CyberSecurity Summit 2005 Teragrid Incident Response Overview
December 13th, 2005
James Marsteller, CISSP, Information Security Officer
Pittsburgh Supercomputing Center, [email protected]
What is the Teragrid?
“The TeraGrid is an NSF funded open scientific discovery infrastructure combining leadership class resources at eight partner sites to create an integrated, persistent computational resource”
Teragrid Facts
Launched August 2001
40 Teraflops of computing power
2 Petabytes of storage
10-30 Gig interconnects (dedicated network)
Specializes in data analysis and visualization resources
Teragrid Partners
National Science Foundation
Indiana University
NCSA
ORNL
PSC
Purdue University
SDSC
University of Texas
UC/ANL
Teragrid Backbone
The Challenge…
Developing a security baseline that satisfies a broad range of organizations, including major universities and government research facilities.
Need a TG security baseline: different organizations, different goals
Government, Higher Ed, Research: service requirements, public relations, privacy requirements, acceptable use
How to handle non-TG customers?
Building a Teragrid Security Team
ANL: Ti Leggett, JP Navarro, Gene Rackow
SDSC: Abe Singer, Bill Link, Victor Hazelwood
NCSA: Jim Barlow, Jeff Rosendale, Tim Brooks, Aashish Sharma
PSC: Jim Marsteller (Chair), Derek Simmel, Bryan Webb
ORNL: James Rome, Greg Pike
CalTech: Mark Bartelt
UTexas: Bill Jones
Purdue: David Seidl, Anna Squicciarini, Greg Hedrick
IU: Dave Hancock, Doug Pearson
Building a Teragrid Security Team
First Steps:
Drafted a Security Memorandum of Understanding (M.O.U.)
Incident Response Contact List
Security “Hotline”
Security M.O.U.
Goal: A communications tool to define security expectations among ETF sites. Not intended to replace existing site policy. Establishes policy, not implementation.
Focus Areas:
Security Baselines
Incident Response
Change/Patch Management
Awareness
Accountability/Privacy
Incident Response Framework
…a “crash” course
IR Team Creation
IR Procedures: Playbook and IR Flowchart
Secure Communications: Encrypted Email, 24/7 Security “Hotline”, Information Repository, Encrypted IM
Identifying, Responding & Communicating Events
Response Playbook
Who To Contact: Initial Responders, Secondary Responders, Help Desk Staff
Methodology: How to Respond to an Event, PR Guidelines, 800 Number & International Access
Identifying, Responding & Communicating Events
Security “hotline”: 24/7 reservationless conference number
Any site can initiate
Only known to response personnel
All participants are announced and challenged
800 number & international access
The number is only transmitted encrypted, to protect against eavesdropping
Identifying, Responding & Communicating Events
Mailing Lists
“General” List: Used to announce weekly IR calls and new vulnerabilities, and to share IR-related information.
Emergency List: Used to alert TG staff of an incident. Response staff subscription; can be tied to a trigger (pagers, phones, NOC).
Encrypted Communications
Encrypted Communications Are VERY IMPORTANT!
PGP/GPG encrypted email
Shared Password for Email Communications (Changes Frequently)
Encrypted Website To Archive Critical Information
Site Based Encrypted Instant Messaging (JABBER)
Coordinated Evidence Gathering
Playbook Outlines Requirements:
Protecting “Chain Of Custody”
Proper Logging
Reliable Copies Of Process Accounting
Level Of Effort: Responding Staff Hours & Capital
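What “protecting chain of custody” looks like in practice, as an added example (not code from the TeraGrid playbook or from PSC): every collected file is hashed at collection time, the record of who collected what, where and when is MACed under a key only the responder holds, and verification later reports any file or record that has changed. The file names, site and collector names, and the HMAC key are hypothetical; the sample evidence is constructed in a temporary directory.

```python
"""Chain-of-custody manifest: hash each collected evidence file, record who
collected it where and when, and MAC the whole record so that later edits to
either the files or the manifest are detectable.

Added example, not from the TeraGrid playbook. File names, the site and
collector names, and the HMAC key are hypothetical; demo() builds its own
sample evidence in a temporary directory."""

import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file through SHA-256 so large items (disk images) fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body):
    # Canonical JSON so the MAC covers exactly the bytes that get stored.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(paths, collector, site, key):
    """Return a manifest dict with per-file digests and an HMAC over the record."""
    entries = []
    for p in sorted(paths):
        entries.append({
            "path": os.path.abspath(p),
            "size": os.stat(p).st_size,
            "sha256": sha256_file(p),
        })
    body = {
        "collector": collector,
        "site": site,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }
    body["hmac_sha256"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_manifest(manifest, key):
    """Return a list of problems; an empty list means files and record are intact."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "hmac_sha256"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("hmac_sha256", "")):
        problems.append("manifest MAC mismatch (record edited or wrong key)")
    for e in manifest["entries"]:
        if not os.path.exists(e["path"]):
            problems.append("missing: " + e["path"])
        elif sha256_file(e["path"]) != e["sha256"]:
            problems.append("modified: " + e["path"])
    return problems


def demo():
    """Constructed walk-through: collect two files, verify, then tamper twice."""
    key = b"hypothetical-responder-key"
    with tempfile.TemporaryDirectory() as d:
        auth_log = os.path.join(d, "auth.log")
        pacct = os.path.join(d, "pacct")
        with open(auth_log, "w") as f:
            f.write("Dec 13 02:14:07 login1 sshd[4412]: Accepted password for "
                    "alice from 192.0.2.77 port 51022 ssh2\n")
        with open(pacct, "wb") as f:
            f.write(b"\x00" * 64)  # stand-in for binary process-accounting records
        manifest = build_manifest([auth_log, pacct], "responder-1", "site-a", key)
        clean = verify_manifest(manifest, key)
        with open(auth_log, "a") as f:      # someone appends to the evidence file
            f.write("tampered\n")
        after_file_edit = verify_manifest(manifest, key)
        manifest["collector"] = "someone-else"   # someone edits the record itself
        after_record_edit = verify_manifest(manifest, key)
    return {
        "clean": clean,
        "after_file_edit": after_file_edit,
        "after_record_edit": after_record_edit,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The MAC only proves the record was not altered by someone without the key; a responder who must hand evidence to another site should also keep the manifest and key on separate media, and the collection time should come from a trusted clock, which this example does not attempt.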
Weekly Response Calls
‘Closed’: only to TG IR personnel
Forum for detailed description of security events and Q&A
Share latest attack vectors, non-TG news, updates on current investigations
Current Teragrid IR Challenges:
Customer Service Coordination
Single point of contact for the user
User Services and Security: getting useful information from the user
Managing accounts across TG Resource Providers: which sites have disabled the account? What needs to be done to reactivate it? User Services needs insight into all of this information
IR Sharing/Reporting
Today all email based, with static webpages
IR Trouble Ticket System: action taken site by site, action/information needed
NSF notification procedure/threshold
Expansion of the Teragrid and beyond
Customer Service Coordination
Customer Service Coordination
User Questions for a Compromised Account:
1. Do you use the password of the compromised account at other TG sites or for other general accounts (Hotmail, Amazon, Paypal, Ebay)?
2. What was the time of your last known login? Where was it from?
3. From what locations do you usually log in (hostnames/IP)?
4. Which sites/machines have you used?
5. What locations (hosts) can we expect you to log in from?
6. Can accounts at other TG sites be closed down, or do you expect to use them in the future? If so, which sites are not needed: (PSC, SDSC, NCSA, ANL, Purdue, Indiana, ORNL, Texas, etc.)
7. Do you have any idea how someone may have gotten your login info (login/password)? What machines may possibly be compromised? Your desktop? Some other machine you used?
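How the answers to questions 2, 3 and 5 get used against the logs, as an added example (not code from the TeraGrid playbook or from any TG site): given the networks the user says they normally log in from, every accepted sshd login for the account from anywhere else is flagged, the hosts those logins reached tell you which sites must disable the account, and the last login from a usual location before the first unusual one bounds when the credentials were still the owner's. The log lines, account name and “usual” network are constructed; the line format is the standard sshd “Accepted … for USER from IP port N” message, and since syslog lines carry no year the caller supplies it.

```python
"""Triage of accepted SSH logins for a compromised account, driven by the
user's answers to the playbook questions (last known login, usual locations,
expected future locations).

Added example, not from the TeraGrid playbook. The log lines, the account
name and the "usual" networks are constructed for illustration; the log
format is the classic sshd "Accepted ... for USER from IP port N" line.
Syslog lines carry no year, so the caller supplies it."""

import ipaddress
import re
from datetime import datetime

ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample: alice normally comes from 198.51.100.0/24 (her campus).
SAMPLE_LOG = [
    "Dec 10 09:12:01 tg-login1.site-a sshd[2211]: Accepted publickey for alice from 198.51.100.14 port 40112 ssh2",
    "Dec 11 22:47:33 tg-login1.site-a sshd[2898]: Accepted password for alice from 203.0.113.9 port 51022 ssh2",
    "Dec 11 22:50:10 tg-login2.site-b sshd[7710]: Accepted password for alice from 203.0.113.9 port 51031 ssh2",
    "Dec 12 08:00:45 tg-login1.site-a sshd[3301]: Accepted publickey for bob from 198.51.100.20 port 40200 ssh2",
    "Dec 12 13:05:59 tg-login3.site-c sshd[9101]: Accepted password for alice from 192.0.2.250 port 60001 ssh2",
    "Dec 12 13:06:02 tg-login1.site-a sshd[3377]: Failed password for alice from 192.0.2.250 port 60002 ssh2",
]


def parse_accepted(lines, year):
    """Yield a dict for every successful login; failures and other lines are skipped."""
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["when"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
        yield e


def triage(lines, user, usual_networks, year):
    """Flag accepted logins for `user` from outside the networks the user named.

    Returns the unusual source IPs, the hosts they reached (the sites that must
    disable the account), when the first unusual login happened, and the last
    login from a usual location before it (an upper bound on the time the
    credentials were still in the owner's hands)."""
    nets = [ipaddress.ip_network(n) for n in usual_networks]
    logins = sorted(
        (e for e in parse_accepted(lines, year) if e["user"] == user),
        key=lambda e: e["when"],
    )
    for e in logins:
        addr = ipaddress.ip_address(e["ip"])
        e["unusual"] = not any(addr in n for n in nets)
    unusual = [e for e in logins if e["unusual"]]
    report = {
        "accepted_logins": len(logins),
        "unusual_ips": sorted({e["ip"] for e in unusual}),
        "hosts_reached": sorted({e["host"] for e in unusual}),
        "first_unusual": None,
        "last_trusted_before": None,
    }
    if unusual:
        first = unusual[0]["when"]
        report["first_unusual"] = first.isoformat()
        trusted_before = [e for e in logins if not e["unusual"] and e["when"] < first]
        if trusted_before:
            report["last_trusted_before"] = trusted_before[-1]["when"].isoformat()
    return report


def demo():
    """Run the triage over the constructed sample for alice."""
    return triage(SAMPLE_LOG, "alice", ["198.51.100.0/24"], year=2005)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats a responder should keep in mind: a login from a “usual” network is not proof the owner made it (question 7 exists because the user's own desktop may be the compromised machine), and the failed-password line at the end is deliberately ignored here; attempts against other accounts from the same unusual IP are the next thing to search for across all TG sites.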
Expanding beyond the Teragrid
What are the criteria for notifying funding sources? Every account/host compromise?
How to maintain as TG grows? Newbie Guide & Security M.O.U.
How to effectively engage other organizations? Other grid communities, research communities and international organizations
Useful Resources
security.teragrid.org
http://www.first.org/
Research and Education Networking ISAC: http://www.ren-isac.net
My Email: [email protected]