Performance Based Management
Self-Assessment Report
October 2002

Unclassified Computer Security

Introduction/Background

Contractor

Contract No.: DE-AC03-76SF00515
Point of Contact: Bob Cowles
Telephone No.: (650) 926-4965
E-mail: rdc@slac.stanford.edu

DOE Office

IMD Name: Nancy Adair
Telephone No.: (510) 637-1741
CO Name: Tyndal Lindler
Telephone No.: (650) 926-5076 (SLAC)
E-mail: tyndal.lindler@oak.doe.gov

Date of last assessment: October 2002

Departmental Overview

Laboratory Mission

The Stanford Linear Accelerator Center is the lead Department of Energy (DOE) laboratory for electron-based high energy physics. It is dedicated to research in elementary particle physics, accelerator physics and in allied fields that can make use of its synchrotron radiation facilities—including biology, chemistry, geology, materials science and environmental engineering. Operated on behalf of the DOE by Stanford University, SLAC is a national user facility serving universities, industry and other research institutions throughout the world. Its mission can be summarized as follows:

Organizational Mission

The Unclassified Computer Security function is responsible for coordinating and promoting programs within the Laboratory to assure that information resources provide protection commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access or from modification of such information resources and to assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability protection.

The Unclassified Computer Security functional area self-assessment is based on, and measured against, performance objectives and standards as reflected in the SLAC contract.

Identification of Self-Assessment Report Staff

Names, titles, affiliations of participants

Bob Cowles, Computer Security Officer (CSO), SLAC

Richard Mount, Director, SLAC Computing Services (SCS)

Scope of Self-Assessment

General Security Education

A computer security briefing was included in the September 2003 Integrated Safety Management System (ISMS) training given to all SLAC staff. Over ninety students attended a variety of security-related classes taught by Microsoft or by Gene Schultz of Lawrence Berkeley National Laboratory.

Web and Anti-Virus Activities

Almost all incoming mail enters SLAC through a single gateway that runs flexible algorithms for scanning and stripping potentially harmful attachment files. Further scanning is performed at the MS Exchange server, and real-time anti-virus scanning is performed on users' workstations and on the home directory file servers. There were no reportable incidents of serious virus infection at SLAC in FY2003, other than on individual machines brought into the lab by collaborators, and these few machines were quickly detected and cleaned. According to our monthly scans, over 90% of all Windows machines on site have InoculateIT installed with an up-to-date virus signature.
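The attachment-stripping step described above, as an added illustration rather than SLAC's gateway software: a Python filter that walks a MIME message, replaces each attachment whose extension or declared content type is on a blocklist with a short text notice, and returns the list of what it removed. The blocklist, the host names and the sample message are constructed for the example; the report itself names only "mid" as a file type added to the gateway's strip list (July 2003).

```python
"""Added example: strip risky attachments at a mail gateway.

Illustration only, not SLAC's gateway software. The extension and
content-type blocklists and the sample message are constructed.
"""
import email
import os
from email import policy
from email.message import EmailMessage, MIMEPart

# Assumed blocklist. The report names only "mid" as a type added in July 2003.
STRIP_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js", ".mid"}
STRIP_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def is_blocked(filename: str, content_type: str = "") -> bool:
    """Match on the final extension (case-insensitive) or on the declared MIME type."""
    ext = os.path.splitext(filename.strip().lower())[1]
    return ext in STRIP_EXTENSIONS or content_type.lower() in STRIP_CONTENT_TYPES


def _notice(label: str) -> MIMEPart:
    """Inline text part that takes the place of a removed attachment."""
    part = MIMEPart()
    part.set_content(f"[attachment {label!r} removed by mail gateway policy]")
    return part


def _sanitize(part, stripped: list):
    """Recursively rebuild the MIME tree, swapping blocked leaf parts for notices."""
    if part.is_multipart():
        part.set_payload([_sanitize(sub, stripped) for sub in part.get_payload()])
        return part
    name = part.get_filename() or ""
    ctype = part.get_content_type()
    if is_blocked(name, ctype):
        label = name or ctype
        stripped.append(label)
        return _notice(label)
    return part


def strip_attachments(raw: bytes):
    """Return (sanitized message bytes, list of removed attachment names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped: list = []
    _sanitize(msg, stripped)
    return msg.as_bytes(), stripped


def attachment_names(raw: bytes):
    """Filenames of every part that carries one, in message order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample() -> bytes:
    """Constructed test message: one harmless and two blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "collaborator@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "files"
    msg.set_content("See attached.")
    msg.add_attachment("plain notes", filename="notes.txt")
    msg.add_attachment(b"MThd", maintype="audio", subtype="midi", filename="greeting.mid")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="invoice.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    clean, removed = strip_attachments(build_sample())
    print("removed:", removed)
    print(clean.decode())
```

The filter rebuilds the tree instead of deleting parts so the recipient sees what was removed, and it tests the last extension only; a gateway doing this for real would also need to open archives and check double extensions, which the example leaves out.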

In order to improve the management of the web servers, files with restricted access were moved to a new web server, www-internal. By segregating these files to be protected from open access, we significantly reduced the likelihood that configuration errors on the Windows-based web servers could result in the inadvertent disclosure of information intended for SLAC staff and users.

Secure BSD-Network

Continuous work is being performed on the business system network to accommodate several changes in services that are planned:

- PeopleSoft HR and Financials applications are moving to PeopleSoft version 8, which will require substantial changes in the security structure to accommodate broader access to PeopleSoft information through a web and application server (3-tier) architecture.

- A business systems DMZ network has been developed, driven by the need to exchange information with Stanford campus HR systems.

SPAM

In May 2003 SLAC introduced spam-tagging software (PureMessage) at the mail gateways and stopped the long-standing practice of blocking IP domains when spam was received (more than 30,000 domains had been blocked). SLAC has chosen to scan, tag if spam, and deliver all email, and not to quarantine any messages. For the most part, the user community has been extremely happy with this solution. Since the introduction of the service, only 23 users out of more than 1700 have asked to be opted out. We did not remove the prior IP blocks but continue to remove blocks on request.

Management of Windows systems

Traditionally, desktop administrators have had to visit individual systems to apply security patches. While this is quite time consuming, until this year the border firewall and the stripping of executable attachments gave us a substantial time buffer in which to get patches applied to all systems. As desktop systems are converted to Windows XP, the plan is to distribute OS updates through Software Update Services (SUS) and application updates through Group Policy Objects (GPO). With the flurry of critical security patches starting in July 2003, SLAC gained a lot of experience in how these systems worked in practice and saw significant time savings in departments where the conversion to Windows XP was substantially complete.

Management of Linux and Solaris systems

The SCS Unix Systems Group uses software to standardize the management of Red Hat Linux and Sun Solaris systems. This software is used on all central Linux and Solaris servers and is strongly encouraged for desktop systems. Once the code was available to protect against a recently announced vulnerability, use of this software allowed over two thousand systems to be patched within four hours.

Discussion of Individual Performance Objectives

Performance Objective # 3

Information resources are provided protection commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information resources.

Performance Criteria: 3.1

Through a documented unclassified computer security program, SLAC will ensure its information systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability protection.

Discussion

Activities in response to threats

10/02 Solaris patches for TTYPROMPT overflow

10/02 Microsoft VPN servers patched for DoS vulnerability

11/02 cumulative patch for IIS MS02-062

11/02 Warned users about email mass mailing hoax

11/02 Dial-up account password change

11/02 Blocked UDP/53 from offsite except for official DNS servers

11/02 Holiday greeting card alert

12/02 Fix multiple vulnerabilities in KDE

01/03 Mozilla security upgrade

01/03 Cleanup of old DHCP entries

01/03 Warn users to update CVS

01/03 Block MSSQL server ports following SQL Slammer worm

01/03 MSSQL patch against slammer worm

02/03 Solaris patches for priocntl and utmp_update vulnerabilities

02/03 Oracle security patches applied

03/03 Sendmail patch applied to all Unix/Linux systems

03/03 Notified admins of systems running Sun’s Answerbook to patch

04/03 Linux ptrace vulnerability patched

04/03 Sendmail vulnerability patched

04/03 All IIS servers patched for WebDAV exploit

04/03 Solaris dtsession vulnerability patched

05/03 Red Hat Linux kernel security fixes for local root vulnerability

05/03 Notified users of Axis camera of security patch

05/03 Linux systems patched for xpdf vulnerability

06/03 IIS web servers patched MS03-018

06/03 Warned Apple Mac OS X users of an important security update

07/03 Windows RPC patch MS03-026

07/03 Cisco routers & switches patched for DoS vulnerability

07/03 Mozilla patches applied to Linux systems

07/03 MSSQL patch SP3

07/03 Started removing attachments with filetype of "mid"

08/03 Microsoft networking ports blocked outbound

08/03 Warned admins of IRIX systems about remote root vulnerability

08/03 Oracle systems patched for EXTPROC vulnerability

08/03 Solaris patch levels updated incl runtime linker vulnerability

08/03 Change in Windows patching schedule

08/03 Warning to users about SoBig virus spoofing "From" addresses

08/03 Windows critical patches MS03-030 (DirectX), 032 (IE), 033 (MDAC)

09/03 MS Office patches – patching started, plus VBA vulnerability

09/03 Windows RPC DCOM patch MS03-039

09/03 Pine security patches applied on Unix/Linux systems

09/03 Block additional outbound ports UDP/445 and TCP/593

09/03 OpenSSH patched on all Unix & Linux systems

09/03 OpenSSH patched again on all Unix & Linux systems

09/03 Backlevel Red Hat Linux machines shut down

09/03 Sendmail patch for remote root exploit

09/03 Solaris – shutdown sadmind on systems where still running

09/03 ProFTPD patched for ASCII file vulnerability

Windows desktop security patch application

With the recent vulnerabilities in Windows desktop systems, the security team has been performing almost daily scans for desktop systems that remain to be patched, and a report based on each scan is sent to the system administrators. The chart below shows that as we gain more experience, we are getting systems patched with less delay.
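One way to turn those daily scans into the delay figures the chart reports, added here as an illustration and not the security team's own scripts: each scan is recorded as the set of hosts still found unpatched, from which the fraction of the fleet patched per day, the days to reach a coverage target, and the per-administrator list for the next report follow. The host names, owners and scan results are constructed; the two release dates are Microsoft's bulletin dates for MS03-026 (16 July 2003) and MS03-039 (10 September 2003), both of which appear in the activity list above.

```python
"""Added example: patch-rollout metrics from daily 'still unpatched' scan results.

Illustration only, not the SLAC security team's scripts. Hosts, owners and
scan results are constructed; the two release dates are the bulletin dates.
"""
from datetime import date

# Constructed inventory: host -> responsible desktop administrator.
OWNERS = {"ws01": "alice", "ws02": "alice", "ws03": "bob", "ws04": "bob", "ws05": "carol"}

# Constructed scan results: (scan date, hosts the scanner still found unpatched).
MS03_026_RELEASED = date(2003, 7, 16)
SCANS_MS03_026 = [
    (date(2003, 7, 17), {"ws01", "ws02", "ws03", "ws04", "ws05"}),
    (date(2003, 7, 21), {"ws02", "ws03", "ws04", "ws05"}),
    (date(2003, 7, 25), {"ws03", "ws05"}),
    (date(2003, 7, 30), {"ws05"}),
    (date(2003, 8, 4), set()),
]
MS03_039_RELEASED = date(2003, 9, 10)
SCANS_MS03_039 = [
    (date(2003, 9, 11), {"ws01", "ws02", "ws03", "ws04", "ws05"}),
    (date(2003, 9, 12), {"ws02", "ws04"}),
    (date(2003, 9, 15), set()),
]


def progress(release, scans, fleet=OWNERS):
    """[(days since release, fraction of the fleet still unpatched)] in scan order."""
    total = len(fleet)
    return [((when - release).days, len(unpatched) / total)
            for when, unpatched in sorted(scans, key=lambda s: s[0])]


def days_to_coverage(release, scans, target=0.90, fleet=OWNERS):
    """Days from release until a scan first shows at least `target` of the fleet patched.

    Returns None if no scan in the series reached the target.
    """
    for days, remaining in progress(release, scans, fleet):
        if 1.0 - remaining >= target:
            return days
    return None


def outstanding_report(scans, owners=OWNERS):
    """Hosts still unpatched in the latest scan, grouped by the admin who gets the e-mail."""
    latest = max(scans, key=lambda s: s[0])[1]
    report = {}
    for host in sorted(latest):
        report.setdefault(owners.get(host, "unknown"), []).append(host)
    return report


if __name__ == "__main__":
    for name, rel, scans in (("MS03-026", MS03_026_RELEASED, SCANS_MS03_026),
                             ("MS03-039", MS03_039_RELEASED, SCANS_MS03_039)):
        print(name, "90% patched after", days_to_coverage(rel, scans), "days")
    print(outstanding_report(SCANS_MS03_026[:3]))
```

Counting from the bulletin date rather than from the first scan keeps the metric honest about the window in which the vulnerability was exploitable on site; hosts the scanner cannot reach (powered off, off site) stay in the unpatched set until a scan proves otherwise.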

Reportable Incidents

In late March, a user's password was compromised at another institution. It appears that the Linux "ptrace" vulnerability was then used to compromise several systems and install the SK rootkit. These systems were reinstalled, and all users who had logged into a compromised system were required to change their password at SLAC and were advised to change their passwords everywhere else.

As a result of this incident, we have become much more aggressive about applying patches for vulnerabilities involving local root compromises.

Status of FY2003 Goals:

The CSPP was updated and approved by SLAC management in December, 2002. There have been no negative comments received from DOE about the CSPP.
There has been a tremendous effort in closing accounts belonging to terminated staff and users. There are policies and procedures regarding closure of accounts belonging to those who no longer have an active affiliation with SLAC. Approximately 100 accounts more than two months past the end of affiliation are yet to be closed, and by far the majority of them are less than one year old. We will close these accounts as we review and determine a course of action for each individual account.

SLAC security representatives actively participated in all Global Grid Forum security groups including attending meetings, contributing to and editing formal documents, and participating in regular conference calls. They also participate in the LCG Security group and the EDG Certification Authority group representing non-LHC experiments, in addition to strong representation and participation in BaBar grid activities.

Improvement Action Plan/Goals

Goals for FY2003:

The Laboratory’s true performance with regard to Unclassified Computer Security is perhaps best measured by the things that did NOT happen during FY2003: