Published by Opal Stanley. Modified over 8 years ago.

www.egi.eu EGI-InSPIRE RI-261323
EGI CSIRT Procedure for Compromised Certificates and Central Security Emergency Suspension
Dr Linda Cornwall, STFC/RAL
EGI OMB, 18th June 2013
6/5/2016

Contents
- Why a procedure?
- Types of Certificate which may be compromised
- Central emergency suspension
  - What does it mean?
  - Relation to policy
  - Criteria
  - Other info
- Procedure for compromised user certificate

Why a procedure?
- When a situation occurs, and a certificate is compromised, EGI CSIRT needs to have a procedure in place
  - Act in an agreed manner
  - Saves time, know what to do
  - Protects sites
- EGI CSIRT have now agreed this procedure, and present it to the OMB

Types of Certificate which may be compromised
- User certificate
  - Most common case
- Host or service certificate
- Robot certificate
- CA compromise

Central security emergency suspension
- For proper incident response EGI-CSIRT needs a mechanism to quickly suspend a DN involved in an incident
  - Infrastructure wide
- Central security emergency suspension provides this
- Sites are protected quickly, e.g. during an incident which occurs out of hours
- Suspension list under the control of EGI CSIRT and WLCG CSIRT – no involvement of 3rd parties
- A DN can be re-instated quickly

Central security emergency suspension (2)
- The need for security emergency suspension to be carried out by EGI CSIRT is to protect sites from malicious and other mis-use
- Most likely reason is the certificate is linked to malicious jobs or a security incident
  - Including if jobs have been submitted which are unlikely to have been submitted by the owner/user
- If the certificate has been used to submit jobs which are causing problems to the infrastructure but not due to a security incident, emergency suspension is NOT permitted by this procedure

Central security emergency suspension and policy
- Service providers are required to obey the Service Operations Security Policy
  - https://documents.egi.eu/secure/ShowDocument?docid=1475
  - “You must implement automated procedures to download the security emergency suspension lists defined centrally by security operations and should take appropriate actions based on these lists, to be effective within the specified time period”
- Sites are obliged to consume this list; but they may choose to give local policies priority over it.
- Sites held accountable if they overrule it

Criteria examples
Examples of when central security emergency suspension may be carried out by EGI CSIRT on user or robot certificate
- System containing proxies or private keys compromised
  - This is a type of incident
- Normal User certificate private key shared with others
- Usable private key or proxy copied to location readable by others, e.g. web page
  - Private keys should always be password protected
- User e-mailed proxy to mailing list with world readable archive
- Device stolen containing unprotected private keys, or potentially usable private keys

More info
- Emergency suspension must be at CSIRT discretion, cannot think of all possible criteria. Use common sense.
- Central Security Emergency suspension does NOT stop jobs which are already running belonging to that DN, sites will need to stop them
- Carried out in conjunction with the EGI Security incident handling procedure

NOT a ‘blacklist’ of users
- Central Security Emergency suspension does NOT imply fault on the certificate owner’s part
- A system may have been compromised containing the certificate
- A proxy may have been exposed by a vulnerability and used by a malicious user

User Certificate compromise
- Most cases of compromise are likely to be a User certificate
- EGI CSIRT decides what action to take
  - No action
    - e.g. If a misconfiguration/vulnerability is not exploited to steal credentials, certificates probably not treated as compromised
  - User should revoke and re-apply
  - Emergency suspension and full procedure

Procedures
- Detailed procedures in the document
- Main procedures are for ‘User’ certificates
  - Procedure if simply ‘revoke and re-apply’
  - Procedure including central security emergency suspension
    - Applies if this full procedure considered necessary for compromised user certificates
    - Applies if certificate used for pilot job submission
    - Applies to Robot certificates

Full Procedure including security emergency suspension
- 13 steps – in conjunction with security incident response
- Most communication as defined in incident handling procedure
1. Carry out central security emergency suspension of the DN
2. Inform sites and NGIs
   - This allows sites to stop any jobs already running

Full procedure (contd)
3. Inform VOs as appropriate
4. Inform CA(s) as appropriate
5. Certificate(s) should be revoked if appropriate
   - e.g. NOT 24 hour proxies
   - CA may revoke certs on EGI CSIRT request if root compromise of system containing private keys
6. Complete incident response

Remove security emergency suspension of user
7. When appropriate, various criteria considered including
   - When any proxy which has been exposed has expired
   - Investigations complete, or progressed sufficiently for the user’s access to be restored

Full procedure …contd
8. Inform sites and NGIs that emergency suspension is removed
9. Inform CA(s) that emergency suspension is removed
10. Inform VO(s) that emergency suspension is removed
11. Report to OMB (part of incident response)
12. User requests new certificate
13. User may re-join VOs

Procedures (2)
- Procedure for host or service certificates also provided
  - Does not include security emergency suspension
  - Cannot be used to submit jobs
- Compromised CA Procedure also included
  - How to report suspected CA compromise
  - Otherwise handled by CA
- Implications of various situations noted

Comments, questions…. ??

Notes.