James A. Marsteller


Published on

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

James A. Marsteller

  1. 1. TeraGrid Security Incident Handling James A. Marsteller, CISSP TG Security Working Group Lead Information Security Officer – Pittsburgh Supercomputing Center TAGPMA ‘Grid Day’ Noverber 5 th 2008 La Plata, Argentina
  2. 2. Agenda <ul><li>TG Security WG Background </li></ul><ul><li>Policy Development </li></ul><ul><li>Incident Coordination and Response </li></ul><ul><li>Current/Future Projects </li></ul>
  3. 3. TeraGrid Security WorkGroup <ul><li>Formed in January 2004 </li></ul><ul><li>Eleven Resource Providers + More </li></ul><ul><li>Security WG Charter: </li></ul><ul><ul><li>Development of Policies and procedures and guidelines </li></ul></ul><ul><ul><li>Provide security related advice/direction on TG projects </li></ul></ul><ul><ul><li>Coordinate Teragrid Incident Response team </li></ul></ul><ul><ul><li>Lead Risk Assessments </li></ul></ul>
  4. 4. TeraGrid Security WorkGroup <ul><li>Security WG Policies: </li></ul><ul><ul><li>Security M.O.U. </li></ul></ul><ul><ul><li>Baseline Security Guidelines </li></ul></ul><ul><ul><li>Public Info Disclosure </li></ul></ul><ul><ul><li>Two Factor Auth </li></ul></ul><ul><ul><li>Reporting Procedures </li></ul></ul><ul><li>Procedures </li></ul><ul><ul><li>Incident Response Playbook/Flowchart </li></ul></ul><ul><ul><li>Compromised Account Questionnaire </li></ul></ul><ul><ul><li>Security ‘Newbie’ guide </li></ul></ul><ul><ul><li>Password Reset procedure for User Portal </li></ul></ul>
  5. 5. Teragrid Security Coordination <ul><li>Rapid, Secure, Coordinated Response and Information Sharing is Critical! </li></ul>
  6. 6. TG Incident Response <ul><li>Weekly “Response” Calls </li></ul><ul><li>24 Hour Security “hotline” </li></ul><ul><li>Incident Mailing List </li></ul><ul><li>Encrypted Communications </li></ul><ul><li>Coordinated Evidence Gathering </li></ul>
  7. 7. TG Incident Response <ul><li>Weekly IR Calls </li></ul><ul><ul><li>Very Valuable Tool </li></ul></ul><ul><ul><li>5 to 45 minutes in length </li></ul></ul><ul><ul><li>‘ Closed’ Participant List </li></ul></ul><ul><ul><li>Share Latest Attack Vectors </li></ul></ul><ul><ul><ul><li>Vuls, worms, scans, other:p2p </li></ul></ul></ul><ul><ul><li>Honeypots, Non-TG News </li></ul></ul><ul><ul><li>Update On Investigations </li></ul></ul>
  8. 8. TG Incident Response <ul><li>TG Security “hotline” </li></ul><ul><ul><li>24/7 Reservation less Conference # </li></ul></ul><ul><ul><li>Any Site Can Initiate </li></ul></ul><ul><ul><li>Only Known To Response Personnel </li></ul></ul><ul><ul><li>800 Number & International Access </li></ul></ul>
  9. 9. TG Incident Response <ul><li>Response Playbook </li></ul><ul><ul><li>Who/How To Contact Methodology </li></ul></ul><ul><ul><ul><li>Initial Responders </li></ul></ul></ul><ul><ul><ul><li>Secondary Responders </li></ul></ul></ul><ul><ul><ul><li>Help Desk Staff </li></ul></ul></ul><ul><ul><li>How to Respond to Event </li></ul></ul><ul><ul><li>Reporting Guidelines: Press, Privacy, Funding sources (in progress) </li></ul></ul>
  10. 10. TG Incident Response <ul><li>Compromised Account Questionnaire </li></ul><ul><ul><li>Do you use the password of the account at other TG sites or other general accounts (Hotmail, Amazon, Paypal, Ebay)? </li></ul></ul><ul><ul><li>What was the time of your last known login? Where was it from? </li></ul></ul><ul><ul><li>From what locations do you usually login (hostnames/IP)? </li></ul></ul><ul><ul><li>Which sites/machines have you used? </li></ul></ul><ul><ul><li>Which do you expect to use? </li></ul></ul><ul><ul><li>What locations (hosts) can we expect to you to login from? </li></ul></ul>
