During a recent audit of CERN’s computer security, the question was raised of how many attacks CERN is subjected to each day. It was a difficult question as there is no good metric for what constitutes an attack and how you quantify it. Does one connection to CERN constitute one attack? Or many connections to CERN from the same source? Or all connections linked to the same attack pattern or theme? Or from the same group of adversaries? Does one brute-force attempt to log into one CERN account count as an attack? Or many different attempts to break into one account at CERN via a so-called dictionary attack? Or is it one attack when one adversary brute forces their way into many CERN accounts via such a dictionary attack?
As you can see, answering that initial question is difficult, and other entities outside CERN answered it with “300-500 million a day”. Apparently, they count every connection, every attempt. The basic fact, as measured with our intrusion detection mechanisms, is that CERN is under constant attack. Always. Even right now. There are few moments when we do not see brute force attacks against CERN accounts. Few moments when public CERN webpages and Internet-facing computing services are not being probed for vulnerabilities. Few moments when CERN mailboxes are not receiving SPAM or so-called phishing e-mails. And few moments when CERN computers are not subjected to viruses, worms and other malware… And that number is not even the most interesting one…
Delving deeper into the numbers from our digital trenches:
- Every day, CERN’s Security Operations Centre (SOC) digests about 3-5 TB of log data, sifting through for suspicious or malicious activities;
- CERN’s firewall monitors a stream of 40 Gbps of incoming and outgoing traffic and tries to reject any unwanted or unauthorised packages. In the near future, the CERN Network Team will replace this firewall with a more powerful solution allowing the filtering of up to 200 Gbps of traffic in each direction and the blocking of advanced, sophisticated or targeted attacks;
- The CERN SPAM filters usually reject about 70% of the 2 million e-mails CERN receives each day. For those that pass through, the subsequent advanced malware detection filters quarantine about 50 phishing campaigns and 20 campaigns using malicious attachments to target CERN per day;
- The SOC sends dozens of notifications per month to colleagues whose CERN e-mail address or external e-mail address – together with external passwords and other personal data – have been disclosed in data breaches from Internet-based cloud services. Much more widely, our automatic tools also regularly inform hundreds of peer organisations, institutes and universities about thousands of their e-mail addresses and passwords potentially being exposed;
- Members of the Computer Security Team run dozens of dedicated campaigns per year, informing users and those managing CERN’s computing services about newly reported vulnerabilities (e.g. TeamViewer, RDP, SMBv1, WordPress, iOS, Flash) and ensuring, when needed, that these vulnerabilities are closed as fast as possible before the corresponding systems, devices or accounts are compromised by adversaries;
- Similarly, we receive dozens of external reports a year from friendly people and students of our CERN WhiteHat Challenge programme pointing us to sub-optimal configurations or weak set-ups, which are all well deserving of follow-up for improvement;
- On the proactive side, the IT department is running a series of projects (PC hardening, a new identity management system including multifactor authentication, deploying a new anti-virus solution, and providing better tools for programmers...) to improve CERN’s cyber-security posture.
Despite those numbers, what matters more is the – hopefully low – number of successful attacks. In these more severe cases, the Computer Security Team engages five to ten times a year in direct incident response, figuring out how adversaries (like the RockeGroup but also nation-state sponsored actors) might have managed to infiltrate CERN, along with their motives and attack vectors. Due to severe violations of the CERN Computing Rules, three people were dismissed from CERN last year. Furthermore, we also assist several other HEP and HPC sites as well as the WLCG and EGI/EOSChub in incident response. Indeed, our academic community has suffered in recent months from Ransomware attacks. And, finally, we actively help Swiss health institutions protect their assets against attacks using “Covid-19”-related themes as a pretext.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.