<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" href="/style.css" type="text/css" /> <script type="text/javascript" src="/jquery.min.js"></script> <title>CERN Computer Security Information</title> <script type="text/javascript"> $(document).ready(function(){ // Menu highlight var path = location.pathname.split("/"); if ( path ) { $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected'); // path[3] = /security/<xxxxx>/ $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected'); } // Add icon to external links $('a[id!=logo-img]').filter(function() { return this.hostname && this.hostname !== location.hostname;   }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>'); }); </script> </head> <body> <div id="wrap"> <div id="top-bg"></div> <!--header --> <div id="header"> <div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div> <div id="header-logo"><a href="/services/en/emergency.shtml"><img width=335 src="/images/emergency.png" alt="Computer Emergencies"/></a></div> </div> <!--header ends--> <div id="header-photo"></div> <!-- navigation starts--> <div id="nav"> <ul id="main_menu"> <li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li> <li><a href="/home/en/index.shtml">Home</a></li> <li><a href="/rules/en/index.shtml">Computing Rules</a></li> <li><a href="/recommendations/en/index.shtml">Recommendations</a></li> <li><a href="/training/en/index.shtml">Training</a></li> <li><a href="/services/en/index.shtml">Services</a></li> <li><a class="secured" href="/reports/en/index.shtml">Reports &amp; Presentations</a></li> </ul> </div> <!-- navigation ends--> <!-- content-wrap starts --> <div id="content-wrap"> <div id="main"> <h2>Working remotely</h2> <p>Here we provide some hints and tips when tele-working from home, when traveling, or when working for CERN outside its sites.</p> <h4>Maintain a confidential work environment</h4> <ul> <li>Do not let other persons see what you are working on. Ideally, use a "privacy screen" when working in presence of other people (like on the train or plane). These screens are available through the <a href="https://edh.cern.ch/Document/MAG/?command=openPunchOutSession&punchOutSupplier=DISTRELEC">CERN store's "Distrelec" punch-out catalogue</a>;</li> <li>Never leave your device unattended. If you can't avoid it, lock the screen with a password or, even better, log off, so that other persons cannot see information that is not intended for them;</li> <li>Ideally, use your device only to <a href="/recommendations/en/connecting_to_cern.shtml">connect remotely to CERN's central services or your office PC</a> using CERN's Terminal Service or LXPLUS. Your office PC, however, would need to remain switched on during your absence.</a> </ul> <h4>Preferred: Use your CERN device</h4> <p>Ideally, you use your CERN device also for remote working. In that case, the basic CERN protections like operating system updates and anti-virus software are already applied to that device (for recent Windows, Mac and CentOS operating systems). In addition, please consider the following:</p> <ul> <li>Have your local harddisk encrypted with <a href="https://espace.cern.ch/winservices-help/NICEEnvironment/NICEHDDencryption/Pages/Bitlocker-for-Windows.aspx">Bitlocker for Windows</a>, <a href="http://information-technology.web.cern.ch/services/fe/howto/configure-filevault-encrypt-your-hard-disk">FileVault for Macs</a> or <a href="https://linux.web.cern.ch/linux/centos7/docs/rhel/Red_Hat_Enterprise_Linux-7-Security_Guide-en-US.pdf">LUKS for Linux</a>. Also consider encrypting external harddisks and USB sticks;</li> <li>Do not install any software other than what CERN holds a license for. Software catalogues can be found on <a href="https://cmf.web.cern.ch/cmf/ComputerFramework/AddRemove.aspx">CMF for Windows devices</a>, <a href="http://linuxsoft.cern.ch/">LXSOFT for Linux systems</a> and on the <a href="http://information-technology.web.cern.ch/services/fe/mac-support/howto/mac-self-service">CERN/Apple Mac Self-Service</a>. Dedicated licenses are also available for <a href="http://information-technology.web.cern.ch/services/software">engineering software</a> and for <a href="https://readthedocs.web.cern.ch/display/ICKB/Services">control software</a>. If these do not suit your needs, or if you are in doubt as to whether the licence conditions of your applications are compliant with usage at CERN, please contact the <a href="http://information-technology.web.cern.ch/about/organisation/role/software-licence-officer">CERN Software Licence Officer</a> to check your options and, if needed, agree to make a central purchase. Please note that some licensed software require you to be at CERN and/or have a connection to CERN's license servers;</li> <li>On CERN Windows devices, save your data only on in the standard "My Documents" folder or on the Desktop so we can ensure automatic data back-up once your device is back on the CERN network again;</li> <li>Recall that the <a href="https://cern.ch/computingrules">CERN Computing Rules</a> still apply to those devices even when being used outside CERN.</li> </ul> <h5>At the border</h5> <p> If you are on duty travel, any device owned by CERN is enjoying, as such, inviolability on the territory of the CERN Member and Associate Member States. This, however, does not imply that the customs or police officials are aware of CERN’s international status. As a precaution, we recommend to completely power off your CERN device before passing through customs. If you are requested to switch it on, we recommend that you state calmly that it is protected by the inviolability granted to CERN property and that you disagree with any search. If you are obliged to disclose your password or PIN code, please inform <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a> of this unauthorized access ASAP. Please also note that we need to be informed if your device has been taken away, even for a few minutes, or connected to another device. We will take the necessary measures to prevent any potential remote access and, if necessary, replace your CERN device. </p> <h4>When using your personal device</h4> <p>A "personal device" in this context is a computer, laptop or tablet you own and you use for mixed personal and professional purposes. It is yours and your full responsibility to keep it appropriately secured. In any case, consequences of its compromise are born by you...