Directory/Inventory – info sharing for security people


1 Directory/Inventory – info sharing for security people
Linda Cornwall, SIG-ISM 23rd Feb 2017

2 Main points
Some information is public (e.g. already available on public web page)
Some information is private
We define level 1 information as information which is public
We cannot tell people what they want to make public
We define level 2 information as information which we share between ourselves
We define level 3 as information which is more sensitive

3 Who do we share with?
I reckon security people within NREN/Projects/Institutes
Not just security officers?
I’m not a security officer
There are many security functions

4 Level 1, what to include
Suggest 1 top level table containing
Name of NREN/Institute/Project
1 sentence description
Location of NREN/Institute/Project table (in SIG-ISM)
Location of public web page belonging to the NREN/Institute/Project

5 Then table per NREN/Institute/Project
Name
Link to homepage
Description
ISM description
Link if public
Policy docs (public/not public) - Link if public
Software Vulnerability handling – Link to procedure, advisories
Other Incident Prevention
Incident Response
Contact information (what is public)

6 Top level table
EGI geant wiki page/table within SIG-ISM,
Name and local link NREN/Institute/Project Local Public geant Wiki link What is it? Public web
EGI Distributed computing Project for research
FIC-NREN Fictional NREN
……

7 Then for e.g. for EGI
Distributed Computing Infrastructure for Research incorporating over 300 datacentres
EGI
EGI Intranet (public)
EGI Wiki – much technical documentation
Security Policy Documentation
Incident prevention – Software Vulnerability Group
Report a vulnerability Report-vulnerability at egi.eu
Incident prevention - Security Monitoring
Sites monitored for critical vulnerabilities, not public
CSIRT – report a security incident Abuse at egi.eu
Security Incident handling procedure
Security Officer Not public

8 FIC-NREN
Fictional NREN just to demonstrate
FIC-NREN
Security Policy Documentation Not public
Incident prevention

9 Alternative – 1 big table
NREN/Project/Institute Description Public home Page Security Contact or officer Policy Docs Vulnerability Handling Incident Handling Report Incident Other
EGI Distributed Infrastructure Not public Abuse at egi.eu
FIC-NREN NREN
I tend to prefer the ‘page’ per NREN/Project/Institute
Decided don’t like this.
But a table could work too as this would illustrate which NRENs are making what public

10 What do I think should be public?
Policy documentation
Procedure for handling vulnerabilities
Procedure for handling incidents
Most documentation such as TOR or procedures - which doesn’t identify specific security risks, problems.
addresses for reporting problems
Generic, not an individual
With anti-spam – e.g. a ‘picture’ or security at nren
But it is up to projects/NRENs/institutes to decide

11 Sharing level 2 info
This needs to be controlled
Can this be a ‘Private’ wiki?
Who can have access?
2 options

12 Level 2 – Option 1 - Known to us
To register, a group of us need to know the people, i.e. a group of (say) of us
This we can register people we know
Then people we know can recommend 1 other person
No further away than that
We know someone we trust, we trust them to recommend someone, but no more than ‘1 away’
In addition need institute ?

13 Level 2 – Option 2 - institute e-mail
If people have an institute – is this enough?
We register people on request, provided they have an institute, and provided they agree to not make info public.
This is simpler, and probably enough
E.g. for EGI SVG “we ask for you to agree not to reveal information you learn about specific vulnerabilities which is not public except as part of the procedure without the agreement of the group.”

14 What should we share at level 2?
Whatever people wish
Table of NREN/Institute/Project – link to wiki page (within SIG-ISM) for that institute
People put on that non-public page what they wish
Recommend name and security officers, who to contact for non-public documents etc.

15 Who edits?
If wiki page level 1 and level 2 per project/institute/NREN – can give member of that project access rights.
People edit their own page.
GEANT sig-ism wiki probably has the authz in place.

16 Other
Each NREN/Project defines what roles there are
Different people organise things differently
NREN/Project responsible for keeping up to date
Check every 6 months is up to date
Confirm
Who do we allow who don’t we allow
What vetting mechanism?

17 Who can join in?
Limited to education and research
Start in Europe
Later maybe go global.

18 Level 3 info
More sensitive
More controlled
Probably a longer term aim
Bart Bosmia ed SCIRT – SURFnet Cooperating Incident Response Teams – good starting point
Need a group where people ‘volunteer’
To join group all members need to have the opportunity to O.K. or object
Further in the future.
Start with level 1 and level 2.

19 Other ideas to include
Public key – X509?
Info for secure communication?

20 How secure is the wiki?
Whatever we put, the security level of the wiki itself must be good enough for the info.
FOTIS in charge??

21 Getting started
1st page – table of NRENs
Points to page per NREN with public info.
Start with level 1 and level 2
Have some templates for minimum info required.
I’ll details to Sigita what is needed, action on me.
Later think also about ‘virtual water cooler’, other virtual meetings.
Groups within this.

22 Summary
Set up a wiki for level 1 public info
Up to people what they share
Set up a wiki for level 2 info
Prefer a wiki page within SIG-ISM in each case which individual NREN/Institute/Project can edit
Restrict to Education and Research
Level 3, other facilities – later

