NERSC Users Group Meeting Stephen Lau NERSC November 6, 2014

Things Your Parents Never Told You About Practicing Safe Computing in a High Performance Computational Environment NERSC Users Group Meeting Stephen Lau NERSC March 23, 2022


Transcript of NERSC Users Group Meeting Stephen Lau NERSC November 6, 2014

Things Your Parents Never Told You About Practicing Safe Computing in a High Performance Computational Environment

NERSC Users Group Meeting
Stephen Lau
NERSC
April 20, 2023

NUG Training April 20, 2023

Goals and Overview

• Goals
  – Increase Cybersecurity Awareness
  – Overview of Basic Techniques to Reduce Risk
  – What You Need to Do When You Have an Incident

• Overview
  – What, How and Why of Computer Security
  – How NERSC Handles Computer Security
  – Practicing Safe Computing
  – In Case of Emergency


What is Computer Security?

• What are we protecting?
  – Availability of our systems to users
  – Downtime of our users
  – Being good “net citizens”
  – Prevent bad publicity
  – New item – preventing cyberterrorism

• Computer security has no guarantees
  – Not “if” but “when”
  – Security measures will lower, not eliminate risk
  – There is no “blueprint” for computer security


Why Worry?

• Threats are on the increase
  – NERSC is scanned on average 30-40 times a day
  – Rate is increasing over time
  – Our experience
    • Unpatched system on the open Internet will get exploited within an “average” of 4 hours

• Threats are becoming more sophisticated
  – Multi-vector attack methods
  – Large scale attacks becoming more prevalent


Hostile Scans

[Chart: hostile scans over time, x-axis dates from 1-1-99 to 7-14-01, y-axis 0 to 140. Trend line: y = 0.0499x - 3.7754. One value is truncated on the chart; actual value = 1621 (Code Red 7-19-01).]


Why Worry?

• Attack tools becoming easier to use
  – More and more automation
  – Technical expertise not required

• More exploitable systems
  – Industry not “security” savvy
  – Security typically an afterthought
  – Proliferation of Internet enabled devices
    • Majority unpatched and unattended


Threat Vectors

• Scanning
  – Used as a reconnaissance tool
  – Determine vulnerabilities for later exploit
  – Fairly automated

• Poorly maintained systems
  – Exploit waiting to happen
  – Unpatched or poorly patched systems
  – Outdated operating systems
  – Systems running unneeded services


Threat Vectors

• Social Engineering / User Education (lack of)
  – Inadvertent misuse of available tools
  – Unaware of computer security risks
  – Hard to defend against
  – Best defense is education

• Worms and Viruses
  – Morris Worm, Code Red (v1, v2), Nimda, etc.
  – Self propagating code
  – Average of 40 worms knock on our door every day


Code Red Worm Example

– Different variants of worm, CRv2 triggered July 19, 2001
– Exploited Microsoft IIS vulnerability
– ~300,000 hosts on the Internet were infected in about 13 hours


Worm Trends


Threat Factors

• Script kiddies
  – Typically clueless
    • Attempts Windows exploits on a Cray

• Dedicated attackers
  – Stepping stone platforms
  – Claim to fame

• Users and staff
  – Mobile staff introduces vulnerabilities
  – Offsite systems beyond our control
  – Remote and home systems can be compromised


Other Factors

• Maintaining our mission
  – Provide our users with an unimpeded environment
  – Promote development of new computational techniques
  – Encourage collaboration

• Post Sept 11th factor
  – Heightened awareness regarding cyberterrorism
  – New DOE mandates regarding cybersecurity
  – Effect on high performance computing TBD
    • Stay tuned!


NERSC Computational Environment

• Unlike enterprise institutions
  – Enterprise oriented computer security techniques fail

• High performance platforms

• High bandwidth/performance applications
  – Unique applications with unique requirements and traffic patterns

• Diverse and distributed resources
• Multi-institutional collaborations across all levels


NERSC Computer Security

• NERSC uses a “layered approach” or “defense in depth”

• Use of multiple tools and techniques leverages off strengths and weaknesses
  – Multiple sensors to detect and prevent intrusions
  – No single points of failure

• No single tool or technique guarantees a secure environment


Defense in Depth

• External Perimeter Defense
  – Bro Intrusion Detection System
  – Router filtering
  – Host shunning

• Network Protection
  – Firewalls where appropriate
  – Subnet traffic filtering


Defense in Depth

• Host Level Security
  – Periodic host scanning
  – Vulnerability eradication
  – Anti-virus software

• Education
  – Periodic in-house training for NERSC staff
  – Education of NERSC users regarding cybersecurity


Bro (We’re watching you)

• High performance intrusion detection system developed at LBNL and AT&T ACRI

• Passively monitors a network link
  – Taps directly into fiber coming into NERSC

• Records all sessions
• Selectively ignores some information
  – i.e. ftp data

• Bro allows us to “reconstruct the crime”
  – Data recorded for unencrypted interactive sessions


Bro

• Works in conjunction with border router to drop (shun) hosts at the border

• Detects stepping stones
  – Compromised system used as a gateway

• Detects “backdoors”
  – i.e. telnet servers on non-standard port

• Detects file sharing systems
  – Gnutella, Napster, KaZaa


Most Common Security Incidents at NERSC

• Sniffed passwords
  – Someone gets a hold of a user password
  – Externally compromised system
  – Exposure via unencrypted means

• Unpatched systems
  – New systems (not yet patched)
  – Toolkits used to exploit known vulnerabilities
  – Visitors and staff unknowingly bring in vulnerable or pre-hacked systems


Practicing Safe Computing

• Things you can do to reduce your chance and the impact of a compromise
  – By no means is this list exhaustive
  – You can follow all these guidelines and still be hacked

• MAINTAIN BACKUPS
  – #1 preventive measure
  – Make sure your backups are actually backing up the right thing

• Keep your workstation patched


Practicing Safe Computing

• Use virus protection software on Windows systems
  – Remember to update your virus checker at LEAST once a week
  – Don’t rely on “automatic” updating

• Eliminate clear text password usage
  – Use SSH, scp, sftp where possible
  – Don’t “stepping stone” from an unencrypted session into an encrypted session
    • i.e. don’t telnet from home to work and then from work SSH into NERSC


Practicing Safe Computing

• Disable services that are not needed
  – Work with your local system administrators to do this
  – Unix
    • Echo, discard, daytime, telnet, rcp, rsh, sadmind, dtspcd
  – Windows
    • Disable IIS (just say NO to IIS)
    • Disable open shares

• Don’t run executable email attachments
  – Primary method of spreading viruses
    • “I Love you” virus
    • “Melissa” virus
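
An added example, not part of the original slides: a small audit of an inetd.conf for the Unix services named in the "Disable services that are not needed" bullet above. The sample file is constructed, and the mapping of rsh/rcp to the "shell" entry, sadmind to an RPC entry and dtspcd to "dtspc" is an assumption about a typical Solaris-style layout.

```python
import os

# Services named on the slide, as they typically appear in inetd.conf.
# Assumption: rsh and rcp are both served by the "shell" entry (in.rshd),
# sadmind is an RPC entry and dtspcd is registered as "dtspc".
FLAGGED_SERVICES = {"echo", "discard", "daytime", "telnet", "shell", "dtspc"}
FLAGGED_PROGRAMS = {"in.telnetd", "telnetd", "in.rshd", "rshd", "sadmind", "dtspcd"}

# Constructed sample file (Solaris-style layout), not taken from a real host.
SAMPLE_INETD_CONF = """\
# constructed sample
echo      stream tcp     nowait root internal
#discard  stream tcp     nowait root internal
daytime   dgram  udp     wait   root internal
telnet    stream tcp     nowait root /usr/sbin/in.telnetd in.telnetd
ftp       stream tcp     nowait root /usr/sbin/in.ftpd    in.ftpd
shell     stream tcp     nowait root /usr/sbin/in.rshd    in.rshd
100232/10 tli    rpc/udp wait   root /usr/sbin/sadmind    sadmind
dtspc     stream tcp     nowait root /usr/dt/bin/dtspcd   /usr/dt/bin/dtspcd
"""


def audit_inetd(text):
    """Return (line_number, service, program) for each enabled flagged entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out, i.e. already disabled
        fields = line.split()
        if len(fields) < 6:
            continue  # not a complete service entry
        service = fields[0]
        program = os.path.basename(fields[5])  # "internal" for inetd built-ins
        if service in FLAGGED_SERVICES or program in FLAGGED_PROGRAMS:
            findings.append((lineno, service, program))
    return findings


if __name__ == "__main__":
    for lineno, service, program in audit_inetd(SAMPLE_INETD_CONF):
        print(f"line {lineno}: {service} ({program}) is enabled; comment it out")
```

A commented-out entry takes effect only after inetd re-reads its configuration.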


Practicing Safe Computing

• Passwords
  – Choose a non easily guessed password
    • NERSC has guidelines for choosing passwords
      – http://hpcf.nersc.gov/policy/password.html
    • Mix alphanumeric with special characters (!@#$%^*()>?”{},.;l’-)
    • Example:
      – Use first letters of a saying you can remember
        » Non politically correct example: Stellar sequence
        » “Oh, Be A Fine Girl, Kiss Me!” = o,BaF6,KM!
  – If you must expose your clear text password, make sure it’s different than your encrypted ones!
  – DON’T share your passwords


Practicing Safe Computing

• Use encryption wherever possible
  – Encrypt your email (especially private information)
    • PGP
  – Use SSH and SSH tunneling wherever possible
    • Remember to use a passphrase on your SSH key
  – Encrypt private files
  – Ensure deletion of files (especially Windows systems)
    • Freeware tools available to securely delete files
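
An added example, not from the original slides: a check for whether an SSH private key file is protected by a passphrase, the point made in the SSH bullet above. It goes beyond the slide by covering the current OpenSSH key format as well as legacy PEM and PKCS#8; the sample keys are constructed header-only stand-ins that contain no key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, offset):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    (length,) = struct.unpack_from(">I", buf, offset)
    return buf[offset + 4:offset + 4 + length]


def key_has_passphrase(pem_text):
    """True if the private key file is encrypted, False if stored in the clear."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if len(lines) < 3 or "PRIVATE KEY-----" not in lines[0]:
        raise ValueError("not a PEM private key")
    header, body = lines[0], lines[1:-1]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad OpenSSH key magic")
        # First field after the magic is the cipher name; "none" = no passphrase.
        return _read_string(blob, len(OPENSSH_MAGIC)) != b"none"
    # Legacy PEM (RSA/DSA/EC): encryption is declared in a Proc-Type header.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body)


def _constructed_openssh_header(cipher, kdf):
    """Build a header-only OpenSSH blob for the demo; it holds no key material."""
    blob = OPENSSH_MAGIC
    for field in (cipher, kdf, b""):
        blob += struct.pack(">I", len(field)) + field
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples: headers only, no real keys.
SAMPLES = {
    "openssh_protected": _constructed_openssh_header(b"aes256-ctr", b"bcrypt"),
    "openssh_unprotected": _constructed_openssh_header(b"none", b"none"),
    "legacy_protected": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                        "AAAA\n-----END RSA PRIVATE KEY-----\n",
    "legacy_unprotected": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "passphrase" if key_has_passphrase(text) else "NO PASSPHRASE")
```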


Practicing Safe Computing

• Security isn’t only for your office environment
  – Home systems are heavily targeted
  – Be wary of public systems and networks
  – Wireless systems are NOT secure

• Physical security
  – Use screensavers with password lock
    • Prevents other people from using your system
  – Secure all portable electronic devices (Keep your seatbacks and tray tables in an upright and locked position)
    • Laptops, cell phones, PDAs, voicemail
    • Keep them with you or lock them down


Practicing Safe Computing (for the more adventurous)

• Host based filtering systems
  – Windows Platform
    • Kerio Firewall
    • Zone Alarm
  – Linux / Unix
    • Ipchains
    • tcpwrappers

• Scan your workstation
  – Determines vulnerabilities and services enabled
  – Contact your local system administrator first
  – WARNING: Don’t scan other people’s workstations!


Free Scanning Tools

• Nessus
  – Server/client model
  – Client
    • Windows/Java/Unix
  – Server
    • Unix
  – http://www.nessus.org

• Nmap
  – Unix/Windows platforms
  – http://www.insecure.org


In Case of Emergency

• Be “cyber security” aware
  – Watch for strange “new” files
  – Odd behavior of your system
  – Unexplained accesses to your account
  – Processes you can’t account for
  – Watch what you “click”
    • Are the ‘dancing pigs’ worth it?

• Report strange occurrences
  – Notify your local system administrators
  – NERSC mandates users report compromises
    • This includes EXTERNAL compromises


In Case of Emergency

• NERSC will NEVER do the following:
  – Ask you for your password, even over the phone
  – Give your email address to an outside source without your permission

• Never underestimate social engineering
  – If in doubt, ask for a call back number and hang up

• Computer security related matters should be handled via telephone or encrypted email whenever possible


In Case of Emergency

• For computer security related emergencies
  – Phone NERSC Operations
    • 24hrs/day, 7 days a week
    • +1 (510) 486-8600
  – Email: [email protected]

• To contact me:
  – Stephen Lau
  – Email: [email protected]
  – Phone: +1 (510) 486-7178
  – PGP Key Fingerprint:
    • 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B


FIN
