Standards and Practices in Operational Security
Yuri Demchenko, AIRG UvA
EGEE is a project funded by the European Union under contract IST-2003-508833.
Presented at the GGF12 OpSec Workshop, September 20.

Outline
- Standards and practices
- CSIRT community and projects
- Grid Security Incident definition and description format
- Summary
Format: a short overview plus extensive additional material.

Goal
The goal of this presentation is to provide a short overview of existing standards and practices in the area of operational security and security incident response:
- Reference information, for future developers
- CSIRT communities and projects information, for possible cooperation
- Grid Security Incident definition and description format, for further discussion and contribution

Standards and Practices
Incident Response and Incident Handling
- Standards and recommendations on Incident Response procedures and CSIRT operation: IETF, NIST, OGSF, OASIS
- Security risk management: ISO, NIST, ISACA
Formats and protocols
- IDMEF – Intrusion Detection Message Exchange Format
- IODEF – Incident Object Description and Exchange Format
- Emerging: RID – Real-time Internetwork Defense (supported by US AFC); trace security incidents to the source, stop or mitigate the effects of an attack or incident
Incident Response practices
- CERT/CC recommendations and advisories
- Trusted Introducer (TERENA/TF-CSIRT) CSIRT certification procedure

Standardisation bodies
- ISO/IEC – wide scope of coverage, focusing on standardization; the more general framework and the most relevant
- IETF – focuses on Internet-related technical security requirements
- NIST-CSRC – wide scope of coverage for both government and enterprise needs; many relevant documents that can be leveraged
- OASIS – Application Vulnerability Description Language (AVDL)
- OGSF (Open Group Security Forum) – specifications, tools, guidelines and best practices for businesses, responsibilities, liabilities and trust relationships; started the Intrusion Attack and Response Workshop
Best practices and recommendations
- CERT/CC – a center of Internet security expertise; recommendations, advisories, practices, research
- SANS (System Administration, Networking, and Security) Institute – focuses on SysAdmin, Audit, Network, and Security research and education
- ISACA – most noted for CoBIT, which provides a comprehensive framework for IT governance, including security
- ISSA – comprehensive coverage of security issues and solutions for InfoSec practitioners; GAISP (Generally Accepted Information Security Principles)

ISO/IEC 17799:2000 – Code of Practice for Information Security Management
High-level, general description of the areas considered important when initiating, implementing or maintaining information security in an organization:
1. Establishing organizational security policy
2. Organizational security infrastructure
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Legal compliance
ISO 17799 provides a basis for different audit checklists, risk analysis methodologies and compliant security policies.
Additional: the BS specification for Information Security Management Systems (ISMS).

IETF Working Groups and documents
- GRIP (concluded) – Guidelines and Recommendations for Security Incident Processing
- IDMEF (concluded) – Intrusion Detection Message Exchange Format
- INCH – Extended Incident Handling WG
  - IODEF and RID development
- OPSEC – Operational Security Requirements Working Group
  - Requirements for secure deployment and operation of managed network elements at OSI layers 2 and 3; targets ISPs and vendors
- RFC Guidelines for Writing RFC Text on Security Considerations
  - Discusses the Internet threat model, including active and passive attacks and DoS

Incident Response and Operational Security
Products of the GRIP WG:
- RFC Site Security Handbook (replacing RFC 1244)
- RFC 2350 Expectations for Security Incident Response Teams
- RFC 2504 Users' Security Handbook
- RFC 3013 Recommended Internet Service Provider Security Services and Procedures
- RFC 3227 Guidelines for Evidence Collection and Archiving
- RFC Internet Security Glossary

Incident Response Components (according to RFC 2350)
- The CSIRT's organisational form depends on the type of organisation and the required level of support to the community
- Security Policy: defines what is required/allowed/acceptable
- Incident Response Policy: what is provided, who receives it and who provides support
- Incident Response Plan: which incidents will be responded to, and how
- RFC 2350 provides templates for the Incident Response Policy and other documents

CSIRT Community and Projects
CSIRT community
- The Incident Response infrastructure is based on mutual trust and established channels
- New developments come via projects and community initiatives
FIRST – Forum for Incident Response Teams
- List of member CSIRT teams
TF-CSIRT – TERENA Task Force for CSIRT Coordination in Europe
- List of European CSIRTs
CSIRTs: national, governmental, NRENs', corporate, etc.
- Designated points of contact in case of a computer/cyber security incident

TF-CSIRT
Services for CSIRTs
- Trusted Introducer for CSIRTs in Europe
- IRT Object in the RIPE Database (ripe-254)
TF-CSIRT activities
- CHIHT – Clearinghouse of Incident Handling Tools
- TRANSITS – Training for new CSIRTs (supported by an EU project)
- IODEF – Initial definition and implementation (transferred to the IETF INCH WG)

European Initiatives and Projects
European Network and Information Security Agency (ENISA)
- ENISA aims at ensuring particularly high levels of network and information security and will contribute to the development of a culture of network and information security within the Community
eCSIRT.net (European CSIRT Network)
- Deployment of new techniques and practices to efficiently exchange incident-related data, collect statistical information and cooperate in incident prevention. An operational network of IDS sensors across Europe allows collection of data about attacks for further analysis.
TRANSITS (Training of Network Security Incident Teams Staff)
- European project to promote the establishment of new CSIRTs and the enhancement of existing CSIRTs by means of training. Extended training materials have been created.

EGEE JRA3.4 documents
- Framework for establishing Incident Response Capability
  - Joint document with OSG/JSG/LCG/EGEE
- Dictionary of Computer Security and Incident Response terms (more than 100 terms)
- Grid Security Incident definition and exchange format

Grid Security Incident (GSInc)
- Computer Security Incident – general definition
- Any specifics of the Grid Security Incident?
  - Step (1): Web Services threats analysis
  - Step (2): to be extended with Grid/OGSI/OGSA threats analysis
- Format for Grid Security Incident description: as an extension to IODEF

Computer Security Incident
A computer/ICT security incident is defined as any real or suspected adverse event in relation to the security of a computer or computer network. Typical security incidents within the ICT area are: a computer intrusion, a denial-of-service attack, information theft or data manipulation, etc.
- An incident can be defined as a single attack or a group of attacks that can be distinguished from other attacks by the method of attack, identity of attackers, victims, sites, objectives or timing, etc.
An incident in general is defined as a security event that involves a security violation. This may be an event that violates a security policy, UAP, laws and jurisdictions, etc.
- A security incident may be logical, physical or organisational, for example a computer intrusion, loss of secrecy, information theft, fire or an alarm that doesn't work properly. A security incident may be caused on purpose or by accident. The latter may be the case if somebody forgets to lock a door or forgets to activate an access list in a router.

Incident – any specifics for Grid?
Grid Security Incident definition
- Depends on the scope and range of the Security Policy, ULA, or SLA
- Should be based on threat analysis and a vulnerabilities model
- Should be based on Grid processes/workflow analysis
The GSInc definition is the base for the GSInc description format
- What information should be collected, and how to exchange and handle it
Grid Security Incident vs Grid Security Event
- A Security Incident is the result of a successful attempt; an attempt generates a security event
- An Event is an issue for Intrusion Detection; an Incident is an issue for Incident Response

Web Services threats analysis
- Web Service interface (WSDL) probing
- Brute force attack on the XML parsing system
- Malicious XML content
- External reference attacks
- SOAP/XML protocol attacks
- Underlying transport protocol attacks

Types of GSInc and audit events (1)
Security credentials compromise (e.g., private key, proxy credential)
- Patterns of credential usage:
  - broken chain of PKC/keys/credentials
  - a copy is discovered in an improper place
  - usage originating from a location other than the default one
  - subsequent failed attempts to request action(s)
- PDP/PEP logging/audit
Remaining problems
- How to determine at an early stage that a private key has been compromised?
- May require storing (not caching) credentials and adding a history/evidence chain to the credential format; X.509 credentials are not capable of this
Note: audit/log events together with related data can also be referred to as Evidence.

Types of GSInc and audit events (2)
Attempt to access sensitive data/information with a lower level of privileges
- Access log
- Etc.
Credit limit on a resource exhausted
- A few unsuccessful attempts to run actions with unmatched credit

GSInc description format
Can be based on IODEF, currently being developed by the IETF INCH WG
- Top-level element: Incident
- Incident data in the EventData element: Incident/EventData
Elements extended or added
- EventData/Record/RecordData – extended
- EventData/System/XMLWebService – new
- EventData/System/Principal – new
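The element placement described on this slide, as an added example that is not part of the original presentation or of the EGEE JRA3 work: a Python script that builds an IODEF Incident with Grid-specific data in the proposed locations (EventData/System/Principal and EventData/System/XMLWebService as new elements, EventData/Record/RecordData extended with audit log lines) and extracts them again on the receiving side. It assumes the IODEF 1.0 namespace later published in RFC 5070 (the slides refer to the earlier INCH draft), a hypothetical `urn:example:gsinc-extension` namespace, and child elements (`SubjectDN`, `Endpoint`, `Operation`) that the slides do not specify; the audit lines are constructed.

```python
import xml.etree.ElementTree as ET

# IODEF 1.0 namespace as published in RFC 5070; the slides refer to the INCH WG
# draft that preceded it, whose element names used here are the same.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
# Hypothetical namespace for the Grid extension elements (assumption: the
# slides name the elements but give no namespace or content model).
GSINC_NS = "urn:example:gsinc-extension"

ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("gsinc", GSINC_NS)

# Constructed audit log lines carried as evidence in RecordData.
SAMPLE_RECORDS = [
    "2004-09-20T10:05:00 /DC=org/DC=example/CN=carol ui.example.org job-submit DENY-AUTHN",
    "2004-09-20T10:05:15 /DC=org/DC=example/CN=carol ui.example.org job-submit DENY-AUTHN",
    "2004-09-20T10:05:30 /DC=org/DC=example/CN=carol ui.example.org job-submit DENY-AUTHN",
]


def qn(ns: str, tag: str) -> str:
    """Clark-notation qualified name as ElementTree expects it."""
    return f"{{{ns}}}{tag}"


def build_gsinc_document(incident_id, report_time, principal_dn, endpoint, operation, record_lines):
    """Build an IODEF Incident carrying Grid-specific data where the slide proposes it."""
    doc = ET.Element(qn(IODEF_NS, "IODEF-Document"), version="1.00")
    inc = ET.SubElement(doc, qn(IODEF_NS, "Incident"), purpose="reporting")
    ET.SubElement(inc, qn(IODEF_NS, "IncidentID"), name="csirt.example.org").text = incident_id
    ET.SubElement(inc, qn(IODEF_NS, "ReportTime")).text = report_time
    assessment = ET.SubElement(inc, qn(IODEF_NS, "Assessment"))
    ET.SubElement(assessment, qn(IODEF_NS, "Impact"), type="user")
    contact = ET.SubElement(inc, qn(IODEF_NS, "Contact"), role="creator", type="organization")
    ET.SubElement(contact, qn(IODEF_NS, "ContactName")).text = "Example Grid CSIRT"

    event = ET.SubElement(inc, qn(IODEF_NS, "EventData"))
    system = ET.SubElement(event, qn(IODEF_NS, "System"), category="target")
    node = ET.SubElement(system, qn(IODEF_NS, "Node"))
    ET.SubElement(node, qn(IODEF_NS, "NodeName")).text = "ce01.example.org"
    # New elements under System as proposed on the slide; their children are assumed.
    principal = ET.SubElement(system, qn(GSINC_NS, "Principal"))
    ET.SubElement(principal, qn(GSINC_NS, "SubjectDN")).text = principal_dn
    service = ET.SubElement(system, qn(GSINC_NS, "XMLWebService"))
    ET.SubElement(service, qn(GSINC_NS, "Endpoint")).text = endpoint
    ET.SubElement(service, qn(GSINC_NS, "Operation")).text = operation
    # Extended RecordData: one RecordItem per audit log line.
    record = ET.SubElement(event, qn(IODEF_NS, "Record"))
    record_data = ET.SubElement(record, qn(IODEF_NS, "RecordData"))
    for line in record_lines:
        ET.SubElement(record_data, qn(IODEF_NS, "RecordItem"), dtype="string").text = line
    return doc


def sample_document() -> str:
    """Serialise a constructed GSInc report for the sample records above."""
    doc = build_gsinc_document(
        "GSINC-2004-0001", "2004-09-20T10:06:00+02:00",
        "/DC=org/DC=example/CN=carol",
        "https://ce01.example.org/services/JobSubmit", "submitJob", SAMPLE_RECORDS)
    return ET.tostring(doc, encoding="unicode")


def extract_gsinc(xml_text: str) -> dict:
    """Pull the Grid-specific fields back out of a received document."""
    root = ET.fromstring(xml_text)
    ns = {"iodef": IODEF_NS, "gsinc": GSINC_NS}
    return {
        "incident_id": root.findtext("iodef:Incident/iodef:IncidentID", namespaces=ns),
        "principal": root.findtext(".//iodef:System/gsinc:Principal/gsinc:SubjectDN", namespaces=ns),
        "endpoint": root.findtext(".//iodef:System/gsinc:XMLWebService/gsinc:Endpoint", namespaces=ns),
        "operation": root.findtext(".//gsinc:XMLWebService/gsinc:Operation", namespaces=ns),
        "records": [item.text for item in root.iterfind(".//iodef:RecordData/iodef:RecordItem", ns)],
    }


if __name__ == "__main__":
    xml_text = sample_document()
    print(xml_text)
    print(extract_gsinc(xml_text))
```

Keeping the extension elements in their own namespace lets a plain IODEF consumer skip them while a Grid-aware CSIRT tool reads them; the evidence lines in RecordData are what the incident handler correlates against the PDP/PEP audit trail.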

IODEF top level elements (figure)
EventData element, where the Grid Security Incident data can be placed (figure)
RecordData element (figure)

Principal element – draft (figure)

XMLWebService element (figure)

Summary
- There is an extensive standards base for Operational Security
- There is a well-organised CSIRT community in Europe and worldwide
- Cooperation is inevitable and beneficial; however, to make it effective the Grid community needs to understand its own needs and specifics
  - Grid risk analysis and the Grid Security Incident definition are important steps on this way
- Ongoing EGEE developments
  - Continue on the GSInc definition and format, also providing requirements for logging

Appendix
- ISO/IEC Security Standards
- IETF Security RFC summary
- NIST CSRC Security Publications
- Incident Response components
- GSInc data model components

ISO/IEC JTC1 SC27 Security Standards
- ISO/IEC 17799 – Code of Practice for Information Security Management: revision in progress; Part 2 being justified
- ISO/IEC – Management of ICT Security: from guidelines to standards, draft status
- ISO/IEC – Common Criteria: new parts being drafted
- ISO/IEC – Framework for IT Security Assurance: new extension to an existing ISO/IEC standard
- ISO/IEC – IT Network Security: from guideline to standards
- ISO/IEC – Guidelines for Implementation, Operation, and Management of IDS: new addition to an existing ISO/IEC standard
- ISO/IEC – Information Security Incident Management: new addition to an existing ISO/IEC standard
- ISO/IEC – Methodology for IT Security Evaluation: new addition to an existing ISO/IEC standard
- ISO/IEC – Security Assessment of Operational Systems: new addition to an existing ISO/IEC standard
- ISO/IEC – Framework for Security Evaluation & Testing of Biometric Technology: collaboration with SC17

IETF Security RFCs
RFC Site Security Handbook (replaces the now obsolete RFC 1244)
This handbook is a guide to setting computer security policies and procedures for sites that have systems on the Internet (however, the information provided should also be useful to sites not yet connected to the Internet). This guide lists issues and factors that a site must consider when setting their own policies. It makes a number of recommendations and provides discussions of relevant areas.
RFC 2350 Expectations for Security Incident Response Teams
This document describes the general Internet community's expectations of Computer Security Incident Response Teams (CSIRTs). It is not possible to define a set of requirements that would be appropriate for all teams, but it is possible and helpful to list and describe the general set of topics and issues which are of concern and interest to constituent communities.
RFC 2504 Users' Security Handbook
This document provides guidance to the end-users of computer systems and networks about what they can do to keep their data and communication private, and their systems and networks secure. Part Two of this document concerns "corporate users" in small, medium and large corporate and campus sites. Part Three of the document addresses users who administer their own computers, such as home users. System and network administrators may wish to use this document as the foundation of a site-specific users' security guide; however, they should consult the Site Security Handbook first.
RFC 3013 Recommended Internet Service Provider Security Services and Procedures
The purpose of this document is to express what the engineering community as represented by the IETF expects of Internet Service Providers (ISPs) with respect to security. It is not the intent of this document to define a set of requirements that would be appropriate for all ISPs, but rather to raise awareness among ISPs of the community's expectations, and to provide the community with a framework for discussion of security expectations with current and prospective service providers.
RFC 3227 Guidelines for Evidence Collection and Archiving
The purpose of this document is to provide System Administrators with guidelines on the collection and archiving of evidence relevant to such a security incident. If evidence collection is done correctly, it is much more useful in apprehending the attacker, and stands a much greater chance of being admissible in the event of a prosecution.

NIST Computer Security Resource Center (CSRC)
Relevant NIST CSRC publications:
- Draft SP – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, May 2004
- SP – Computer Security Incident Handling Guide, January 2004
- SP – Building an Information Technology Security Awareness and Training Program, October 2003
- SP – Contingency Planning Guide for Information Technology Systems, June 2002
- SP Rev. A – Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A, June 2004
- SP – Security Considerations in the Information System Development Life Cycle, October 2003
- Draft SP Rev. A – Risk Management Guide for Information Technology Systems, December

Incident Response and Intrusion Detection
Intrusion Detection is normally a component of the network infrastructure/services
- Intrusion Detection Systems (IDS) or sensors are installed on or close to firewalls, routers and switches, or run as a special program over log files
- ID produces alerts to prevent suspected activity from escalating into an incident
- ID is rather a proactive service
Incident Response is a complex of designated people, policies and procedures
- Incident Response is a reactive function
Different responsibilities
- ID/network protection is a responsibility of the network operator or team; it may be outsourced to the network provider or hosting organisation
- The CSIRT often has an influence on the network security policy and on the IDS policy/criteria

Incident response
Incident response includes three major groups of actions/services:
- Incident Triage: assessing and verifying incoming Incident Reports (IR)
- Incident Coordination: categorising incident information, forwarding IRs and arranging interaction with other CSIRTs, ISPs and sites
- Incident Resolution: helping a local site (the victim) to recover from an incident; in most cases offered as an optional service

Incident Response Policy
Types of incidents and level of support
- List of incident categories ordered by severity
Co-operation, interaction and disclosure of information
- Based on the organisation's Security Policy
- Availability of information, and an ordered list of the information being considered for release, both personal and vendor's
Communication and authentication
- Information protection during communication
- Mutual authentication between communicating parties, also depending on the information category

Incident Response Procedures
Should be documented in full or in their critical parts:
1. Initial incident reporting and assessment
2. Progress recording
3. Identification and analysis
4. Notification – initial and during progress
5. Escalation – by incident type or service level
6. Containment
7. Evidence collection
8. Removal and recovery

Tools
Intrusion Detection automation
- Snort with IDMEF support (by Silicon Defense): benefits in simple integration, information exchange and easy outsourcing; also implemented by CERT/CC in their AirCERT distributed system
Incident Handling
- Mostly proprietary systems, with a growing move towards standardisation of the exchange format based on IODEF
- IODEF pilot implementations:
  - CERT/CC AirCERT Automated Incident Reporting
  - JPCERT/CC Internet Scan Data Acquisition System (ISDAS)
  - eCSIRT.net: The European CSIRT Network

Web Services threats analysis (1)
Web Service interface (WSDL) probing
- WSDL describes the methods and parameters used to access a specific Web Service, and in this way exposes the Web Service to possible attacks
Brute force attack on the XML parsing system
- XML parsing is a resource- and time-consuming process. Maliciously constructed XML files may overload the XML parsing system
Malicious XML content
- XML documents may contain malicious parsing or processing instructions (XML Schema extensions, XPath or XQuery instructions, XSLT instructions, etc.) that may alter the XML parsing process
- Malicious content may carry threats to the back-end applications or hosting environment

Web Services threats analysis (2)
External reference attacks
- This group is based on the generic ability of XML to include references to external documents or data types. Poor configuration or improper use of external resources can be readily exploited by hackers to create DoS scenarios or information theft.
SOAP/XML protocol attacks
- The SOAP messaging infrastructure operates on top of network transport protocols, uses similar services for delivering and routing SOAP messages, and therefore can be susceptible to typical network/infrastructure-based attacks such as Denial of Service (DoS), replay or man-in-the-middle attacks.
Underlying transport protocol attacks
- These are not actually related to XML Web Services, but they directly affect the reliability of SOAP communications.
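A service-side mitigation for two of the threat classes on these two slides, the brute force attack on the XML parsing system and the external reference attacks, as an added example that is not part of the original presentation: a Python parser front-end built on the standard-library expat bindings that refuses any DOCTYPE, entity declaration or external entity reference before the parser acts on them, and caps document size, element count and nesting depth. The limits are illustrative defaults, and the payloads are constructed, not captured traffic.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document trips one of the defensive limits below."""


class GuardedXMLParser:
    """Expat-based parser for incoming SOAP/XML payloads.

    Rejects DOCTYPE/entity declarations and external entity references
    (external reference attacks, entity-expansion bombs) and refuses
    documents that are too large, too deeply nested or contain too many
    elements (brute force on the XML parsing system). Limits are
    illustrative defaults, not values from the slides.
    """

    def __init__(self, max_bytes=64 * 1024, max_depth=32, max_elements=10_000):
        self.max_bytes = max_bytes
        self.max_depth = max_depth
        self.max_elements = max_elements
        self.depth = 0
        self.deepest = 0
        self.elements = 0

    # expat callbacks, with the signatures xml.parsers.expat defines for them
    def _reject_doctype(self, name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed: {name!r}")

    def _reject_entity(self, name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration not allowed: {name!r}")

    def _reject_external(self, context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference not allowed: {sysid!r}")

    def _start(self, name, attrs):
        self.depth += 1
        self.elements += 1
        self.deepest = max(self.deepest, self.depth)
        if self.depth > self.max_depth:
            raise UnsafeXMLError(f"nesting depth {self.depth} exceeds {self.max_depth}")
        if self.elements > self.max_elements:
            raise UnsafeXMLError(f"element count exceeds {self.max_elements}")

    def _end(self, name):
        self.depth -= 1

    def parse(self, data: bytes) -> dict:
        """Parse `data`; return simple statistics, or raise UnsafeXMLError."""
        if len(data) > self.max_bytes:
            raise UnsafeXMLError(f"document of {len(data)} bytes exceeds {self.max_bytes}")
        parser = expat.ParserCreate()
        # Never read parameter entities (external DTD subsets and the like).
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
        parser.StartDoctypeDeclHandler = self._reject_doctype
        parser.EntityDeclHandler = self._reject_entity
        parser.ExternalEntityRefHandler = self._reject_external
        parser.StartElementHandler = self._start
        parser.EndElementHandler = self._end
        parser.Parse(data, True)
        return {"elements": self.elements, "max_depth": self.deepest}


def is_rejected(data: bytes) -> bool:
    """True if the guarded parser refuses `data` (malformed XML is refused too)."""
    try:
        GuardedXMLParser().parse(data)
    except (UnsafeXMLError, expat.ExpatError):
        return True
    return False


# Constructed payloads for illustration.
BENIGN = b"<Incident><EventData><Record/></EventData></Incident>"
ENTITY_BOMB = b'<!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><x>&b;</x>'
EXTERNAL_DTD = b'<!DOCTYPE x SYSTEM "http://dtd.example.invalid/x.dtd"><x/>'
DEEP_NESTING = b"<a>" * 200 + b"</a>" * 200

if __name__ == "__main__":
    print("benign:", GuardedXMLParser().parse(BENIGN))
    for label, payload in [("entity bomb", ENTITY_BOMB),
                           ("external DTD", EXTERNAL_DTD),
                           ("deep nesting", DEEP_NESTING)]:
        print(f"{label}: {'rejected' if is_rejected(payload) else 'accepted'}")
```

The size check runs before the parser is even created, so an oversized message costs only a length comparison; the DOCTYPE handler fires at the `<!DOCTYPE` token, before any entity in the internal subset is expanded. A rejection is also a security event worth logging with the source identity, which ties this check to the audit events discussed later.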

Grid Security Incident vs Grid Security Event
A Security Incident is the result of a successful attempt
- An attempt generates a security event
Examples of Grid-specific security events
- a few sequential failed logins – far too common an event everywhere; what is the threshold?
- SOAP port scanning
- HTTPS DoS attack – is it related to Grid?
- patterns of suspected private key compromise
- patterns of suspected AuthN/AuthZ security token compromise
- attempt to access sensitive information
- credit limit probing
An Event is an issue for Intrusion Detection; an Incident is an issue for Incident Response
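The event-versus-incident distinction and the threshold question on this slide, together with the "originated not from default location" credential-usage pattern from the earlier audit-events slide, as an added example that is not part of the original presentation: a Python correlator that reads PDP/PEP audit records, keeps a sliding window per principal, and raises an alert only when a burst of failed logins or credit-limit denials reaches a configurable threshold, or when one credential is used from a second host while still active on the first. The log format and the audit lines are constructed; thresholds and the window are the tunable part the slide asks about.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit log in a hypothetical PEP/PDP format (not a real middleware format):
# "<ISO time> <principal DN> <client host> <requested action> <decision>"
SAMPLE_LOG = """\
2004-09-20T10:00:01 /DC=org/DC=example/CN=alice ui.example.org job-submit PERMIT
2004-09-20T10:00:10 /DC=org/DC=example/CN=bob ui.example.org job-submit DENY-AUTHN
2004-09-20T10:00:20 /DC=org/DC=example/CN=bob ui.example.org job-submit DENY-AUTHN
2004-09-20T10:00:30 /DC=org/DC=example/CN=bob ui.example.org job-submit PERMIT
2004-09-20T10:05:00 /DC=org/DC=example/CN=carol ui.example.org job-submit DENY-AUTHN
2004-09-20T10:05:15 /DC=org/DC=example/CN=carol ui.example.org job-submit DENY-AUTHN
2004-09-20T10:05:30 /DC=org/DC=example/CN=carol ui.example.org job-submit DENY-AUTHN
2004-09-20T10:05:45 /DC=org/DC=example/CN=carol ui.example.org job-submit DENY-AUTHN
2004-09-20T11:00:00 /DC=org/DC=example/CN=alice ui.example.org job-submit PERMIT
2004-09-20T11:00:40 /DC=org/DC=example/CN=alice wn17.other.example.net storage-read PERMIT
2004-09-20T12:00:00 /DC=org/DC=example/CN=dave ui.example.org job-submit DENY-CREDIT
2004-09-20T12:00:30 /DC=org/DC=example/CN=dave ui.example.org job-submit DENY-CREDIT
2004-09-20T12:01:00 /DC=org/DC=example/CN=dave ui.example.org job-submit DENY-CREDIT
"""


@dataclass
class Event:
    time: datetime
    principal: str
    host: str
    action: str
    decision: str


@dataclass
class Alert:
    kind: str
    principal: str
    first_seen: datetime
    last_seen: datetime
    count: int


# Event patterns named on the slide; the threshold is what turns a count into an alert.
COUNT_RULES = {
    "failed-login-burst": lambda e: e.decision == "DENY-AUTHN",
    "credit-limit-probe": lambda e: e.decision == "DENY-CREDIT",
}


def parse_event(line: str) -> Event:
    time, principal, host, action, decision = line.split()
    return Event(datetime.fromisoformat(time), principal, host, action, decision)


def correlate(log_text: str, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Return the alerts an incident handler should look at; everything else stays an event."""
    alerts = []
    recent = defaultdict(deque)   # (rule, principal) -> times of matching events in the window
    permits = defaultdict(deque)  # principal -> (time, host) of successful requests in the window
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        e = parse_event(line)
        for rule, matches in COUNT_RULES.items():
            if not matches(e):
                continue
            q = recent[(rule, e.principal)]
            q.append(e.time)
            while q and e.time - q[0] > window:
                q.popleft()
            if len(q) == threshold:  # fire once, when the burst reaches the threshold
                alerts.append(Alert(rule, e.principal, q[0], e.time, len(q)))
        if e.decision == "PERMIT":
            q = permits[e.principal]
            while q and e.time - q[0][0] > window:
                q.popleft()
            earlier_hosts = {host for _, host in q}
            q.append((e.time, e.host))
            # Same credential now used from a host it was not using moments ago:
            # the "originated not from default location" compromise pattern.
            if earlier_hosts and e.host not in earlier_hosts:
                alerts.append(Alert("credential-multi-host", e.principal, q[0][0], e.time, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
    print("with threshold 5:", [a.kind for a in correlate(SAMPLE_LOG, threshold=5)])
```

With the default threshold of three, bob's two typos before a successful login never leave the event layer, carol's run of failures and dave's credit probing do, and alice's credential is flagged the moment it appears on a second host. Raising the threshold to five silences both count-based rules on this sample while the multi-host rule still fires, which is exactly the trade-off the slide's "what is the threshold?" points at.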

IODEF top level elements (figure)

EventData element, where the Grid Security Incident data can be placed (figure)

RecordData element (figure)