Presentation is loading. Please wait.

Presentation is loading. Please wait.

Gerard Frankowski, PSNC Tomasz Nowocień, PSNC Wayne Routly, DANTE

Published byFlora Griffin Modified over 7 years ago

Similar presentations

Presentation on theme: "Gerard Frankowski, PSNC Tomasz Nowocień, PSNC Wayne Routly, DANTE"— Presentation transcript:

1 Addressing Complex Security Requirements for Network Services in GÉANT Multi-Domain Environments
Gerard Frankowski, PSNC Tomasz Nowocień, PSNC Wayne Routly, DANTE TNC, Reykjavik, 22nd May 2012

2 Agenda Security Landscape Defense-in-Depth Approach
Multi-Domain Security Team (SA2T4) Incident Reporting & Handling Multi-Domain Incident Handling Multi-Domain Security Team Knowledgebase Components Supporting MDS Security Improvements Risk Assessments Fire Drills Supporting Multi-Domain Deployments Cookbooks Penetration Testing and Risk Assessments Security Consultancy Providing Support to Developers Secure Code Training Alternative Security Models Conclusion

3 Security Landscape Growing number of threats on Internet
Increasing number of code vulnerabilities linked to financial losses due to criminal activity Negative impact of not employing consistency secure programming Complexity of multi-domain systems add to complexity of securing services and tools Bad News is that …… Software vulnerabilities are unavoidable in produced software!!

4 Defence-in-Depth Approach
Holy Grail – Towards achieving a state (?) of “Perfect Security” D-in-D is “the ability to manage risks with diverse and defensive strategies” if one layer fails to prevent an attack another layer will prevent a breach Different classes of security solutions are able to identify different threats Approach is amore important in a heterogeneous environment such as GEANT Security is not an extra feature at the end, but must be considered at every stage of the project life span Security Built-In Not Bolted-On

5 Multi-Domain Security Team (SA2 T4) - Cooperating Towards Security
QA Experts SDT: SA2 T5 Programming Experts SA2 T4 Security Experts

6 Incident Reporting & Handling

7 Multi-Domain Incident Handling
Incident Handling is bread and butter of CERT Teams GEANT project is comprised of multi-domain systems and services Need to co-ordinate between multiple CERT Teams in multiple domains – Facilitate communication Multi-Domain Security Incident Handling Workflow Virtual Security Team (VST) Manages this IH Process Pool of NREN CERT Specialists Ticketing System for tracking incidents Provides assistance to CERT Teams and Development Teams MD IH Workflow is a process that ensures that all the relevant and correct parties are kept informed when dealing with an incident

8 Multi-Domain Security Team Knowledgebase
Objective - Retain Knowledge of Incidents Web-Based : Uses RTFM Resource for: Attack Trends Mitigation Solutions Reporting Source Used by the Security Expertise Consultancy & VST Provide Technical Support to NREN CERTs Assist Development Teams to Improve their Systems Learn from incidents and improve the security solutions

9 (the part involving the developers)
SA2T4 Work Sheet (the part involving the developers)

10 Fire drills (1) Fire drill:
exercise that is a simulation of a computer security incident The main goal: to test the incident response procedures and efficiency of communication between NREN CERTs and security teams Test incident response and incident handling procedures Test the effectiveness of the cooperation between different teams Improve the points of contact in the involved teams Improve the cooperation between incident response teams

11 Fire drills (2) Types of fire drill defined by activity:
DDoS attack System compromises Spam Hosting a phishing site Fire drill is to be performed periodically

12 Risk assessment (1) A method of identifying and managing threats that may negatively impact an organization or project

13 Risk assessment (2) Schema

14 Risk assessment (3) Security Metrics
The less, the better MDS Tool is assessed in 3 categories: The MDS tool environment (OS, Web/database server etc.) The configuration of the platform itself The MDS tool in use 0-5 points may be scored for each categories Points for all categories are aggregated to produce the final score 1 point = the basic score +1 point if there are vulnerabilities (+2 points if they are critical) +1 point if exploitable by an unauthorized user +1 point if lead to a system compromise or a critical data loss -1 point if there are extra security measures

15 (the part involving the developers)
SA2T4 Work Sheet (the part involving the developers)

