Directory/Inventory – info sharing for security people
Linda Cornwall, SIG-ISM, 23rd Feb 2017
Main points
- Some information is public (e.g. already available on a public web page)
- Some information is private
- We define level 1 information as information which is public
- We cannot tell people what they want to make public
- We define level 2 information as information which we share between ourselves
- We define level 3 as information which is more sensitive
Who do we share with?
- I reckon security people within NRENs/Projects/Institutes
- Not just security officers? I'm not a security officer
- There are many security functions
Level 1, what to include
- Suggest 1 top level table containing:
  - Name of NREN/Institute/Project
  - 1 sentence description
  - Location of the NREN/Institute/Project table (in SIG-ISM)
  - Location of the public web page belonging to the NREN/Institute/Project
Then a table per NREN/Institute/Project
- Name
- Link to homepage
- Description
- ISM description – link if public
- Policy docs (public/not public) – link if public
- Software vulnerability handling – link to procedure, advisories
- Other
- Incident prevention
- Incident response
- Contact information (what is public)
Top level table (geant wiki page/table within SIG-ISM; name and local link)

NREN/Institute/Project | Local public geant wiki link       | What is it?                               | Public web
EGI                    | https://wiki.geant.org/......./EGI | Distributed computing project for research | https://www.egi.eu/
FIC-NREN               | ……                                 | Fictional NREN                            | …
Then, e.g. for EGI (Distributed Computing Infrastructure for Research incorporating over 300 datacentres):
- EGI: https://www.egi.eu/
- EGI Intranet (public): https://www.egi.eu/intranet/
- EGI Wiki – much technical documentation: https://wiki.egi.eu/wiki/Main_Page
- Security Policy Documentation: https://wiki.egi.eu/wiki/SPG
- Incident prevention – Software Vulnerability Group: https://wiki.egi.eu/wiki/SVG
- Report a vulnerability: e-mail Report-vulnerability at egi.eu
- Incident prevention – Security Monitoring: sites monitored for critical vulnerabilities, not public
- CSIRT – report a security incident: e-mail Abuse at egi.eu
- Security Incident handling procedure: https://wiki.egi.eu/wiki/SEC01
- Security Officer: e-mail not public
FIC-NREN (fictional NREN, just to demonstrate):
- FIC-NREN: https://www.FIC-NREN
- Security Policy Documentation: not public
- Incident prevention
Alternative – 1 big table

NREN/Project/Institute | Description              | Public home page    | Security contact or officer | Policy docs                   | Vulnerability handling        | Incident handling               | Report incident  | Other
EGI                    | Distributed infrastructure | https://www.egi.eu/ | Not public                  | https://wiki.egi.eu/wiki/SPG | https://wiki.egi.eu/wiki/SVG | https://wiki.egi.eu/wiki/SEC01 | Abuse at egi.eu  |
FIC-NREN               | NREN                     |                     |                             |                               |                               |                                 |                  |

- I tend to prefer the 'page' per NREN/Project/Institute
- Decided I don't like this. But a table could work too, as this would illustrate which NRENs are making what public
What do I think should be public?
- Policy documentation
- Procedure for handling vulnerabilities
- Procedure for handling incidents
- Most documentation, such as ToR or procedures, which doesn't identify specific security risks or problems
- E-mail addresses for reporting problems: generic, not an individual; with anti-spam, e.g. a 'picture' or "security at nren"
- But it is up to projects/NRENs/institutes to decide
Sharing level 2 info
- This needs to be controlled
- Can this be a 'private' wiki?
- Who can have access? 2 options
Level 2 – Option 1 – Known to us
- To register, a group of us need to know the people, i.e. a group of (say) 10-20 of us
- These 10-20 can register people we know
- Then people we know can recommend 1 other person; no further away than that
- We know someone we trust, we trust them to recommend someone, but no more than '1 away'
- In addition, need an institute e-mail?
Level 2 – Option 2 – Institute e-mail
- If people have an institute e-mail, is this enough?
- We register people on request, provided they have an institute e-mail, and provided they agree not to make info public
- This is simpler, and probably enough
- E.g. for EGI SVG: "we ask for you to agree not to reveal information you learn about specific vulnerabilities which is not public except as part of the procedure without the agreement of the group."
What should we share at level 2?
- Whatever people wish
- Table of NREN/Institute/Project, with a link to the wiki page (within SIG-ISM) for that institute
- People put on that non-public page what they wish
- Recommend: name and e-mail of security officers, who to contact for non-public documents, etc.
Who edits?
- If there is a wiki page for level 1 and level 2 per project/institute/NREN, members of that project can be given access rights
- People edit their own page
- The GEANT SIG-ISM wiki probably has the authz in place
Other
- Each NREN/Project defines what roles there are; different people organise things differently
- The NREN/Project is responsible for keeping it up to date
- Check every 6 months that it is up to date; confirm
- Who do we allow, who don't we allow? What vetting mechanism?
Who can join in?
- Limited to education and research
- Start in Europe; later maybe go global
Level 3 info
- More sensitive, more controlled
- Probably a longer term aim
- Bart Bosmia e-mailed: SCIRT – SURFnet Cooperating Incident Response Teams – a good starting point
- Need a group where people 'volunteer'
- To join the group, all members need to have the opportunity to O.K. or object
- Further in the future; start with level 1 and level 2
Other ideas to include
- Public key – X509?
- Info for secure communication?
How secure is the wiki?
- Whatever we put there, the security level of the wiki itself must be good enough for the info
- FOTIS in charge??
Getting started
- 1st page – table of NRENs, pointing to a page per NREN with public info
- Start with level 1 and level 2
- Have some templates for the minimum info required
- I'll e-mail details to Sigita of what is needed; action on me
- Later, think also about a 'virtual water cooler', other virtual meetings, groups within this
Summary
- Set up a wiki for level 1 public info; up to people what they share
- Set up a wiki for level 2 info
- Prefer a wiki page within SIG-ISM in each case which the individual NREN/Institute/Project can edit
- Restrict to education and research
- Level 3, other facilities – later