Self-inspection for security

Fermilab conducts its own audits of computing systems to keep the site safe. Photo: Joe Hall

Fermilab’s cybersecurity team constantly scans and assesses the laboratory site and computing operations for security vulnerabilities. As most Fermilab Today readers know, finding vulnerabilities before a malevolent outsider does is critical. Less obvious, however, is that it’s important to find and fix these flaws before an external auditor discovers them. Unmitigated vulnerabilities may be seen as evidence of deficiencies in our security program.

Several DOE organizations regularly audit Fermilab on various items, including security. These auditors conduct external vulnerability scanning (using external Internet connections), internal scanning (using the Fermilab network), and the physical inspection of buildings, offices and computer systems. They may enter buildings they find unlocked after office hours and search for computers not locked by screen savers. They even require us to turn off some of our automated defenses in order to scan our site.

In years past, auditors have discovered cyber vulnerabilities and obtained access to systems they should not have been able to use. In most (but not all) cases, these findings did not represent significant risks to our security, since a successful breach would have required the attacker to be physically present on our site. However, such findings still represent security shortcomings.

Thus it is important for us to perform our own scans and audits, both for vulnerabilities we consider real dangers and for issues an auditor might be concerned about. We run continuous scans looking for instances of what we have classified as critical vulnerabilities, which may result in immediate network blocks for the affected systems. We watch for the appearance of outdated operating systems on our network. Several times a year we perform full-scale labwide penetration tests, covering the full set of vulnerabilities an auditor might also look for. Once a year, we do our own physical walk-throughs after business hours, looking for open buildings and offices with computers left in a vulnerable state.

Discovery of any of these exposures will generate a message to the user to request fixes or patches but will not necessarily issue an immediate block.

Vigilant scanning coupled with good cooperation from users has had a positive effect, as recent external audits have not found any significant vulnerabilities. In our recently concluded physical walk-through, conducted without advance warning to users, we did find instances of passwords written down in close proximity to computers, and some buildings that had been locked in the past were open. On the positive side, we found only 21 systems with open sessions on their screens, significantly fewer than in previous walk-throughs. Also, users stopped and questioned the Security Team more frequently, which is a good indicator of user awareness.

It appears that good user conduct protects the large majority of systems. Let’s continue to be vigilant.

Irwin Gaines