Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

Published byWhitney Paulina Baldwin Modified over 8 years ago

Similar presentations

Presentation on theme: "Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure."— Presentation transcript:

1 www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure Dr Linda Cornwall, STFC. HEPiX Spring 2015 24 th March 2015 Linda Cornwall, STFC1

2 www.egi.eu WLCG and EGI The (Worldwide) LHC Computing Grid and The European EGI Infrastructure share a lot of the same resources Also share Security teams and activities 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 2

3 www.egi.eu Contents Incident Prevention Policy definition Vulnerability handling Security monitoring Incident handling and incidents from the last year Evolving the work 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 3

4 www.egi.eu Security Incident Prevention Far more work goes into preventing incidents than handling them Security Policy definition Software Security, especially Software Vulnerability handling Security monitoring - monitoring for known vulnerabilities 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 4

5 www.egi.eu Security Policy Definition Security Policy definition is carried out by the EGI Security Policy Group (SPG) Defines the behaviour expected from NGIs, Sites, Users, VOs and other participants to maintain a beneficial and effective working environment Output is various policy documents Parties read and sign, so that they know and understand what they should and should not do 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 5

6 www.egi.eu Software Vulnerability Group message – if you find a vulnerability If it is NOT public knowledge DO NOT Discuss on a mailing list – especially one with an open subscription policy or which is archived publically Post information on a web page Publicise in any way without agreement of SVG DO report to SVG via report-vulnerability@egi.eu 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 6

7 www.egi.eu Software Vulnerability Handling – Approved Procedure If it has not been announced, SVG contacts the software provider and the software provider investigates (with SVG member, reporter as appropriate) If relevant to EGI, a risk assessment is carried out Critical, High, Moderate, Low If not fixed, Target date for resolution set according to risk Critical 3 days (special process), High 6 weeks, Moderate 4 months, Low 1 year. Advisory issued, if/when fixed or on Target date whichever is the sooner. (High and Critical only if ‘announced’) For ‘Critical’ vulnerabilities sites must patch in 7 days. 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 7

8 www.egi.eu High and Critical Vulnerabilities monitored Sites are monitored for ‘High’ and ‘Critical vulnerabilities In last year 5 new critical, 16 High EGI CSIRT chases sites which are exposing ‘Critical’ vulnerabilities For new vulnerabilities sites are given 7 days to patch or face suspension (2 days older) Respond if asked to by IRTF/CSIRT The threat of site suspension has reduced the time sites are exposed to ‘critical’ 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 8

9 www.egi.eu Time taken for sites to patch – courtesy of Daniel Kouril 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 9

10 www.egi.eu Incident Handling – according to approved procedure If you find or suspect an incident at your site report to:-- abuse@egi.eu Your NGI security contact Your Local institute security team Don’t power off the system Disconnect from the network if you can The EGI CSIRT team will help you investigate Fortunately there are not many incidents Incident prevention is quite successful. 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 10

11 www.egi.eu Emergency (User) suspension It is now possible to suspend a User (DN) across the whole infrastructure via ARGUS This may be done in the case of an incident where a DN is implicated E.g. user has mis-used resources Potentially compromised DN This is not 100% working yet Some sites not implementing yet Some types of SE’s not working yet. We need to get this 100% working 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 11

12 www.egi.eu Incidents during last year (8) Primecoin mining (Policy violation) Open Hostkey leaking private information User cert mis-use Fed Cloud incident Due to bad endorsed VM UI compromised (4 user IDs compromized) Shellshock related compromises to Perfsonar nodes (multiple sites) Compromise due to a port being left open DDoS to some EGI services 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 12

13 www.egi.eu Security Training and challenges EGI CSIRT provides security training to site administrators and others E.g. last week at the ISGC in Taipei This includes some hands on forensics training EGI carries out security challenges Challenges to sites with ‘mock’ incidents This year confined to contact challenges 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 13

14 www.egi.eu EGI CSIRT now Trusted Introducer certified 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 14

