Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, 2008 See: ISS e G Integrated Site Security.

Published byKelly Hart Modified over 8 years ago

Similar presentations

Presentation on theme: "1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, 2008 See: ISS e G Integrated Site Security."— Presentation transcript:

1 1 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ ISS e G Integrated Site Security for Grids EU-FP6 Project 026745 Management case for site security David Jackson, STFC CHEP 07, Victoria BC, 4 September 2007

2 2 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Contents Part 1 - Executive Summary – 2 slides Part 2 – Detailed briefing – 22 slides

3 3 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Contents Part 1 - Executive Summary – 2 slides Part 2 – Detailed briefing – 22 slides

4 4 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Management case -Premise Science today requires participation in Grid environments where multiple sites act as one entity and share resources. As Grid use rises, all sites are at increased risk from electronic attack and compromise. Due to the interconnected nature of Grid sites, once one site has been compromised, all others sites are at increased risk of compromise. Q: Do we want to be the first site compromised? Q: What if we were, what would be the impact? Q: What can we do to prevent being compromised?

5 5 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Management case -Summary 1. Support the implementation of an annual risk assessment process to:  identify what assets are most at risk  review the current level of protection and detection  propose annual improvement plans  identify any additional staff time & costs required 2. Allocate appropriate resources to implement the agreed annual improvement plans 3. Support an integrated approach within the improvement plans to ensure that technical, administrative and educational security aspects are coordinated You are asked to:

6 6 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Contents Part 1 - Executive Summary – 2 slides Part 2 – Detailed briefing – 22 slides

7 7 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Contents  Source of electronic attacks  Impact of an attack  What has the Grid changed?  Prevention: Effective security controls  Concept of Integrated Site Security  Selection of effective security controls  Summary

8 8 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Source of attacks  Who are the attackers?  Internal: Sometimes known to you (e.g. staff, students, visitors)  External: Organised crime conducting electronic attacks - Not just lone teenagers!  What do they want?  Potential to use the Grid/site resources for other attacks and/or illegal activity.

9 9 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Internal - Source of attacks Internal e.g. Known individual Enron  Fraud – Jeffrey Skilling sentenced to 24 years in prison. Oxford University  Two students hacked into the network and exposed personal data & CCTV images with “good intent” (2004) In some cases the liability is clear and can result in the large direct losses (e.g. Enron). In other cases, the potential liability may be equally high (e.g. Data Protection issues for Oxford University) but the organization’s reputation is damaged first

10 10 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ External - Source of attacks External e.g. unknown individual TK Maxx  Parent company (TJX) lost 45 million customer payment card records as the result of an information security breach (2007) Estonian e-government  During early May 2007, most Estonian on line e- government services were targeted using a high bandwidth distributed denial of service attack. It is believed that the TJX incident was the result of organised crime and not a lone teenager.

11 11 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ External - Near Grid example  Fermi National Accelerator Lab In June 2002, the lab network was broken into 17 times and triggered a massive security alert. Due to uncertainty of the nature of the ‘attack’, the lab was disconnected from the Internet for 3 days. The clean up costs were estimated at £21,215 (~ 32,400 USD, 33,300 EUR) plus staff time. Fermi lab reputation for security is intact. They successfully reacted to the incident and could show due diligence. http://www.fnal.gov/pub/news04/inthenews20040105.html

12 12 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ External - Near Grid example  Fermi National Accelerator Lab  Attacker: Joseph McElroy  Age: 16 (at time of attack)  Reason: Wanted to use the network resources to download and store GBs of copyrighted material. ©Image copyrighted by BBC. http://news.bbc.co.uk/1/hi/technology/3452923.stm

13 13 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Question: Is the neat Grid event Q: Is the FERMI incident event relevant?  Grid sites are attractive targets as they have  Large Internet connections (~ 10s of Gbps)  Large data storage (~10s TB)  Large computing resource (~1000s of CPUs)  Allow external access  Highly interconnected (e.g. breaking in at one point gives you access to many sites.) A: Yes. The questions is not “If”, more “When” and “Who”. The likelihood that some Grid sites will be compromised and used to attack other sites (Grid or non Grid) increases with Grid use.

14 14 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Impact of attack  What is most at risk of damage?  Reputation? Funding?  Grid nodes? Computing time?  Staff time?Staff time to restore service? By reacting appropriately to incidents the reputation of an organization can be strengthened. By reacting inappropriately to incidents the reputation of an organization can be damaged.

15 15 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ What has the Grid changed?  Q: What has changed with Grids?  Site boundaries?  Number of users?  Closer interaction and operation with academic partners?  A: All three have changed and expanded. That was how the Grid was designed and we all use it for Science. Turning it off is not a realistic option.