</p> <ul> <li>Make sure that your device is up-to-date, with all recent patches applied, and configured in a way that it is auto-updating itself. Permanently run an anti-virus software. Check out here for more general hints <a href="/recommendations/en/how_to_secure_your_pc.shtml">how to secure your PC or Mac</a>;</li> <li>Protect access to your local account on that device with a password known to you and only to you. Here are some hints for <a href="/recommendations/en/passwords.shtml">good passwords</a>;</li> <li>Have your local harddisk encrypted with <a href="https://support.microsoft.com/en-us/help/4028713/windows-10-turn-on-device-encryption">Bitlocker for Windows</a>, <a href="https://support.apple.com/en-us/HT204837">FileVault for Macs</a> or <a href="https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md">LUKS for Linux</a>. Also consider encrypting external hard-disks and USB sticks;</li> <li>When charging your tablet (or smart-phone) using random USB ports, employ a so-called <a href="https://www.amazon.com/s?k=usb+blocker">“USB Blocker”</a> which physically blocks any data exchange but still lets you charge;</li> <li>Refrain from installing any CERN-owned software or using your CERN e-mail address to register for your personal software. Make sure that you own a valid license for all other software (recall that <a href="https://home.cern/news/news/computing/computer-security-when-free-not-free">"free" not always means "free"</a>);</li> <li>If you use P2P applications for sharing music or videos, make sure that those are disabled when you connect your device back to CERN;</li> <li>If you tunnel into CERN, recall that our monitoring tools will also be able to see all your private communications. Hence, please respect the <a href="https://cern.ch/computingrules">CERN Computing Rules</a>.</li> </ul> <h4>Avoid using shared/public devices</h4> <p>Those are devices shared regularly with others like a family's laptop used also by your kids and partner, or, more broadly, PC kiosks, hotel PCs, and computers in Internet cafés. Due to their mixed usage, it is not unlikely that those devices were infected, e.g. by kids browsing unconsciously malicious webpages, hotel guests opening infected emails, or Internet café run by fraudsters. Hence,</p> <ul> <li><b>Avoid them!</b></li> <li>If you can't,</li> <ul> <li>Use them only to <a href="/recommendations/en/connecting_to_cern.shtml">remotely connect to CERN</a>;</li> <li>Never tick "store your password for future use";</li> <li>Make sure that no confidential data is downloaded, or can be found in the cache or in temporary folders. Reboot the device once you have finished your work;</li> <li>When back at CERN, <a href="https://account.cern.ch/account/CERNAccount/ChangePassword.aspx">change your CERN password</a>.</li> </ul> </ul> </div> <!-- main ends --> <!-- SIDEBAR --> <!-- sidebar menu starts --> <div id="sidebar"> <h3>For All Users<br/> (Experts or Not)</h3> <ul class="sidemenu"> <li><a href="/recommendations/en/good_practises.shtml">Seven easy good practises</a></li> <li><a href="/recommendations/en/how_to_secure_your_pc.shtml">How to secure your PC or Mac</a></li> <li><a href="/recommendations/en/passwords.shtml">Passwords &amp; toothbrushes</a></li> <li><a href="/recommendations/en/2FA.shtml">Starting with multi-factor authentication</a></li> <li><a href="/recommendations/en/bad_mails.shtml">Bad mails for you:<br/>"Phishing", "SPAM" &amp; fraud</a></li> <li><a href="/recommendations/en/malicious_email.shtml">How to identify malicious e-mails and attachments</a></li> <li><a href="/recommendations/en/how_to_remove_malicious_browser_notifications.shtml">How to remove malicious browser notifications</a></li> <li><a href="/recommendations/en/working_remotely.shtml">Working remotely</a></li> <li><a href="/recommendations/en/connecting_to_cern.shtml">Connecting to CERN</a></li> <li><a href="/recommendations/en/ssh.shtml">Connecting using SSH</a></li> </ul> <h3>For Software Developers</h3> <ul class="sidemenu"> <li>Good programming in <a href="/recommendations/en/program_c.shtml">C/C++</a>, <a href="/recommendations/en/program_java.shtml">Java</a>, <a href="/recommendations/en/program_perl.shtml">Perl</a>, <a href="/recommendations/en/program_php.shtml">PHP</a>, and <a href="/recommendations/en/program_python.shtml">Python</a></li> <li><a href="/recommendations/en/password_alternatives.shtml">How to keep secrets secret<br/> (alternatives to passwords)</a></li> <li><a href="/recommendations/en/checklist_for_coders.shtml">Security checklist</a></li> <li><a href="https://gitlab.docs.cern.ch/docs/Secure%20your%20application/">GitLab CI Security Tools</a></li> <li><a href="/recommendations/en/web_applications.shtml">Securing Web applications</a></li> <li><a href="/recommendations/en/code_tools.shtml">Static code analysis tools</a></li> <li><a href="/recommendations/en/more_on_software.shtml">Further reading</a></li> </ul> <h3>For System Owners</h3> <ul class="sidemenu"> <li><a href="/recommendations/en/rootkits.shtml">Checking for rootkits</a></li> <li><a href="https://twiki.cern.ch/twiki/bin/viewauth/CNIC/WebHome">Securing Control Systems (CNIC)</a></li> <li><a href="/recommendations/en/containers.shtml">Securing Containers & Pods</a></li> <li><a href="/rules/en/baselines.shtml">Security baselines</a></li> <li><a href="http://linux.web.cern.ch/linux/docs/linux_exploit_faq.shtml"> The CERN Linux vulnerability FAQ</a></li> </ul> </div> <!-- sidebar menu ends --> <!-- content-wrap ends--> </div> <!-- footer starts --> <div id="footer-wrap"> <div id="footer-bottom"> &copy; Copyright 2024<strong> <a href="https://cern.ch/security">CERN Computer Security Office</a></strong> <table> <tr> <td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. </td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>