01/15/2026 | News release | Distributed by Public on 01/15/2026 04:28
The past two years have brought a lot of new computer-security deployments at CERN. Spurred on by the 2023 cybersecurity audit, the Computer Security Office, in collaboration with the IT department, has deployed two-factor authentication (2FA) for CERN's Single Sign-On; new and enhanced spam filtering, email quarantining and anti-spoofing protection; and, subsequently, 2FA protection for LXPLUS and the CERN Windows Terminal Servers, among many other measures. In 2026, the implementation of that audit's recommendations should come to an end, with the last batch of work packages being finalised. So here is a short roadmap of what to expect in 2026, starting with the mandatory requirements for those developing or running IT services. Two future Bulletin articles will cover the upcoming changes to accounts, passwords and two-factor protection, as well as new deployments linked to network filtering and the CERN Wi-Fi.
Right in time for the MERIT period, and in order to close recommendation R-15.3 of the cybersecurity audit, the HR training team in collaboration with the Computer Security Office has put in place dedicated training sessions on security. The SecureFlag platform provides a plethora of security courses for programmers (C, C++, Java, Python, etc.) as well as for service managers and system administrators (Docker, Kubernetes, React, Terraform, etc.). Given that security courses are mandatory as per CERN's Operational Circular No. 5 (the CERN Computing Rules), please talk to your line manager now and Just. Sign. Up. And if none of those options are suitable for you, talk to your supervisor, your departmental training officer or the Computer Security Office for better suited alternatives.
Furthermore, in order to fulfil recommendation R-5.1 of the audit, the Computer Security Office, with the approval of the Computer Security Board, has published a series of additional Subsidiary Rules and Security Principles. The Rules cover data protection and privacy, endpoints, identities, authentication and authorisation, operating IT services, network use, and software development and configuration; the Principles cover how to deploy containers, how to maintain operating systems, servers and web applications, and how to do software development. Both are meant to complement the mandatory but general rules set out in OC5 ("The user shall take the necessary precautions to protect the user's personal computer or work station against unauthorised access."), bearing in mind that OC5's nomenclature dates back to the year 2000. Hence, these Subsidiary Rules and Security Principles, while not introducing anything new, spell out in much more detail what is expected (the Rules) and how it can be fulfilled (the Principles). Please have a look and ensure that your IT services are aligned with these Rules and Principles in the course of 2026.
Moreover, and by no means least, 2026 should see a tightening of CERN's ModSecurity- and Falco-based web application firewalls (WAFs), as well as a more granular deployment of (distributed) denial-of-service protections. If you run an OpenShift-hosted website, WAF tightening will mean more filtering of unwanted visitors to your site, but possibly also some work on your side to adapt your pages, since stricter rules can also block some legitimate traffic (a search box or free-text form field whose content happens to look like an injection attempt is the classic case). Keep an eye on your site's WAF logs after the change rather than waiting for user complaints.
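To find out which rules are hitting legitimate traffic, the first step is to correlate rule hits with actual 403s. The following Python triage script is an added example, not CERN tooling: it parses constructed log lines in the layout ModSecurity v2 writes to the Apache error log when the OWASP Core Rule Set (CRS) runs in anomaly-scoring mode. In that mode each rule only adds to a score and one scoring rule (assumed CRS v3 ids 949110 and 959100) emits the "Access denied" line, so hits and denials are linked via the request's unique_id. The hostnames, client addresses and log contents are invented; where the real logs live for an OpenShift-hosted site depends on the ingress setup.

```python
import re
from collections import defaultdict

# Constructed log lines: same layout as ModSecurity v2 entries in an Apache error log,
# with the OWASP Core Rule Set (CRS) running in anomaly-scoring mode. Not CERN data.
def modsec_line(uid, action, rid, msg, uri, client="192.0.2.10:51000"):
    return (f'[Thu Jan 15 09:12:01.100000 2026] [security2:error] [pid 1234] [client {client}] '
            f'ModSecurity: {action} [id "{rid}"] [msg "{msg}"] [severity "CRITICAL"] '
            f'[hostname "site.example"] [uri "{uri}"] [unique_id "{uid}"]')

DENY = "Access denied with code 403 (phase 2)."
SCORE_MSG = "Inbound Anomaly Score Exceeded (Total Score: 5)"
SAMPLE_LOG = "\n".join([
    modsec_line("aaa", "Warning.", "942100", "SQL Injection Attack Detected via libinjection", "/search"),
    modsec_line("aaa", DENY, "949110", SCORE_MSG, "/search"),
    modsec_line("bbb", "Warning.", "920350", "Host header is a numeric IP address", "/healthz", client="10.0.0.5:4000"),
    modsec_line("ccc", "Warning.", "942100", "SQL Injection Attack Detected via libinjection", "/search"),
    modsec_line("ccc", DENY, "949110", SCORE_MSG, "/search"),
    modsec_line("ddd", "Warning.", "930120", "OS File Access Attempt", "/docs/etc-passwd.html"),
    modsec_line("ddd", DENY, "949110", SCORE_MSG, "/docs/etc-passwd.html"),
    "Jan 15 09:12:02 host sshd[99]: unrelated line that the parser must ignore",
])

# CRS rules that only evaluate the accumulated anomaly score: they are the ones that deny,
# but never the ones to tune. Assumed CRS v3 ids (inbound / outbound).
SCORING_RULES = {"949110", "959100"}

FIELD = re.compile(r'\[(id|msg|uri|unique_id) "([^"]*)"\]')
CLIENT = re.compile(r'\[client ([^\]]+)\]')

def parse_line(line):
    """Return the interesting fields of one ModSecurity log line, or None for anything else."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    if "id" not in fields:
        return None
    client = CLIENT.search(line)
    return {
        "client": client.group(1) if client else "",
        "action": "denied" if "Access denied" in line else "warning",
        "rule_id": fields["id"],
        "msg": fields.get("msg", ""),
        "uri": fields.get("uri", ""),
        "unique_id": fields.get("unique_id", ""),
    }

def summarize(log_text):
    """Per rule id: hit count, how many hits belonged to a request that ended in a 403, URIs hit.

    In anomaly-scoring mode each rule only adds to the score and a single scoring rule
    emits the 'Access denied' line, so hits are correlated with denials via unique_id.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    denied = {e["unique_id"] for e in events if e["action"] == "denied"}
    per_rule = {}
    for e in events:
        r = per_rule.setdefault(e["rule_id"], {"msg": e["msg"], "hits": 0, "in_denied": 0,
                                               "uris": defaultdict(int)})
        r["hits"] += 1
        r["uris"][e["uri"]] += 1
        if e["unique_id"] in denied:
            r["in_denied"] += 1
    return per_rule

def tuning_candidates(per_rule, scoring_rules=SCORING_RULES):
    """Rules that contributed to at least one blocked request, noisiest first.

    Each entry is (rule_id, msg, blocked_requests, {uri: hits}). Whether a hit is a true
    positive or a legitimate request that needs an exclusion is a judgement for the site owner.
    """
    rows = [(rid, r) for rid, r in per_rule.items() if r["in_denied"] and rid not in scoring_rules]
    rows.sort(key=lambda kv: kv[1]["in_denied"], reverse=True)
    return [(rid, r["msg"], r["in_denied"], dict(r["uris"])) for rid, r in rows]

if __name__ == "__main__":
    for rid, msg, blocked, uris in tuning_candidates(summarize(SAMPLE_LOG)):
        print(f"{rid} {msg}: contributed to {blocked} blocked request(s) on {uris}")
```

On the constructed data, rule 942100 (the libinjection SQLi check) is behind both blocks on /search while 920350 fired without causing a denial. Once a rule is confirmed to be hitting a legitimate parameter, the usual remedy is a targeted exclusion rather than switching the rule off, for example ModSecurity's SecRuleRemoveTargetById 942100 "ARGS:q" for one named argument; whether you can set such exclusions yourself for an OpenShift-hosted site, or must ask the WAF operators to do so, depends on the service.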
Finally, a much harder nut to crack is still on the wish list of some LHC experiments and the Computer Security Office: a Software Bill of Materials (SBOM). Such an SBOM should give a better overview of which software runs where at CERN, allow control over where packages, libraries, etc. may be downloaded from, so that malicious code is not automatically pulled into the CERN software stack, and avoid any liability with regard to copyright or non-proliferation constraints. While the BE department has already succeeded in deploying an in-depth software inventory, a central SBOM service is still out of reach. The best options available today are the Dependency List, Secret Detection and Static Application Security Testing (SAST) for any code hosted in CERN's GitLab instance, as well as the vulnerability scoring in CERN's Harbor registry for containers and virtual machines. Hopefully, 2026 will see the dawn of an SBOM service, however basic it may be at first.
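What an SBOM records, and why "control over where packages are downloaded from" belongs in the same sentence, is easier to see on a concrete file. The Python script below is an added example and not CERN's GitLab Dependency List or any other CERN service: from a constructed Python requirements file it builds a minimal SBOM in the CycloneDX 1.5 JSON format (one component per pinned package, identified by its purl) and at the same time reports the ways such a file lets unvetted code in: unpinned versions, pins without a --hash, an --extra-index-url (which pip searches for every package, the classic dependency-confusion setup), an index outside an assumed allow-list, and direct VCS/URL sources. The package names, index URLs, allow-list and the sha256 value are all placeholders.

```python
import json
import re

# Constructed requirements file for illustration (not a real CERN project).
# The sha256 value is a placeholder, not the real digest of any package.
PLACEHOLDER_SHA256 = "ab" * 32
SAMPLE_REQUIREMENTS = f"""\
--index-url https://pypi.org/simple
--extra-index-url https://pypi.example.internal/simple
requests==2.31.0 \\
    --hash=sha256:{PLACEHOLDER_SHA256}
urllib3>=1.26
PyYAML==6.0.1   # pinned but unverified
mylib @ git+https://git.example/foo/mylib.git@main
"""

# Assumed allow-list of package indexes; replace with your organisation's mirror.
ALLOWED_INDEXES = ("https://pypi.org/simple",)

REQ = re.compile(r'^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;]*)')
DIRECT = re.compile(r'^([A-Za-z0-9][A-Za-z0-9._-]*)\s*@\s*(\S+)')

def normalize(name):
    """PEP 503 name normalisation, as used by the index and in package URLs (purls)."""
    return re.sub(r'[-_.]+', '-', name).lower()

def logical_lines(text):
    """Yield requirement lines with backslash continuations joined and comments removed."""
    buf = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # simplified: '#' inside URLs is not handled
        if line.endswith('\\'):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = ' '.join(buf).strip()
        buf = []
        if joined:
            yield joined

def build_sbom(text, allowed_indexes=ALLOWED_INDEXES):
    """Return (CycloneDX 1.5 SBOM dict, findings) for a requirements file.

    Only '=='-pinned requirements become components: anything else has no definite
    version to record. Findings list the ways the file lets unvetted code in.
    """
    components, findings = [], []
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0].startswith('-'):                       # pip option, not a requirement
            opt, value = tokens[0], (tokens[1] if len(tokens) > 1 else '')
            if opt == '--extra-index-url':
                findings.append(f"{opt} {value}: pip consults every index for every package "
                                "(dependency-confusion risk)")
            elif opt in ('--index-url', '-i') and value.rstrip('/') not in allowed_indexes:
                findings.append(f"{opt} {value}: index not in allow-list")
            elif opt in ('--find-links', '-f'):
                findings.append(f"{opt} {value}: packages fetched outside the index")
            continue
        direct = DIRECT.match(line)
        if direct or '://' in tokens[0]:
            name = direct.group(1) if direct else tokens[0]
            findings.append(f"{name}: direct URL source bypasses the index and version pinning")
            continue
        spec = tokens[0]
        hashes = [t[len('--hash='):] for t in tokens[1:] if t.startswith('--hash=')]
        m = REQ.match(spec)
        if not m:
            findings.append(f"{spec}: unparsed requirement")
            continue
        name, op, version = m.groups()
        if op != '==' or not version:
            findings.append(f"{name}: not pinned ({op or ''}{version})")
            continue
        if not hashes:
            findings.append(f"{name}: no --hash, so the downloaded artefact is not verified")
        components.append({
            "type": "library",
            "name": normalize(name),
            "version": version,
            "purl": f"pkg:pypi/{normalize(name)}@{version}",
            "hashes": [{"alg": "SHA-256", "content": h.split(':', 1)[1]}
                       for h in hashes if h.startswith('sha256:')],
        })
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components}
    return sbom, findings

if __name__ == "__main__":
    sbom, findings = build_sbom(SAMPLE_REQUIREMENTS)
    print(json.dumps(sbom, indent=2))
    for f in findings:
        print("FINDING:", f)
```

A real SBOM service would of course work from what is actually installed (lock files, container image layers, resolved transitive dependencies) rather than from a hand-written requirements file, but the two halves of this script are the two halves of the wish above: an inventory of what runs, and a gate on where it may come from.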
Overall, thanks a lot for helping to secure CERN by staying ahead of the curve, being well trained and keeping your services and developments to the highest security standard. And check out the next two articles for the remaining parts of the roadmap: passwords and two-factor authentication, and networking.
_______
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at [email protected].