Tune IT Up

Questions & Answers

Posted: November 18, 2009 (Updated on November 24, 2009)

Q. I am located at CERN and have no computers at FNAL. My personal laptop is a CERN laptop. Do I still have to complete the Tune IT Up assessment?

A. If it is not an FNAL-owned computer at CERN, you do not need to complete the assessment.

Posted: September 15, 2009

Q. For which computers do I need to fill out the Tune IT Up assessment? I have a personal desktop and laptop. But I also manage and/or am the custodian for various other servers at Fermilab.

A. You should complete the assessment only for the desktop, laptop or smart phone you personally use to do your work. There is no need to do it for servers.

Posted: September 15, 2009

Q. If the person who uses a computer is not the person who manages it, who fills out the assessment?

A. If multiple people regularly use a computer, each should complete the assessment for it. If one or more people occasionally use it but one person is the primary user, the primary user should fill it out.

Posted: September 15, 2009

Q. Regarding the question on the Tune IT Up assessment about whether my computer provides services, does that include services like SSH and Telnet? The survey only mentions Web and file sharing.

A. If your computer provides a service to other computers (e.g. if other people SSH into your computer), then you should answer YES. The assessment is not asking what services you are running but what services you are providing to others -- at FNAL or outside.

Posted: September 15, 2009

Q. Some users in our Section do not have custody of any IT equipment, but they have accounts for services such as the Fermi Domain, Fermilab e-mail, Jabber and Meeting Maker. Should these users complete the Tune IT Up assessment?

A. Yes. If someone uses a desktop, laptop or smartphone connected to the Fermilab network to do his or her daily work, that person should complete the assessment.

Posted: August 21, 2009

Q. I just set my new services account password, and I thought I would eventually be able to use that to log into my e-mail account. Why do I need a new password for my e-mail account on the IMAP server?

A. You will be able to log into your e-mail account using your services account password, but only after the Computing Division has moved your account from the IMAP server to a new, up-to-date server that runs Microsoft Exchange and accepts services account passwords. All newly hired employees are already setting up e-mail accounts on the Exchange server. At an upcoming stage in the Tune IT Up campaign, the Computing Division will begin the process of moving Fermilab divisions and sections to the Exchange server. This will allow Fermilab employees to use their secure services account passwords to log into their e-mail accounts.

But until the Computing Division can complete the move, we need to ensure that those employees who remain on the IMAP server are secure in their e-mail use. So, in the interim, we have improved the complexity requirements for IMAP server passwords and require all IMAP users to change their passwords by Sept. 22.

Posted: August 10, 2009

Q. I cannot complete the IT assessment because the system does not recognize the property tag # SI-xxxxx. What should I do?

A. Property tags that begin with the letters SI are no longer in use. If your computer has another tag, such as a blue CD system tag starting with the letter 'S' or a yellow property tag with just a number on it, use that instead.

Posted: August 10, 2009

Q. I have a computer that is not currently in use or even powered. Do I need to enter information about it in the Tune IT Up assessment?

A. If you do not expect to use the computer again, please contact your supervisor or your system administrator and ask about procedures for reusing or retiring computers. If you would like to keep the information on your hard drive, you can store it on an external device or call your system administrator for help.

If you keep the computer, please fill out the assessment for it. We recommend keeping computers on the network and powering them up at least once every few weeks so that the operating system can be upgraded, patches installed, and antivirus signatures kept reasonably current.

Posted: July 31, 2009

Q. When software like Gmail offers to remember my password, should I take it up on doing that?

A. You should never answer "Yes" when a Web application prompts you to allow it to save your password. Saved passwords are vulnerable to attacks over the Internet and can be accessed by anyone who enters your office.

Posted: June 26, 2009

Q. The "Message from the Computing Division" talks about taking away my administrator privileges. Without those privileges, how will it be possible for me to do my job?

A. The audit found that Fermilab lacked a system to track who in the laboratory has "elevated privileges," including those of system administrators. To address the problem, we will put in place a process to track who has elevated privileges. We will require that line managers acknowledge that they know who in their organizations has these elevated privileges, and that they understand the risks and responsibilities associated with using elevated privileges. It is then the responsibility of line managers to decide what tools, including the use of elevated privileges, people need to do their jobs.

Posted: June 22, 2009

Q. The answer to a recent question about the security of using Fermilab computers offsite said "Make sure your operating system and applications are patched, the antivirus software is current and running, that firewalls are turned on, and that other aspects of our operating systems baselines are followed. If your system is managed centrally, these are all taken care of by your system administrator and the management tools." Some people in my department work at CERN and are almost never at Fermilab. Are their systems getting routinely patched, firewalled, antivirused and so forth, or do they need to do something special?

A. While they are at CERN, Fermilab employees must conform to CERN computer security policies. They should check with the CERN IT staff for any restrictions, special configurations, support requirements, etc. (Of course, this applies not just to CERN but to any laboratory where Fermilab employees are working.) In addition, if employees connect to Fermilab via the VPN, they must also conform to Fermilab security policies -- the VPN is an extension of the Fermilab site network.

Employees based at CERN should check with their Fermilab desktop support staff, via the service desk, to learn whether their systems are correctly configured for central management by Fermilab. In general, for a remote system to remain properly patched, inventoried and updated from the Fermilab central management systems, it needs to be connected to Fermilab via the VPN at least once a month for a 24-hour period. This allows the requisite Fermilab cybersecurity "housekeeping" to take place. Connecting once a week would be even better.

