The Stanford Linear Accelerator Center is the lead Department of Energy (DOE) laboratory for electron-based high energy physics. It is dedicated to research in elementary particle physics, accelerator physics and in allied fields that can make use of its synchrotron radiation facilities—including biology, chemistry, geology, materials science and environmental engineering. Operated on behalf of the DOE by Stanford University, SLAC is a national user facility serving universities, industry and other research institutions throughout the world. Its mission can be summarized as follows:
The Unclassified Computer Security function is responsible for coordinating and promoting programs within the Laboratory to assure that information resources provide protection commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access or from modification of such information resources and to assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability protection.
The Unclassified Computer Security functional area self-assessment is based on, and measured against, performance objectives and standards as reflected in the SLAC contract.
Bob Cowles, Computer Security Officer (CSO), SLAC
Richard Mount, Director, SLAC Computing Services (SCS)
General Security Education
A computer security briefing was included in the September, 2003, Integrated Safety Management System (ISMS) training given to all SLAC staff. Over ninety students attended a variety of security-related classes taught by Microsoft or by Gene Schultz from Lawrence Berkeley National Lab.
Web and Anti-Virus Activities
Almost all incoming mail enters SLAC through a single gateway that runs flexible algorithms for scanning and stripping potentially harmful attachment files. Further scanning is performed at the MS Exchange server, and real-time anti-virus scanning is performed at the users’ workstations and home directory file servers. There were no reportable incidents of serious virus infection at SLAC in FY2003, other than individual machines brought into the lab by collaborators – and these few machines were quickly detected and cleaned. According to our monthly scans, over 90% of all Windows machines on-site have InoculateIT installed and their virus signatures are up to date.
In order to improve the management of the web servers, files with restricted access were moved to a new web server, www-internal. By segregating these files to be protected from open access, we significantly reduced the likelihood that configuration errors on the Windows-based web servers could result in the inadvertent disclosure of information intended for SLAC staff and users.
Secure BSD-Network
Continuous work is being performed on the business system network to accommodate several changes in services that are planned:
- PeopleSoft HR and Financials applications are moving to PeopleSoft version 8, which will require substantial changes in the security structure to accommodate broader access to PeopleSoft information through a web and application server (3 tier) architecture.
- A business systems’ DMZ network has been developed, driven by the need to exchange information with Stanford campus HR systems.
SPAM
In May 2003, SLAC introduced spam-tagging software (PureMessage) at the mail gateways and stopped the long-standing practice of blocking IP domains when spam was received (more than 30,000 domains had been blocked). SLAC has chosen to scan, tag-if-spam and deliver all email, and not to quarantine any messages. For the most part, the user community has been extremely happy with this solution. Since the introduction of the service, only 23 users out of more than 1700 have requested to be opted out. We did not remove the prior IP blocks but continue to remove them on request.
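The two gateway policies described above (strip risky attachment types, then scan, tag-if-spam and deliver rather than quarantine) as an added example in Python; this is illustrative code written for this page, not SLAC's gateway or the PureMessage product. The extension blocklist, the "[SPAM]" subject tag, the X-Gateway-Spam-Score header and the sample message are all constructed assumptions.

```python
"""Mail-gateway policy: strip risky attachments, tag spam, always deliver."""
from email.message import EmailMessage

# Assumed blocklist (constructed): executable types plus "mid", per the 07/03 entry.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "bat", "com", "vbs", "mid"}
SPAM_TAG = "[SPAM]"  # assumed subject tag; the gateway product's own tag is not given

def is_blocked(filename):
    """True when the attachment's extension is on the blocklist (case-insensitive)."""
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS

def strip_attachments(msg):
    """Replace blocked attachments with a text notice, in place; return removed names."""
    removed = []
    if not msg.is_multipart():
        return removed
    kept = []
    for part in msg.iter_parts():
        name = part.get_filename()
        if is_blocked(name):
            removed.append(name)
            notice = EmailMessage()
            notice.set_content(f"Attachment {name!r} removed by gateway policy.")
            kept.append(notice)
        else:
            removed.extend(strip_attachments(part))  # recurse into nested multiparts
            kept.append(part)
    msg.set_payload(kept)
    return removed

def tag_spam(msg, score, threshold=5.0):
    """Tag-if-spam and deliver: the message is never dropped or quarantined."""
    msg["X-Gateway-Spam-Score"] = f"{score:.1f}"  # assumed header name
    if score >= threshold:
        msg.replace_header("Subject", f"{SPAM_TAG} {msg['Subject']}")
        return True
    return False

def build_sample():
    """Constructed sample message: text body plus a .mid and a .pdf attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.org", "card"
    msg.set_content("Please open the attached card.")
    msg.add_attachment(b"MThd", maintype="audio", subtype="midi", filename="card.mid")
    msg.add_attachment(b"%PDF-", maintype="application", subtype="pdf", filename="report.pdf")
    return msg
```

The spam score is taken as an input from whatever scanner sits in front of this policy; the point shown is that a high score changes only the Subject and an added header, so delivery still happens.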
Management of Windows systems
Traditionally, desktop administrators have had to visit individual systems to apply security patches. While this is quite time consuming, until this year the border firewall and stripping of executable attachments gave us a substantial time buffer to get patches applied to all systems. As desktop systems are converted to Windows XP, the plan is to be able to distribute OS updates through a Software Update Server (SUS) and application updates through Group Policy Objects (GPO). With the flurry of critical security patches starting in July, 2003, SLAC gained a lot of experience in how these systems worked in practice and experienced significant time savings in departments where conversion to Windows XP was substantially complete.
Management of Linux and Solaris systems
The SCS Unix Systems Group uses software to standardize the management of Red Hat Linux and Sun Solaris systems. This software is used on all central Linux and Solaris servers and is strongly encouraged for desktop systems. Once the code was available to protect against a recently announced vulnerability, use of this software allowed over two thousand systems to be patched within four hours.
Performance Objective # 3
Information resources are provided protection commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information resources.
Performance Criteria: 3.1
Through a documented unclassified computer security program, SLAC will ensure its information systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability protection.
Activities in response to threats
10/02 Solaris patches for TTYPROMPT overflow
10/02 Microsoft VPN servers patched for DoS vulnerability
11/02 cumulative patch for IIS MS02-062
11/02 Warned users about email mass mailing hoax
11/02 Dial-up account password change
11/02 Blocked UDP/53 from offsite except for official DNS servers
11/02 Holiday greeting card alert
12/02 Fix multiple vulnerabilities in KDE
01/03 Mozilla security upgrade
01/03 Cleanup of old DHCP entries
01/03 Warn users to update CVS
01/03 Block MSSQL server ports following SQL Slammer worm
01/03 MSSQL patch against slammer worm
02/03 Solaris patches for priocntl and utmp_update vulnerabilities
02/03 Oracle security patches applied
03/03 Sendmail patch applied to all Unix/Linux systems
03/03 Notified admins of systems running Sun’s Answerbook to patch
04/03 Linux ptrace vulnerability patched
04/03 Sendmail vulnerability patched
04/03 All IIS servers patched for WebDAV exploit
04/03 Solaris dtsession vulnerability patched
05/03 Red Hat Linux kernel security fixes for local root vulnerability
05/03 Notified users of Axis camera of security patch
05/03 Linux systems patched for xpdf vulnerability
06/03 IIS web servers patched MS03-018
06/03 Warned Apple Mac OS X users of an important security update
07/03 Windows RPC patch MS03-026
07/03 Cisco routers & switches patched for DoS vulnerability
07/03 Mozilla patches applied to Linux systems
07/03 MSSQL patch SP3
07/03 Started removing attachments with filetype of "mid"
08/03 Microsoft networking ports blocked outbound
08/03 Warned admin of IRIX systems about remote root vulnerability
08/03 Oracle systems patched for EXTPROC vulnerability
08/03 Solaris patch levels updated incl runtime linker vulnerability
08/03 Change in Windows patching schedule
08/03 Warning to users about SoBig virus spoofing "From" addresses
08/03 Windows critical patches MS03-030 (DirectX), 032 (IE), 033 (MDAC)
09/03 MS Office patches – patching started, plus VBA vulnerability
09/03 Windows RPC DCOM patch MS03-039
09/03 Pine security patches applied on Unix/Linux systems
09/03 Block additional outbound ports UDP/445 and TCP/593
09/03 OpenSSH patched on all Unix & Linux systems
09/03 OpenSSH patched again on all Unix & Linux systems
09/03 Backlevel Red Hat Linux machines shut down
09/03 Sendmail patch for remote root exploit
09/03 Solaris – shut down sadmind on systems where still running
09/03 ProFTPD patched for ASCII file vulnerability
Windows desktop security patch application
With the recent vulnerabilities in Windows desktop systems, the security team has been performing almost daily scans for desktop systems that remain to be patched, and a report based on each scan is sent to the responsible system administrators. The chart below shows that as we gain more experience, we are getting the systems patched with less delay.
Reportable Incidents
In late March, a user had their password compromised at another institution. It appears that the Linux "ptrace" vulnerability was used to compromise several systems and install the SK rootkit. These systems were reinstalled, and all users who had logged into a compromised system were required to change their password at SLAC and were advised to change their passwords everywhere else.
As a result of this incident, we have become much more aggressive about applying patches for vulnerabilities involving local root compromises.
- The CSPP was updated and approved by SLAC management in December, 2002. There have been no negative comments received from DOE about the CSPP.
Complete clean-up of accounts belonging to long departed users or staff.
- There has been a tremendous effort in closing accounts belonging to terminated staff and users. There are policies and procedures regarding closure of accounts belonging to those who no longer have an active affiliation with SLAC. There are approximately 100 accounts over 2 months old that are yet to be closed, and by far the majority of them are less than one year old. We will close these accounts as we review and determine a course of action for each individual account.
Participate in development of future Grid security models.
SLAC security representatives actively participated in all Global Grid Forum security groups including attending meetings, contributing to and editing formal documents, and participating in regular conference calls. They also participate in the LCG Security group and the EDG Certification Authority group representing non-LHC experiments, in addition to strong representation and participation in BaBar grid activities.
Improvement Action Plan/Goals
Goals for FY2003:
- Improve the timeliness with which Windows patches are installed on desktop systems.
- Complete clean-up of accounts belonging to long departed users or staff.
- Institute enforcement of password aging for Unix systems.
The Laboratory’s true performance with regard to Unclassified Computer Security is perhaps best measured by the things that did NOT happen during FY2003:
There were no significant infestations of viruses or worms.
There were no web server defacements.