How CERN Fights Hackers

Computer Security Officer Stefan Lueders explains how CERN keeps a vast number of servers, computers, and systems secure from constant attack.

Apr 5 2016, 1:40pm

Image: Victoria Turk/Motherboard

Security is all about balance—keeping users and data safe has to sit alongside usability and efficiency. At CERN, the European Organization for Nuclear Research and home of the Large Hadron Collider (LHC), Stefan Lueders has the daunting task of coordinating the security of systems while maintaining an environment of academic freedom.

Lueders, a computer security officer, told Motherboard in a phone call that CERN has to keep tabs on around 40,000 bring-your-own devices belonging to professors, technicians, and other workers; academics and engineers also connect to systems remotely. The organization's two main data centres in Switzerland and Hungary have around 100,000 hard drives and 13,000 servers in total.

Then there's the LHC's computing grid, spread across North America, Europe, and Asia, which reprocesses data generated by the experiments. Control systems for equipment need to be secure as well, and CERN hosts around 10,000 websites.


"The surface is vast," Lueders said. And that surface is under constant poking and probing: threats include low-level denial-of-service attacks, hackers scanning CERN's web servers for vulnerabilities, and brute-force attempts to break into systems. "This is permanently happening," Lueders said.

"On a daily basis, we're having infected computers and passwords which are lost through the cause of phishing, or being stolen outside in an internet cafe somewhere. This is stuff that is happening in any other organisation, in any other university. It's exactly the same problem," Lueders said.

CERN sees more advanced attacks a few times a year, Lueders added. Overall, hacking attempts don't seem to come from any particular part of the world.

"In terms of who is attacking us: everybody," Lueders said. "I do not see that we are more on the attack from the northern or from the southern hemisphere. I do not see that we're more under attack from country A or country B."

Image: A slide from a talk Lueders gave at ITU

In the end, attack attribution doesn't matter all that much anyway, Lueders said, because all attacks are treated in the same way. "Same game, same business, and we deal with all of them alike," he said.

One way CERN has bolstered its defenses is by adopting white hat hackers to test the organization's limits. Once approved, university students get the green light to hack CERN systems in order to uncover vulnerabilities. CERN has also trained around 120 engineers, technicians, and programmers in penetration testing, Lueders added.

But despite his job title, Lueders says he is not responsible for computer security at CERN. "I'm doing more or less the whole portfolio: I'm doing protection/prevention, I'm doing detection, and I'm doing response. However, I'm not responsible for computer security at CERN. I decline this responsibility," he said.

Instead, everyone has to patch and secure their own devices, and perhaps their own larger systems too, or delegate that task to somebody else if they don't feel capable. "If you are running a database, you are responsible for securing the database," Lueders said. That also applies to web servers, control panels, and individual computers.


Lueders and his team then scan the CERN networks constantly for signs of a compromised machine, such as one sending out spam or visiting a malicious URL. The affected user gets a warning and, depending on the severity of the issue, is given a certain amount of time to get it under control. If they don't, there are consequences.

"There are administrative measures which will kick in, and these can be everything: warnings, reprimands, losing your job," Lueders said.

When it comes to the trade-offs of security, Lueders's priority is balancing secure systems with academic freedom.

If he's too cautious, and doesn't allow CERN workers to use whatever programming language or software they need, users might become stifled.

"I can, if I wanted, impose on everybody on this side to run a certain brand of computer, with a certain brand of operating system, and a certain software stack on top of that. No administrator rights; nothing. This I can do from a security perspective," said Lueders.

But this is not the balance that Lueders and CERN are after.

"People are used to having a certain liberty to choose what technology they would like to employ, the hardware they would like to run, the operating system they would like to use, and the applications they would like to install."

If not, the vibrancy of CERN's community is under threat. "If we don't do this we will force them into a corner, and all the intelligence, all the creativity will be killed," Lueders said.

Everyone is a target for hackers. In Shut the Back Door, we ask organizations and institutions across the globe how they approach security.