Irwin Gaines

It is with great sadness that I report the unexpected and untimely passing of Joe Klemencic, Fermilab’s deputy chief information security officer. Joe joined Fermilab in 2001 as the first full-time cyber security analyst to be hired by the lab. He first worked in the Business Services Section, running the small group that secured all the financial applications. He later moved to the Computing Division, where he established and ran the cyber security team that provides protection for the entire…

As phishing becomes more widespread and as attackers learn to make their phishing attempts more and more devious, exposure of usernames and passwords has become one of our primary cybersecurity risks. The best way to mitigate this risk is to use multifactor authentication. With multifactor authentication in place, a stolen credential alone will no longer provide access to Fermilab systems because one must also use a second factor to authenticate to these systems.

We will soon require the use of multifactor authentication for VPN. Beginning April 15, if you do not have a properly installed and configured Fermilab Root CA certificate on the devices you use for laboratory VPN access, you will receive an error message when you attempt to log in to the VPN client. Configure your certificate now if you haven’t already. The next step will be to issue MFA tokens.

Multifactor authentication has been in use at Fermilab for more than two years for a very limited group of employees. However, due to increased cybersecurity risks to our lab data, this will soon change. Currently, individuals who need access to our sensitive financial, HR and security systems use MFA. Over the next several months, we will be taking steps to expand MFA, most notably to include VPN access.

Most Fermilab employees and users know how to identify a phishing email. Now let’s get everyone to recognize one.

We provide policies, procedures and guidelines for operating lab computing systems in a secure manner to avoid interruptions caused by attacks by unauthorized users.