James A. Marsteller
TRANSCRIPT
TeraGrid Security Incident Handling
James A. Marsteller, CISSP, TG Security Working Group Lead
Information Security Officer – Pittsburgh Supercomputing Center
TAGPMA ‘Grid Day’, November 5th 2008
La Plata, Argentina
Agenda
TG Security WG Background
Policy Development
Incident Coordination and Response
Current/Future Projects
TeraGrid Security WorkGroup
Formed in January 2004
Eleven Resource Providers + More
Security WG Charter:
• Development of policies, procedures and guidelines
• Provide security-related advice/direction on TG projects
• Coordinate TeraGrid Incident Response team
• Lead risk assessments
TeraGrid Security WorkGroup
Security WG Policies:
• Security M.O.U.
• Baseline Security Guidelines
• Public Info Disclosure
• Two Factor Auth
• Reporting Procedures
Procedures:
• Incident Response Playbook/Flowchart
• Compromised Account Questionnaire
• Security ‘Newbie’ guide
• Password Reset procedure for User Portal
TeraGrid Security Coordination
Rapid, Secure, Coordinated Response and Information Sharing is Critical!
TG Incident Response
Weekly “Response” Calls
24 Hour Security “hotline”
Incident Mailing List
Encrypted Communications
Coordinated Evidence Gathering
TG Incident Response
Weekly IR Calls
• Very Valuable Tool
• 5 to 45 minutes in length
• ‘Closed’ Participant List
• Share Latest Attack Vectors
• Vuls, worms, scans, other: p2p
• Honeypots, Non-TG News
• Update On Investigations
TG Incident Response
TG Security “hotline”
• 24/7 reservation-less conference #
• Any Site Can Initiate
• Only Known To Response Personnel
• 800 Number & International Access
TG Incident Response
Response Playbook
• Who/How To Contact Methodology
• Initial Responders
• Secondary Responders
• Help Desk Staff
• How to Respond to Event
• Reporting Guidelines: Press, Privacy, Funding sources (in progress)
TG Incident Response
Compromised Account Questionnaire
• Do you use the password of the account at other TG sites or other general accounts (Hotmail, Amazon, Paypal, Ebay)?
• What was the time of your last known login? Where was it from?
• From what locations do you usually login (hostnames/IP)?
• Which sites/machines have you used?
• Which do you expect to use?
• What locations (hosts) can we expect you to login from?
TG Incident Response
Site Incident Response Report
• How much time (in person-hours) did staff at your site spend dealing with the incident?
• How were you notified?
• What steps did you take to investigate at your site to determine if there was a compromised account or system?
• What did you determine?
• If there was a compromise:
  • What damage was done?
  • What steps did you take to respond/recover?
Current Projects
TAGPMA Participation: Co-chair, with members from SDSC, TACC, NCSA, Indiana University, PSC
TeraGrid Risk Assessment
Support for Science Gateways/Community Accounts
Refining Incident Response procedures
‘08 SUMMARY
Recent IR Activity (Jan ‘07 - Present)
• Decline in compromised accounts
• Increase in campus BotNet activity (not on TG network)
• Responding to software vulnerabilities (Globus, GX-Map, BIND, etc.)
• Developed vulnerability advisory procedure
TG Security ‘08 Summary
SELS mailing lists
• Using since Jan ‘08
• Mirrors OSG naming conventions
Incident Response
• Secure wiki for information sharing/IR coordination
• Encrypted Instant Messaging server & chat room
• Used for sharing sensitive info in real time
TeraGrid ‘08 Update
Other efforts
• Science Gateway Security Support
• Accounting requirements
• Securing community accounts
• SGW Security Summit
• Define SGW use cases
• Methods of securing
• RP response to community accounts
• Key signing activity
TeraGrid ‘08 Update
Other efforts
• User Portal Security Support
• Managing user information (change/modify)
• Password reset procedure
• Training Account Management
TeraGrid ‘08 Update
More RP Security leads have joined the Research and Education Network Information Sharing and Analysis Center (REN-ISAC)
Two TeraGrid certificate authorities have received IGTF accreditation
• TACC and NCSA – accredited
TeraGrid involvement in NSF’s Cybersecurity Summit
Current Work
Improve management of authorized CAs
• Signing for integrity
• GX-Map integration
• Notification of changes to RPs, Users, etc.
Attribute-capable Science Gateways (near future)
• User ID
• Timestamp
• SGW Job ID
• Remote user IP address
• How to use this info proactively ???
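One way the four gateway attributes above (user ID, timestamp, SGW job ID, remote user IP) could be used proactively, and how they connect to the "usual login locations" answers collected by the Compromised Account Questionnaire: triage each gateway job against the user's expected networks and against addresses shared on the IR list, and flag a user whose jobs switch remote address within a short window. This is an added example, not TeraGrid or Science Gateway code. The CSV record format, the per-user expected networks, the watchlist and the 30-minute switch window are assumptions, and every sample value is constructed.

```python
"""Triage of Science Gateway (SGW) job attributes against a user's expected
login locations and an incident-response watchlist.

Added example, not TeraGrid code. Record fields follow the attributes listed
on the slide (user ID, timestamp, SGW job ID, remote user IP); the record
format, the expected networks and the watchlist are assumptions, and all
sample data below is constructed.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed SGW job records, one per line: "user_id,timestamp,job_id,remote_ip".
SAMPLE_JOB_LOG = """\
alice,2008-11-05T09:12:00,sgw-1001,192.0.2.15
alice,2008-11-05T09:50:00,sgw-1002,192.0.2.16
bob,2008-11-05T10:05:00,sgw-1003,198.51.100.7
alice,2008-11-05T10:07:00,sgw-1004,203.0.113.44
carol,2008-11-05T11:30:00,sgw-1005,203.0.113.9
"""

# Expected networks per user, as a site might record them from the
# questionnaire answer "From what locations do you usually login?". Constructed.
EXPECTED_NETWORKS = {
    "alice": ["192.0.2.0/24"],
    "bob": ["198.51.100.0/24"],
    "carol": ["198.51.100.0/24"],
}

# Addresses shared on the IR mailing list during an investigation. Constructed.
IR_WATCHLIST = {"203.0.113.9"}

# Two jobs by one user from different addresses closer together than this
# window are flagged for a responder to look at (assumed threshold).
SWITCH_WINDOW = timedelta(minutes=30)


def parse_job_log(text):
    """Parse the CSV-style job log into a list of dicts sorted by timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user_id, ts, job_id, ip = line.split(",")
        records.append({
            "user_id": user_id,
            "timestamp": datetime.fromisoformat(ts),
            "job_id": job_id,
            "remote_ip": ipaddress.ip_address(ip),
        })
    records.sort(key=lambda r: r["timestamp"])
    return records


def triage_gateway_jobs(records, expected_networks, watchlist, switch_window=SWITCH_WINDOW):
    """Return a list of (job_id, reason) alerts, in log order.

    Reasons:
      watchlist           - remote IP is on the IR watchlist
      unexpected_location - remote IP is outside the user's usual networks
      rapid_ip_switch     - same user, different remote IP, within
                            switch_window of that user's previous job
    """
    nets = {u: [ipaddress.ip_network(n) for n in ns] for u, ns in expected_networks.items()}
    watch = {ipaddress.ip_address(a) for a in watchlist}
    alerts = []
    last_seen = {}  # user_id -> (timestamp, remote_ip) of the user's previous job
    for r in records:
        user, ts, job, ip = r["user_id"], r["timestamp"], r["job_id"], r["remote_ip"]
        if ip in watch:
            alerts.append((job, "watchlist"))
        if user in nets and not any(ip in n for n in nets[user]):
            alerts.append((job, "unexpected_location"))
        prev = last_seen.get(user)
        if prev is not None and prev[1] != ip and ts - prev[0] <= switch_window:
            alerts.append((job, "rapid_ip_switch"))
        last_seen[user] = (ts, ip)
    return alerts


if __name__ == "__main__":
    jobs = parse_job_log(SAMPLE_JOB_LOG)
    for job_id, reason in triage_gateway_jobs(jobs, EXPECTED_NETWORKS, IR_WATCHLIST):
        print(job_id, reason)
```

On the constructed data, alice's job sgw-1004 is flagged twice (outside her usual network, and 17 minutes after a job from a different address) and carol's sgw-1005 is flagged as a watchlist hit that is also outside her usual network; the alerts are inputs for a responder, not verdicts, since a user travelling or a shared gateway host can produce the same pattern.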
Future Work
Continue development of IR tracking system
Explore how to use SGW attribute info: tie to IR lists, Jabber IMs, notification to SGWs, Helpdesk, etc.
Identify security vulnerabilities in the TG architecture and means to fix or mitigate
Evaluate the software and protocols (risk assessment)
Prepare for transition to Extreme Digital (XD)
TG Security Challenges
- As Resource Providers continue to increase, how to reach consensus? Move from informal to formal (voting)
- Increase participation
- Few are funded; a community effort that does make us all more secure