16 Cook Books Is a mechanism to review code for new & existing systems
How do we achieve this List Security Issues for each application Provide an easy to navigate issue compendium What is the cook book - Document Lists Problem What is the Severity of this Problem? What is the Ease of implementing the proposed solution What Activity owns this problem – Define ownership of problem Provides high level solution to mitigate problem Provides Technical solution for developers to implement directly Track effectiveness of cookbook: perform cyclical security review of systems – check for remediation

17 Penetration Testing (1)
„security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network” K. Scarfone, M. Souppaya, A. Cody, A. Orebaugh: “Technical Guide to Information Security Testing and Assessment”, NIST Special Publication , pp. 5.2, 2008 Pen tests are performed on demand on a particular MDS tool instance Methodology: standard (e.g. OISSG-based), but we do not make the full run)

18 Penetration Testing (2) Checklists
Checklists: a useful tool for testers serving a pen test The main goal of a checklist: to organize a test process SED checklists focus on a particular facet of an MDS tool Set of questions with detailed explanations Checklist sheet to be filled Examples of checklists that have been designed: Authentication forms Uploading files functionality SSL/TLS configuration Information disclosure XSS and SQL Injection

19 Security Expertise Consultancies (1)
Security Consultancies provide mechanism to improve the security knowledge amongst the GÉANT community The Main Goal: To provide the administrators and the developers of MDS Tools with necessary security knowledge that relates to their work at the field of security SEC consultants are specialists from NREN CERTs

20 Security Expertise Consultancies (2)
SED Consultancies cover: Network Security Each network layer End Host Security All popular operating systems Application security Each point of the lifecycle of the application Monitoring of network or systems Other security areas Security policies, incident handling procedures, etc.

21 SA2T4 Work Sheet (the part involving the developers)

22 Secure Coding Trainings
The main goal is to minimize the number of security vulnerabilities in the source code of MDS Tools 1 SCT every year for participants 2010 – Poznań, PSNC 2011 – Berlin, DFN 2012 (coming in July) – Prague, CESNET The main topics: High level issues Java secure programming Web services and Web applications Good/bad code patterns Static source code analysis

23 Alternative Security Models
Clusterix (a Polish R&D project, ) Strong orientation towards security Not optimal security/usability balance Only elements of the full security model (e.g. no thorough trainings and source code reviews) PL-Grid (the Polish NGI project, ) Project Security Center established Security audits formally built into the SDLC Much more consistent and full security model Slight optimizations useful: e.g. consistent error pentesting report format (as we apply in GN3)

24 Conclusion Diverse threats on the Internet pose a risk to users
Using multi-layered approach to security ensures all aspects are covered SA2T4 (MDST) Use the Defence-in-Depth Approach to Multi-Domain Security Tools to handling multi-domain security incidents…. KB & MD IH Workflow Supporting MDS Security Improvements…..Risk Assessments, Fire Drills Protecting multi-domain deployments through…Cookbooks, Pen testing, SEC Supporting Developers….Secure Code Training Alternative security approaches to R&D networks

25 Questions? Thank you for your attention!
Gerard Frankowski – Tomasz Nowocień – Wayne Routly –

Download ppt "Gerard Frankowski, PSNC Tomasz Nowocień, PSNC Wayne Routly, DANTE"

Similar presentations

Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
R R R CSE870: Advanced Software Engineering (Cheng): Intro to Software Engineering1 Advanced Software Engineering Dr. Cheng Overview of Software Engineering.

R R R CSE870: Advanced Software Engineering (Cheng): Intro to Software Engineering1 Advanced Software Engineering Dr. Cheng Overview of Software Engineering.
(Geneva, Switzerland, September 2014)

(Geneva, Switzerland, September 2014)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Cloud Usability Framework

Cloud Usability Framework
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
Penetration Testing James Walden Northern Kentucky University.

Penetration Testing James Walden Northern Kentucky University.
PATCH MANAGEMENT: Issues and Practical Solutions Presented by: ISSA Vancouver Chapter March 4, 2004.

PATCH MANAGEMENT: Issues and Practical Solutions Presented by: ISSA Vancouver Chapter March 4, 2004.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.

Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.
Web Security for Network and System Administrators1 Chapter 2 Security Processes.

Web Security for Network and System Administrators1 Chapter 2 Security Processes.
OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.

OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.
 Chapter 14 – Security Engineering 1 Chapter 12 Dependability and Security Specification 1.

 Chapter 14 – Security Engineering 1 Chapter 12 Dependability and Security Specification 1.

Similar presentations

Ads by Google