
Integrated Site Security for Grids © Members of the ISSeG Collaboration, 2008. See: ISSeG Integrated Site Security.



Presentation transcript:

Slide 1: Integrated Site Security for Grids, www.isseg.eu, © Members of the ISSeG Collaboration, 2008. See: http://www.isseg.eu/ ISSeG Integrated Site Security for Grids, EU-FP6 Project 026745. What is a ‘risk’? David Jackson, STFC. CHEP 07, Victoria BC, 4 September 2007.

Slide 2: Content. 1. What is a ‘risk’? 2. Is risk static? 3. Are there Grid-specific risks? 4. Emerging risks.

Slide 3: What is a risk? A risk is the potential that some threat may use or exploit a vulnerability to compromise your site and cause you harm. “the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation. It is measured in terms of a combination of the probability of an event and its consequence.” (Section 2.19, ISO/IEC 13335-1:2004)

Slide 4: What is a risk? For a risk to exist, three things need to be present: a threat, a vulnerability, and an impact on an asset (or group of assets).

Slide 5: What is a risk? A threat is a person (or event) with the motivation and capability to cause harm to an asset (or group of assets).

Slide 6: What is a risk? A vulnerability is a weakness within the infrastructure or a management process that can be exploited to expose an asset (or group of assets) to possible compromise or damage.

Slide 7: What is a risk? The impact is the effect on your business.

Slide 8: What is a risk? If you remove any one of the three components of risk, you have removed the risk.

Slide 9: What is a risk? Example: An external attacker used a weak password to gain access to your finance system.

Slide 10: What is a risk? A threat is “a potential cause of an incident that may result in harm to a system or organisation.” (Section 2.25, ISO/IEC 13335-1:2004); “a person (or event) with the motivation and capability to cause harm to an asset (or group of assets).” (Slide 5); “something or someone that has the potential to cause you harm”.

Slide 11: What is a risk? Example threats. Human, deliberate: Eavesdropping, Hacking, Spam, Phishing, Theft, Social engineering. Human, accidental: Errors, File deletion, Omissions, Accidents. Environmental: Flood, Fire, Heating, Power.

Slide 12: What is a risk? Removing a threat (Human, Deliberate). Threats can be from individuals who have the motivation and capability to attack you. If you remove their capability to attack you (e.g. make it more difficult), you are likely to reduce the threat. Example: Use a firewall to restrict access to your site.

Slide 13: What is a risk? Removing a threat (Human, Accidental). Individuals are not motivated to cause accidental damage. If you remove their capability to cause an accident (e.g. make it more difficult), you are likely to reduce the threat. Example: Users do not need to use root or administrative privilege to access the Internet.

Slide 14: What is a risk? Removing a threat (Environmental). Environmental threats are not motivated to cause damage and are difficult to remove. It is possible to avoid some but not all such threats. Example: Do not build data centres in flood plains near rivers.

Slide 15: What is a risk? Removing a threat. It is difficult to change the motivation of external attackers. Policies, guidance and training can motivate users to be less of a threat.

Slide 16: What is a risk? Removing a vulnerability. Once you know the vulnerabilities within your site, you can remove them. Example: Keep IT software updated.

Slide 17: What is a risk? Reducing the impact. Reduce the impact that the potential risk could have on your organization. Example: Have more than one connection to the Internet.

Slide 18: What is a risk? You can reduce risk down to an acceptable limit (residual risk) and then you just need to deal with it. Example: Have more than one connection to the Internet.
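The following is an added worked example, not part of the ISSeG slides, that models the three-component definition from slides 4 to 8 (threat, vulnerability, impact; remove any one and the risk is gone), the ISO/IEC 13335-1 measure of probability combined with consequence from slide 3, and the three kinds of treatment from slides 12 to 18 (reduce the threat's capability, remove the vulnerability, reduce the impact, then compare what is left against an accepted residual level). The Risk class, the 0..1 probability and 0..5 impact scales, the idea of modelling "reduced capability" as a lower probability, and the sample register (whose first entry is the slide 9 scenario) are all constructed assumptions for illustration.

```python
"""Three-component risk model from the ISSeG 'What is a risk?' slides.

Added example for this transcript; not ISSeG code. Scales, weights and
the sample register below are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: Optional[str]          # None once the threat has been removed
    vulnerability: Optional[str]   # None once the vulnerability has been removed
    probability: float             # assumed 0.0..1.0: chance the threat exploits the vulnerability
    impact: int                    # assumed 0..5: consequence for the business (0 = none)

    def exists(self) -> bool:
        """Slide 8: a risk needs all three components; remove one and it is gone."""
        return (self.threat is not None
                and self.vulnerability is not None
                and self.impact > 0)

    def level(self) -> float:
        """Slide 3 (ISO/IEC 13335-1): probability combined with consequence."""
        return self.probability * self.impact if self.exists() else 0.0


# One treatment per component, mirroring slides 12-17.
def restrict_capability(r: Risk, factor: float) -> Risk:
    """Threat: making the attack harder (e.g. a firewall, no root for browsing).
    Modelled here, as an assumption, as scaling the probability down."""
    return replace(r, probability=r.probability * factor)


def remove_vulnerability(r: Risk) -> Risk:
    """Vulnerability: e.g. patching, or replacing a weak password with a strong one."""
    return replace(r, vulnerability=None)


def reduce_impact(r: Risk, new_impact: int) -> Risk:
    """Impact: e.g. a second Internet connection limits the harm of losing one."""
    return replace(r, impact=new_impact)


def residual_risk(register: List[Risk], acceptable: float) -> List[Risk]:
    """Slide 18: the risks still above the level the site has agreed to accept."""
    return [r for r in register if r.level() > acceptable]


# Constructed register. The first entry is the slide 9 scenario.
REGISTER = [
    Risk("finance system", "external attacker", "weak password", probability=0.6, impact=5),
    Risk("Internet connectivity", "power failure", "single uplink", probability=0.2, impact=4),
    Risk("user workstation", "user error", "browsing as root", probability=0.5, impact=3),
]


def apply_controls(register: List[Risk]) -> List[Risk]:
    """Treat each sample risk with the kind of control the slides suggest for it."""
    weak_pw, uplink, root_browse = register
    return [
        remove_vulnerability(weak_pw),          # slide 16: remove the weakness itself
        reduce_impact(uplink, 1),               # slide 17: second connection, small impact
        restrict_capability(root_browse, 0.1),  # slide 13: accidents far less likely without root
    ]


if __name__ == "__main__":
    treated = apply_controls(REGISTER)
    for before, after in zip(REGISTER, treated):
        print(f"{before.asset:22s} {before.level():.2f} -> {after.level():.2f}")
    print("still above 0.5:", [r.asset for r in residual_risk(treated, 0.5)])
```

The point the model makes is structural rather than numeric: removing the vulnerability drives the level to zero regardless of how motivated the attacker is, while the other two treatments only shrink it, so whatever remains has to be compared with the residual level the site has agreed to accept and then managed, as slide 18 says.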

Slide 19: What is risk?

Slide 20: What is risk? So how do you implement security controls? Technical controls: the site implements a firewall to stop external attackers but allow academic collaboration. Education: explain to users why there is a firewall (to stop attackers) and how to ask for exceptions (to allow collaboration). Administrative controls: the Security Policy states that Internet services must be used safely.

Slide 21: What is risk? Risk is part of everyday life. It gives us opportunities for development. We need to accept some level of risk; you cannot get rid of it all.

Slide 22: Is risk static? 1. What is a “risk”? 2. Is risk static? 3. Are there Grid-specific risks? 4. Emerging risks.

Slide 23: Is risk static? Once you know the risks, are they static? Administrative changes, e.g. merge with another organization or join a Virtual Organisation. Technical changes, e.g. new patches for PCs/Grid nodes. Educational changes, e.g. new users.

Slide 24: Is risk static? New opportunities for science often result in changes at your site. Sites should use a management process to assess any risk associated with the change. Once you know what you have, you can gauge how much risk you will accept. Commonly called “risk analysis”. [Diagram: Identify, Implement, Analyse, Monitor; a continuous process]

Slide 25: Is risk static? Q: Once done, are you “safe”? A: No. Risk is not static and evolves with time. As such, you must continually (or at least regularly) reassess how much risk you are prepared to accept. [Diagram: Identify, Implement, Analyse, Monitor; a continuous process]

Slide 26: Is risk static? As a natural consequence of your activities (and life) risk levels change, giving opportunities for improvement. Some individuals and organisations accept more risk, some less. If risk is managed, it can be a positive driver for improvement. If not, it can be disruptive. [Diagram: Identify, Implement, Analyse, Monitor; a continuous process]

Slide 27: Grid-specific risks. 1. What is a “risk”? 2. Is risk static? 3. Are there Grid-specific risks? 4. Emerging risks.

Slide 28: Grid-specific risks? Question: Are there Grid-specific risks?

Slide 29: Grid-specific risks? Threats: Some attackers are more motivated to attack Grid sites due to large resources.

Slide 30: Grid-specific risks? Threats: There is at least one new class of threat that can cause you harm, the VO (Virtual Organisation). VOs have the capacity but NO motivation to harm you. VOs control their own membership; researchers join VOs. As a site, you no longer know who is using the resources that you host for the VO. Researchers can offer resources to VOs. As a site, do you know what VOs you have in your network?

Slide 31: Grid-specific risks? Vulnerabilities: There are new Grid-specific vulnerabilities.

Slide 32: Grid-specific risks? Vulnerabilities: There are new Grid-specific vulnerabilities. Sites use homogeneous IT resources: a break-in to one site => a break-in to many sites; one flaw on one node = X flaws on X similar nodes. Middleware: any new component of a system introduces new vulnerabilities. Users and activity: the numbers of both are up. This increases the probability of a password/pass phrase compromise.

Slide 33: Grid-specific risks? Impact: Turning off the Grid at a site is a measure of last resort. Not impossible, just not probable.

Slide 34: Grid-specific risks. At present, only one Grid-specific threat has been identified. By participating in Grid activity, you increase the probability of some risks, but they are not necessarily new risks. Increased: attractiveness of the site as a target; number of vulnerabilities; number of users; level of activity.

Slide 35: Emerging risks. 1. What is a “risk”? 2. Is risk static? 3. Are there Grid-specific risks? 4. Emerging risks.

Slide 36: Emerging risks. Emerging risks are new risks that are likely to arise within the next 3 years. These are in addition to the current risks. http://www.enisa.europa.eu/rmra/er_home.html

Slide 37: Emerging risks. Current risks: SPAM; Botnets; Phishing; Identity theft; Route hijacking; Instant Messaging; Peer-to-peer systems; Malware on Cell Phones; Hackers in Stock Market; Software vulnerabilities; No protection (e.g. antivirus) in some devices. Emerging risks: SCADA (Supervisory Control and Data Acquisition); Increased home automation; Turning home appliances on/off; Massive collections of personal data; Invisible data collection in public places; Invisible data collection in private premises; Security is more an art than a science; DoS attack on the home telephone; Hacking home heat and/or air-conditioning system; Internet users are younger, less experienced and more prone to subtle attacks; Internet users may not have strong motives to clean up their compromised computers; Malware over multiple networks (GSM, GPRS, Internet, Bluetooth). http://www.enisa.europa.eu/rmra/er_home.html

Slide 38: Summary. Risk is a fact of life. Each site has to set and agree what level of residual risk it is able to accept. By being part of a Grid service, you are at risk from electronic attack and compromise. By managing your risks you improve your site security and protect yourself.

Slide 39: ISSeG resources. ISSeG resources: training materials; recommendations; generic slides/resources. All available from the www.isseg.eu web site.

Slide 40: Questions.

Slide 41: Copyright © Members of the ISSeG Collaboration, 2008. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this material except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, Work distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

