Many successful cyberattacks start with the compromise of a single PC. Once the attacker “owns” that PC, he or she can install additional software to spy on the user, extract data and passwords, enable the microphone and webcam, and manipulate any software, application or transaction of the user. Hence it is reasonable to try to prevent this initial compromise as thoroughly as possible. Windows PCs remain the most frequently targeted, so here is what CERN is doing to “harden” the Windows PCs and laptops managed by CERN’s IT department.
Of course, not only Windows PCs are under attack. Linux, macOS, Android and iOS devices are also vulnerable. But Windows still has a big market share and many attack vectors are aimed at it. In addition, Windows is used widely in CERN’s administrative sector, which manages lots of sensitive data. And, finally, a large fraction of Windows systems are still centrally managed by CERN’s IT department, which can therefore easily help to protect their end users from cyber threats. Due to CERN’s academic environment, for most other platforms the paradigm is “bring your own device” (BYOD) – and with your freedom to do so, you also inherit the responsibility to deploy adequate protection measures. At CERN, in the first instance you are responsible for the security of your own devices…
But if you run a centrally managed Windows PC or laptop, the IT department is ready to help you with that responsibility – in particular if you are working in an environment dealing with lots of sensitive data or are often required to access “random” webpages or open unsolicited e-mails and attachments (like our colleagues in the administrative sector, in procurement, in senior management, or in the secretariats). Our “hardened Windows PC” configuration provides you with a more secure and protected Windows PC.
The first rule for a hardened PC is the use of Windows 10 instead of Windows 7. Windows 10 comes with enhanced and state-of-the-art security (and, admittedly, a few privacy concerns still to be resolved), as well as additional protective measures. Full hard disk encryption is enabled by default (and, don’t worry, at negligible performance cost on current hardware). Dedicated anti-exploit tools mitigate the exploitation of the browser and its plug-ins via malicious links and the (hidden) “drive-by” download of malware from infected websites. The local firewall is configured to block network access by Windows PowerShell, which inhibits some malicious payloads that rely on PowerShell to fetch further components or to contact their operator, and we have enabled additional logging and traceability options just in case an attacker makes it through.
Furthermore, we are locking down program execution rights, including the execution of macros, so that, for example, malicious Word or Excel files cannot wreak havoc. Using an alternative PDF reader and limiting (or even disabling!) Adobe Flash will remove two often-used attack vectors, as vulnerabilities in Adobe Reader and Adobe Flash are frequently exploited by adversaries to gain unauthorised access to Windows systems (as well as to macOS devices). We are even considering introducing some “fake” processes to make malware think the PC is a security researcher’s analysis sandbox or “honeypot”: a lot of malware refuses to run in such environments in order not to reveal its internal workings...
On the user side, administrator rights for regular users will be removed and execution of software from the user profile will be restricted (legitimate software rarely needs to run from this location, whereas downloaded attachments and malware droppers usually do). For browsing the Internet, reading unsolicited e-mails and opening unknown attachments, it is also possible to run a hardened PC configuration in an additional – virtual – environment, so that neither browsing nor opening e-mails can become a vector for infecting the primary PC.
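To make the measures of the three preceding paragraphs concrete, here is an added example script (written for this page; it is not CERN’s own hardening configuration, which is deployed centrally and is not published here). It applies, on a single Windows 10 PC, the equivalents of the article’s measures: a BitLocker status check, a firewall rule that takes PowerShell off the network, PowerShell script block logging, blocking of macros in Office files received from the Internet, AppLocker path rules that deny execution from user profiles, and removal of non-approved members from the local Administrators group. The approved-admin list, the Office registry version key (16.0) and the choice to roll AppLocker out in AuditOnly mode first are this example’s assumptions, not the article’s.

```powershell
#Requires -RunAsAdministrator
# Added example (not CERN's own configuration script): applies, on one Windows 10
# PC, the kinds of measures the article describes. Assumptions that are this
# example's and not the article's: the approved-admin list, the Office version
# key (16.0), and rolling AppLocker out in AuditOnly mode before enforcing it.
param(
    [string[]]$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator"),  # add your domain admin group here
    [switch]$Enforce   # without -Enforce, Administrators-group changes are only previewed
)

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Disk encryption: report only. Turning BitLocker on (Enable-BitLocker, or MDM/GPO)
#    needs a recovery-key escrow decision, so it is not done silently here.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
"BitLocker on {0}: {1}, {2}% encrypted" -f $env:SystemDrive, $vol.ProtectionStatus, $vol.EncryptionPercentage

# 2. Firewall: block outbound connections from powershell.exe (64- and 32-bit). A macro
#    or exploit that spawns PowerShell to fetch its next stage then gets no network.
#    Explicit Block rules win over Allow rules whatever the profile's default action.
$psExes = @("$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
            "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe")
foreach ($exe in $psExes) {
    $name = "Hardened PC: block outbound $exe"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
            -Action Block -Profile Any | Out-Null
    }
}

# 3. Traceability: script block logging records every PowerShell script block that
#    runs (after de-obfuscation) as event ID 4104 in Microsoft-Windows-PowerShell/Operational.
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
    'EnableScriptBlockLogging' 1

# 4. Macros: block macros in Office files carrying the Mark-of-the-Web (downloaded or
#    received as attachments). This is a per-user policy key, so deploy it via GPO
#    for all users; here it is set for the user running the script.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    Set-PolicyValue "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" `
        'blockcontentexecutionfrominternet' 1
}

# 5. Application control: AppLocker path rules. Everyone may run what is installed under
#    Windows and Program Files, administrators may run from elsewhere, and every user
#    profile (where droppers and phishing attachments land) is explicitly denied; a Deny
#    overrides any Allow. Rule IDs are freshly generated GUIDs. AuditOnly logs would-be
#    blocks (Microsoft-Windows-AppLocker/EXE and DLL, event 8003) without enforcing;
#    change it to "Enabled" once the audit shows no needed software being hit.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Administrators: anywhere" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Deny user profiles" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'hardened-applocker.xml'
$policyXml | Set-Content -Path $policyFile -Encoding UTF8
sc.exe config appidsvc start= auto | Out-Null   # AppLocker is enforced by the Application Identity service
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# 6. Least privilege: the everyday account is not a local administrator. Every member of
#    the local Administrators group that is not on the approved list is removed
#    (previewed with -WhatIf unless -Enforce was given).
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $ApprovedAdmins -notcontains $_.Name } |
    ForEach-Object {
        Remove-LocalGroupMember -Group 'Administrators' -Member $_ -WhatIf:(-not $Enforce)
    }
```

Run it from an elevated PowerShell, first without `-Enforce` to see which accounts would lose administrator rights (on a domain-joined PC, pass the domain administrator group in `-ApprovedAdmins`, otherwise it will be listed for removal). Three caveats a practitioner should keep in mind: the firewall rule also stops legitimate PowerShell downloads and remoting from that PC, and does not cover a separately installed PowerShell 7 (`pwsh.exe`) under Program Files; the `%WINDIR%\*` allow rule includes a few user-writable folders (for example `C:\Windows\Temp` and `C:\Windows\Tasks`) that an enforced policy should deny explicitly; and an Exe rule collection alone does not cover DLLs or scripts, which need their own collections. Leave the policy in AuditOnly until the 8003 events show that nothing your users actually need is being blocked.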
Of course, we are trying to make these PCs as convenient and transparent as possible for you and your everyday work. The more “standard” your usage is, the easier it will be for you to have a “hardened PC”. Some of these measures will certainly also make it into the configuration of normal Windows PCs managed by the IT department. Some other measures might also be deployed, to our Mac community for example. So, please stay tuned. If you want to participate in our pilot programme, please contact us at Computer.Security@cern.ch.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, visit our website or contact us at Computer.Security@cern.ch.