16 16 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Change in site boundaries  The traditional or conventional approach to site security is to draw a border around your site and only let in people that you trust. Site X R  You have administrative control and can decide who can use the resources at your site. You set the boundaries.

17 17 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Change in site boundaries Site Security Boundaries R Site X R R Site Y R R Site Z R Projects within a Grid environment operate as Virtual organizations that share resources between sites.

18 18 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Change in site boundaries R Site X R R Site Y R R Site Z R Virtual organizations use and share resources between sites. Virtual organization

19 19 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ R Site X R R Site Z R R Site Y R Change in site boundaries Your site now has holes within its original boundary. You are at increased risk from others and pose a risk to them as well. Remaining Site Security Boundaries Virtual organization holes in ‘traditional’ site boundaries.

20 20 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Change in site boundaries BeforeAfter Site X R R Our effective site security boundary is now world wide and limited only by the location of users. consequently For effective security we must collaborate with other partners to implement controls to detect and respond to security incidents.

21 21 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Prevention: effective security controls  Security controls A security control is a means of managing risk. They can include: PoliciesProceduresGuidelines Practicesorganizational structuresetc. Typically administrative, technical or educational in nature they are used to:  Protect  DetectAgainst security incidents/events  Respond

22 22 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Prevention: effective security controls So how do you implement security controls? Technical controls: All PCs have anti-virus software on them and they get updates automatically. Education: Explain to users why anti-virus software is on their PC and that they should not turn if off. Administrative controls: The Security Policy states that every PC must run a valid anti-virus software product.

23 23 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Concept of Integrated Site Security In practice: Policy Implementation Inform users

24 24 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Concept of Integrated Site Security Examples Know who is using your network Close accounts when people leave Require all computer users to be officially registered in your organization Explain technical changes to users before, during and after implementation Create and maintain training and awareness campaigns for security polices and best practice. Follow incident response procedures Use security mechanisms and tools, e.g. anti-virus, firewall management, central patch management, intrusion detection etc.

25 25 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Prevention: selecting security controls  Selecting appropriate security controls There are numerous potential security controls that we could use, some appropriate, some not. We should establish a “risk assessment” management process to regularly  Identify what assets or resources are at risk  Analyse the impact these resources have on our site  Implement any agreed safeguards or controls based on the level of risk we are prepared to accept  Monitor that the controls are effective

26 26 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Prevention: selecting security controls Annual improvement plans can be identified and resourced with your help. Changes within the site are opportunities to develop and enhance our security needs. This will help demonstrate due diligence and protect our reputation. Identify Implement Analyse Monitor Continuous process

27 27 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/  As Grid use ↑ => the risk of attack ↑ and attractiveness to attack.  Internal and external individuals may attack us.  Our effective site security boundary is now world wide and limited only by the location of users.  For effective security we must collaborate with other partners to implement controls to detect and respond to security incidents. Appropriate resources need to be allocated to:  Detect and respond to security incidents appropriately  Protect you from the potential liability resulting from the action of others  Protect the reputation of our site within the academic and wider community Summary (1 of 2)

28 28 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Summary (2 of 2) 1. Support the implementation of an annual risk assessment process to:  identify what assets are most at risk  review the current level of protection and detection  propose annual improvement plans  identify any additional staff time & costs required 2. Allocate appropriate resources to implement the agreed annual improvement plans 3. Support an integrated approach within the improvement plans to ensure that technical, administrative and educational security aspects are coordinated You are asked to:

29 29 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Questions  Questions

30 30 I ntegrated S ite S ecurity for G rids www.isseg.eu © Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/ Copyright © Members of the ISSeG Collaboration, 2008.Members of the ISSeG Collaboration Licensed under the Apache License, Version 2.0 (the "License"); you may not use this material except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, Work distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Download ppt "1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, 2008 See: ISS e G Integrated Site Security."

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
Child Safeguarding Standards

Child Safeguarding Standards
Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University.

Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
BRC Storage & Distribution Safety and Quality Management System Training Guide www.brcfoodsafety.com.

BRC Storage & Distribution Safety and Quality Management System Training Guide
1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, 2008 See: ISS e G Integrated Site Security.

1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, 2008 See: ISS e G Integrated Site Security.
Security Controls – What Works

Security Controls – What Works
Riverside Community School District

Riverside Community School District
Mercury Payment Systems Dan Osby Director, Technical Services Technical Lead, Incident Response

Mercury Payment Systems Dan Osby Director, Technical Services Technical Lead, Incident Response
1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, 2008 See: ISS e G Computer Security: Advice for computer.

1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, 2008 See: ISS e G Computer Security: Advice for computer.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Network security policy: best practices

Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Introduction to Network Defense

Introduction to Network Defense

Similar presentations

Ads by Google