CERN Computer Security Recommendations

1. Don't open unexpected e-mail attachments.

Viruses often hide in e-mails from strangers, but can also appear to come from someone you know. Opening an attachment can activate a virus and place your computer at risk. If you are not expecting the attachment, either delete the e-mail directly or obtain further details from the sender before opening the attachment. The safest way to read an attachment is to first copy it to disk and then open it using the appropriate program (Word, Excel, ...). You can also run an anti-virus check on the file before opening it.

2. Click "cancel" (instead of "ok") or close unexpected dialogue boxes when using the web.

Visiting a web site sometimes results in dialogue boxes. If you don't expect them or don't understand them then either click "cancel" or close the dialogue box. If you click "ok", you may be agreeing to transfer and run a file containing a virus.

3. Don't answer or forward unsolicited e-mail - delete it immediately.

We all receive unexpected e-mail: advertising, requests for money or support for a cause. Sometimes it appears to come from an organisation or person that we know, maybe even from someone at CERN. The "From" address of these e-mails has usually been forged and cannot be trusted. The contents of the e-mail may contain a trick, particularly if it invites you to visit a web site or contains an attachment. If you react to such e-mails you risk introducing a virus into CERN, exposing your personal information (such as your e-mail address, which leads to even more of these e-mails), and wasting time and money. The more realistic the mail, particularly if it is related to a recent or topical event, the more dangerous it is likely to be. Hoax e-mail warning you of a virus is extremely common - delete it. If the mail asks you to forward it to other people: DO NOT. Unsolicited e-mail can usually be recognised by checking the subject and sender, so don't even read it - delete it rapidly. If you continue to receive unsolicited e-mail from the same sender then you can report this to spam-report@cern.ch. Advice on recognising e-mail intended to trick you is at http://cern.ch/security/spam.

4. Run anti-virus software which is automatically updated (several new viruses appear each day).

CERN's centrally managed NICE PCs are equipped with anti-virus software and are automatically updated to limit damage from known viruses. If a virus is discovered, the anti-virus software will notify you, and prevent it from running (by placing it in quarantine). You should continue to work normally, as the anti-virus service will be automatically informed and will contact you if any further action is required. Occasionally, the anti-virus software cannot completely prevent damage, so if you do experience problems contact helpdesk@cern.ch (tel: 78888) with the name of your PC, details of the error message and problem, and request a virus check.

Anyone managing their own Windows PC is responsible for obtaining, installing and keeping their anti-virus software up-to-date. This applies to all PCs on the CERN network, including those of visitors. Regularly updated anti-virus software is particularly important for portable PCs which are used at other locations and connect to other Internet Service Providers since they bypass CERN's security protections. This not only increases their own chance of infection, but places the whole CERN site at risk, since once infected, they can spread an infection from inside our firewall.

5. Don't copy or run software from non-trusted sources, e.g. via the Internet or physical media such as diskettes or CDs.

Viruses are often hidden inside files. When you copy and run a file containing a virus, you can infect not only your own PC, but can start to spread a virus inside CERN's firewall. Only copy files from trusted sources, such as commercial companies with whom CERN has a software agreement. 

6. Choose secure passwords and change them regularly.

Programs to crack passwords or read them from the network are readily available. To limit the risk of your password being cracked, it should be at least 8 characters long and include letters (both upper and lower case), digits and punctuation. You should change your password regularly and always after a trip where you could have exposed your password at a remote site. More detailed advice is at http://cern.ch/security/passwords.

7. Avoid applications with unencrypted sessions, especially when connecting to CERN from off-site.

Applications such as telnet, ftp and X windows expose all session data, including passwords, in clear on the network. Using such applications, especially to connect to CERN from other sites, carries a strong risk that your password and other personal data will be exposed and used by intruders for malicious activity. You are strongly recommended to use applications, such as ssh, which encrypt session data. More detailed advice is at http://cern.ch/security/ssh.

Web sites prefixed by "http" expose data in clear text on the network. For sensitive data, such as passwords and credit card numbers, ensure that the data is encrypted, e.g. by using web sites prefixed by "https".

8. Use CERN's recommended and centrally managed systems - if you manage your own system or have installed your own applications, you are responsible for keeping the software secure:

  • ensure the software is permitted by CERN's restrictions on software for personal and professional use (documented at http://cern.ch/security/software-restrictions)
  • ensure you have sufficient knowledge of the software you are installing or configuring
  • limit application services listening on network port numbers to the absolute minimum
  • limit the number of users authorised to access the system to a minimum
  • ensure that the system and applications are securely configured
  • ensure that security patches are regularly applied - this may require upgrading to later versions
  • respond quickly to actions proposed by CERN's computer security team
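
An added example (not part of CERN's page): one way to check the "limit listening services" point on a Linux system you manage is to compare the listening sockets reported by `ss -tln` with a short allow-list, flagging the cleartext services named in recommendation 7. The sample output, the allow-list and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -tln` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:23          0.0.0.0:*
LISTEN  0       32      *:21                *:*
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*
LISTEN  0       128     [::]:6000           [::]:*
LISTEN  0       128     [::1]:25            [::]:*
LISTEN  0       100     192.0.2.10:8080     0.0.0.0:*
"""

# Ports whose usual services send session data in clear (recommendation 7).
CLEARTEXT = {21: "ftp", 23: "telnet", 6000: "X11"}
ALLOWED = {22}  # assumption: this host only needs to offer ssh


def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header, blank line or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        yield addr.strip("[]"), int(port)


def is_loopback(addr):
    """True if the socket is only reachable from the local machine."""
    if addr == "*":
        return False  # wildcard bind: reachable on every interface
    return ipaddress.ip_address(addr.split("%")[0]).is_loopback


def audit(ss_output, allowed=ALLOWED):
    """Return sorted findings for network-reachable listeners outside the allow-list."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if is_loopback(addr) or port in allowed:
            continue
        reason = f"cleartext {CLEARTEXT[port]}" if port in CLEARTEXT else "not in allow-list"
        findings.append((port, addr, reason))
    return sorted(findings)


if __name__ == "__main__":
    for port, addr, reason in audit(SAMPLE_SS):
        print(f"{addr}:{port} -> {reason}")
```

Loopback-only listeners are skipped because they are not reachable from the network; each remaining finding is a service to disable, rebind to loopback, or justify and add to the allow-list.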

9. Protect your system by CERN's firewall.

Systems connected to CERN's network must be registered at http://network.cern.ch/register. The default OUTGOING network access allows direct connections to the Internet from CERN, while still offering some protection by CERN's firewall. If your system does not need to access the external Internet and you want extra protection in the firewall, you can register the network access called NONE. If you have other requirements then you must check their implications with CERN's computer security team; please send a message to Computer Security.

10. Keep yourself informed of CERN's security rules and advice:

Related Links
Computer Security
Computing Rules
Recommendations
Scans
Passwords
SSH
Viruses
Last update: Tuesday, 21. August 2007 16:00
Copyright CERN