Many people at Fermilab are diligent about managing their desktops or laptops. They keep them up to date with patches and enroll them in one of the laboratory’s inventory and patching systems for Windows, Mac or Linux. However, we are only as strong against penetration by malicious adversaries as our weakest link.
Last week auditors from DOE who were checking out our computer security controls and our compliance with our own computer security policies found some of those weak links. They were able to gain access to a number of systems they could not have entered had we been fully conforming to our published security “baselines,” fully implementing password complexity guidelines and more carefully monitoring alerts, such as antivirus-scan warnings.
It’s time for a tune-up!
Today we launch a campaign to tune up our Information Technology (IT) to fully comply with our published security baselines and policies. We do this not only to comply with the audit requirements but to strengthen computing at Fermilab to support our physics mission.
In the coming months every desktop and laptop owned by Fermilab will receive either a physical or virtual visit from a trained system administrator who will check it for full compliance with required baseline configurations. Those who do not need administrative privileges to carry out their job functions will no longer have such privileges. Those who do will keep administrative privileges and will be retrained in how to ensure that their systems meet requirements. We will incorporate every machine into the automated inventory and patching systems provided for Windows, Linux and Mac systems. We will remove from the network desktops and laptops that are not running an approved OS with a published security baseline. Desktops and laptops that are too old to be updated, or that are running systems that cannot be brought up to standards, will either be taken out of service or will have their need fully documented and compensatory controls put in place (such as isolating them in their own network segment).
Let me be frank. This process is likely to be rather painful for some who are accustomed to having full control of their computers. It will considerably increase the number of Service Desk tickets, so we will increase the number of ticket responders. We will also add staff to carry out other aspects of our campaign.
The pain will be worth it. We will be safer and better off after this campaign. We may even find that it is less work to manage the many IT systems we have.