  11. 11. TG Incident Response <ul><li>Site Incident Response Report </li></ul><ul><ul><li>How much time (in person-hours) did staff at your site spend dealing with the incident? </li></ul></ul><ul><ul><li>How were you notified? </li></ul></ul><ul><ul><li>What steps did you take to investigate at your site to determine if there was a compromised account or system? </li></ul></ul><ul><ul><li>What did you determine? </li></ul></ul><ul><ul><li>If there was a compromise: </li></ul></ul><ul><ul><ul><li>What damage was done? </li></ul></ul></ul><ul><ul><ul><li>What steps did you take to respond/recover? </li></ul></ul></ul>
  12. 12. Current Projects <ul><li>TAGPMA Participation </li></ul><ul><li>Co-chair with members from SDSC, TACC, NCSA, Indiana University, PSC </li></ul><ul><li>Teragrid Risk Assessment </li></ul><ul><li>Support for Science Gateways/Community Accounts </li></ul><ul><li>Refining incident Response procedures </li></ul>
  13. 13. ‘08 SUMMARY <ul><li>Recent IR Activity (Jan ‘07- Present) </li></ul><ul><ul><li>Decline in compromised accounts </li></ul></ul><ul><ul><li>Increase in campus BotNet activity (Not on TG network) </li></ul></ul><ul><ul><li>Responding to software </li></ul></ul><ul><ul><li>vulnerabilities (Globus, </li></ul></ul><ul><ul><li>GX-Map, BIND, etc.) </li></ul></ul><ul><ul><ul><li>Developed vulnerability advisory procedure </li></ul></ul></ul>
  14. 14. TG security‘08 Summary <ul><li>SELS mailing lists </li></ul><ul><li>Using since Jan’08 </li></ul><ul><li>Mirrors OSG naming conventions </li></ul><ul><li>Incident Response </li></ul><ul><li>Secure wiki for information sharing/IR coordination. </li></ul><ul><li>Encrypted Instant Messaging Server & Chat room </li></ul><ul><li>Used for sharing sensitive info in real time </li></ul>
  15. 15. Teragrid ‘08 Update <ul><li>Other efforts </li></ul><ul><ul><li>Science Gateway Security Support </li></ul></ul><ul><ul><ul><li>Accounting requirements </li></ul></ul></ul><ul><ul><ul><li>securing community accounts </li></ul></ul></ul><ul><ul><ul><li>SGW Security Summit </li></ul></ul></ul><ul><ul><ul><ul><li>Define SGW use cases </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Methods of securing </li></ul></ul></ul></ul><ul><ul><ul><ul><li>RP response to community accounts </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Key signing activity </li></ul></ul></ul></ul>
  16. 16. Teragrid ‘08 Update <ul><li>Other efforts </li></ul><ul><ul><li>User Portal Security Support </li></ul></ul><ul><ul><ul><li>Managing user information (change/modify) </li></ul></ul></ul><ul><ul><ul><li>Password reset procedure </li></ul></ul></ul><ul><ul><li>Training Account Management </li></ul></ul>
  17. 17. Teragrid ‘08 Update <ul><li>More RP Security leads have joined the Research and Education Network Information Sharing and Analysis Center (REN-ISAC) </li></ul><ul><li>Two Teragrid certificate authorities have received IGTF accreditation </li></ul><ul><ul><li>TACC and NCSA – accredited </li></ul></ul><ul><li>Teragrid involvement in NSF’s Cybersecruity Summit </li></ul>
  18. 18. Current Work <ul><li>Improve management of authorized CAs </li></ul><ul><li>Signing for integrity </li></ul><ul><li>GX-Map integration </li></ul><ul><li>Notification of changes to RPs, Users, etc. </li></ul><ul><li>Attribute capable Science Gateways (near future) </li></ul><ul><li>User ID </li></ul><ul><li>Timestamp </li></ul><ul><li>SGW Job ID </li></ul><ul><li>Remote user IP address </li></ul><ul><li>How to use this info proactively ??? </li></ul>
  19. 19. Future Work <ul><li>Continue development of IR tracking system </li></ul><ul><li>Explore how to use SGW attribute Info </li></ul><ul><li>Tie to IR lists, Jabber Ims, notification to SGWs, Helpdesk, etc. </li></ul><ul><li>Identify security vulnerabilities in the TG architecture and means to fix or mitigate </li></ul><ul><li>Evaluate the software and protocols (risk Assessment) </li></ul><ul><li>Prepare for Transition to Extreme Digital (XD) </li></ul>
  20. 20. TG Security Challenges <ul><li>As Resource Providers continue to increase how to Reach consensus? Move from informal to formal (voting) </li></ul><ul><li>Increase participation </li></ul><ul><ul><li>Few are funded, community effort that does make as all more secure </li></ul></ul>