
Computer Security: Banks and work


In the last few months, the Computer Security team and the Identity and Account Management team have started to roll out two-factor authentication (2FA). 2FA is considered the silver bullet for protecting computer accounts. You can find it everywhere: for accessing Facebook, Twitter, Gmail and other services. Your bank uses it to protect your money. However, we face resistance. And I'm starting to wonder why people at CERN are perfectly willing to protect their bank accounts with 2FA while trying to avoid using it to protect their work, which is what puts the money into said accounts in the first place…

CERN is under attack, like any organisation, institute or company; many of them have been hacked or compromised and had their data stolen (see here and there). A successful ransomware attack against CERN could have devastating consequences for our operations and reputation. Ransomware attacks, like many other forms of attack, usually start with you clicking on a malicious link, opening a malicious attachment or browsing a dodgy webpage, after which your computer is damaged. While the consequences for your laptop are local (and can be pretty bad), the next jump from the compromised device will likely require your password. A password that can easily be intercepted by an attacker who already has access to your device. Some successful attacks are more direct: they simply ask. You hand your password straight to the attacker, through a fake login page. Every year, between 10% and 20% of us fall for the Computer Security team's click campaign. Had those campaigns been real, between 10% and 20% of all CERN passwords would have been exposed. Lost.

More juice for the attacker if the campaign is real. Just think about what they can access with your password. What power they inherit from you. What they can do once they see you working on IT services, control systems and financial applications. And what happens when the attacker starts acting on their own. Stopping the accelerators? Manipulating experiments? Disabling safety systems? Stealing money? Deleting files? Disclosing personal data? Damaging CERN's reputation?

To protect CERN against these types of attack, we have added another – big – barrier for a potential attacker by deploying 2FA on your account. Not only does the attacker need your password, they also need your second factor, i.e. your YubiKey or your smartphone. And you always know where your smartphone is, right? This is why we consider 2FA a silver bullet for account protection. Yes, we recognise that this adds another layer of discomfort. That's why we've tried, and will continue to try, to make 2FA as easy as possible for you:

  • We deployed it at a single point: the new CERN Single Sign-On (plus some dedicated service gateways, such as AIADM and the Remote Operations Gateways).
  • We've made changes so that an authenticated session lasts about 12 hours per browser, meaning you'll need to use your token about twice a day, which is probably less often than some people drink coffee or take a smoke break.
  • You can choose which token – YubiKey or smartphone – will be the default (just go to https://users-portal.web.cern.ch/, click on “configure multifactor” and choose your “default login method”).
  • You can choose between the two tokens each time you log in. If you forget one, the other is there. If you lose one, the other can be used to reset it. And we will add more options once they fit our set-up.
  • There are methods to help if you lose your token and you are locked out: the Service Desk and the Computer Security team put all the necessary means in place for a quick recovery.
  • Finally, a more comprehensive list of answers can be found in our FAQ.
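As an added illustration (this is not CERN's SSO code, and the page does not say which protocol the smartphone token uses), the following Python models the rule stated above and the 12-hour session from the list: the first login in a browser needs the password and a one-time code, a stolen password on its own gets the attacker nothing, and once a browser holds a valid session cookie the token is not asked for again until 12 hours have passed. The use of RFC 6238 TOTP for the phone factor, the PBKDF2 password hash, the dict-based account and session store, and the constants are all assumptions; the TOTP secret is the RFC 6238 test-vector key.

```python
"""Password + TOTP login with a 12-hour per-browser session.

Added illustration, not CERN's SSO implementation. Assumptions: the
smartphone factor is an RFC 6238 TOTP code (the page does not state the
actual method), accounts and sessions live in plain dicts, and the
session lifetime mirrors the "about 12 hours per browser" figure.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

SESSION_LIFETIME = 12 * 3600   # seconds; assumption matching the article's figure
TOTP_STEP = 30                 # seconds per code (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate phone clock drift."""
    counter = int(at // TOTP_STEP)
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


class Account:
    """One user: salted PBKDF2 password hash, TOTP secret, live browser sessions."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._kdf(password, self.salt)
        self.totp_secret = totp_secret
        self.sessions: Dict[str, float] = {}   # browser cookie -> expiry (Unix time)

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._kdf(password, self.salt), self.pw_hash)


def authenticate(account: Account, password: str, code: Optional[str],
                 now: Optional[float] = None) -> Optional[str]:
    """First login in a browser: BOTH factors required. Returns a session cookie or None.

    Both checks always run and the caller gets the same answer for a wrong
    password and for a missing or wrong code, so a phished password alone
    yields nothing and the attacker cannot tell which factor failed.
    """
    now = time.time() if now is None else now
    pw_ok = account.check_password(password)
    code_ok = code is not None and verify_totp(account.totp_secret, code, now)
    if not (pw_ok and code_ok):
        return None
    cookie = secrets.token_urlsafe(32)
    account.sessions[cookie] = now + SESSION_LIFETIME
    return cookie


def session_valid(account: Account, cookie: Optional[str],
                  now: Optional[float] = None) -> bool:
    """Later requests from the same browser ride on the cookie; after 12 hours
    it is dropped and the next request must go through authenticate() again."""
    now = time.time() if now is None else now
    expiry = account.sessions.get(cookie or "")
    if expiry is None:
        return False
    if now >= expiry:
        del account.sessions[cookie]
        return False
    return True


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test-vector secret, fixed clock at T=59.
    secret = b"12345678901234567890"
    acct = Account("correct horse battery staple", secret)
    print("phished password, no token :", authenticate(acct, "correct horse battery staple", None, now=59.0))
    cookie = authenticate(acct, "correct horse battery staple", totp(secret, 59.0), now=59.0)
    print("password + code           :", cookie is not None)
    print("same browser 11h later    :", session_valid(acct, cookie, now=59.0 + 11 * 3600))
    print("same browser 12h later    :", session_valid(acct, cookie, now=59.0 + 12 * 3600))
```

One caveat a practitioner would add to the "silver bullet" label: a six-digit code is only as good as the channel it travels over. A fake login page that relays the password and the code to the real site within the 30-second step still gets a session, so of the two tokens the article offers, a YubiKey used as a FIDO authenticator (which signs a challenge bound to the site origin and cannot be relayed through a look-alike page) is the phishing-resistant one.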

So, doesn't your CERN computing account deserve the same level of protection as your bank account? If you agree, try it out and let us know whether you're happy with it, so we can make it permanent.

Public Release. This material from the originating organisation/author(s) is of a point-in-time nature, edited for clarity, style and length. The views and opinions expressed are those of the author(s).


