GGF Fall 2004
Brussels, Belgium, September 20th, 2004
James Marsteller, Pittsburgh Supercomputing Center
TeraGrid Security WorkGroup
• WG Charter Submitted To Executive Council Dec ‘03
• Weekly Meetings
• Initial SecWG Efforts:
– TG / E-Science SC03 Demo (Foreign Certificate Authority Acceptance Policy)
– SSH Implementation (Version & Password Recommendations)
  – Site Security Points Of Contact
    • Security Officers & Incident Response Contacts
TeraGrid Security WorkGroup
• Jan 9th 2004 - First TG Security Event
  – TG Node was compromised
  – Focus of the TG Security WG is Response
  – Security Point Of Contact List Was First Step
  – NOT TG CENTRIC!
• So What Did We Do????
Responding & Communicating Events
• Established Security “hotline”
• Response “Playbook” Developed
• Incident Mailing List
• Encrypted Communications
• Coordinated Evidence Gathering
• Weekly “Response” Calls
Identifying, Responding & Communicating Events
• Established Security “hotline”
  – 24/7 Reservation-less Conference #
  – Any Site Can Initiate
  – Only Known To Response Personnel
  – 800 Number & International Access
Identifying, Responding & Communicating Events
• Response Playbook
  – Who/How To Contact Methodology
    • Initial Responders
    • Secondary Responders
    • Help Desk Staff
  – How to Respond to Event
  – PR Guidelines
  – 800 Number & International Access
Identifying, Responding & Communicating Events
• Incident Reporting Guidelines Example:
• How much time (in person-hours) did staff at your site spend dealing with the incident?
• How were you notified?
• What steps did you take to investigate at your site to determine if there was a compromised account or system?
• What did you determine?
• If there was a compromise:
  – What damage was done?
  – What steps did you take to respond/recover?
Identifying, Responding & Communicating Events
• Incident Mailing List
– Used To Alert TG Staff Of Incident
– Subscribed Response Staff
– Triggers Help Desk/Pagers/Cell Phones
Encrypted Communications
• PGP Key Signing
• Shared Password for Email Communications (Changes Frequently)
• Encrypted Website To Archive Critical Information
• Encrypted Communications Are VERY IMPORTANT!
Coordinated Evidence Gathering
• Playbook Outlines Requirements:
  – Protecting “Chain Of Custody”
  – Proper Logging
  – Reliable Copies Of Process Accounting
  – Established Communication Channel with FBI
  – Level Of Effort Responding
    • Staff Hours & Capital
Weekly Response Calls
• ‘Closed’ Participant List
• Share Latest Attack Vectors
• Honeypots, Non-TG News
• Update On Current Investigations
Lessons Learned: What Did We Learn?
Lessons Learned
• A Quick, Secure, Coordinated Response is Critical!
  – Shared User Accounts & Passwords
  – Shared Authentication = Quick Propagation
  – Separation Of User and Admin Accounts
Lessons Learned
• Need A TG Security Baseline
  – Different Organizations, Different Goals
    • Government, Higher Ed, Research
    • Service Requirement, Public Relations, Privacy Reqs, Acceptable Use
    • How To Handle Non-TG Customers?
    • Different OS’s, Software and Hardware
Lessons Learned
• How To Achieve A Security Baseline
  – Security Memorandum Of Understanding (M.O.U.)
    • What is expected of each site
    • Communication of Events/Incidents
    • Confidentiality of others
    • Response Expectations
    • Site & TG Risk Assessment (FRAP)
Lessons Learned
• How To Achieve A Security Baseline
  – Security Baseline Requirements
    • Host
    • Network
    • Testing
    • Patching
    • Change Mgmt - Certification Process
    • Response
    • Physical Security
    • Incident Detection
    • Auditing
Future Actions/Challenges
• Ensuring A Security Baseline
• Uniform Compliance Auditing & Reporting
• Security Resources
  – Personnel
  – Software/Hardware
• Maintaining Security In A Dynamic Distributed Environment
Useful Resources
• Stanford Release: http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html
• Research and Education Networking ISAC: http://www.ren-isac.net
• My Email: [email protected]