EGEE is a project funded by the European Union under contract IST-2003-508833
JRA3 - Incident Response: General Issues
Yuri Demchenko, MWSG2, June 16, 2004

Outline
- Goal and motivation
- Incidents and Incident Response: definitions
- Creating an Incident Response capability/service
- Incident Response in EGEE
- Possible steps: discussion

Goal and Motivation
The goal of this presentation is to introduce the Incident Response problem area and raise awareness of it:
- How to create an Incident Response capability?
- What to respond to?
- What standards and practices to follow?
- What may be the first steps?

Incident Response: Definitions
- Incident
- Specifics of perceived Grid incidents
- Incident Response
- Incident Response vs Intrusion Detection

Incident
A computer/ICT security incident is any real or suspected adverse event in relation to the security of a computer or computer network. Typical security incidents in the ICT area are a computer intrusion, a denial-of-service attack, information theft or data manipulation, etc.
- An incident can be defined as a single attack or a group of attacks that can be distinguished from other attacks by the method of attack, the identity of the attackers, victims, sites, objectives, timing, etc.
In general, an incident is a security event that involves a security violation. This may be an event that violates a security policy, a UAP, laws and jurisdictions, etc.
- A security incident may be logical, physical or organisational, for example a computer intrusion, loss of secrecy, information theft, a fire, or an alarm that does not work properly. A security incident may be caused on purpose or by accident; the latter may be the case when somebody forgets to lock a door or forgets to activate an access list on a router.

Incident: any specifics for Grid?
- Depends on the scope and range of the Security Policy, ULA or SLA
- Should be based on threat analysis and a vulnerability model
- Should be based on analysis of Grid processes/workflows
  - Is there a definite model and clear vision of these processes?
  - LCG definition of Grid job/task submission: job submission will normally progress from a User Interface (UI) machine, through a Resource Broker (RB) to a Computing Element (CE) and hence to the compute resource (usually a batch system). In some cases the RB is not used and the UI submits the job directly to the CE. Data access is through a Storage Element (SE) service.
- Q: Should we distinguish between incidents with the Grid applications and processes and those with the underlying infrastructure?
  - Who will handle each of them?

Grid risks and threats analysis
- LCG Risk Analysis is a good starting point
  - Classified by Misuse, Confidentiality and Data Integrity, Infrastructure Disruption and Accidental categories
- Known analyses of the nature of Grid security incidents mostly focus on vulnerabilities of AuthN/AuthZ and certificate compromise
  - E.g., Dane Skow's "A walk through a Grid Security Incident"
  - However, a question remains: how to determine at an early stage that a public key certificate (PKC) has been compromised?

Incident Response
Incident Response includes three major groups of actions/services:
- Incident Triage
  - Assessing and verifying incoming Incident Reports (IR)
- Incident Coordination
  - Categorising incident information, forwarding IRs and arranging interaction with other CSIRTs, ISPs and sites
- Incident Resolution
  - Helping a local site (the victim) recover from an incident; in most cases offered as an optional service

Incident Response and Intrusion Detection
- Intrusion Detection is normally a component of the network infrastructure/services
  - Intrusion Detection Systems (IDS) or sensors are installed on or close to firewalls, routers and switches, or run as a special program over log files
  - ID produces alerts so that suspected activity can be stopped before it escalates into an incident
  - ID is a rather proactive service
- Incident Response is a complex of designated people, policies and procedures
  - Incident Response is a reactive function
- Q: Do we need to tackle Intrusion Detection in JRA3?
  - ID/network protection is the responsibility of the network operator or team; it may be outsourced to the network provider or hosting organisation
  - A CSIRT often has an influence on the network security policy and on IDS policy/criteria

Incident Response Infrastructure/Components
- CSIRTs
  - Organisational form depends on the type of organisation and the required level of support to the community
- Security Policy
  - Defines what is required/allowed/acceptable
- Incident Response Policy
  - What is provided, who receives it and who provides support
- Incident Response Plan
  - Which incidents will be responded to, and how
- RFC 2350 defines a template for an Incident Response Policy

Types of CSIRTs
- Security Group
  - Not formally a CSIRT, but may be a first step towards creating one
- Distributed (Internal) CSIRT
  - Has a well-defined constituency, a central office and (a minimum of) designated staff
  - Most staff share responsibility or are on duty
  - Maintains a common Security and Incident Response policy
  - Publishes advisories, warnings, reports and recommendations
- Coordinating CSIRT
  - Coordinates a wide range of Incident Response activities
  - Creates and maintains a common Security and Incident Response policy
  - Publishes advisories, warnings, reports and recommendations

Incident Response Policy
- Types of incidents and level of support
  - List of incident categories ordered by severity
- Co-operation, interaction and disclosure of information
  - Based on the organisation's Security Policy
  - Availability of information, and an ordered list of the information being considered for release, both personal and vendor's
- Communication and authentication
  - Information protection during communication
  - Mutual authentication between communicating parties
  - Also depending on the information category

Incident Response Procedures
Should be documented in full, or at least in their critical parts:
1. Initial incident reporting and assessment
2. Progress recording
3. Identification and analysis
4. Notification: initial and during progress
5. Escalation: by incident type or service level
6. Containment
7. Evidence collection
8. Removal and recovery

Incident Response in EGEE
- Actual Incident Response will be done at the GOC
  - By Security Groups or internal/external CSIRTs
- Incident Coordination for EGEE
  - A coordinating central or distributed CSIRT servicing the EGEE infrastructure
- To start this activity:
  (1) Inventory and taxonomy
  (2) Contacting GOC/sites and building awareness
  (3) Training and education
    - First CSIRT training workshop at the 2nd EGEE conference (or even around GGF12?)
  (4) Establishing a central EGEE coordinating CSIRT
    - Staffing
    - Defining policies and procedures, formats and forms
    - Promoting and building a network of contacts

What do we have?
- LCG documents for sites: a good starting point and initial framework
- Organisation of security on LCG-1
  - To implement the LCG-1 security procedures and to respond to security incidents, each LCG-1 Regional Centre and each LCG-1 site must designate a security officer
  - Rem: needs to be structured according to common CSIRT practices
- LCG Security Policy specifies (not in detail):
  - Physical security
  - Network security
  - Access control
  - Rem: it refers to site policies, but are they defined?

Standards and Practices
- Incident Response and Incident Handling
  - Standards and recommendations on Incident Response procedures and CSIRT operation: IETF, NIST, TI/TF-CSIRT (TERENA), CERT/CC
- Formats and protocols
  - IDMEF: Intrusion Detection Message Exchange Format
  - IODEF: Incident Object Description and Exchange Format
  - Emerging: RID, Real-time Internetwork Defense (supported by US AFC)
    - Trace security incidents to the source
    - Stop or mitigate the effects of an attack or security incident
- CSIRT community and CSIRT certification
  - An important component of creating a world-wide Incident Response infrastructure

Tools
- Intrusion Detection automation
  - Snort with IDMEF support (by Silicon Defense)
    - Benefits: simple integration, information exchange and easy outsourcing
    - Also implemented by CERT/CC in their AirCERT distributed system
- Incident Handling
  - Mostly proprietary systems, with a growing move towards standardisation of the exchange format based on IODEF
  - IODEF pilot implementations:
    - CERT/CC AirCERT Automated Incident Reporting
    - JPCERT/CC Internet Scan Data Acquisition System (ISDAS)
    - eCSIRT.net: the European CSIRT Network
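The path from IDS alert to exchangeable incident report that the Intrusion Detection, Standards and Tools slides describe, as an added example in Python (not code from EGEE/JRA3, Snort, Silicon Defense or the pilot implementations named above). It assumes the element names of RFC 4765 (IDMEF) and RFC 5070 (IODEF), which were still Internet-Drafts at the time of this talk; the Snort fast-format alert lines, the sensor id snort-sensor-1, the CSIRT name csirt.example.org and the year are constructed for illustration. The grouping rule implements the incident definition given earlier (a group of attacks distinguished by method of attack and identity of the attacker), and the raw sensor line is carried in the report as evidence.

```python
"""Snort fast-alert lines -> IDMEF alerts -> IODEF incident reports.
Added example, not EGEE/JRA3 or Snort code. Element names follow RFC 4765 (IDMEF)
and RFC 5070 (IODEF), both still Internet-Drafts at the time of this talk; the alert
lines, the sensor id and the CSIRT name are constructed for illustration."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"             # RFC 4765
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"  # RFC 5070
YEAR = 2004  # Snort's fast format carries no year; assumed for the samples below
IP_PROTO = {"TCP": "6", "UDP": "17", "ICMP": "1"}       # IODEF Service/@ip_protocol
SEVERITY = {"1": "high", "2": "medium"}                 # Snort priority -> Impact/@severity, else "low"
IMPACT_TYPE = {"Attempted Information Leak": "recon"}   # Snort class -> IODEF Impact/@type, else "unknown"
# Constructed sample lines in Snort "-A fast" format (not real captures).
SAMPLE_ALERTS = [
    "06/16-10:01:25.934640  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.200:1434 -> 198.51.100.7:1434",
    "06/16-10:01:26.120001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.200:1434 -> 198.51.100.9:1434",
    "06/16-10:03:02.000500  [**] [1:1421:11] SNMP AgentX/tcp request [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:40012 -> 198.51.100.7:705",
]
FAST_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

def parse_fast_alert(line, year=YEAR):
    """Parse one Snort fast-format line into a dict; reject anything else."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort fast alert: %r" % line)
    a = dict(m.groupdict(), raw=line.strip())
    stamp = "%d/%s/%s %s" % (year, a["mon"], a["day"], a["time"])
    # assumption: the sensor clock is UTC
    a["time"] = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return a

def to_idmef(a, analyzer_id="snort-sensor-1"):
    """Serialise one parsed alert as an IDMEF-Message, i.e. what the IDS itself emits."""
    q = lambda tag: "{%s}%s" % (IDMEF_NS, tag)
    ET.register_namespace("idmef", IDMEF_NS)
    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, q("Alert"), messageid="%s-%s-%s" % (a["gid"], a["sid"], a["time"].strftime("%Y%m%dT%H%M%S%f")))
    ET.SubElement(alert, q("Analyzer"), analyzerid=analyzer_id, model="Snort")
    ET.SubElement(alert, q("CreateTime")).text = a["time"].isoformat()
    for role, ip in (("Source", a["src"]), ("Target", a["dst"])):
        node = ET.SubElement(ET.SubElement(alert, q(role)), q("Node"))
        ET.SubElement(ET.SubElement(node, q("Address"), category="ipv4-addr"), q("address")).text = ip
    ET.SubElement(alert, q("Classification"), ident="%s:%s:%s" % (a["gid"], a["sid"], a["rev"]), text=a["msg"])
    ET.SubElement(ET.SubElement(alert, q("Assessment")), q("Impact"), severity=SEVERITY.get(a["prio"], "low"))
    return ET.tostring(msg, encoding="unicode")

def group_incidents(alerts):
    """Triage rule from the incident definition: one incident = the same attack method
    (rule gid:sid) from the same attacker, however many victims it hit."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["gid"], a["sid"], a["src"])].append(a)
    return [groups[k] for k in sorted(groups)]

def to_iodef(alerts, incident_no, csirt="csirt.example.org"):
    """Wrap one alert group as an IODEF-Document for exchange with other CSIRTs."""
    q = lambda tag: "{%s}%s" % (IODEF_NS, tag)
    ET.register_namespace("", IODEF_NS)
    first = alerts[0]
    doc = ET.Element(q("IODEF-Document"), version="1.00", lang="en")
    inc = ET.SubElement(doc, q("Incident"), purpose="reporting")
    ET.SubElement(inc, q("IncidentID"), name=csirt).text = str(incident_no)
    ET.SubElement(inc, q("ReportTime")).text = max(a["time"] for a in alerts).isoformat()
    ET.SubElement(inc, q("Description")).text = "%s from %s (%d alerts)" % (first["msg"], first["src"], len(alerts))
    ET.SubElement(ET.SubElement(inc, q("Assessment")), q("Impact"),
                  type=IMPACT_TYPE.get(first["cls"] or "", "unknown"), severity=SEVERITY.get(first["prio"], "low"))
    ET.SubElement(ET.SubElement(inc, q("Contact"), role="creator", type="organization"), q("ContactName")).text = csirt
    for a in alerts:
        ev = ET.SubElement(inc, q("EventData"))
        ET.SubElement(ev, q("DetectTime")).text = a["time"].isoformat()
        flow = ET.SubElement(ev, q("Flow"))
        for cat, ip, port in (("source", a["src"], a["sport"]), ("target", a["dst"], a["dport"])):
            system = ET.SubElement(flow, q("System"), category=cat)
            ET.SubElement(ET.SubElement(system, q("Node")), q("Address"), category="ipv4-addr").text = ip
            if port:  # ICMP alerts carry no port
                svc = ET.SubElement(system, q("Service"), ip_protocol=IP_PROTO.get(a["proto"].upper(), "0"))
                ET.SubElement(svc, q("Port")).text = port
        rec = ET.SubElement(ET.SubElement(ev, q("Record")), q("RecordData"))  # raw line kept as evidence
        ET.SubElement(rec, q("RecordItem"), dtype="string").text = a["raw"]
    return ET.tostring(doc, encoding="unicode")

def report(lines=SAMPLE_ALERTS):
    """Full pipeline: sensor lines -> IDMEF alerts -> grouped IODEF incident reports."""
    alerts = [parse_fast_alert(line) for line in lines]
    idmef = [to_idmef(a) for a in alerts]
    iodef = [to_iodef(g, 1000 + i) for i, g in enumerate(group_incidents(alerts))]
    return idmef, iodef
```

Calling report() on the three sample lines yields three IDMEF alerts (one per sensor event, the granularity an IDS works at) but only two IODEF incidents, because the two worm alerts share rule and source and are one incident by the definition above. Anything the parser does not recognise is rejected rather than silently dropped, so a malformed sensor feed surfaces at triage instead of producing an empty report.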

Summary: next steps
- Inventory and taxonomy
- Contact with GOC/ROC
- Decide on the organisational structure for the EGEE Incident Response capability/infrastructure
- Prepare the 1st CSIRT workshop