Meeting Minutes and TODOs

TG has no distributed monitoring. During incident response, a manually maintained twiki page is used to distribute information.
TG monitors the recognized ssh key files in response to the ssh incidents.
EGEE uses RSV probes and sites run Nagios tools. Are SAM probes used by VOs?
EGEE monitors whether sites have installed the released patches.
– EGEE assumes the environment at the Gatekeeper and the environment at the WN are identical.
Comment1: Availability of security services takes up a large share of operational security. What other operational aspects are the security team's responsibility?
TODO1: List the operational security responsibilities of the security team.
TODO2: Risk assessment must be done before the monitoring decisions are made. The security budget must be taken into account.
Comment2: Send usage (gratia) reports directly to users.
TODO3: Write generic RSV probes to observe whether sites have downloaded the patches (Ruth).
02/09 OSG Security Review

TODO4: Identify when we publicly announce security vulnerabilities to our site and VO communities. If we delay the announcement because a fix is delayed, we must make this policy explicit to our sites.
Comment: Incident spread happens along two aspects: community and software. A non-grid community can affect the spread of an incident.
Comment: Our definition of incident differs from EGEE's, which includes only malicious exploits.
TODO5: Decide how we kick a site off of OSG.
– Quiz for site admins to demonstrate their knowledge of OSG security practices and policies.
TODO6: The Engagement and Education team must present the same security materials to incoming users. A security welcome kit. England achieves this via site visits by a security person. Ensure that we present the same material.
TODO7: What is the right metric to measure the effectiveness of the security team?
TODO8: What is the right metric to measure a site's security effectiveness?
TODO9: Can we measure the productivity lost due to security incidents? Include this in the security ticketing information.
TODO10: How do we ensure the security team's online survey invitations are protected so that ST&E control results are reliable?

Comment: Making security policies just to keep up with JSPG and keep JSPG happy is not a good idea. An executive decision is needed to spend less time on this.
Comment: On the policy work: OSG brings a degree of uniformity to sites and users, so that users have less difficulty finding sites with compliant policies. If OSG defines this as out of scope for its work, the burden falls on the user.
Comment: On software vulnerability: we can give priority to software produced by OSG. Evaluating other software is too time consuming for a team as small as OSG's. Why is this the security team's priority? Either outsource it or ask for the VDT team's help.
Comment: Admins need to know that downloading an OSG service does not increase the risk at the site.
– The risk will inherently increase because the site is opening up to new users.
TODO11: Learn to monitor how quickly sites download security fixes.
TODO12: Define the procedure for announcing security advisories for software vulnerabilities. Either refer to existing CVE numbers or consider obtaining CVE numbers. On the down side, CVE numbers bring increased exposure and can increase attack risk.
Comment: EGEE has a quarantine period, by the end of which either an announcement is made to the sites or a fix is released.
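What a probe for TODO3 (has a site installed the fix?) and the metric for TODO11 (how quickly did it?) would compute, as an added example that is not part of the minutes or of the RSV project: the advisory, the package name, the versions, the site names and the snapshot timestamps are all constructed.

```python
"""Patch-status check over constructed site inventory snapshots (TODO3 / TODO11)."""
from datetime import datetime
import re

# Constructed advisory: package, first fixed version, release time (ISO 8601).
ADVISORY = {"package": "globus-gatekeeper", "fixed": "4.0.8-2",
            "released": "2009-02-01T12:00:00"}

# Constructed inventory snapshots: (site, package, installed version, snapshot time).
INVENTORY = [
    ("SiteA", "globus-gatekeeper", "4.0.8-2", "2009-02-02T09:00:00"),
    ("SiteB", "globus-gatekeeper", "4.0.7-5", "2009-02-05T09:00:00"),
    ("SiteC", "globus-gatekeeper", "4.0.10-1", "2009-02-03T09:00:00"),
    ("SiteD", "globus-gatekeeper", "4.0.8-10", "2009-02-06T09:00:00"),
]

def _segments(version):
    """Split '4.0.8-2' into segments: ints for digit runs, str for letter runs."""
    return [int(s) if s.isdigit() else s
            for s in re.findall(r"\d+|[A-Za-z]+", version)]

def version_at_least(installed, fixed):
    """RPM-style segment comparison: True if installed >= fixed.
    Numeric segments compare as integers, so 4.0.10 > 4.0.8 and 4.0.8-10 > 4.0.8-2;
    a plain string comparison gets both of these wrong and reports a patched site
    as vulnerable (or the reverse)."""
    a, b = _segments(installed), _segments(fixed)
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return x > y
        return isinstance(x, int)  # a numeric segment sorts after an alphabetic one
    return len(a) >= len(b)        # 1.0.1 >= 1.0, but 1.0 < 1.0.1

def patch_status(advisory, inventory):
    """Return {site: (patched, hours_to_patch)} for the advisory's package.
    hours_to_patch is None while unpatched; when patched it is the delay from the
    advisory release to the first snapshot showing the fix, i.e. an upper bound,
    since a probe only sees snapshot times, not the actual install time."""
    released = datetime.fromisoformat(advisory["released"])
    status = {}
    for site, pkg, ver, seen in inventory:
        if pkg != advisory["package"]:
            continue
        patched = version_at_least(ver, advisory["fixed"])
        hours = None
        if patched:
            hours = (datetime.fromisoformat(seen) - released).total_seconds() / 3600
        status[site] = (patched, hours)
    return status
```

Unpatched sites (a False first element) are the ones an RSV-style probe would flag; the hours column is the per-site time-to-patch that TODO11 asks to monitor.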

TODO13: Understand the value of a 24x7 service. Even when the security team is 24x7, it cannot do anything with site and VO security contacts who aren't 24x7.
– Does this give us an illusion of safety?
– Weekends are especially problematic for reaching security personnel at sites.
Comment: Supercomputer centers are not 24x7. The TG security team and help desk are 24x7.
TODO14: Understand the relationship between the GOC and VDT ticketing systems. Software vulnerabilities are ticketed in the GOC; the security team does not open tickets with VDT.
TODO15: Include information leaks as a risk in the risk assessment document. The reputation aspect of our project must be regarded as a high loss.
TODO16: Media training for the security team.
TODO17: Write explicitly in the incident response process about the confidentiality of the data exchanged between sites, users and the security team.
Comment: On future growth expectations: sites will grow 10%. VOs won't grow. Users will grow within existing VOs.
TODO18: List your top ten security concerns.
TODO19: How do site requests and requirements get incorporated into the security team's WBS?