phys-npps-members-l AT lists.bnl.gov
Subject: ALL NPPS Members
List archive
- From: Torre Wenaus <wenaus AT gmail.com>
- To: NPPS members <Phys-npps-members-l AT lists.bnl.gov>, NPPS leadership team <Phys-npps-mgmt-l AT lists.bnl.gov>
- Subject: [Phys-npps-members-l] Fwd: Indico incident
- Date: Mon, 8 Mar 2021 09:27:02 -0500
---------- Forwarded message ---------
From: Jerome LAURET <jlauret AT bnl.gov>
Date: Mon, Mar 8, 2021 at 9:22 AM
Subject: Indico incident
To: liaisons <liaisons AT rcf.rhic.bnl.gov>
Dear liaison,
A recent security incident related to the BNL Indico website involved
the public exposure of documents that should have been protected for
internal access and use only. Since this was a recurring event, the case
gained the attention of the BNL Site and Director's Offices. The
discussion focused on changing Indico’s settings to make all meetings
private by default -- however, this setting, if applied at the top level
of the Indico instance, would make all its groups, sub-groups, and
events that had inherited permissions private by default. BNL’s
Cybersecurity consulted with SDCC’s representatives for guidance, who
argued instead to isolate the identified area and proceed with a review
of content, hence minimizing the near-term impact. BNL Cybersecurity
also determined that the national lab that was unaffected by direct
exposure of sensitive data via their Indico website had configured
default private meetings. BNL’s directorate took SDCC’s advisory
feedback, but as their stance is to consider these recurring incidents
as a risk they are not willing to take, we were instructed to change the
default Indico setting to be private (with the aforementioned
consequence). This would be done sometime this week; the exact date and
time are still pending.
Please consider this as advance notice of these changes, and inform
your respective teams of the impact: meetings previously set as public
may become private and inaccessible by non-authenticated users.
Authenticated users will not have access to private content unless their
account is explicitly given access or the group / subgroup managers
either change the content to be accessible by an access code that they
know or make the content public. We will let you know when this change
will occur, and once it is changed, each team’s managers will be invited
to review their content and meeting protection in a proactive manner to
ensure that sensitive data is not again made public.
Guidelines to aid teams in reviewing their Indico content will be
forthcoming. Stay tuned.
--
Dr. Jerome LAURET - Deputy Director / Cyber rep
Scientific Data & Computing Center (SDCC)
,,,,, Physics Department, Brookhaven National Laboratory
( o o ) Bldg 510a, Upton, NY 11973
---m---U---m---------------------------------------------
E-mail: jlauret AT bnl.gov
He/him/his
-- Torre Wenaus, BNL NPPS Group, ATLAS Experiment
-- NPPS Mattermost room: https://chat.sdcc.bnl.gov/npps/channels/town-square
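The forwarded message turns on one mechanism: protection settings that are inherited down a category tree, so that a change to the root default reaches every category and event still set to "inherit", while anything with an explicit setting is untouched. The following toy model is an added example, not Indico's code and not part of the original mail; it is modeled on the inherit / public / protected protection modes that Indico exposes, but the node names, the `acl` field and the category tree (a hypothetical "Physics" / "NPPS" / "STAR" layout) are constructed for illustration. It shows the blast radius of the two options discussed in the mail (flip the root default versus isolate one identified subtree), and why an authenticated user still cannot reach protected content without an explicit grant on the node or one of its ancestors.

```python
"""Toy model of inherited protection in an Indico-style category/event tree.

Constructed example (not Indico's code): each node carries its own mode,
"inherit", "public" or "protected", and the effective mode is the nearest
explicit setting on the path from the root.  The ACL rule (access granted if
the user is listed on the node or on any ancestor) is an assumption used here
to illustrate the "explicitly given access" point from the announcement.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

INHERIT, PUBLIC, PROTECTED = "inherit", "public", "protected"


@dataclass
class Node:
    """A category or an event. `mode` is the node's own setting; `acl` holds
    principals explicitly granted access (hypothetical field names)."""
    name: str
    mode: str = INHERIT
    acl: Set[str] = field(default_factory=set)
    children: List["Node"] = field(default_factory=list)

    def add(self, child: "Node") -> "Node":
        self.children.append(child)
        return child


def resolve(root: Node, default: str = PUBLIC) -> Dict[str, str]:
    """Map every node name to its effective protection: the nearest explicit
    mode on the path from the root, else `default` for an all-inheriting tree."""
    out: Dict[str, str] = {}

    def walk(node: Node, inherited: str) -> None:
        eff = node.mode if node.mode != INHERIT else inherited
        out[node.name] = eff
        for child in node.children:
            walk(child, eff)

    walk(root, default)
    return out


def find(root: Node, name: str) -> Optional[Node]:
    if root.name == name:
        return root
    for child in root.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def changed_by(root: Node, target: str, new_mode: str) -> Dict[str, str]:
    """Temporarily set `target`'s own mode to `new_mode` and return
    {name: new effective mode} for every node whose effective protection
    changed. The tree is restored afterwards, so this is a dry run."""
    before = resolve(root)
    node = find(root, target)
    if node is None:
        raise KeyError(target)
    old = node.mode
    node.mode = new_mode
    after = resolve(root)
    node.mode = old
    return {n: after[n] for n in after if after[n] != before[n]}


def can_access(root: Node, name: str, user: Optional[str]) -> bool:
    """Effective-public content is open to everyone (including `user=None`,
    an unauthenticated visitor). Protected content requires the user to be
    listed in the ACL of the node itself or of one of its ancestors."""
    path: List[Node] = []

    def locate(node: Node) -> bool:
        path.append(node)
        if node.name == name or any(locate(c) for c in node.children):
            return True
        path.pop()
        return False

    if not locate(root):
        raise KeyError(name)
    if resolve(root)[name] == PUBLIC:
        return True
    return user is not None and any(user in n.acl for n in path)


def sample_tree() -> Node:
    """Constructed category layout; names are illustrative only."""
    root = Node("indico", PUBLIC)                  # site-wide default today
    phys = root.add(Node("Physics"))               # inherits from root
    npps = phys.add(Node("NPPS"))                  # inherits from Physics
    npps.add(Node("npps-weekly"))                  # inherits -> public today
    npps.add(Node("npps-open-talk", PUBLIC))       # explicitly public
    star = phys.add(Node("STAR", PROTECTED, acl={"alice"}))  # already private
    star.add(Node("star-collab-meeting"))          # inherits STAR's protection
    return root


if __name__ == "__main__":
    tree = sample_tree()
    print("root flipped to protected:", changed_by(tree, "indico", PROTECTED))
    print("only NPPS isolated:       ", changed_by(tree, "NPPS", PROTECTED))
    print("alice -> STAR meeting:    ", can_access(tree, "star-collab-meeting", "alice"))
    print("bob   -> STAR meeting:    ", can_access(tree, "star-collab-meeting", "bob"))
```

Running the dry run on the sample tree shows the difference the mail describes: flipping the root makes every inheriting category and event on the site private in one step (here `Physics`, `NPPS` and `npps-weekly`), whereas protecting only the identified subtree changes just that subtree, and explicitly public events stay public in both cases. The `changed_by` output is also the list a group manager would need to review after the change is applied.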