Laboratory.  The only downside is the on-going staff effort that must be expended in maintaining the lists of blocked ranges.

Management of Linux desktops

The SCS Unix Systems Group completed and deployed software to standardize the management of Linux systems.  This software is used extensively on all central Linux servers and is strongly encouraged for Linux desktops.  Penetration of this technology for the desktop systems has been high, going from 20-25% last year to the 85-90% range this year.

Status of FY2002 Goals:

  1. Continue an appropriate computer security education program for SLAC.

General computer security training was incorporated into the newly implemented ISSM program.  Additional security training was available for people with system admin responsibilities; 61 people took advantage of classes for securing Windows XP, IIS web servers, and Unix/Linux systems.

  2. Automate account clean-up procedures for departed users (prior to establishment of automated procedures).

The clean-up procedures are in place and operating.

  3. Develop appropriate Performance Measures for the Peer Review era of Laboratory Review.

Held a peer review of the computer security program and received a report that was very complimentary.

Improvement Action Plan/Goals

Goals for FY2003:

  1. Update CSPP and submit to DOE
  2. Complete clean-up of accounts belonging to long departed users or staff.
  3. Participate in development of future Grid security models.

The Laboratory’s true performance with regard to Unclassified Computer Security is perhaps best measured by the things that did NOT happen during FY2002:

The Laboratory has had an outstanding year of accomplishments in the area of computer security.



For questions or comments, please contact Ziba Mahdavi.  Last updated 10/30/02