CyberSecurity Summit 2005 Teragrid Incident Response Overview
-
Upload
johannes-jesse -
Category
Documents
-
view
30 -
download
2
description
Transcript of CyberSecurity Summit 2005 Teragrid Incident Response Overview
CyberSecurity Summit 2005
Teragrid Incident Response Overview
December 13th, 2005
James Marsteller CISSPInformation Security Officer
Pittsburgh Supercomputing [email protected]
What is the Teragrid?
“The TeraGrid is an NSF funded open scientific discovery infrastructure combining leadership class resources at eight partner sites to create an integrated, persistent computational resource”
Teragrid Facts
Launched August 200140 Teraflops of computing power
2 Petabyes of storage10-30 Gig Interconnects (Dedicated Network)
Specializes in data analysis and visualization resources
Teragrid Partners
National Science Foundation Indiana UniversityNCSAORNLPSCPurdue UniversitySDSCUniversity of TexasUC/ANL
Teragrid Backbone
The Challenge…
Developing a security baseline that satisfies a broad range of organizations including: Major Universities and Government Research Facilities.
Need A TG Security BaselineDifferent Organizations, Different Goals
Government, Higher Ed, Research Service Requirement, Public Relations, Privacy Reqs, Acceptable Use
How To Handle Non-TG Customers?
Building a Teragrid Security Team
ANL: Ti Leggett, JP Navarro, Gene Rackow SDSC: Abe Singer, Bill Link, Victor Hazelwood NCSA: Jim Barlow, Jeff Rosendale, Tim Brooks, Aashish
Sharma PSC: Jim Marsteller (Chair), Derek Simmel, Bryan Webb ORNL: James Rome, Greg Pike CalTech: Mark Bartelt UTexas: Bill Jones Purdue: David Seidl, Anna Squicciarini, Greg Hedrick IU: Dave Hancock, Doug Pearson
Building a Teragrid Security Team
First Steps:Drafted a Security Memorandum of Understanding (M.O.U)
Incident Response Contact ListSecurity “Hotline”
Security M.O.U.
Goal: A communications tool to define security expectations among EFT Sites. Not intended to replace existing site policy. Establish Policy - Not Implementation
Focus Areas: Security BaselinesIncident ResponseChange/Patch ManagementAwarenessAccountability/Privacy
Incident Response Framework
…a “crash” course IR Team Creation IR Procedures
Playbook and IR Flowchart Secure Communications
Encrypted Email 24/7 Security “Hotline” Information Repository Encrypted IM
Identifying, Responding & Communicating Events
Response Playbook Who To Contact Methodology
Initial Responders Secondary Responders Help Desk Staff
How to Respond to Event PR Guidelines 800 Number & International Access
Identifying, Responding & Communicating Events
Security “hotline” 24/7 Reservation less Conference # Any Site Can Initiate Only Known To Response Personnel All participants are announced and challenged
800 Number & International Access Only transmitted encrypted to protect eavesdropping
Identifying, Responding & Communicating Events
Mailing Lists“General” List: Used to announce weekly IR calls, new vulnerabilities, share IR related information.
Emergency List Used to alert TG Staff of an incident Response Staff Subscription Can be tied to Trigger (Pagers, Phones, NOC)
Encrypted Communications
Encrypted Communications Are VERY IMPORTANT!
PGP/GPG encrypted email
Shared Password for Email Communications (Changes Frequently)
Encrypted Website To Archive Critical Information
Site Based Encrypted Instant Messaging (JABBER)
Coordinated Evidence Gathering
Playbook Outlines Requirements:Protecting “Chain Of Custody”Proper LoggingReliable Copies Of Process Accounting
Level Of Effort Responding Staff Hours & Capitol
Weekly Response Calls
‘Closed’ only to TG IR Personnel
Forum for Detailed Description of Security Events and Q&A
Share Latest Attack VectorsNon-TG NewsUpdate On Current Investigations
Current Teragrid IR Challenges:
Customer Service Coordination Single point of contact for user
User services and Security Getting useful information from the user Managing accounts across TG Resource Providers
Which sites have disabled? What needs to be done to reactivate? User Service insight to all of this information
IR Sharing/Reporting Today all email based w static webpages IR Trouble Ticket System
Action taken site by site Action/information needed
NSF Notification procedure/threshold Expansion of the Teragrid and beyond
Customer Service Coordination
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
Customer Service Coordination
User Questions for a Compromised Account:
1.Do you use the password of the compromised account at other TG sites or other general accounts (Hotmail, Amazon, Paypal, Ebay)?
2.What was the time of your last known login? Where was it from?’
3.From what locations do you usually login (hostnames/IP)?4.Which sites/machines have you used?5.What locations (hosts) can we expect to you to login from?6.Can accounts at other TG sites be closed down, or do you expect to use them in the future? If so, which sites are not needed: (PSC, SDSC, NCSA, ANL, Purdue, Indiana, ORNL, Texas, etc.)
7.Do you have any idea how someone may have gotten your login info (login/password)? what machines may possibly be compromised? your desktop? some other machine you used?
Expanding beyond the Teragrid
What is the criteria for notifying funding sources?Every Account/Host compromise?
How to maintain as TG grows?Newbie Guide & Security M.O.U.How to effectively engage other organizations? Other Grid Communities, Research communities and International organizations
Useful Resources
security.teragrid.orghttp://www.first.org/Research and Education Networking ISAC: http://www.ren-isac.net
My Email: [email protected]