OSG Area Coordinators Meeting Security Team Report Mine Altunay 4/11/2012.


WBS Ongoing Activities

1. Incident response and vulnerability assessment. Minimizing the end-to-end response time to an incident: 1 day for a severe incident, 1 week for a moderate incident, and 1 month for a low-risk incident.
2. Troubleshooting; processing security tickets including user requests, change requests from stakeholders, technical problems. Goal is to acknowledge tickets within one day of receipt.
3. Maintaining security scripts (vdt-update-certs, vdt-ca-manage, cert-scripts, etc.). Maintain and provide bug fixes according to the severity of bugs. For urgent problems, provide an update in one week; for moderate severity, provide an update in a month; for low-risk problems, provide an update in 6 months.
4. Supporting OSG RA in processing certificate requests. Each certificate request is resolved within one week; requests for GridAdmin and RA Agents are served within 3 days.
5. Preparing CA releases (IGTF), modifying OSG software as the changes in releases require. CA release every two months.
6. Security Policy work with IGTF, TAGPMA, JSPG and EGI. Meet with IGTF and TAGPMA twice a year. Attend JSPG and EGI meetings remotely and face-to-face once a year. Track security policy changes and report to OSG management.
7. Security Test and Controls. Execute all the controls included in the Security Plan and prepare a summary analysis.
8. Weekly Security Team Meeting to review work items. Coordinate weekly work items.
9. Weekly reporting to OSG-Production. Report important items that will affect production: incidents, vulnerabilities, changes to PKI infrastructure.
10. Monthly reporting to OSG-ET. Meet with ET once a month to discuss work items.
11. Quarterly reporting to Area Coordinator meeting. Meet with area coordinators to discuss work items.

Ongoing Work: Operational Security

1. Software Vulnerabilities/Incidents
– Root-level compromise at TTU. Affected all TTU machines, Glow pilot jobs and users (order of ten). Initial response happened within an hour of ticket creation. Affected users/services were contacted; attack contained within 24 hours. Attack vector: unpatched ssh. Close-out summary sent to OSG ET.
– Software vulnerabilities: Voms-admin, Voms, Tomcat, Apache, MySQL, Java, telnetd, glibc, sudo, RH6, and condor vulnerabilities are assessed.
– A new Incident Drill is being prepared. Technical setup is completed. Identified Tier3s and sought agreement for participation. Will be conducted in May.

Ongoing Work: Operational Security

1. XSEDE operational security interface
– Logistics are dealt with, joined the group, set up twiki accounts, PGP keys, etc.
– Calling into weekly Incident Response calls and biweekly Security Operations calls. The latter may be dropped if we find the former sufficient. Too early to tell.

Ongoing Work: Operational Security

2. DOEGrids CA service outage
– Lasted for 30 hours. Lost ability to renew user certificates and obtain service certificates.
– Ran into issues in reporting tickets to ESNet NOC. Silent failure. Used GOC ticketing system to report to ESNet NOC. GOC had the incorrect address for ESNet NOC, but the confirmation from GOC had the correct address that it should have been sent to.
– GOC staff corrected the issue.
– We added an additional step in our process to reach ESNet NOC via phone for emergencies.
– Found workarounds for obtaining certificates, but they were not necessary due to fast response from DOEGrids.
– Requested an analysis of the cause of the issue. Nothing concrete to report yet.
– Services are restored back to normal.

3. Maintaining security scripts. 6 separate issues since January are closed. 1 is still open.

5. Two items
– DOEGrids CA certificate lifetime extension. DOEGrids has issued a new CA cert. We put in a change request to disseminate the new cert to end users. DOEGrids made the changes promptly: put instructions and linked the new cert on the DOEGrids CA web pages; put reminders to end users. OSG cert request web pages were also updated with instructions and the new cert.
– CA release process update. CA rpm bundle is moved to the GOC software rpm cache. Old rpm cache is still alive. Checked the sites hitting the old rpm on 4/9/2012, will contact them soon. Reminders that old cache will be turned off on 5/31/2012.

Ongoing Work: Operational Security

6. WLCG Risk Assessment, Worker Node risk assessment, and glexec evaluation documents are reviewed.

7. Security Test and Controls: Planned to start in May. It will be finished before mid-July.

Prepared a live incident demo at OSG AHM. Created a vulnerable ssh daemon and demonstrated how easily it can be broken into. Showed hands-on tips on how to strengthen ssh. Chose ssh due to past attack history.

WBS Items

4 Security
4.1 Identity Management. Basney, Altunay
– Work Plan agreed by OSG Management and Security team. Basney, Altunay. 8/1/11 to 9/15/11. Completed
– Integrate a UCSD VO with CILogon CA to utilize local resources. Basney, Altunay. 8/15/11 to 9/30/11. Completed
– Integrate a VO with CILogon CA which can submit jobs to OSG resources. Basney, Altunay. 9/16/11 to 12/30/11. Completed
4.2 Conduct Security Controls and Tests. Altunay, Slagell
– Execute the security controls in OSG Security Plan. Altunay, Slagell. 5/1/12 to 7/1/
– Prepare a report on findings from the Security Controls. Altunay, Slagell. 7/1/12 to 7/22/
DigiCert Pilot Project. Altunay. 10/25/11 to 2/9/12. ***new*** Completed
4.3.1 DigiCert Planning Phase. Altunay. 2/9/12 to 3/31/12. ***new*** in Jan
Evaluate and update CA release process. Altunay, Roy, Quick. 12/21/11 to 2/29/12. ***new*** Completed
4.5 Provide DES VO with guidance over Security Policies and Procedures. Altunay. 1/12/12 to 2/31/2012. ***new*** Completed

WBS Items

4.1.1, 4.1.2, and are complete replaced by DigiCert Pilot. DigiCert pilot is completed. DigiCert Planning effort is continuing.
– Per ET’s recommendation, this item will be taken out of security team WBS although I personally contribute effort to it.

4.4. Evaluate and Update CA Release process. We have two separate processes for releasing CA bundles:
– Review and reconciliation of the processes by software, operations and security teams due before the end of 2/2012.
– The work was completed in Feb.
– Announcement was sent out to the sites.
– Identified and contacted sites who used the old repo.
– Searched for sites who are still using the old repo on 4/9/2012. Will contact them again.
– The old RPM repo will be turned off 5/31.

WBS Items

4.5 Provide DES VO with guidance over Security Policies and Procedures
– Per stakeholder’s request, this item is postponed (at least for 6 months). Revisit with the stakeholder at the end of August.

New Work Item:
– Making a list of prospective security projects. Collaborated with XSEDE and WLCG/EGI security teams. Ran it by Chander and Alain so far. After broader discussion in OSG, some items will be added to this list.

Any Other Issues

Kevin Hill is a great asset. He is transitioning into OSG security officially on June 1st. Marco will ramp down to zero.

Vacations coming up for the remainder of April.
– Mine will be gone 4/13 to 5/1
– Anand will be gone 4/12 to 5/7