Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGI Security Risk Assessment

Published byEugene Houston Modified over 6 years ago

Similar presentations

Presentation on theme: "EGI Security Risk Assessment"— Presentation transcript:

1 EGI Security Risk Assessment
Linda Cornwall, STFC Terena WISE Security Barcelona 20-22nd October 2015

2 Two main areas where we carry out Security Risk Assessment in EGI
Software Vulnerability Handling Assess the Risk posed to EGI by a particular vulnerability Carried out as part of the Software Vulnerability handling procedure On-going activity handling software vulnerabilities Security Threat Risk Assessment Where we consider the risk associated with various threats to the EGI infrastructure An activity we carry out every 2-3 years Highlights areas where risks are high and work needs to be done to mitigate the risk Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

3 Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall
This talk Summary of the Software vulnerability issue handling procedure Including the risk assessment Description of the EGI Security Threat Risk Assessment Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

4 EGI Software Vulnerability Group (SVG)
Purpose of EGI SVG: "To minimize the risk to the EGI infrastructure arising from software vulnerabilities“ Largest activity is handling Software Vulnerabilities reported which includes: Vulnerabilities announced by Software Distributors e.g. OS Vulnerabilities reported to us by those who discover them, in software in the EGI repository, or other repositories often produced by people we know, e.g. Grid Middleware and collaborating projects and institutes. Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

5 EGI SVG Risk Assessment Team (RAT)
The EGI SVG RAT is the group of people who handle software vulnerabilities for EGI RAT members mostly volunteer/invited effort Software Security experts, Grid and Cloud software experts, experienced sysadmins, plus all members of the EGI IRTF Have access to information in the EGI vulnerability handling tracker Agree by not to disclose info learnt except as part of the procedure without the agreement of SVG Activity depends on having a number of RAT members Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

6 Basic Software vulnerability handling
Anyone may report an issue by to If it has not been announced, SVG contacts the software provider and the software provider investigates (with SVG member, reporter, others) The relevance and effect in EGI are determined If relevant to EGI the risk in the EGI environment is assessed, and put in 1 of 4 categories – ‘Critical’, ‘High’, ‘Moderate’ or ‘Low’ If it has not been fixed, Target Date (TD) for resolution is set - ‘High’ 6 weeks, ‘Moderate’ 4 months, ‘Low’ 1 year Advisory is issued by SVG When the vulnerability is fixed if EGI SVG is the main handler of vulnerabilities for this software, or software is in EGI Repository regardless of the risk. If the issue is ‘Critical’ or ‘High’ in the EGI infrastructure If we think there is a good reason to issue an advisory to the sites. Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

7 Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall
Risks We have guidelines for Risk category Critical is e.g. if there is a public exploit which allows root, or anonymous root. High typically root but info not public and hard to find Public info increases the risk 48 Potential vulnerabilities reported in the last year 4 assessed as ‘Critical’ risk (all OS related, announced by software provider) 17 assessed as ‘High’ risk Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

8 Critical Vulnerabilities
Vulnerabilities assessed as Critical are handled on a case by case basis Most are ‘announced’ by software providers, few are reported which have not been fixed Sites are monitored by CSIRT/IRTF for critical vulnerabilities. Sites exposing critical vulnerabilities, not patching, not responding to CSIRT risk suspension from the infrastructure Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

9 Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall
Approval of procedure The procedure for handling software vulnerabilities is approved by the EGI Operations Management Board (OMB) This helps cover us in the case someone e.g. complains if a vulnerability is exploited while we are waiting for a fix. ‘Why didn’t you tell us about it?’ OMB Approval applies to many procedures and documents in EGI Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

10 EGI Security Threat Risk Assessment
In 2012 submitted deliverable D4.4 for EGI InSPIRE “Security Risk Assessment of the EGI Infrastructure” This described the aims of security, EGIs assets, the EGI security groups and activities, practices in EGI, and plans for a security threat risk assessment But doesn’t include the results of the risk assessment itself This came later (Spring 2012) And we changed the way we did it a bit compared to D4.4. Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

11 Aims of the Security Threat Risk Assessment
Consider EGI’s assets Consider the potential security threats to these assets Assess the security risk for these threats Report and arrange the mitigation of the threats having highest risk value Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

12 Establish Security Assessment Team
First we needed a team to carry out the assessment Team consisted of 18 members (2 were observers) so 16 were active in carrying out this work I was chair/leader/co-ordinator of this activity These people were from the various security teams in EGI, some from the NGIs This work is very much a group effort Doing this depends on a number of team members Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

13 Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall
How we worked Most work carried out by , on-line/telecon meetings, plus a F2F at a conference Most of the work carried out in a spreadsheet Discussed and came to a consensus on methods we used Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

14 Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall
Threat categories Defined 20 threat categories, examples Threats due to software vulnerabilities Physical Security Threats to the infrastructure Scientific and User data reliability Illegal and general misuse Threats to external parties Security Threats from installation of new software and technologies Allocated one or two threat categories to each team member Matched as well as we could to people’s knowledge and experience Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