Fermilab IT experts also recommend a "health checkup" by the Fermilab desktop support staff before reconnecting a system to the Fermilab network after a lengthy stay away.

Posted: June 10, 2009

Q. We received the HUGE Tune IT Up poster (it does not even fit the bulletin board), printed on expensive paper, just in case we did not notice the almost dozen email messages in the campaign thus far. Could it be that an occasional reminder of the accidents and findings is more effective?

A. We are advertising this campaign using many different forms of communication — posters, emails, "Fermilab Today", Web pages, seminars, and more — to reach as wide an audience as possible while promoting computer security and best practices. To put the cost of posters in perspective, other DOE laboratories have had to spend several millions of dollars on cybersecurity campaigns after receiving serious audit findings. We want to avoid spending large amounts of money correcting "accidents" and findings by spending much smaller amounts of money on posters and other educational materials to address the current findings and prevent them in the future.

Posted: June 10, 2009

Q. I take my lab laptop home every night where it joins a home wireless network provided by my Linksys router and falls into the good (?) company of my teenage son's netbook, PC game computer, and my wife's Mac. Of course, I know better than to do any non-lab work on the computer. The lab work I do on it at home is mostly e-mail, Word, Excel, PowerPoint, and that kind of thing -- though I now have started doing VPN connections to approve time cards.

What kind of precautions should I be taking the next day when I bring the laptop back to work?

A. One advantage of Fermilab's relatively open environment is that we make few assumptions about our network and apply a "defense in depth" strategy to IT management and cybersecurity. This means that the same tools and practices that protect your system on the Fermilab network also protect it off our network -- at home, at a conference, in an airport or elsewhere. Make sure your operating system and applications are patched, the antivirus software is current and running, that firewalls are turned on, and that other aspects of our operating systems baselines are followed. If your system is managed centrally, these are all taken care of by your system administrator and the management tools. You still need to follow the same safe computing practices as you would onsite:

Don't allow others to use your account.
Be careful with email and web surfing.
Download and open only trusted applications and documents.

If you follow all these practices, you should be as safe away from Fermilab as you are while here.

Posted: June 10, 2009

Q. As a supervisor, should I be doing walkthroughs of my employees' offices looking for passwords in their top desk drawers and such?

A. In general we don't require or even recommend that supervisors go looking around in employees' file and desk drawers, although if passwords are easily visible in a work area, they should be removed and changed. A better approach is to have regular discussions with your employees to raise their awareness about proper handling of passwords and sensitive information, and other safe computing practices regarding email, web surfing, downloading and opening applications and documents, and so forth. You can get help with this through your desktop administrator, your Division/Section/Experiment's General Computing Security Coordinator (GCSC), or the Computer Security Team. Some of these contacts are listed at http://security.fnal.gov/contacts.html.

Posted: June 9, 2009 (Updated on August 21, 2009)

Q. On the Tune IT Up web page, two of the top three computer security hints tell employees how not to store their passwords. With employees faced with memorizing an ever-increasing number of ever-more-complicated passwords, and changing them more frequently, suggestions for secure methods to store passwords would be greatly appreciated.

A. We are working hard to limit the number of passwords needed to access systems at Fermilab. Our eventual goal is to reduce the number of passwords to two: your services account password and the password you use to log on to your desktop or laptop computer.

Commit to memory the password you use to log on to your computer. This is your first line of defense against unauthorized access. If you forget this password, you can contact the Service Desk for help.

Other passwords, such as those you use to access e-mail accounts, need to be protected to the same degree that you protect your social security number or credit card and PIN number. If you write down one of these passwords, store it in a secure place such as a locked drawer or in your wallet next to your credit card.

A variety of password storage applications are available for your computer or smart phone. Look for products that support AES-256 encryption. However, Tune IT Up does not recommend or support any specific products.

Posted: June 9, 2009 (Updated)

Q. What should the timeout be set on screensaver lock? Should you lock your computer to get a cup of coffee?

A. You should not leave your screen unattended for more than 15 minutes. The less time a screen is unlocked the better, particularly if your computer is in a public area or if you have a position that requires a higher level of security.

We have prepared a detailed "how-to" explanation of how to correctly set up and use a screen lock on each of the laboratory's supported operating systems (Windows, Mac OS and Scientific Linux Fermi). When setting this up, remember to enable the separate option that requires a password to be entered in order to unlock the screen.

Posted: June 8, 2009

Q. I worked on a particular machine on the 14th floor whereby I was able to navigate to any and all file folders on that machine. It seems that I can no longer do that. Also, one of the files that is an executable file on my desktop no longer works. I need this file to do my work, or I need to navigate to another location to fix the broken link. Since I can do neither, I am stuck and cannot do my work. What should I do?

A. For help with a question like this, you should contact the laboratory's Service Desk by following this URL: http://servicedesk.fnal.gov

Follow the link for "Service Desk Requestor Console" to open an incident ticket. You can also call the Service Desk directly at x2345.

If Service Desk staff cannot answer the question, they will direct it to your desktop support person.

Posted: May 26, 2009

Q. I am a person involved with local administration. Are the audit results available regarding problems found with nodes under our control? I was not notified by users who had any contact with the auditors.

A. If specific problems were found during the audit, the Computer Security Team notified the necessary System Administrators of those cases. To learn more about the audit results, IT administrators can attend the System Administrator's Roundtable at 1:30 p.m. on June 4 in Curia II. The Computer Security Team has also requested that the auditor return to Fermilab to meet with the System Administrator's Roundtable and other staff to present additional technical details.

Last modified: 09/30/2011