15 www.egi.eu Evolving the Security Work Evolving the security work is necessary due to e.g. The EGI federated Cloud Changing responsibility model - this has a major impact in incident response Changing technology Long Tail of Science Different trust model Have some EU H2020 funding for ‘EGI engage’ to carry out this evolution 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 15

16 www.egi.eu Policy documents revision Getting rid of ‘Grid’ Policies apply to all technology and services E.g. Acceptable use policy External draft – request for feedback and comments Data Protection Policy Formerly only had “Grid Policy on the handling of User Level Job accounting data Finding Data protection policy needed as User level data is being monitored and exposed inappropriately. 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 16

17 www.egi.eu Vulnerability handling evolution Now more software is coming into use where SVG members have no knowledge – solutions include:-- New members of SVG who know about cloud software, especially tools written within the community ‘Expert’ contact for all software Cloud enabling software deployed in the Fed Cloud VO software – assume VO security contact is responsible and know who to contact No more than 2 steps to the right person. 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 17

18 www.egi.eu Software security checking For some community cloud enabling software have a detailed ‘Technology provider’ questionnaire For other software propose something simpler:-- License details How long will it be under security support? How are security problems reported? Are security problems announced? Check compliance with Data Protection policy Some other simple technical checks – e.g. is user input validated, bad constructs – not obviously bad 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 18

19 www.egi.eu ‘Security Threat risk Assessment’ Security Threat Risk Assessment carried out in 2012 Based on the EGI Deployment as it was then – and other concerns Threats scoring high risk value included:-- New software or technology may be installed which leads to security problems (Highest value) The move to more use of Cloud technologies may lead to security problems Plan to carry out another assessment, based on the EGI Federated Cloud. Based on a written down situation as we understand it, and agreed with the EGI Fed Cloud team This will allow us to identify where the highest risk threats are and address them 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 19

20 www.egi.eu Questions?? 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 20

21 www.egi.eu Links List of policy docs at https://wiki.egi.eu/wiki/SPG:Documents New Acceptable Use Policy https://wiki.egi.eu/wiki/SPG:Drafts:Acceptable_Use_Policy_ March_2015 EGI Software vulnerability handling procedure https://documents.egi.eu/public/ShowDocument?docid=717 Approved Incident handling procedure https://documents.egi.eu/public/ShowDocument?docid=710 Security training example (Taipei March 2015) http://indico3.twgrid.org/indico/sessionDisplay.py?sessionI d=43&tab=time_table&confId=593#20150315 24 th March 2015 Linda Cornwall, STFC. HEPiX Spring conference, Oxford 21

Download ppt "Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure."

Similar presentations

Grid Security Policy GridPP18, Glasgow David Kelsey 21sr March 2007.

Grid Security Policy GridPP18, Glasgow David Kelsey 21sr March 2007.
Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.

Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Network security policy: best practices

Network security policy: best practices
Fermi Computer Incident Response Team Computer Security Awareness Day March 8, 2005 Michael Diesburg.

Fermi Computer Incident Response Team Computer Security Awareness Day March 8, 2005 Michael Diesburg.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.

EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
INFSO-RI-508833 Enabling Grids for E-sciencE Incident Response Policies and Procedures Carlos Fuentes

INFSO-RI Enabling Grids for E-sciencE Incident Response Policies and Procedures Carlos Fuentes
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Security Policy Group EGI Technical Forum Sep 2010 David Kelsey.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Security Policy Group EGI Technical Forum Sep 2010 David Kelsey.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Future support of EGI services Tiziana Ferrari/EGI.eu Future support of EGI.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Future support of EGI services Tiziana Ferrari/EGI.eu Future support of EGI.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
Security Policy Update LCG GDB Prague, 4 Apr 2007 David Kelsey CCLRC/RAL

Security Policy Update LCG GDB Prague, 4 Apr 2007 David Kelsey CCLRC/RAL
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Www.egi.euEGI-InSPIRE RI-261323 www.egi.eu EGI-InSPIRE RI-261323 EGI Future activities Peter Solagna – EGI.eu.

RI EGI-InSPIRE RI EGI Future activities Peter Solagna – EGI.eu.

Similar presentations

Ads by Google