1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project ISS e G Integrated Site Security for Grids EU-FP6 Project ISSeG Training Session: Improving Site Security David Jackson, STFC CHEP 07, Victoria BC, 4 September 2007
2 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Time table Welcome! How to sell security – and get resources for it! Risk assessments 16: :30 Coffee break Recommendations Feedback & questions
3 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Welcome
4 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Welcome We are improving the slides and would like your feedback. Feedback form Attendance form Questions
5 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Welcome! How to sell security – and get resources for it! Risk assessments 16: :30 Coffee break Recommendations Feedback & questions Session 1
6 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Session 1 How to sell security – and get resources for it …..what,…..who,…..why, ……how
7 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Session 1 How to sell security – working with managers (1 of 2) We want resources (staff time and money) We need support Managers want reassurance Managers see security as a necessary evil Management case for site security (V6) Management case for site security
8 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Updating management case The example presentation needs to be adapted and updated for your site. Try to sell the positive – do not scare everyone Keep the presentation non technical Do not underestimate your audience (they may not know how to configure a firewall in detail, but they do understand risk and politics) Do not underestimate the value of telling someone something that they already know Simple messages – repeated, repeated, repeated (Guidance notes are being developed.)
9 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project For Management 2 How to sell security – working with managers (2 of 2) The Joint Security Policy Group (JSPG) is an international group that coordinates policy development between Grid environments. Do not assume that senior site managers know what the JSPG is and what it does. They need to see this as an advantage and not a threat.
10 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project For Management 2 Joint Security Policy Group - Membership The JSPG contains representatives from the following Grid infrastructures: NDGF
11 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project For Management 2 Joint Security Policy Group - Mandate The JSPG mandate is to advise and make recommendations on matters relating to security. It has produced a number of policies: as well as processes, agreements and guidance.
12 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project For Management 2
13 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project For Management 2 Joint Security Policy Group – relevance to sites Sites do not need to re-invent existing local policies Often you will be bound by the JSPG policies by virtue of being part of a Grid infrastructure Sites need to review existing local polices to identify if there are any major differences between local and JSPG polices.
14 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project How to sell security – working with general users Security is not a product - despite what product vendors tell you. General users Effective security can only be achieved when well trained people use well designed processes.
15 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project General users Why should general users care about security? Appropriate technology should support your users. Without their support, all your technical measures may be rendered useless. A key activity is training and awareness. never underestimate users…
16 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project General users Remember, when you have the support of management: People are an essential part of any security solution. They are also a large source of potential vulnerabilities. Effective security requires well trained people using well trained processes that are supported by the appropriate technology, so USER TRAINING
17 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project General users General advice / material for users: Computer security advice for users (V4) Computer security advice for users Example presentation material. Local site updates: The contact details for your “IT Support team” To reflect your local password policy. Local practice
18 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project System Administrators How to sell security – working with Sys. Admins. Checklist for system administrators (V4) Checklist for system administrators Details of the ISSeG recommendations will be given in session 3.
19 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Developers How to sell security – working with developers Checklist for developers (V1) Checklist for developers Details of the ISSeG recommendations will be given in session 3.
20 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Summary: Session 1 How to sell security – and get resources for it Why ‘sell security’? Effective security needs resources. It can require some cultural changes within a site. Without senior management support, you will fail. Security is not often seen as attractive to senior management but rather as something they do not like but know must exist (a necessary evil). Educate your users so they know what to do.
