Cybersecurity incidents

One of the lab’s most significant vulnerabilities is its Web servers, so Fermilab limits systems offering Web services. Image: ivanpw

We do not have many cybersecurity incidents at Fermilab, but when we do, it is useful to examine their root causes and draw lessons on how we can improve our security practices. Minor incidents, like a virus infection on a single machine, are expected to happen with modest frequency and don’t necessarily require extreme scrutiny. But unusual and unexpected occurrences, such as an incident we had last week, do require rigorous examination.

Last week’s incident began with a Web server offering Plone services. Plone is a popular content management system used for sharing documents with authorized individuals and for providing managed document workflows. There are several instances of Plone in use at the laboratory.

Employees must obtain approval before creating a Plone account. However, one Plone instance allowed self-registration by anyone on the Internet, with no approvals required. This allowed individuals not associated with the lab (or, more likely, automated programs running on compromised computers) to sign up for Plone accounts and post material on that particular lab Web server. In this case, they posted links that supported various spam enterprises (and pointers to their Plone pages elsewhere on the Internet), so that a laboratory Web server was lending its reputation to spam. That is what constituted the security incident.

This incident was quickly contained, as we removed the server with the illicit Plone content from the Internet. However, it raised several issues that we can learn from to improve our security:

  1. Obviously, we will make sure no other Web servers offering applications like Plone allow this type of self-registration. More generally, we will be looking at other applications that allow user signups without approvals.
  2. This again points out that one of our most significant security vulnerabilities is with our Web servers. All systems offering Web services to the Internet present an attractive target, especially when they are running applications, like Plone, that may not be configured securely. We will continue efforts to limit the number of systems offering Web services, both by migrating Web pages to centrally managed systems and by controlling which services and applications are offered on laboratory Web servers.
  3. We will try to improve our system and application administrators’ knowledge of what services are running on their systems so they can help ensure those applications are configured securely, even when installed by others.
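The open self-registration described above, and the review of other applications with unapproved sign-ups promised in item 1, can be turned into a repeatable check. The script below is an added example written for this column and is not Fermilab’s own tooling. It sweeps a list of Web servers for sign-up pages that an anonymous visitor can reach, and classifies each reply. Its assumptions (none of which come from the column): that Plone exposes its registration form at /@@register (Plone 4) or /join_form (Plone 3), that a site with self-registration disabled answers those URLs with a redirect to its login form or with 401/403, and that Plone’s login form uses the field name __ac_name, while a registration form asks for an e-mail address. The path list CANDIDATE_PATHS and the sample HTML in the usage are constructed for the example.

```python
"""Sweep Web servers for anonymously reachable sign-up pages.

Added example for the column above; not Fermilab's own tooling.
Assumptions (not from the column): Plone's registration form lives at
/@@register (Plone 4) or /join_form (Plone 3); a site with
self-registration disabled redirects to its login form or answers
401/403; Plone's login form carries an input named __ac_name, while a
registration form carries an e-mail input. Extend CANDIDATE_PATHS for
other applications that offer sign-ups.
"""
import sys
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# Registration paths to try on every host (assumed, see module docstring).
CANDIDATE_PATHS = ("/@@register", "/join_form", "/register", "/signup")

# A sign-up form asks an anonymous visitor for an e-mail address.
EMAIL_FIELD = re.compile(r'<input[^>]*\bname=["\']?[^"\'>\s]*email', re.I)
# Plone's login form asks for an existing user name in __ac_name.
LOGIN_INPUT = re.compile(r'\bname=["\']?__ac_name', re.I)
# Redirect targets that mean "log in first", i.e. sign-up is closed.
LOGIN_URL = re.compile(r'login_form|@@login|/login\b', re.I)


@dataclass
class Response:
    """The parts of one HTTP reply the classifier looks at."""
    status: int
    location: str = ""
    body: str = ""


def classify(resp):
    """Return 'open', 'closed', 'absent' or 'unknown' for one probe."""
    if resp.status in (401, 403):
        return "closed"
    if resp.status == 404:
        return "absent"
    if 300 <= resp.status < 400:
        # A bounce to the login form is the normal "disabled" answer.
        return "closed" if LOGIN_URL.search(resp.location) else "unknown"
    if resp.status == 200:
        asks_email = bool(EMAIL_FIELD.search(resp.body))
        asks_login = bool(LOGIN_INPUT.search(resp.body))
        if asks_email and not asks_login:
            return "open"       # a registration form rendered for Anonymous
        if asks_login and not asks_email:
            return "closed"     # the login form rendered in place
        return "unknown"        # neither, or both: review by hand
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 3xx reply instead of following it; we classify the Location."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=10):
    """Fetch one URL anonymously and return a Response; network errors give status 0."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "signup-audit/1.0"})
    try:
        with opener.open(req, timeout=timeout) as r:
            return Response(r.status, r.headers.get("Location", ""),
                            r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        # Un-followed redirects and 4xx/5xx replies arrive here.
        return Response(e.code, e.headers.get("Location", ""),
                        e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as e:
        return Response(0, "", str(e))


def sweep(base_urls, fetch=probe, paths=CANDIDATE_PATHS):
    """Return [(url, verdict)] for every sign-up URL not shown to be closed or absent."""
    findings = []
    for base in base_urls:
        for path in paths:
            url = base.rstrip("/") + path
            verdict = classify(fetch(url))
            if verdict in ("open", "unknown"):
                findings.append((url, verdict))
    return findings


if __name__ == "__main__":
    # Usage: python signup_audit.py https://plone1.example https://docs.example
    for url, verdict in sweep(sys.argv[1:]):
        print(f"{verdict:8} {url}")
```

A verdict of "open" means an unauthenticated visitor was handed a registration form, which is exactly the condition behind last week’s incident; "unknown" replies should be checked by hand rather than ignored. Closing the hole on the application side is a configuration change, not a code change: in Plone the self-registration switch lives in the site’s Security control panel, and the sweep is a way to confirm that the switch is actually off on every instance, including ones installed by others.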

Please be understanding as we roll out policies and procedures to accomplish these objectives. And thanks to the entire lab community for their collective efforts to help minimize security incidents.

Irwin Gaines