DOE goes covert to check Fermilab computer security
Don't use unfamiliar CDs or memory sticks.
Imagine: A pleasant, but flustered gentleman says he's late for a lecture and needs to print a copy of his presentation. He asks you to print it for him and hands you a memory stick.
Do you print it?
You could save his day or you could end up shutting down the laboratory's computer system.
The Department of Energy wants you to err on the side of safety. And they plan to test you.
In the coming months, a computer security team from DOE will use scenarios like this to test Fermilab's computer security and security awareness. The would-be hackers are called the Red Team.
"If you don't know someone, ask for identification. This is counter to our culture. We like to be welcoming and helpful, but it can backfire," said Mark Leininger, Fermilab's computer security manager. "What the red team wants to see you do is challenge them, to request identification that they cannot provide and deny them access."
According to Leininger, printing the document in the proposed scenario isn't necessarily wrong, as long as you know and trust the person, or he or she presents you with accurate credentials.
The Red Team will use two tactics to try to compromise Fermilab's computer system: electronic penetration and social engineering. Penetration testing attempts to gain unauthorized access to Fermilab computers. Social engineering uses deceptive practices to trick users into giving out personal information or other details that allow unauthorized access. The Red Team may follow others into a secure location by asking them to hold the door, or may walk around during the lunch hour looking for unattended computers whose screen locks are not activated, using either to gain unauthorized access.
Once the test is completed and the information processed, the Red Team will give the laboratory a narrative report of their attempts, highlighting weak areas that the laboratory should strengthen. That gives the laboratory a way to improve its security before real security breaches occur.
"The really important thing is that everyone should practice good computing habits," Leininger said. "Computer security measures should be thought of the same way as safety - they should be included in the way we do our jobs every day."
What you can do to ensure security:
- Don't allow "tailgating" of an unknown person into locked areas, especially property protection areas.
- Don't give out personal information or passwords.
- Do not open or use unsolicited e-mail attachments, Web links, CDs, DVDs or memory sticks.
- Don't allow anyone you don't know and trust to access your computer.
- Ask for identification from anyone you don't know.
- Set your computer screen to "lock" if you are away from your desk or the computer is inactive for more than a few minutes.
-- Rhianna Wisniewski