21 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Welcome! How to sell security – and get resources for it! Risk assessments 16: :30 Coffee break Recommendations Feedback & questions Session 2
22 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Session 2 Security is not a “thing” you do, it is more a process of gradual improvement. You need some way of working out where to start and measure progress. A risk assessment process can help, so What are they and why bother? Establish a common understanding of risk ISSeG risk assessment questionnaire
23 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Session 2 Risk assessments – What are they and why bother? All organizations contain assets that they wish to protect from harm. The harm may be the result of an accidental or deliberate act by an individual or the result of some external event, e.g. Accidental - A user deletes all their data files Deliberate - An external attacker tries to access finance information External event - Flooding of a data centre or loss of power
24 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Session 2 Risk assessments – What are they and why bother? The senior managers within organizations are often required to establish a process to manage risks within the organization as part of a corporate governance strategy. Often a risk assessment process is established to support this understanding of risk so that it can: Identify the risks and assets Analyse the existing security controls Implement any identified and resourced improvement plan Monitor the existing controls to see that they are effective
25 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Session 2 Common understanding of “risk” and how to understand some of the many confusing terms. What is a “risk”? (V5) What is a “risk”? Example presentation to help set a common understanding of risk for both the “management” and “technical” people. Should help to understand advice from external sources such as auditors, security experts and web sites.
26 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project ISSeG questionnaire ISSeG risk assessment questionnaire Based on practical experience at a number of Grid sites, the ISSeG project have developed a risk assessment questionnaire that can help you assess the security of your site.
27 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project ISSeG questionnaire
28 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project ISSeG – Top 12 threats
29 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project ISSeG questionnaire ISSeG risk assessment questionnaire This can help you start the risk assessment process and identify what assets you have and some of the risks. You still need to develop the rest of the risk assessment and management processes for your site. Based on ISO/IEC 17799:2005 standard (e.g. the long list of technical controls)
30 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Summary: Session 2 Risk assessments help you Establish a common understanding of risk across the organisation Identify and prioritise what security controls need to be implemented first The risk assessments process should be repeated regularly to maintain the effectiveness of your security controls.
31 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Welcome! How to sell security – and get resources for it! Risk assessments 16: :30 Coffee break Recommendations Feedback & questions Coffee break
32 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Welcome! How to sell security – and get resources for it! Risk assessments 16: :30 Coffee break Recommendations Feedback & questions Session 3
33 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Session 3 The ISSeG project has identified 69 potential recommendations for sites so far. We will Discuss where to find the recommendations How they were developed (in brief!) Look at some examples in detail Recommendations and training are linked.
34 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Where to find the recommendations Based on practical experience, the ISSeG project has identified 69 potential recommendations for sites, each with implementation details. For example: R1.2: Centrally manage patches and system configurations Linux based method Windows based method Visit to see the full list as it develops.
35 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project
36 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project
37 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project
38 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project
39 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project
40 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Extracted from D3.1 and the web site S1: Broaden the use of centralised management R1.1: Centrally manage accounts R1.2: Centrally manage patches and system configurations R1.3: Centrally manage Internet Services S2: Integrate identity and resource management R2.1: Provide integrated identity management R2.2: Ensure resources link to the people in charge of them R2.3: Define responsibilities using roles and groups Long list ….. How were these developed?
41 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Development of recommendations
42 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Development of recommendations Scope of CERN site single discipline single administrative body sensitive industrial equipment Scope of FZK site: multi-disciplinary multiple administrative bodies commercial companies Resources
43 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Development of recommendations STFC Incidents virus infection web site defacement lost/stolen password compromised Server Threats
44 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Development of recommendations
45 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Development of recommendations S1: Broaden the use of centralised management R1.1: Centrally manage accounts R1.2: Centrally manage patches and system configurations R1.3: Centrally manage Internet Services S2: Integrate identity and resource management R2.1: Provide integrated identity management R2.2: Ensure resources link to the people in charge of them R2.3: Define responsibilities using roles and groups S3: Manage your network connectivity R3.1: Restrict Intranet access to authorised devices R3.2: Restrict Internet access to authorised connections R3.3: Segregate networks dedicated to sensitive devices R3.4: Expand the use of application gateways
46 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Development of recommendations S4: Use security mechanisms and tools R4.1: Strengthen authentication and authorisation R4.2: Increase the use of vulnerability assessment tools R4.3: Adapt incident detection to meet evolving trends R4.4: Strengthen and promote network monitoring tools R4.5: Enhance span filter tools and mailing security R4.6: Extend policy enforcement S5: Strengthen administrative procedures and training R5.1: Adapt training to requirements of users, developers and system administrators R5.2:Integrate security training and best practice into organisational structures R5.3:Maintain administrative procedures in step with evolving security needs R5.4: Extend policy regulations R5.5: Regulate the use and coexistence of legacy Operating Systems
47 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Development of recommendations ISSeG risk assessment questionnaire As the questionnaire has been developed, we have identified additional recommendations.
