GGF Fall 2004, Brussels, Belgium, September 20th, 2004. James Marsteller, Pittsburgh Supercomputing Center, Jam@psc.edu


Page 1:

GGF Fall 2004

Brussels, Belgium, September 20th, 2004

James Marsteller, Pittsburgh Supercomputing Center

Jam@psc.edu

Page 2:

TeraGrid Security WorkGroup

• WG Charter Submitted To Executive Council Dec ‘03

• Weekly Meetings

• Initial SecWG Efforts:

– TG / E-Science SC03 Demo (Foreign Certificate Authority Acceptance Policy)

– SSH Implementation (Version & Password Recommendations)

– Site Security Points Of Contact
  • Security Officers & Incident Response Contacts

Page 3:

TeraGrid Security WorkGroup

• Jan 9th 2004 - First TG Security Event
  – TG Node was compromised
  – Focus of the TG Security WG is Response
  – Security Point Of Contact List Was First Step
  – NOT TG CENTRIC!

• So What Did We Do????

Page 4:

Responding & Communicating Events

• Established Security “hotline”
• Response “Playbook” Developed
• Incident Mailing List
• Encrypted Communications
• Coordinated Evidence Gathering
• Weekly “Response” Calls

Page 5:

Identifying, Responding & Communicating Events

• Established Security “hotline”
  – 24/7 Reservation-less Conference #
  – Any Site Can Initiate
  – Only Known To Response Personnel
  – 800 Number & International Access

Page 6:

Identifying, Responding & Communicating Events

• Response Playbook
  – Who/How To Contact Methodology
    • Initial Responders
    • Secondary Responders
    • Help Desk Staff
  – How to Respond to Event
  – PR Guidelines
  – 800 Number & International Access

Page 7:

Identifying, Responding & Communicating Events

• Incident Reporting Guidelines Example:

• How much time (in person-hours) did staff at your site spend dealing with the incident?

• How were you notified?

• What steps did you take to investigate at your site to determine if there was a compromised account or system?

• What did you determine?

• If there was a compromise:
  – What damage was done?
  – What steps did you take to respond/recover?

Page 8:

Identifying, Responding & Communicating Events

• Incident Mailing List

– Used To Alert TG Staff Of Incident

– Subscribed Response Staff

– Triggers Help Desk/Pagers/Cell Phones

Page 9:

Encrypted Communications

• PGP Key Signing

• Shared Password for Email Communications (Changes Frequently)

• Encrypted Website To Archive Critical Information

• Encrypted Communications Are VERY IMPORTANT!

Page 10:

Coordinated Evidence Gathering

• Playbook Outlines Requirements:
  – Protecting “Chain Of Custody”
  – Proper Logging
  – Reliable Copies Of Process Accounting
  – Established Communication Channel with FBI
  – Level Of Effort Responding
    • Staff Hours & Capital
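As an added example (not part of the original slides or the TeraGrid playbook), the following Python sketch shows one way to meet the "chain of custody" and "reliable copies" requirements above: each evidence copy is hashed at collection time, every hand-off appends to a custody log, and the copies can be re-verified later. The evidence files, site names and holder names are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path: str) -> str:
    """Hash in chunks so a large process-accounting copy is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir: str, collector: str) -> dict:
    """Record who collected which copies, when, and each copy's hash at collection time."""
    now = datetime.now(timezone.utc).isoformat()
    files = [{"file": n, "bytes": os.path.getsize(os.path.join(evidence_dir, n)),
              "sha256": sha256_file(os.path.join(evidence_dir, n))}
             for n in sorted(os.listdir(evidence_dir))
             if os.path.isfile(os.path.join(evidence_dir, n))]
    # Custody log: every hand-off appends an entry, so earlier history is never overwritten.
    return {"collected_utc": now, "files": files,
            "custody": [{"holder": collector, "action": "collected", "utc": now}]}

def transfer(manifest: dict, new_holder: str) -> dict:
    """Append a hand-off entry; the hashes recorded at collection stay fixed."""
    manifest["custody"].append({"holder": new_holder, "action": "received",
                                "utc": datetime.now(timezone.utc).isoformat()})
    return manifest

def verify_manifest(evidence_dir: str, manifest: dict) -> list:
    """Return names of copies that are missing or whose hash no longer matches."""
    return [e["file"] for e in manifest["files"]
            if not os.path.isfile(os.path.join(evidence_dir, e["file"]))
            or sha256_file(os.path.join(evidence_dir, e["file"])) != e["sha256"]]

def demo() -> dict:
    """Constructed sample evidence (a pacct copy and an auth log); one copy is then altered."""
    d = tempfile.mkdtemp()
    for name, data in (("pacct.copy", b"constructed process-accounting sample\n"),
                       ("auth.log", b"Jan  9 03:12:44 node sshd[1234]: Accepted publickey for alice\n")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    m = transfer(build_manifest(d, "site-responder"), "tg-security-wg")
    before = verify_manifest(d, m)
    with open(os.path.join(d, "auth.log"), "ab") as f:
        f.write(b"altered after collection\n")
    return {"holders": [c["holder"] for c in m["custody"]],
            "before": before, "after": verify_manifest(d, m)}
```

The manifest is a plain dict, so it can be serialised and archived alongside the copies on the encrypted site mentioned earlier.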

Page 11:

Weekly Response Calls

• ‘Closed’ Participant List
• Share Latest Attack Vectors
• Honeypots, Non-TG News
• Update On Current Investigations

Page 12:

Lessons Learned:

What Did We Learn?

Page 13:

Lessons Learned

• A Quick, Secure, Coordinated Response is Critical!
  – Shared User Accounts & Passwords
  – Shared Authentication = Quick Propagation
  – Separation Of User and Admin Accounts

Page 14:

Lessons Learned

• Need A TG Security Baseline
  – Different Organizations, Different Goals
    • Government, Higher Ed, Research
    • Service Requirement, Public Relations, Privacy Reqs, Acceptable Use
  • How To Handle Non-TG Customers?
  • Different OS’s, Software and Hardware

Page 15:

Lessons Learned

• How To Achieve A Security Baseline
  – Security Memorandum Of Understanding (M.O.U.)
    • What is expected of each site
    • Communication of Events/Incidents
    • Confidentiality of others
    • Response Expectations
    • Site & TG Risk Assessment (FRAP)

Page 16:

Lessons Learned

• How To Achieve A Security Baseline
  – Security Baseline Requirements
    • Host
    • Network
    • Testing
    • Patching
    • Change Mgmt - Certification Process
    • Response
    • Physical Security
    • Incident Detection
    • Auditing

Page 17:

Future Actions/Challenges

• Ensuring A Security Baseline
• Uniform Compliance Auditing & Reporting
• Security Resources
  – Personnel
  – Software/Hardware
• Maintaining Security In A Dynamic Distributed Environment