sphenix-l - [Sphenix-l] Indico

sphenix-l AT lists.bnl.gov

Subject: sPHENIX is a new detector at RHIC.

  • From: pinkenburg <pinkenburg AT bnl.gov>
  • To: PHENIX Current Participants <phenix-p-l AT lists.bnl.gov>, "sphenix-l AT lists.bnl.gov" <sphenix-l AT lists.bnl.gov>
  • Subject: [Sphenix-l] Indico
  • Date: Tue, 9 Mar 2021 15:21:04 -0500

Hi folks,

This is more relevant for sPHENIX, but I am sure there are some PHENIX users of the BNL Indico. This Thursday at noon, BNL's Indico default will be changed to private, which will block everyone who doesn't have explicit permission from viewing an agenda.

Admins can make agendas public, but as you can read, there are dire consequences if you do not watch out, so we can't just make our 3000+ previously public events public again without review. But we should at least be able to change them case by case and make sure new agendas are readable (or provide access keys). Indico has its own accounts, which makes this a real nightmare, but there is some hope that at least SDCC accounts (with their groups) can be used for bulk access management in the future.

But this also means that, if we go to public agendas, please be mindful of what you upload to them (no budget numbers, internal info, company secrets, stuff like that).

Sorry for the bad news

Chris



-------- Forwarded Message --------
Subject: Re: Indico incident
Date: Tue, 9 Mar 2021 14:42:45 -0500
From: Jerome LAURET <jlauret AT bnl.gov>
To: pinkenburg <pinkenburg AT bnl.gov>, liaisons <liaisons AT rcf.rhic.bnl.gov>


Greetings,

We are all aware of how impactful this change will be (and of cruising the content that was created with default inheritance settings and changing them). This is why what we tried to argue was not to take this route but to isolate the problematic area; again, the lab Directorate did not want to take that risk. Meetings can be set in a few ways: accessed by a list of approved individuals (or a group), or the meeting is set in such a way that an access key is needed. I am aware of the limitations of both (and infer it is why you bring up IDP integration).


I had a long meeting with Cyber this morning, and the current target is to change the setting this coming Thursday at noon (it was confirmed 1.5 hours ago). A few more points and news:

- "admins who lack the time to go through ... let sensitive info pass through by making agendas public".
I highly suggest ensuring this does not happen and clearly carrying forth the magnitude of this fallout. If admins do not have the time, they should simply not take actions that would (re)expose internal-use-only material. They should leave it private until they have the time to make the proper assessment.

- The OPSEC (Operations Security) office is involved; they are trying to come up with a "process" that would allow defining when content is NOT public (a kind of more active review). For now, the basic message is: consider the "public" setting as meaning public and accessible by the entire world (with this basic guideline, an internal review meeting would naturally not be considered public).

- For the readiness of integrating IDP into Indico: I will get back to you on this (certainly an opportunity to bring an Indico improvement back to the table).


Time again: this coming Thursday at noon.

Regards.



On 2021-03-09 10:14, pinkenburg wrote:
Hi Jerome,

I can't stress enough how disruptive this is for sPHENIX; about 1/3 of the BNL Indico content is sPHENIX. Could you give us an update? At least a time scale? Will there be a hook to the SDCC logins, or do we have to create hundreds of Indico accounts by the end of this week (or suffer the consequences for admins who lack the time to go through 3315 events and let sensitive info pass through by making agendas public)?

Thanks
Chris


On 3/8/2021 9:22 AM, Jerome LAURET wrote:

Dear liaison,

A recent security incident related to the BNL Indico website involved the public exposure of documents that should have been protected for internal access and use only. Since this was a recurring event, the case gained the attention of the BNL Site and Director's Offices. The discussion focused on changing Indico's settings to make all meetings private by default; however, this setting, if applied at the top level of the Indico instance, would make all its groups, sub-groups, and events that had inherited permissions private by default. BNL's Cybersecurity consulted with SDCC's representatives for guidance, who argued instead to isolate the identified area and proceed with a review of content, hence minimizing the near-term impact. BNL Cybersecurity also determined that the national lab that was unaffected by direct exposure of sensitive data via its Indico website had configured meetings to be private by default. BNL's directorate took SDCC's advisory feedback, but as their stance is to consider these recurring incidents a risk they are not willing to take, we were instructed to change the default Indico setting to private (with the aforementioned consequence). This would be done sometime this week; the exact date and time are still pending.

Please consider this advance notice of these changes, and inform your respective teams of the impact: meetings previously set as public may become private and inaccessible to non-authenticated users. Authenticated users will not have access to private content unless their account is explicitly given access, or the group / subgroup managers change the content to be accessible by either an access code that they know or make the content public. We will let you know when this change will occur, and once it is changed, each team's managers will be invited to review their content and meeting protection in a proactive manner to ensure that sensitive data is not again made public.

Guidelines to aid teams in reviewing their Indico content will be forthcoming. Stay tuned.




-- 
             ,,,,,
            ( o o )
         --m---U---m--
             Jerome
          <he-him-his>
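To make the inheritance consequence described in the forwarded notice concrete (a root default flipped to private cascades to every category and event that inherits, while explicitly public items stay public), here is an added example written for this archive page. It is a simplified model of protection inheritance, not Indico's own code; the category and event names, the ACL principal names and the access key are constructed sample values, and the rule that an ACL entry on an ancestor category also grants access to its events is an assumption of the model.

```python
"""Toy model of protection inheritance in a category/event tree.

Assumed, simplified model written for this thread; it is NOT Indico's code.
It mirrors the three settings the notice describes: an item is explicitly
public, explicitly private (protected), or inherits from its parent.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    INHERITING = "inheriting"   # use the parent's effective setting
    PUBLIC = "public"           # readable by the whole world
    PROTECTED = "protected"     # needs an explicit ACL entry or an access key


@dataclass
class Node:
    name: str
    mode: Mode = Mode.INHERITING
    parent: Optional["Node"] = None
    acl: set = field(default_factory=set)       # principals (users or groups)
    access_key: Optional[str] = None            # only meaningful when protected
    children: list = field(default_factory=list)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child

    def effective_mode(self) -> Mode:
        """Walk up the tree until a node states an explicit setting."""
        node = self
        while node.mode is Mode.INHERITING:
            if node.parent is None:
                raise ValueError(f"root {node.name!r} must be PUBLIC or PROTECTED")
            node = node.parent
        return node.mode

    def can_view(self, principals: set, key: Optional[str] = None) -> bool:
        """Public items are open; protected ones need an ACL match or the key."""
        if self.effective_mode() is Mode.PUBLIC:
            return True
        if key is not None and key == self.access_key:
            return True
        # Assumption of this model: ACL entries on the item or any ancestor apply.
        node = self
        while node is not None:
            if node.acl & principals:
                return True
            node = node.parent
        return False

    def events(self):
        """Yield the leaf nodes (events) in this subtree."""
        if not self.children:
            yield self
        for child in self.children:
            yield from child.events()


def audit(root: Node) -> dict:
    """Map each event name to its effective mode: what a case-by-case review lists."""
    return {e.name: e.effective_mode() for e in root.events()}


def build_sample() -> Node:
    """Constructed sample tree; names, principals and key are illustrative only."""
    root = Node("BNL Indico", Mode.PUBLIC)
    sph = root.add(Node("sPHENIX"))                      # inherits from root
    sph.add(Node("weekly-meeting"))                      # inherits -> public today
    sph.add(Node("collab-meeting", Mode.PUBLIC))         # explicitly public
    sph.add(Node("budget-review", Mode.PROTECTED,
                 acl={"sphenix-admins"}, access_key="s3cret"))
    return root


def flip_default(root: Node) -> list:
    """Apply the announced change (root default becomes private) and return
    the events that silently went from public to protected because they
    inherited; explicitly public events are untouched."""
    before = audit(root)
    root.mode = Mode.PROTECTED
    after = audit(root)
    return [n for n in before
            if before[n] is Mode.PUBLIC and after[n] is Mode.PROTECTED]


if __name__ == "__main__":
    tree = build_sample()
    print("before:", {k: v.value for k, v in audit(tree).items()})
    print("became private:", flip_default(tree))
    print("after: ", {k: v.value for k, v in audit(tree).items()})
    # Bulk access via a group on the category rather than per-event accounts.
    tree.children[0].acl.add("sphenix-members")
    wm = next(e for e in tree.events() if e.name == "weekly-meeting")
    print("member can view weekly-meeting:", wm.can_view({"sphenix-members"}))
```

Running the block shows the point of the "case by case" review: after the flip, only the event that inherited changed, the explicitly public one is still world-readable (so a reviewer has to decide whether it should be), and a single group entry on the category opens the inheriting events to that group without touching each event.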