48 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Development of recommendations R51: Create an information security policy R52: Review your information security policy R53: Allocate information security responsibilities R54: Establish confidentiality agreements R55: Maintain contacts with special interest groups R56: Maintain an inventory of assets R57: Establish ownership of assets R58: Define acceptable use for assets R59: Establish information classification guidelines R60: Develop information labeling and handling procedures R61: Define terms and conditions of employment R62: Encourage information security awareness, education and training R63: Ensure access rights are up to date R64: Establish a physical security perimeter R65: Implement physical entry controls R66: Provide physical protection and guidelines for working in secure areas R67: Protect equipment from disruptions in supporting facilities R68: Assure secure disposal or reuse of equipment R69: Document your operating procedures R70: Manage changes to information processing facilities and systems R71: Separate you development, test, and operational facilities R72: Implement capacity management R73: Install and regularly update malicious code detection and repair software R74: Manage the execution of mobile code R75: Establish backup and restoration procedures R76: Implement intrusion detection and prevention mechanisms R77: Control access to your network R78: Use cryptographic techniques for information confidentiality and integrity R79: Establish agreements for exchange of information and software with external parties R80: Enhance the security of your communications R81: Protect the integrity of publicly available information R82: Enable audit logging of user activities, exceptions and security events R83: Establish procedures for monitoring system use and reviewing results R84: Ensure protection of log information R85: Establish an access control policy based on security requirements R86: Establish a formal procedure to control the allocation of access rights R87: Restrict and control the allocation of privileges R88: Implement a formal management process for password allocation R89: Enforce good practices in the selection and use of passwords R90: Ensure that unattended equipment is appropriately protected R91: Prevent unauthorized access to network services R92: Implement strong authentication for external connections R93: Adopt appropriate security measures for mobile computing R94: Implement appropriate policy, procedures, and guidelines for teleworking R95: Establish training and guidelines for secure programming R96: Establish a formal application integration/qualification process R97: Implement an automated patch managementS5: Strengthen administrative procedures and training (cont.)
49 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Example recommendations Common structure: What Why How Links
50 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Example recommendations Restrict Internet access to authorized connections Closing firewall access impacts used applications Update mechanism is required Segregate networks dedicated to sensitive devices Requires careful analysis of requirements and impact Expand the use of application gateways Reduces spread of incidents Useful for untrusted devices Restrict Intranet access to authorized devices 802.1x functionality A mapping to the device owner is recommended Finance network Controls networks Campus network
51 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Example recommendations Common policy between Grid sites The Joint Security Policy Group (JSPG) is an international group that coordinates policy development between Grid environments. This could have an impact on local site policy
52 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Example recommendations
53 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Example recommendations General users Computer users just want to get on and use the systems. Security needs to invisible. They need to know why security is relevant to them. this is not good security…
54 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Example recommendations Application developers Check lists can be useful aids to secure software. Currently under development
55 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Example recommendations System Administrators Check lists can be useful aids
56 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project General users General advice & material for users Computer security advice for users (V4) Computer security advice for users
57 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project System Administrators General advice & material for Sys. Admins. Checklist for system administrators (V4) Checklist for system administrators
58 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Developers General advice & material for developers Checklist for developers (V1) Checklist for developers Pilot material – See handout!
59 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Developers General advice & material for managers
60 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Summary: Session 3
61 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Welcome! How to sell security – and get resources for it! Risk assessments 16: :30 Coffee break Recommendations Feedback & questions Session 4
62 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Session 4 Feedback and questions We would like to improve the training materials based on your feedback, comments and questions Please complete the attendance form Please return your completed feedback forms Thank you for your time and attendance!
63 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Whales
64 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project Whales