Security quiz: answers and explanations

1. On average, an unprotected computer connected to the Internet is infected after...
- a few minutes
- 10-12 hours
- 3 days
- more than a week

It's really a matter of minutes for an exposed, unprotected computer to get infected. That's why you should:
Protect your private and home computers: Use CERN antivirus; apply software updates; don't install untrusted software.
Use operating systems provided by CERN's IT department: They are securely configured and automatically updated for you.

2. What are attackers trying to achieve? They seek to... (mark all correct answers)
- deface our Web sites
- break into our Web servers or computing services
- steal users' passwords ("phishing")
- find confidential or sensitive information

Attackers are indeed trying to deface our Web sites, break into our Web servers or computing services and steal users' passwords, but also to find confidential or sensitive information. So...
Protect your files and data: Restrict access to your documents and folders; follow the principle of least privilege.

3. What could be the consequences of a successful attack against CERN? (mark all correct answers)
- CERN physics or computing operations affected
- lost data
- negative impact on CERN's reputation

All these points are potential consequences of a successful attack against CERN.

4. You may give someone your password if: (mark all correct answers)
- your boss asks you for your password
- the Helpdesk asks you for your password
- it is never OK to give out your password
- you send it by e-mail and change it soon afterwards
- your boss says it is OK to give someone your password

You should never give your password to someone else, and your boss shouldn't ask you for it.
Protect your passwords: Never share them; beware of attempts to trick you into revealing your password ("phishing"); don't reuse them (use different passwords for different purposes); don't type them on untrusted computers or Web sites.

5. What are the usual consequences of someone breaking into your computer or account? (mark all correct answers)
- your computer infected (you will have to reinstall it)
- your computer physically destroyed
- your account deleted forever
- your files modified, deleted or stolen
- your account blocked

Although some viruses may occasionally try to cause physical damage to hardware, in most cases an intrusion means your computer could be infected, your files modified, deleted or stolen, and your account blocked.

6. Why would a cybercriminal break into your computer (e.g. at home) even though you have nothing of value on it? (mark all correct answers)
- to steal your CERN password (which is valuable)
- because he will use it to send spam messages to other people
- because he doesn't like you personally
- to attack other computers using your computer
- because he thinks you work for a bank

Even if you don't have anything valuable on your computer, it can be used for "spamming" or for infecting other computers. Plus, if you type your CERN password on an infected computer, attackers can see it and then try to break into CERN by abusing your account.

7. Which of the following links go to ebay.com?
- http://www.ebay.com\cgi-bin\login?ds=1%204324@%31%33%37%2e%31%33%38%2e%31%33%37%2e%31%37%37/p?uh3f223d
- http://www.ebaỵ.com/ws/eBayISAPI.dll?SignIn
- http://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo&siteid=0&co_partnerid=2&usage=0&ru=http%3A%2F%2Fwww.ebay.com&rafId=0&encRafId=default
- http://secure-ebay.com

The following links don't go to ebay.com:
- the first one, because of the @ character in the middle of the URL (what precedes the @ is treated as user information, and the real host is what follows it);
- the second one, because the "y" character in ebay.com is not a real "y" but a different, similar-looking character (note the additional dot: ebaỵ.com);
- the fourth one, because the domain name secure-ebay.com is different from ebay.com.
Finding the correct answer is really tricky, so if in doubt, just type the address yourself. Remember:
Be careful while browsing the Web: Don't click on suspicious links and don't install untrusted plug-ins.

8. Which of the following courses are offered as CERN Technical Training? (mark all correct answers)
- "Secure coding for Web applications and Web services"
- "Secure coding in ActionScript"
- "Secure coding in C/C++"
- "Secure E-mail and Web browsing"
- "Developing secure software"

The following training courses are offered as CERN Technical Training:
- "Secure coding for Web applications and Web services"
- "Secure coding in C/C++"
- "Secure E-mail and Web browsing" (for free!)
- "Developing secure software" (for free!)
but also:
- "Secure coding in Java"
- "Secure coding in PHP"
- "Secure coding in Perl"
- "Secure coding in Python"

9. Who is responsible for computer security at CERN?
- the Computer Security Team and the IT Department
- you (and everyone who uses CERN computing facilities)
- your supervisor (and management in general)
- the security contact of your department or experiment

At CERN, every computer user is responsible for the security of their computer, their documents and data, the software they develop and the services they provide. Remember: using services and infrastructure provided by the IT department makes it much easier to ensure security.
Use operating systems provided by CERN's IT department: They are securely configured and automatically updated for you.
Follow CERN Computing Rules: Respect copyrights; don't run restricted software; check http://cern.ch/ComputingRules
And remember:

10. What is the fastest way to contact the Computer Security Team at CERN (to ask for advice, to report an incident, etc.)?
- call the Helpdesk
- send an e-mail to Computer.Security@cern.ch
- call your colleague in the IT Department
- find the security contact in your Department and e-mail him/her

Don't hesitate to...
Ask for advice: The Computer Security Team offers training courses, code reviews, Web and server scanning, etc., and is there to help you: contact Computer.Security@cern.ch or visit http://cern.ch/Computer.Security

11. (Optional technical question) What is the recommended configuration for a local firewall on a server?
- open all ports to ensure that applications have correct network access
- close down unused ports for incoming connections, allow outgoing connections
- open only ports that you know must be opened, adding remote IP restrictions if known
- do not open ports at all, as open ports can be used to attack that server

The best idea is to follow the principle of least privilege: only open ports for services that need to be running and visible on that server, and where possible restrict which remote machines (clients) can access those services.

12. (Optional technical question) Which advice would you follow to make your code more secure? (mark all correct answers)
- trust user-supplied data
- for database access, use parameterized queries (prepared statements)
- check and validate all user input
- for Web applications, use POST instead of GET
- use temporary files instead of pipes and other IPC (inter-process communication)

The most important security point to remember when developing software is: any input data coming from potentially untrusted users must be checked, validated and sanitized before it is used.

13.
(Optional technical question) How can you prevent an attacker who has root access from implanting a rootkit in the Linux kernel? (mark all correct answers)
- by preventing /dev/mem from being writable
- by preventing Linux kernel modules from being loaded
- by using SELinux
- by disabling the root user
- it is not possible

Once an attacker has root access to a computer, it is virtually impossible to prevent him from doing further damage or from hiding himself with rootkit techniques.
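The reasoning behind question 7 can be made mechanical. The Python below is an added example written for this page, not code from the quiz or from CERN: it extracts the host that a permissive URL parser would connect to for each of the four quiz links, decodes percent-encoded host characters (which is how %31%33%37... becomes a plain dotted IP address), flags any non-ASCII look-alike characters in the host, and checks whether the result is ebay.com or one of its subdomains. The parsing model is deliberately simplified to mirror the quiz's explanation (authority runs to the first forward slash, anything before the last @ is user information); that simplification is an assumption of this example, not a description of any particular browser.

```python
import unicodedata
from urllib.parse import unquote

# The four links from question 7 of the quiz (copied from the page).
# The second one contains U+1EF5, a "y" with a dot below, not a plain "y".
QUIZ_LINKS = [
    "http://www.ebay.com\\cgi-bin\\login?ds=1%204324@%31%33%37%2e%31%33%38%2e%31%33%37%2e%31%37%37/p?uh3f223d",
    "http://www.eba\u1ef5.com/ws/eBayISAPI.dll?SignIn",
    "http://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo&siteid=0&co_partnerid=2"
    "&usage=0&ru=http%3A%2F%2Fwww.ebay.com&rafId=0&encRafId=default",
    "http://secure-ebay.com",
]


def effective_host(url: str) -> str:
    """Host a permissive parser ends up connecting to.

    Simplified model (an assumption of this example, mirroring the quiz's
    reasoning): the authority runs from '://' to the first '/', and anything
    before the last '@' in it is user information rather than the host.
    """
    after_scheme = url.split("://", 1)[1]
    authority = after_scheme.split("/", 1)[0]
    host_port = authority.rsplit("@", 1)[-1]
    host = host_port.split(":", 1)[0]          # drop an explicit port, if any
    # Percent-encoded octets are decoded before the name is resolved.
    return unquote(host).lower()


def lookalike_chars(host: str) -> list:
    """Non-ASCII characters in the host, paired with their Unicode names."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if not ch.isascii()]


def belongs_to(host: str, site: str) -> bool:
    """True if host is exactly `site` or a subdomain of it, using ASCII only."""
    if lookalike_chars(host):
        return False
    return host == site or host.endswith("." + site)


def check_link(url: str, site: str = "ebay.com") -> dict:
    """Verdict for one link: real host, whether it reaches `site`, look-alikes."""
    host = effective_host(url)
    return {
        "host": host,
        "goes_to_site": belongs_to(host, site),
        "lookalike_chars": lookalike_chars(host),
    }


if __name__ == "__main__":
    for link in QUIZ_LINKS:
        verdict = check_link(link)
        flag = "goes to ebay.com" if verdict["goes_to_site"] else "does NOT go to ebay.com"
        print(f"{flag}: host={verdict['host']!r} lookalikes={verdict['lookalike_chars']}")
```

Only the third link survives the check, matching the quiz's answer. Browsers have not all parsed links like the first one identically (the WHATWG URL standard, for instance, treats a backslash after the host as a path separator), which is precisely why the quiz's advice stands: when in doubt, type the address yourself.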
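Question 12's two correct pieces of advice, parameterized queries and validation of all user input, are shown side by side in the following Python example. It is an added illustration, not code from the quiz or from CERN, and it uses an in-memory SQLite table with two constructed rows (no real accounts); the table layout, the user-name allow-list and the function names are all assumptions made for the example.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed sample rows (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Trusts user-supplied data: the input becomes part of the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the driver binds the input as a value, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Allow-list for a user name (assumed policy): a lowercase letter followed by
# up to 31 characters from [a-z0-9_]. Anything else is rejected outright.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def is_accepted(name: str) -> bool:
    """True if the allow-list admits the name."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_validated(conn: sqlite3.Connection, name: str) -> list:
    """Check and validate the input first, then query with a parameter."""
    if not is_accepted(name):
        raise ValueError(f"rejected user name: {name!r}")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"   # constructed input that is not a user name at all
    print("concatenated :", lookup_concatenated(db, crafted))   # returns every row
    print("parameterized:", lookup_parameterized(db, crafted))  # returns no rows
    try:
        lookup_validated(db, crafted)
    except ValueError as err:
        print("validated    :", err)
```

The concatenated version returns both rows because the quoted input rewrites the WHERE clause, whereas the parameterized version searches for a user literally named `' OR '1'='1` and finds nothing. Validation on top of that rejects the input before it ever reaches the database, which also gives you a clean place to log the attempt.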