Cern makes users responsible for cyber security

Cern, the European organisation for nuclear research, has made users responsible for their own cyber security

Cern, the European organisation for nuclear research has made users responsible for their own cyber security, a London conference has heard.

“We have been doing bring your own device (BYOD) for 20 years under Cern’s policy of academic freedom of choice", Stefan Lüders, head of computer security at Cern told the inaugural (ISC)2 EMEA Security Congress.

While Lüders and his team ensure a secure network architecture and provide full support for Cern’s scientists, they are each responsible for the devices and systems they operate.

“They have flexibility to install any applications and services and use any operating system or programming language and so there is no way I can be responsible for what I do not control,” he said.

“We have delegated the responsibility for security to everyone who uses digital devices in the organisation.”

Cern has a comprehensive set of intrusion and threat-detection systems that fire off alerts to invdividuals in the organisation if there is an indication that their computer has been compromised.

“Then it is up to them to resolve because they are responsible,” said Lüders, but the email does include suggested actions to resolve the problem.

And if the recipient do not understand the threat or cannot decide how best to resolve the problem, they can click the “help me” button.

The same principle is applied to software programmers and providers of databases and web services in Cern. Each member of these groups is responsible for delivering services as securely as possible.

Programmers, for example, are expected to ensure all their code is as secure as possible. They are supported by easy-to-use analysis tools and training programmes from Cern.

“Our approach is to help everyone to do their work in the most secure manner possible, but it is pointless putting security barriers in their way because they just find a way around them,” said Lüders.

Instead, his team works with scientists to find a secure, but acceptable way of doing things, while providing tech support wherever necessary and running continual education programmes.

By providing continual support and input, the IT security team is able to teach scientists how to work more securely.

“We used to have a big problem with phishing attacks, but since we ran phishing awareness training, almost no-one falls for that kind of attack anymore,” he said.

Lüders also ensures everyone working at Cern is aware of the latest threats and attacks that are targeting the organisation through publishing monthly bulletins.

“We are totally transparent about our cyber security incidents to help raise security awareness by ensuing everyone is aware of attacks that are taking place,” he said.

Everyone in the organisation is also required to complete a basic security course every three years, but the focus of the programme is cyber security in the home environment.

“We teach people why cyber security is important to them in their private lives and how to protect themselves at home in the belief that they will apply the same principles at work,” said Lüders.

The way in which Cern was able to respond quickly to news of the Heartbleed vulnerability in OpenSSL in April 2014 demonstrates how well this approach works, he said.

According to Lüders, all 500 of Cern’s internet-facing webservers were patched in two hours of the Heartbleed warnings being issued because all of the work was done in parallel.

“Rather than a central IT security firm having to do all the work, each team or individual responsible for a webserver was able to respond at the same time as all the others,” he said.  

Lüders said that at Cern the focus of IT security is on people and to act as facilitators and enablers to help the organisation’s scientists use technology securely.

Read more on Hackers and cybercrime prevention