Related press releases
Related research
New Computer Security In Fermilab
:: 25 September, 2007
Imagine: A pleasant, but flustered gentleman says he's late for a lecture and needs to print a copy of his presentation. He asks you to print it for him and hands you a memory stick.
Do you print it?
You could save his day or you could end up shutting down the laboratory's computer system. The Department of Energy wants to you err on the side of safety. And they plan to test you.
In the coming months, a computer security team from DOE will use scenarios like this to test Fermilab's computer security and security awareness. The would-be hackers are called the Red Team.
"If you don't know someone, ask for identification. This is counter to our culture. We like to be welcoming and helpful, but it can backfire," said Mark Leininger, Fermilab's computer security manager. "What the red team wants to see you do is challenge them, to request identification that they cannot provide and deny them access."
According to Leininger, printing the document in the proposed scenario isn't necessarily wrong, as long as you know and trust the person, or he or she presents you with accurate credentials.
The Red Team will use two tactics to try to compromise Fermilab's computer system: electronic penetration and social engineering. Penetration testing attempts to gain unauthorized access to Fermilab computers. Social engineering uses deceptive practices to trick users into giving out personal information or other details that allow unauthorized access. The Red Team may follow others into a secure location by asking them to hold the door, or even walk around during the lunch hour in search of computers without screen locks activated to gain unauthorized access.
Once the test is completed and the information processed, the Red Team will give the laboratory a narrative report of their attempts, highlighting weak areas that the laboratory should strengthen. That gives the laboratory a way to improve its security before real security breaches occur.
"The really important thing is that everyone should practice good computing habits," Leininger said. "Computer security measures should be thought of the same way as safety - they should be included in the way we do our jobs every day."
What you can do to ensure security:
Don't allow "tailgating" of an unknown person into locked areas, especially property protection areas.
Don't give out personal information or passwords.
Do not open or use unsolicited e-mail attachments, Web links, CDs, DVDs or memory sticks.
Don't allow anyone you don't know and trust to access your computer.
Ask for identification from anyone you don't know.
Set your computer screen to "lock" if you are away from you desk or have the computer inactive for more than a few minutes.
News Inside News:
Site Security Questions and Answers
The Department of Energy has recently approved changes to the Fermilab Security Plan. These changes, which will go into effect on January 24,
2005, will ease some of the site access restrictions that have been in place since 9/11 while at the same time enhancing the overall security of the Fermilab site.
Here are the highlights of the coming changes in Fermilab site security:
A central corridor of public areas, shown on the attached map, will enable the public to visit much of the Fermilab site without the need for visitors' passes. The public areas include most of the recreational features of the site. The public areas will be open to the visiting public from 8 a.m. to 6 p.m. from mid-October to mid-April and from 8 a.m. to 8 p.m. when daylight hours are longer. Roadways that are off limits to visiting members of the public will be posted with signs, and motorists will be given site maps to guide them to the public areas.
The public areas will extend into the Lederman Education Center and to the ground floor and atrium of Wilson Hall, and Ramsey Auditorium. Signs will tell visitors which areas of Wilson Hall are open to the public.
The Fermilab Security Plan identifies certain workspaces as "Property Protection Areas." These spaces include CDF; DZero; the Main Control Room and the associated computing space; parts of Feynman Computing Center; the Central Utility Building; the Central Helium Liquefier; and the Master Substation and the Kautz Road Substation. Fermilab ID badges will be required for entry into these areas, and people working in these areas must wear Fermilab ID badges or visitors' passes at all times.
Beginning January 24, only those who visit or work in Property Protection Areas will be required to wear Fermilab ID badges or visitors' passes. People will not need to wear ID badges or visitors' passes elsewhere on the site so long as the present threat level (yellow) remains in effect. However, everyone on the Fermilab site must produce valid identification if requested by a security officer.
Security officers will remain at the East and West gates. When entering the site you should be prepared to show your Fermilab ID badge so the security officer will know you are authorized to enter.
Visitors will now be able to enter the Fermilab site by car through the East and West gates. After presenting identification, most visitors will simply pass through the security checkpoint after telling the security officer the purpose for their visits. They will not need to obtain visitors' passes. However, when a visitor plans to enter a Property Protection Area, he or she must obtain a temporary visitor's pass (as in the current system) and wear it while inside the Property Protection Area.
If you do not normally work within one of the Property Protection Areas but need to visit one during the course of a day, you will need to use your Fermilab ID badge to open the card-key access doors of the area, and you must wear the identification badge at all times while inside the area.
These security changes will remain in effect at the current security level. If DOE directs Fermilab to raise the security level due to some imminent threat, access procedures may change and the site-wide wearing of identification badges may again be required until the threat subsides.
While we have planned carefully for implementing the changes I have outlined, there will doubtless be a learning curve as we put them into effect. With your patience and cooperation, I believe that these changes will make our site more welcoming to our neighbors and other visitors without compromising Fermilab's security.
In The Images-
1.Don't use unfamiliar CDs or memory sticks.
2.Fermilab map showing the public areas and
restricted sections on site. (Click on image for
larger version.)
Release link: http://www.fnal.gov
Tags: CDs , memory sticks , Fermilab's computer security , Social engineering , tailgating" , e-mail attachments ,