15 Listing the threats and establishing the current situation/mitigation
Team members listed threats for their category, and wrote the current situation, including mitigation in place Focus largely on the EGI Grid Deployment at the time Then we discussed, to see if anything was missed We ended up with 75 threats in 20 categories Mostly high level threats Mostly technology independent Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

16 Methodology for computing the Risk
Risk is usually the product of the likelihood and impact/cost Actuarial computation of risk This is the typical method used by insurance companies based on statistics (e.g. death rates at a given age) But we have no suitable statistics So we looked for a way of providing a numerical value based on judgment Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

17 Methodology for computing the Risk (2)
We decided to ask all members to rate the ‘likelihood’ and ‘impact’ of each risk between 1 and 5. Risk = ‘Likelihood’ x ‘Impact’ That gives a max risk value of 25. Ratings based on current situation and mitigation in place We recognize that people’s ratings are always a bit subjective, so we tried to add some objectivity Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

18 ‘Likelihood’ Guidelines
Unlikely to happen May happen 2-3 times every 5 years Expected to happen once a year or so Happens every few months Happens once a month or more Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

19 Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall
‘Impact’ Guidelines ‘Impact’ guidelines Minimal impact on EGI’s ability to deliver its services to users or on any asset Minor impact, such as some operational or financial costs, local disruption Serious localized disruption to some services for some users, for a week or more Serious Multi-national disruption Very serious disruption, damage to reputation and/or 3rd parties Based on “WLCG Computer Security Risks Assessment” Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

20 Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall
Risk Computation Risk in each case computed by taking the product of likelihood and impact for each response Average risk computed Average impact also computed All in the spreadsheet Then each member was asked to compare the results to their own ratings Members invited to highlight any threat they wished to discuss No numbers actually changed – but highlight some threats with higher risk or higher impact as a result of the discussions Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

21 Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall
Threats reported We reported threats having a risk value of 8 or more (out of max. of 25) - 18 found We reported threats having an impact value of 4 or more (max 5) - 3 found Plus one other highlighted as a result of discussion This is out of 75 threats identified Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

22 Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall
Some examples New software or technology may be installed which leads to security problems History has shown that new technology or software comes with new set of problems Risk = 11.3 Security problems arising from the move to IPv6 Risk = 10.9 Insufficient staff may be available to carry out security activities Risk = 10.6 Incident spreads across the Grid Risk = 10.5 Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

23 Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall
And one on the cloud The move to more use of Cloud technologies may lead to security problems Risk = 10.1 Generally, the Risk Assessment was rather Grid focussed, so now we are planning to repeat with a cloud focus Based on the current situation with the EGI Federated Cloud In fact we have been talking about it for 18 months Now is a good time, as we understand more than we did about the Fed Cloud deployment Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

24 Plans for next risk assessment
Start from the spreadsheet from the previous assessment, and add new threats Most the threats on the previous list are generic, so makes a good starting point Add some Cloud and VM related specific threats VA endorsement – EGI only at present allows VMs based on endorsed images VM Operation. AAI based - Threats from allowing AAI other than IGTF certificates Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

25 Information is not public
Not all the information is public The assessment inevitably includes a list of weaknesses within the existing infrastructure and planned mitigations; if it were public it would be a valuable source of information to potential attackers Report from last time can be made available to anyone interested If you agree not to publicise Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall

26

Download ppt "EGI Security Risk Assessment"

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall,

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall,
Copyright 2010, The World Bank Group. All Rights Reserved. Statistical Project Monitoring Section B 1.

Copyright 2010, The World Bank Group. All Rights Reserved. Statistical Project Monitoring Section B 1.
Chapter 5: Asset Classification

Chapter 5: Asset Classification
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.

EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
The Grid Services Security Vulnerability and Risk Assessment Activity in EGEE-II Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688

The Grid Services Security Vulnerability and Risk Assessment Activity in EGEE-II Enabling Grids for E-sciencE EGEE-II INFSO-RI
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks The Grid Security Vulnerability Group Dr.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks The Grid Security Vulnerability Group Dr.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Grid Security Vulnerability Handling and.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Grid Security Vulnerability Handling and.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks GSVG issues handling Dr Linda Cornwall CCLRC.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks GSVG issues handling Dr Linda Cornwall CCLRC.
Update on the Grid Security Vulnerability Group Linda Cornwall, MWSG7, Amsterdam 14 th December 2005

Update on the Grid Security Vulnerability Group Linda Cornwall, MWSG7, Amsterdam 14 th December 2005
Security Vulnerabilities Linda Cornwall, GridPP15, RAL, 11 th January 2006

Security Vulnerabilities Linda Cornwall, GridPP15, RAL, 11 th January 2006
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud Security - what is needed Linda Cornwall (STFC) and the.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud Security - what is needed Linda Cornwall (STFC) and the.
Grid Security Vulnerability Group Linda Cornwall, GDB, CERN 7 th September 2005

Grid Security Vulnerability Group Linda Cornwall, GDB, CERN 7 th September 2005

Similar presentations

Ads by Google