MWSG3, August 25, 2004
JRA3 - Incident Response: Issues to decide on and next steps
Yuri Demchenko <demch@science.uva.nl>
www.eu-egee.org
EGEE is a project funded by the European Union under contract IST-2003-508833

Outline
- Goals
- Creating an Incident Response Capability/Service in EGEE: discussion
- Grid Security Incident definition and description format
- Suggestions on further work

Goal
The goal of this presentation is to start the discussion that defines the next steps in creating an Incident Response Capability (IRC) for EGEE:
- Discuss and decide on an organisational structure for the IRC
- How to proceed with organisation and implementation
- Who will do this job/activity?
- Define the coordination and cooperation framework
- Grid Security Incident description format (informational)

Suggestions from the last meeting
- Inventory and taxonomy: ongoing/done
- Decide on an organisational structure for the EGEE Incident Response Capability/Infrastructure
- Contact with GOC/ROC
- Prepare the 1st CSIRT Workshop for EGEE

Incident Response Components
- CSIRTs: the organisational form depends on the type of organisation and on the level of support the community requires
- Security Policy: defines what is required, allowed and acceptable
- Incident Response Policy: what is provided, who receives it and who provides the support
- Incident Response Plan: which incidents will be responded to, and how
- RFC 2350 defines the template a CSIRT uses to publish its Incident Response Policy and the services it offers

Types of CSIRT
Security Group
- Not formally a CSIRT, but may be a first step towards creating one
- Normally emerges from the Network Operations Team (NOT)
Distributed (Internal) CSIRT
- Has a well-defined constituency, a central office and (at minimum) designated staff
- Most of the staff share the responsibility or are on duty part-time
- Maintains a common Security and Incident Response policy
- Publishes advisories, warnings, reports and recommendations (vulnerabilities)
Coordinating CSIRT
- Coordinates a wide range of Incident Response activities
- Creates and maintains a common Security and Incident Response policy

Subject for discussion: two possible scenarios/models
Scenario 1: Coordinating CSIRT or Security Group
- GOC/ROC: security contacts
- Cooperation: network-related security incidents
- Outsourced services: large-scale or critical security incidents
Scenario 2: Central or Distributed CSIRT
- GOC/ROC: local CSIRTs or shared-time CSIRT members
- Outsourced services: GOC/ROC and/or IRC

Incident Response in EGEE
- Actual incident response will be done at the GOC, by Security Groups or by internal/external CSIRTs
- Incident coordination for EGEE: a coordinating, central or distributed CSIRT servicing the EGEE infrastructure is required
- Outsourced services (?)
- Discussion

IRC organisation in EGEE [Currently left blank]

Grid Security Incident
- Computer Security Incident: general definition
- Any specifics of a Grid Security Incident?
- Web Services threats analysis, to be extended with a Grid/OGSI/OGSA threats analysis
- Format for the Grid Security Incident description

Incident
A computer/ICT security incident is defined as any real or suspected adverse event in relation to the security of a computer or computer network. Typical security incidents within the ICT area are a computer intrusion, a denial-of-service attack, information theft or data manipulation, etc.
An incident can be defined as a single attack or a group of attacks that can be distinguished from other attacks by the method of attack, the identity of the attackers, the victims, the sites, the objectives, the timing, etc.
An incident in general is defined as a security event that involves a security violation: an event that violates a security policy, an AUP (acceptable use policy), laws and jurisdictions, etc. A security incident may be logical, physical or organisational, for example a computer intrusion, loss of secrecy, information theft, a fire, or an alarm that doesn't work properly. A security incident may be caused on purpose or by accident; the latter may be when somebody forgets to lock a door or forgets to activate an access list on a router.

Incident: any specifics for Grid?
Grid Security Incident (GSInc) definition:
- Depends on the scope and range of the Security Policy, ULA or SLA
- Should be based on a threats analysis and a vulnerabilities model
- Should be based on an analysis of Grid processes/workflows
The GSInc definition is the base for the GSInc description format: what information must be collected, and how it is exchanged and handled.

Web Services threats analysis (0)
- Web Service interface (WSDL) probing
- Brute force attack on the XML parsing system
- Malicious XML content
- External reference attacks
- SOAP/XML protocol attacks
- Underlying transport protocol attacks

Web Services threats analysis (1)
Web Service interface (WSDL) probing
- WSDL describes the methods and parameters used to access a specific Web Service; once published, it hands an attacker an exact map of the service's attack surface
Brute force attack on the XML parsing system
- XML parsing is a resource- and time-consuming process; maliciously constructed XML documents (for example, nested entity definitions that expand to far more than their size on the wire) may overload the XML parsing system
Malicious XML content
- XML documents may contain malicious parsing or processing instructions (XML Schema extensions, XPath or XQuery expressions, XSLT instructions, etc.) that alter the XML parsing process
- Malicious content may also carry threats to the back-end applications or the hosting environment (payloads that reach a database or command interpreter unchanged)

Web Services threats analysis (2)
External reference attacks
- This group is based on the generic ability of XML to include references to external documents or data types (external entities, DTDs, schemas). Poor configuration or improper handling of external resources can readily be exploited by attackers to create DoS scenarios or to steal information, for example by having an entity that resolves to a local file echoed back in the response
SOAP/XML protocol attacks
- The SOAP messaging infrastructure operates on top of network transport protocols and uses similar services for delivering and routing SOAP messages; it is therefore susceptible to typical network/infrastructure attacks such as Denial of Service (DoS), replay and man-in-the-middle attacks
Underlying transport protocol attacks
- These are not specific to XML Web Services, but they directly affect the reliability of SOAP communications
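The parser-side defences for the three XML-level threat classes above (brute force on the parser, malicious content, external references), as an added example written for this page and not code from the EGEE project or the slides: a gateway check that refuses DTD and entity declarations before the message touches the XML parser, and then streams the document with explicit size, depth and element-count ceilings. The limits (64 KiB, depth 32, 10,000 elements), the exception name and all four sample messages are constructed for the example.

```python
"""Pre-parse checks for inbound SOAP/XML messages (added example).

Rejects the hostile XML classes from the slide before the message reaches
the parser and the back-end: entity expansion ("brute force" on the XML
parser), external references (DOCTYPE/ENTITY with SYSTEM/PUBLIC ids) and
oversized or deeply nested documents. Limits and samples are constructed.
"""
import io
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024      # assumed ceiling for one SOAP request
MAX_DEPTH = 32             # assumed ceiling for element nesting
MAX_ELEMENTS = 10_000      # assumed ceiling for the element count

# SOAP 1.1/1.2 forbid a DTD in a message, and every entity-expansion and
# external-reference attack needs one, so any DOCTYPE/ENTITY is refused.
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class RejectedMessage(ValueError):
    """Raised when a message fails a pre-parse check."""


def check_xml_message(raw: bytes) -> ET.Element:
    """Return the parsed root element, or raise RejectedMessage.

    Checks run in increasing cost order: byte length, a regex for DTD
    markers over the raw bytes (no parsing yet), then a streaming parse
    that counts depth and element totals so a hostile document is
    abandoned as soon as a ceiling is crossed.
    """
    if len(raw) > MAX_BYTES:
        raise RejectedMessage(f"message too large: {len(raw)} bytes")
    m = _DTD_MARKER.search(raw)
    if m:
        raise RejectedMessage(f"DTD declaration not allowed: {m.group(0).decode()}")
    depth = elements = 0
    root = None
    try:
        for event, elem in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if root is None:
                    root = elem          # same object the parser keeps filling
                if depth > MAX_DEPTH:
                    raise RejectedMessage(f"nesting deeper than {MAX_DEPTH}")
                if elements > MAX_ELEMENTS:
                    raise RejectedMessage(f"more than {MAX_ELEMENTS} elements")
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise RejectedMessage(f"not well-formed: {exc}") from exc
    return root


def classify(raw: bytes) -> str:
    """Return 'accepted' or the rejection reason, suitable for a gateway log."""
    try:
        check_xml_message(raw)
        return "accepted"
    except RejectedMessage as exc:
        return f"rejected: {exc}"


# Constructed sample messages, not captured traffic.
BENIGN = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><jobSubmit><jobId>42</jobId></jobSubmit></soap:Body>
</soap:Envelope>"""

# Entity expansion: three short definitions that multiply inside the parser.
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>&lol3;</soap:Body></soap:Envelope>"""

# External reference: an entity that would make the parser read a local file.
EXTERNAL_REF = b"""<?xml version="1.0"?>
<!DOCTYPE x [ <!ENTITY cred SYSTEM "file:///etc/grid-security/hostkey.pem"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><echo>&cred;</echo></soap:Body></soap:Envelope>"""

# 200 nested elements: cheap to send, expensive for recursive handlers downstream.
DEEP = b"<root>" + b"<a>" * 200 + b"x" + b"</a>" * 200 + b"</root>"

if __name__ == "__main__":
    for name, msg in [("benign", BENIGN), ("entity bomb", ENTITY_BOMB),
                      ("external ref", EXTERNAL_REF), ("deep nesting", DEEP)]:
        print(f"{name:13s} -> {classify(msg)}")
```

The regex deliberately errs on the side of rejection (a literal `<!DOCTYPE` inside CDATA is refused too); for a SOAP endpoint that is the right trade, since a legitimate client never needs a DTD. The streaming parse matters because a DOM-style parse would already have spent the memory by the time a depth or element limit could be evaluated.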

Grid Security Incident vs Grid Security Event
- A security incident is the result of a successful attempt; the attempt itself generates a security event
- Examples of Grid-specific security events:
  - a few sequential failed logins: far too common an event everywhere; what is the threshold?
  - SOAP port scanning
  - HTTPS DoS attack: is it related to the Grid at all?
  - patterns of suspected private key compromise
  - patterns of suspected AuthN/AuthZ security token compromise
  - attempt to access sensitive information
  - credit limit probing
- An event is an issue for Intrusion Detection; an incident is an issue for Incident Response

Types of GSInc and audit events (1)
Private key compromise:
- patterns of key usage
- broken chain of PKC/keys/credentials
- a copy is discovered in an improper place
Audit/log events together with their related data are also referred to as evidence.

Types of GSInc and audit events (2)
Other/general credentials compromise:
- patterns of credential usage
- broken chain of PKC/keys/credentials
- a copy is discovered in an improper place
- the credential originates from a location other than its default one
- sequential failed attempts to request action(s): PDP/PEP logging/audit
Remaining problems:
- How to determine at an early stage that a private key has been compromised? Any external experience?
- May require storing (not only caching) credentials and adding a history/evidence chain to the credential format; X.509 credentials are not capable of this

Types of GSInc and audit events (3)
- Attempt to access sensitive data/information with a lower level of privileges: access log
- Credit limit on a resource exhausted: a few unsuccessful attempts to run actions with unmatched credit
- Etc.
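The event-to-incident step that the "Grid Security Incident vs Grid Security Event" slide and the three "Types of GSInc and audit events" slides describe, as an added example written for this page rather than code from EGEE or JRA3: a correlation pass over authentication/authorisation audit records that applies the listed patterns with explicit thresholds (the slide's "what is the threshold?" made into tunable constants). The log line format, field names, site names, DNs, source addresses, the four finding names and all threshold values are constructed for the example; a real gatekeeper or PDP/PEP log needs its own parser.

```python
"""Turning Grid audit events into incident candidates (added example).

Patterns from the slides, each with an explicit threshold: repeated failed
logins, one credential used from several sites at once (suspected key or
proxy compromise), repeated authorisation denials (probing above the
caller's privilege) and repeated credit-limit rejections. The log format,
names and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r'^(?P<ts>\S+) site=(?P<site>\S+) src=(?P<src>\S+) dn="(?P<dn>[^"]+)" '
    r'op=(?P<op>\w+) result=(?P<result>\w+)$')

WINDOW_S = 300          # correlation window per credential, in seconds
FAILED_AUTH_MIN = 5     # failed logins within WINDOW_S before it is worth a look
DENIED_AUTHZ_MIN = 3    # authz denials within WINDOW_S before it counts as probing
CREDIT_REJECT_MIN = 3   # credit rejections within WINDOW_S before it counts as probing


def parse(line):
    """Parse one audit line into a dict, or return None for non-records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def _push(q, ts, site):
    """Append (ts, site) and drop entries older than WINDOW_S; return the window."""
    q.append((ts, site))
    while (ts - q[0][0]).total_seconds() > WINDOW_S:
        q.popleft()
    return q


def correlate(lines):
    """Return incident candidates as (kind, dn, detail) tuples.

    Each credential (DN) keeps one sliding window per (op, result) pair; a
    finding is emitted once per (kind, dn) so a noisy credential does not
    flood the incident queue with duplicates.
    """
    windows = defaultdict(lambda: defaultdict(deque))
    findings, seen = [], set()

    def emit(kind, dn, detail):
        if (kind, dn) not in seen:
            seen.add((kind, dn))
            findings.append((kind, dn, detail))

    for line in lines:
        r = parse(line)
        if r is None:
            continue
        dn, ts, key = r["dn"], r["ts"], (r["op"], r["result"])
        q = _push(windows[dn][key], ts, r["site"])
        if key == ("auth", "failed") and len(q) >= FAILED_AUTH_MIN:
            emit("repeated-auth-failures", dn, f"{len(q)} failures within {WINDOW_S}s")
        elif key == ("auth", "ok"):
            sites = sorted({s for _, s in q})
            if len(sites) > 1:   # same credential alive at several sites
                emit("suspected-credential-compromise", dn,
                     f"one credential used from {sites} within {WINDOW_S}s")
        elif key == ("authz", "denied") and len(q) >= DENIED_AUTHZ_MIN:
            emit("privilege-probing", dn, f"{len(q)} denials within {WINDOW_S}s")
        elif key == ("submit", "credit_exceeded") and len(q) >= CREDIT_REJECT_MIN:
            emit("credit-limit-probing", dn, f"{len(q)} rejections within {WINDOW_S}s")
    return findings


# Constructed sample audit log (not a real EGEE log).
SAMPLE_LOG = """\
2004-08-25T10:00:00Z site=CERN-ROC src=137.138.1.10 dn="/O=Grid/CN=Alice" op=auth result=ok
2004-08-25T10:01:00Z site=RAL-ROC src=130.246.2.2 dn="/O=Grid/CN=Bob" op=auth result=failed
2004-08-25T10:01:10Z site=RAL-ROC src=130.246.2.2 dn="/O=Grid/CN=Bob" op=auth result=failed
2004-08-25T10:02:00Z site=NIKHEF-ROC src=192.16.186.5 dn="/O=Grid/CN=Alice" op=auth result=ok
2004-08-25T10:02:30Z site=NIKHEF-ROC src=192.16.186.5 dn="/O=Grid/CN=Alice" op=authz result=denied
2004-08-25T10:02:40Z site=NIKHEF-ROC src=192.16.186.5 dn="/O=Grid/CN=Alice" op=authz result=denied
2004-08-25T10:02:50Z site=NIKHEF-ROC src=192.16.186.5 dn="/O=Grid/CN=Alice" op=authz result=denied
2004-08-25T10:03:00Z site=CNAF-ROC src=131.154.1.1 dn="/O=Grid/CN=Mallory" op=auth result=failed
2004-08-25T10:03:01Z site=CNAF-ROC src=131.154.1.1 dn="/O=Grid/CN=Mallory" op=auth result=failed
2004-08-25T10:03:02Z site=CNAF-ROC src=131.154.1.1 dn="/O=Grid/CN=Mallory" op=auth result=failed
2004-08-25T10:03:03Z site=CNAF-ROC src=131.154.1.1 dn="/O=Grid/CN=Mallory" op=auth result=failed
2004-08-25T10:03:04Z site=CNAF-ROC src=131.154.1.1 dn="/O=Grid/CN=Mallory" op=auth result=failed
this line is not an audit record and is skipped
2004-08-25T10:20:00Z site=CERN-ROC src=137.138.1.10 dn="/O=Grid/CN=Carol" op=submit result=credit_exceeded
2004-08-25T10:20:10Z site=CERN-ROC src=137.138.1.10 dn="/O=Grid/CN=Carol" op=submit result=credit_exceeded
2004-08-25T10:20:20Z site=CERN-ROC src=137.138.1.10 dn="/O=Grid/CN=Carol" op=submit result=credit_exceeded
"""

if __name__ == "__main__":
    for kind, dn, detail in correlate(SAMPLE_LOG.splitlines()):
        print(f"{kind:32s} {dn:24s} {detail}")
```

Bob's two failures stay below FAILED_AUTH_MIN and produce nothing, which is the point of making the threshold explicit. The multi-site rule needs one caveat from the slides themselves: a delegated proxy legitimately fans out across many sites, so the rule is only meaningful for the long-lived end-entity key, and a log that records just the DN cannot tell the two apart. That is the "remaining problem" the slide raises, and a history/evidence chain in the credential format is what would let this rule distinguish them.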

GSInc description format
Can be based on IODEF, currently being developed by the IETF INCH WG: http://www.ietf.org/html.charters/inch-charter.html
- Top-level element: Incident
- Incident data in the EventData element: Incident/EventData
- Elements extended or added:
  - EventData/Record/RecordData: extended
  - EventData/System/XMLWebService: new
  - EventData/System/Principal: new

IODEF top level elements (diagram slide)

EventData: where the Grid Security Incident data can be placed (diagram slide)

Principal Element: draft (diagram slide)

XMLWebService Element (diagram slide)

RecordData Element (diagram slide)
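How the GSInc description format slide and the element slides above fit together, as an added example written for this page and not code from the INCH working group or the EGEE project: an Incident document built with Incident/EventData as the container, the audit lines as evidence under Record/RecordData, and the two proposed additions System/Principal and System/XMLWebService, then read back the way a receiving CSIRT tool would. The namespace URIs are placeholders, not the draft's; the child elements of Principal and XMLWebService (DN, CredentialType, Endpoint, Operation), the Node/NodeName and RecordItem children, the attribute names and the sample values are all assumptions made for this example.

```python
"""Placing Grid Security Incident data in an IODEF-style document (added example).

Layout follows the slide: Incident > EventData > System/Record, with the
proposed Principal and XMLWebService elements under System and the raw
audit lines under Record/RecordData. Namespace URIs, the children of the
extension elements and the attribute names are assumptions for this example.
"""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:example:iodef-draft"     # placeholder, not the INCH draft's URI
GSINC_NS = "urn:example:egee:gsinc"      # placeholder for the Grid extension
ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("gsinc", GSINC_NS)


def _q(ns, tag):
    """Clark-notation qualified name used by ElementTree."""
    return f"{{{ns}}}{tag}"


def build_gsinc(incident_id, report_time, principal_dn, credential_kind,
                endpoint, operation, host, evidence_lines):
    """Return the serialised incident document as UTF-8 bytes."""
    inc = ET.Element(_q(IODEF_NS, "Incident"), {"purpose": "reporting"})
    ET.SubElement(inc, _q(IODEF_NS, "IncidentID"), {"name": "egee-irc"}).text = incident_id
    ET.SubElement(inc, _q(IODEF_NS, "ReportTime")).text = report_time
    ev = ET.SubElement(inc, _q(IODEF_NS, "EventData"))
    sysel = ET.SubElement(ev, _q(IODEF_NS, "System"), {"category": "target"})
    node = ET.SubElement(sysel, _q(IODEF_NS, "Node"))
    ET.SubElement(node, _q(IODEF_NS, "NodeName")).text = host
    # Proposed extension: who acted, or whose credential was used (assumed children).
    pr = ET.SubElement(sysel, _q(GSINC_NS, "Principal"))
    ET.SubElement(pr, _q(GSINC_NS, "DN")).text = principal_dn
    ET.SubElement(pr, _q(GSINC_NS, "CredentialType")).text = credential_kind
    # Proposed extension: which Web Service interface and operation was hit.
    ws = ET.SubElement(sysel, _q(GSINC_NS, "XMLWebService"))
    ET.SubElement(ws, _q(GSINC_NS, "Endpoint")).text = endpoint
    ET.SubElement(ws, _q(GSINC_NS, "Operation")).text = operation
    # Evidence: the audit lines, one RecordItem each, under Record/RecordData.
    rec = ET.SubElement(ev, _q(IODEF_NS, "Record"))
    rd = ET.SubElement(rec, _q(IODEF_NS, "RecordData"))
    for line in evidence_lines:
        ET.SubElement(rd, _q(IODEF_NS, "RecordItem"), {"dtype": "string"}).text = line
    return ET.tostring(inc, encoding="utf-8", xml_declaration=True)


def summarise(doc: bytes) -> dict:
    """Pull out the fields a coordinator triages on, namespace-aware."""
    root = ET.fromstring(doc)
    ns = {"i": IODEF_NS, "g": GSINC_NS}
    return {
        "id": root.findtext("i:IncidentID", namespaces=ns),
        "principals": [p.findtext("g:DN", namespaces=ns)
                       for p in root.iterfind(".//g:Principal", ns)],
        "endpoints": [w.findtext("g:Endpoint", namespaces=ns)
                      for w in root.iterfind(".//g:XMLWebService", ns)],
        "evidence_items": len(root.findall(".//i:RecordItem", ns)),
    }


# Constructed sample values, not a real incident.
SAMPLE_EVIDENCE = [
    '2004-08-25T10:00:00Z site=CERN-ROC dn="/O=Grid/CN=Alice" op=auth result=ok',
    '2004-08-25T10:02:00Z site=NIKHEF-ROC dn="/O=Grid/CN=Alice" op=auth result=ok',
]

if __name__ == "__main__":
    doc = build_gsinc("EGEE-2004-0001", "2004-08-25T10:05:00Z", "/O=Grid/CN=Alice",
                      "proxy", "https://ce.example.org:8443/wsrf/JobSubmit",
                      "jobSubmit", "ce.example.org", SAMPLE_EVIDENCE)
    print(doc.decode())
    print(summarise(doc))
```

Keeping the Grid additions in their own namespace is what lets a plain IODEF consumer ignore Principal and XMLWebService while an EGEE-aware one reads them, and the RecordItem entries keep the original audit lines intact so the evidence chain survives the exchange. Documents arriving from another CSIRT are untrusted XML and deserve the same DTD and size checks as any inbound SOAP message before `summarise` is run on them.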

Summary: next steps
- Decision on the EGEE IRC organisational structure
- Contact with GOC/ROC
- Contacting the CSIRT community: coordination is essential
- Continue on the GSInc definition and format, also providing requirements for logging

Additional information

Incident Response and Intrusion Detection
- Intrusion Detection is normally a component of the network infrastructure/services: Intrusion Detection Systems (IDS) or sensors are installed on or close to firewalls, routers and switches, or run as a special program over log files
- ID produces alerts so that suspected activity can be stopped before it escalates into an incident; ID is rather a proactive service
- Incident Response is a complex of designated people, policies and procedures; Incident Response is a reactive function
- Q: Do we need to tackle Intrusion Detection in JRA3/EGEE?
  - ID/network protection is the responsibility of the network operator or team, and may be outsourced to the network provider or hosting organisation
  - A CSIRT often has an influence on the network security policy and on the IDS policy/criteria

Incident Response Policy
- Types of incidents and level of support: a list of incident categories ordered by severity
- Co-operation, interaction and disclosure of information: based on the organisation's Security Policy; the availability of information, and an ordered list of the information being considered for release, both personal and vendor's
- Communication and authentication: protection of information during communication; mutual authentication between the communicating parties; also depending on the information category

Incident Response Procedures
Should be documented in full, or at least in their critical parts:
- Initial incident reporting and assessment
- Progress recording
- Identification and analysis
- Notification: initial and during progress
- Escalation: by incident type or service level
- Containment
- Evidence collection
- Removal and recovery

Incident response
Incident response includes three major groups of actions/services:
- Incident triage: assessing and verifying incoming Incident Reports (IR)
- Incident coordination: categorising incident information, forwarding IRs and arranging interaction with other CSIRTs, ISPs and sites
- Incident resolution: helping a local site (the victim) to recover from an incident; in most cases offered as an optional service