EGEE is a project funded by the European Union under contract IST-2003-508833 Grid Security Incident definition and format Yuri Demchenko, AIRG UvA JSG.

Presentation transcript:

EGEE is a project funded by the European Union under contract IST
Grid Security Incident definition and format
Yuri Demchenko, AIRG UvA
JSG Meeting, October 4,

JSG meeting October 4

Outline
- Background
- Grid Security Incident definition
- Proposed Incident Description Format
- Summary and next steps
- Additional information

Goal: provide initial information and establish a common language/terminology as a basis for further cooperative development

Background - EGEE JRA3.4 documents
- Framework for establishing Incident Response Capability
  - Joint document with OSG/JSG/LCG/EGEE (presented by Bob Cowles)
- Grid Security Incident definition and exchange format
  - Ongoing development, current version presented as milestone
- Dictionary of the Computer Security and Incident Response terms (more than 100 terms) response-00.doc

Grid Security Incident (GSInc)
- Computer Security Incident – general definition
- Grid Security Incident – specifics
- Grid/OGSI/OGSA threats analysis, based on Web Services threats analysis
  - Summary is provided at the end of this presentation
  - Extended analysis is available in the JRA3.4 Milestone document
- Format for Grid Security Incident description, as an extension to the IODEF (Incident Object Description and Exchange Format) developed by the IETF INCH WG

From Vulnerability to Incident
Vulnerability -> Exploit -> Threat -> Attack/Intrusion -> Incident
- Vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy
- Exploit is a known way to take advantage of a specific software vulnerability
- Threat is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm
- Attack is an assault on system security that derives from an intelligent threat
- Incident is the result of a successful Attack

Computer Security Incident
A computer/ITC security incident is defined as any real or suspected adverse event in relation to the security of a computer or computer network. Typical security incidents within the ITC area are: a computer intrusion, a denial-of-service attack, information theft or data manipulation, etc.
- An incident can be defined as a single attack or a group of attacks that can be distinguished from other attacks by the method of attack, identity of attackers, victims, sites, objectives or timing, etc.

An Incident in general is defined as a security event that involves a security violation. This may be an event that violates a security policy, UAP, laws and jurisdictions, etc.
- A security incident may be logical, physical or organisational, for example a computer intrusion, loss of secrecy, information theft, fire or an alarm that doesn't work properly. A security incident may be caused on purpose or by accident. The latter may be the case if somebody forgets to lock a door or forgets to activate an access list in a router.

Incident – any specifics for Grid?
Grid Security Incident definition
- Depends on the scope and range of the Security Policy, ULA, or SLA
- Should be based on threats analysis and a vulnerabilities model
- Should be based on Grid processes/workflow analysis
GSInc definition is a base for the GSInc description format
- What information should be collected and how to exchange and handle it
Requirements for event logging and intrusion detection
- A common format is a basis for community-wide statistics and coordinated response
- Incident statistics provide feedback for Security Policy improvement

Grid Security Incident vs Grid Security Event
A Security Incident is the result of a successful attempt/attack
- An attempt generates a security event
Examples of Grid-specific security events
- A few sequential failed logins – far too common an event everywhere; what is the threshold?
- WSDL probing and SOAP port scanning
- Patterns of suspected private key compromise
- Patterns of suspected AuthN/AuthZ security token compromise
- Attempt to access sensitive information
- Credit limit probing
Event is an issue for Intrusion Detection – Incident is an issue for Incident Response

Types of GSInc and audit events (1)
Security credentials compromise (e.g., private key, proxy credential)
- patterns of credential usage
- broken chain of PKC/keys/credentials
- a copy is discovered in an improper place
- originated not from the default location
- sequential failed attempts to request action(s): PDP/PEP logging/audit
Remaining problems
- How to determine at an early stage that a private key has been compromised?
- May require credential storing (not caching) and adding a history/evidence chain to the credential format; X.509 credentials are not capable of this
Note: audit/log events together with related data can also be referred to as Evidence

Types of GSInc and audit events (2)
Attempt to access sensitive data/information with a lower level of privileges
- Access log, system log
Credit limit on resource exhausted
- A few unsuccessful attempts to run actions with unmatched credit
- Access log
Web Services based Security Incidents
- Application server log
- Security services log
- Etc.
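As an added example (not from the presentation) of the event-versus-incident distinction and the threshold question raised on the preceding three slides: constructed audit records are grouped into security events, and only those crossing an assumed policy threshold are escalated to Incident Response. The log format, DNs, addresses and threshold values are all made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the presentation): a gatekeeper
# authentication log and an application-server access log, merged and sorted.
LOG_LINES = """\
2004-10-04T09:58:01 AUTH FAIL dn=/O=Grid/CN=alice src=192.0.2.10
2004-10-04T09:58:04 AUTH FAIL dn=/O=Grid/CN=alice src=192.0.2.10
2004-10-04T09:58:09 AUTH FAIL dn=/O=Grid/CN=alice src=192.0.2.10
2004-10-04T09:58:15 AUTH FAIL dn=/O=Grid/CN=alice src=192.0.2.10
2004-10-04T09:58:20 AUTH FAIL dn=/O=Grid/CN=alice src=192.0.2.10
2004-10-04T09:58:27 AUTH OK   dn=/O=Grid/CN=alice src=192.0.2.10
2004-10-04T10:01:00 HTTP GET /services/JobSubmit?wsdl src=198.51.100.7
2004-10-04T10:01:01 HTTP GET /services/FileTransfer?wsdl src=198.51.100.7
2004-10-04T10:01:02 HTTP GET /services/Accounting?wsdl src=198.51.100.7
2004-10-04T10:05:00 AUTH FAIL dn=/O=Grid/CN=bob src=203.0.113.5
2004-10-04T10:05:30 AUTH OK   dn=/O=Grid/CN=bob src=203.0.113.5
""".splitlines()

AUTH_RE = re.compile(r"^(\S+) AUTH (FAIL|OK)\s+dn=(\S+) src=(\S+)$")
WSDL_RE = re.compile(r"^(\S+) HTTP GET (/\S+)\?wsdl src=(\S+)$")

# Assumed policy thresholds: the slide asks what the threshold should be, and
# these illustrative values are where that policy decision would be encoded.
FAILED_LOGIN_THRESHOLD = 5   # failed logins for one DN before escalation
WSDL_PROBE_THRESHOLD = 3     # distinct service WSDLs fetched by one source


def collect_events(lines):
    """Group raw audit records into security events: (kind, subject, count)."""
    failed = defaultdict(int)    # DN -> number of failed logins
    probed = defaultdict(set)    # source address -> service paths whose WSDL was fetched
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            if m.group(2) == "FAIL":
                failed[m.group(3)] += 1
            continue
        m = WSDL_RE.match(line)
        if m:
            probed[m.group(3)].add(m.group(2))
    events = [("failed-login", dn, n) for dn, n in failed.items()]
    events += [("wsdl-probing", src, len(paths)) for src, paths in probed.items()]
    return events


def escalate(events):
    """Events at or above their threshold become incident candidates for the
    Incident Response team; the rest stay with Intrusion Detection."""
    limits = {"failed-login": FAILED_LOGIN_THRESHOLD, "wsdl-probing": WSDL_PROBE_THRESHOLD}
    return [e for e in events if e[2] >= limits[e[0]]]
```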

GSInc description format
Can be based on IODEF, currently being developed by the IETF INCH WG
- XML based format compatible with IDMEF (for IDS)
- Top level element – Incident
- Incident data in the EventData element – Incident/EventData
Elements extended or added
- EventData/Record/RecordData – extended
- EventData/System/XMLWebService – new
- EventData/System/Principal – new
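An added example (not the presentation's own code nor the IETF data model) showing where the grid-specific data would sit along the element paths listed on the slide. Only the paths Incident/EventData, EventData/System/Principal, EventData/System/XMLWebService and EventData/Record/RecordData come from the slide; the child element names (IncidentID, DN, Endpoint, Operation, RecordItem) and all sample values are assumptions for this example.

```python
import xml.etree.ElementTree as ET

# Hypothetical layout following the slide: an IODEF Incident whose EventData
# carries the proposed Principal and XMLWebService elements under System and
# an extended RecordData. Child element names (IncidentID, DN, Endpoint,
# Operation, RecordItem) are assumptions for this example, not IODEF's.


def build_gsinc(incident_id, principal_dn, endpoint, operation, records):
    """Serialise one Grid Security Incident report as XML text."""
    incident = ET.Element("Incident")
    ET.SubElement(incident, "IncidentID").text = incident_id
    event = ET.SubElement(incident, "EventData")
    system = ET.SubElement(event, "System")
    principal = ET.SubElement(system, "Principal")      # proposed new element
    ET.SubElement(principal, "DN").text = principal_dn
    service = ET.SubElement(system, "XMLWebService")    # proposed new element
    ET.SubElement(service, "Endpoint").text = endpoint
    ET.SubElement(service, "Operation").text = operation
    record_data = ET.SubElement(ET.SubElement(event, "Record"), "RecordData")  # extended
    for line in records:                                # raw audit lines kept as evidence
        ET.SubElement(record_data, "RecordItem").text = line
    return ET.tostring(incident, encoding="unicode")


def summarize_gsinc(xml_text):
    """Read the grid-specific fields back using the element paths from the slide.
    Reports received from other sites are untrusted XML; in production they go
    through the same size/entity/depth screening as any external document."""
    root = ET.fromstring(xml_text)
    return {
        "id": root.findtext("IncidentID"),
        "principal": root.findtext("EventData/System/Principal/DN"),
        "endpoint": root.findtext("EventData/System/XMLWebService/Endpoint"),
        "operation": root.findtext("EventData/System/XMLWebService/Operation"),
        "records": [r.text for r in root.findall("EventData/Record/RecordData/RecordItem")],
    }


# Constructed sample report (values made up for illustration).
SAMPLE_REPORT = build_gsinc(
    "GSINC-EXAMPLE-001", "/O=Grid/CN=alice",
    "https://ce.example.org/services/JobSubmit", "submitJob",
    ["2004-10-04T09:58:01 AUTH FAIL dn=/O=Grid/CN=alice src=192.0.2.10",
     "2004-10-04T09:58:04 AUTH FAIL dn=/O=Grid/CN=alice src=192.0.2.10"],
)
```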

IODEF top level elements
(Diagram: the EventData element, where the Grid Security Incident data can be placed in the RecordData element)

Principal Element
(Diagram)

XMLWebService Element
(Diagram)

Summary and next steps
The current Grid Security Incident definition provides a basis for discussion and cooperation between software developers and operational security teams
- Continue with Grid/OGSI/OGSA threats analysis
- Provide requirements for logging to most software modules
The proposed GSInc description format based on IODEF can provide a common Incident reporting format for OCST and GOCs/ROCs
- Continue with GSInc format definition based on documented Grid Security Incidents
Need contribution from and cooperation with GOCs/ROCs

Additional information
- Tools for Intrusion Detection and Incident Reporting
- Top ten Web application vulnerabilities from OWASP
- Web Services threats
- IODEF top level elements data model

Tools for Intrusion Detection and Incident Reporting
Intrusion Detection automation
- Snort with IDMEF support (by Silicon Defense): benefits in simple integration, information exchange and easy outsourcing; also implemented by CERT/CC in their AirCERT distributed system
- More information -
Incident Handling
- Mostly proprietary systems, with a growing move to standardisation of the exchange format based on IODEF
- IODEF pilot implementations:
  - CERT/CC AirCERT Automated Incident Reporting -
  - JPCERT/CC: Internet Scan Data Acquisition System (ISDAS) -
  - eCSIRT.net: The European CSIRT Network -

Top ten Web application vulnerabilities from OWASP
- A1 - Unvalidated Input
- A2 - Broken Access Control
- A3 - Broken Authentication and Session Management
- A4 - Cross Site Scripting (XSS) Flaws
- A5 - Buffer Overflows
- A6 - Injection Flaws
- A7 - Improper Error Handling
- A8 - Insecure Storage
- A9 - Denial of Service
- A10 - Insecure Configuration Management
Reference -

Web Services threats
- Web Service interface (WSDL) probing
- Brute force attack on XML parsing system
- Malicious XML Content
- External Reference attacks
- SOAP/XML Protocol attacks
- Underlying transport protocol attacks
Extended analysis is provided in the JRA3.4 Milestone document -

Web Services threats analysis (1)
Web Service interface (WSDL) probing
- WSDL describes the methods and parameters used to access a specific Web Service, and in this way exposes the Web Service to possible attacks
Brute force attack on XML parsing system
- XML parsing is a resource- and time-consuming process. Maliciously constructed XML files may overload the XML parsing system
Malicious XML Content
- XML documents may contain malicious parsing or processing instructions (XML Schema extensions, XPath or XQuery instructions, XSLT instructions, etc.) that may alter the XML parsing process
- Malicious content that may carry threats to the back-end applications or hosting environment

Web Services threats analysis (2)
External Reference attacks
- This group is based on the generic ability of XML to include references to external documents or data types. Poor configuration, or improper use of external resources, can be readily exploited by hackers to create DoS scenarios or information theft.
SOAP/XML Protocol attacks
- The SOAP messaging infrastructure operates on top of network transport protocols, uses similar services for delivering and routing SOAP messages, and therefore can be susceptible to typical network/infrastructure based attacks like Denial of Service (DoS), replay or man-in-the-middle attacks.
Underlying transport protocol attacks
- These are actually not related to XML Web Services but directly affect the reliability of SOAP communications.
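An added example (not from the presentation or the JRA3.4 document) of the kind of input screening a Web Service front end can apply against two of the threat classes above, parser exhaustion and external references, before a SOAP message reaches the application's XML parser. The size and depth limits, the sample messages and the service names are assumptions made up for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET

# Assumed deployment limits (illustrative values, not from the presentation).
MAX_MESSAGE_BYTES = 64 * 1024   # upper bound on one SOAP message
MAX_DEPTH = 32                  # upper bound on element nesting
DECL_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def check_soap_message(raw):
    """Screen one incoming SOAP/XML message before the application parses it.

    Returns (accepted, reason). Each rejection maps to a threat class on the
    slides: oversized or deeply nested input exhausts the XML parser, and
    DOCTYPE/ENTITY declarations are the vehicle for external references and
    entity expansion, so neither is accepted from the network.
    """
    if len(raw) > MAX_MESSAGE_BYTES:
        return False, "message exceeds size limit"
    if DECL_RE.search(raw):
        return False, "DOCTYPE/ENTITY declarations are not accepted"
    depth = 0
    try:
        # Streaming parse, so a rejected document is never fully materialised.
        for event, _elem in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > MAX_DEPTH:
                    return False, "element nesting exceeds depth limit"
            else:
                depth -= 1
    except ET.ParseError:
        return False, "malformed XML"
    return True, "accepted"


# Constructed sample messages (not from the presentation).
BENIGN_SOAP = (b'<?xml version="1.0"?>'
               b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
               b'<soap:Body><submitJob><jdl>Executable = "/bin/hostname";</jdl></submitJob>'
               b'</soap:Body></soap:Envelope>')
WITH_DOCTYPE = b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
TOO_DEEP = b"<a>" * (MAX_DEPTH + 1) + b"x" + b"</a>" * (MAX_DEPTH + 1)
```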

IODEF top level elements
(Diagram)

EventData, where the Grid Security Incident data can be placed
(Diagram)

RecordData Element
(Diagram)