Recent articles on computer security (“Unwanted presents”) discussed CERN’s conscious – but also sometimes involuntary – dependence on external companies and service providers and software libraries and packages, and the resulting inherent computer security risks. While, in principle, there are solutions to cope with software dependencies, it is not so easy to protect against dependencies on physical external providers, companies and suppliers. A recent quick study by the Computer Security team revealed the tip of the iceberg.
The attack vectors into the Organization are multiple. Probing CERN’s web-sphere and internet-visible services is one attack vector, infecting your PC or laptop is another, and luring you into disclosing your password to an attacker is a third. Attackers employ many different methods to reach their goals, like vulnerability scanning, malware or sophisticated phishing emails. But given the various protective means that have been put in place, direct attacks may no longer be fruitful. Hence the shift to attacks against the supply chain, such as compromising often-used software packages, infecting external webpages and people “drive-by infecting” computers or impersonating people. A more sophisticated approach is when attackers compromise entire, less protected, less secure companies and suppliers and abuse their resources to attack the big fish. Like the machinery supplier to CERN whose invoicing system was abused by attackers who subsequently tampered with invoices that CERN was supposed to pay. Or like that other external machinery provider whose email system was abused to send seemingly reasonable emails, referring to real email exchanges between them and CERN experts, in order, once more, to extract money from CERN.
Recently, the CERN Computer Security team got their hands on a publicly available list of companies that have been subject to so-called “ransomware attacks” and – wisely – refused to pay the ransom. This still implies that the attackers compromised and got hold of those companies’ internal systems, including, probably, invoicing and email systems. In case of so-called “extortion attacks”, they might also have managed to exfiltrate confidential business data. A comparison of that list with the companies listed in CERN’s supplier database showed that approximately five (5!) CERN-registered companies fell victim to a ransomware or extortion attack every single month. That’s five new companies, on average, per month that were compromised and might be used by attackers to infiltrate CERN or might hold data related to our operations, contracts, NDAs and other sensitive information linked to the Organization. But not every business is necessarily pro-active in warning its customers of the fact that their data has been, or might have been, exposed through a security breach. So CERN may never be alerted to such by a supplier. Hence, CERN, like many other companies, is sitting on a computer security time bomb that is waiting to explode. So is there anything we can do?
Not much, apart from being even more vigilant and suspicious. Our external providers and suppliers are getting attacked. Apparently, they are getting compromised. Hence, if you are in contact with external companies, be warned. Of course, trust is important and they deserve the benefit of the doubt, but once it comes to transferring money or amending contracts or sensitive data, for example, be extra vigilant. Be suspicious. Proposed changes to banking details, IBANs and transfer methods, etc., should set alarm bells ringing, as should requests for more money than was in the contract or for additional personal or institutional sensitive data and attempts to lure you into installing unsolicited software. Try to check those change requests directly with your sales or contract contact person. Ideally by phone rather than return email because their email address could well be compromised and, hence, be under the control of the attacker. Check with other people who are part of the company and go up the hierarchy for confirmation of the answer. Also, raise this with the CERN Procurement Team in the IPT department or drop an email to us at Computer.Security@cern.ch. On the legal side, we are currently revising the General Conditions of CERN Contracts so that our suppliers will, in future, be contractually required to notify CERN in the event that they fall prey to a successful cyberattack.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.