1
EGI Security Risk Assessment
Linda Cornwall, STFC Terena WISE Security Barcelona 20-22nd October 2015
2
Two main areas where we carry out Security Risk Assessment in EGI
- Software Vulnerability Handling
  - Assess the Risk posed to EGI by a particular vulnerability
  - Carried out as part of the Software Vulnerability handling procedure
  - On-going activity handling software vulnerabilities
- Security Threat Risk Assessment
  - Where we consider the risk associated with various threats to the EGI infrastructure
  - An activity we carry out every 2-3 years
  - Highlights areas where risks are high and work needs to be done to mitigate the risk
Terena WISE Security Workshop 20-22nd October 2015 – Linda Cornwall
3
This talk
- Summary of the Software vulnerability issue handling procedure
  - Including the risk assessment
- Description of the EGI Security Threat Risk Assessment
4
EGI Software Vulnerability Group (SVG)
Purpose of EGI SVG: "To minimize the risk to the EGI infrastructure arising from software vulnerabilities"
Largest activity is handling Software Vulnerabilities reported, which includes:
- Vulnerabilities announced by Software Distributors, e.g. OS
- Vulnerabilities reported to us by those who discover them, in software in the EGI repository, or other repositories
  - often produced by people we know, e.g. Grid Middleware and collaborating projects and institutes.
5
EGI SVG Risk Assessment Team (RAT)
- The EGI SVG RAT is the group of people who handle software vulnerabilities for EGI
- RAT members mostly volunteer/invited effort
  - Software Security experts, Grid and Cloud software experts, experienced sysadmins, plus all members of the EGI IRTF
- Have access to information in the EGI vulnerability handling tracker
- Agree by not to disclose info learnt except as part of the procedure without the agreement of SVG
- Activity depends on having a number of RAT members
6
Basic Software vulnerability handling
- Anyone may report an issue by to
- If it has not been announced, SVG contacts the software provider and the software provider investigates (with SVG member, reporter, others)
- The relevance and effect in EGI are determined
- If relevant to EGI the risk in the EGI environment is assessed, and put in 1 of 4 categories – ‘Critical’, ‘High’, ‘Moderate’ or ‘Low’
- If it has not been fixed, Target Date (TD) for resolution is set - ‘High’ 6 weeks, ‘Moderate’ 4 months, ‘Low’ 1 year
- Advisory is issued by SVG
  - When the vulnerability is fixed if EGI SVG is the main handler of vulnerabilities for this software, or software is in EGI Repository regardless of the risk.
  - If the issue is ‘Critical’ or ‘High’ in the EGI infrastructure
  - If we think there is a good reason to issue an advisory to the sites.
7
Risks
- We have guidelines for Risk category
  - Critical is e.g. if there is a public exploit which allows root, or anonymous root.
  - High typically root but info not public and hard to find
  - Public info increases the risk
- 48 Potential vulnerabilities reported in the last year
  - 4 assessed as ‘Critical’ risk (all OS related, announced by software provider)
  - 17 assessed as ‘High’ risk
8
Critical Vulnerabilities
- Vulnerabilities assessed as Critical are handled on a case by case basis
- Most are ‘announced’ by software providers, few are reported which have not been fixed
- Sites are monitored by CSIRT/IRTF for critical vulnerabilities.
- Sites exposing critical vulnerabilities, not patching, not responding to CSIRT risk suspension from the infrastructure
9
Approval of procedure
- The procedure for handling software vulnerabilities is approved by the EGI Operations Management Board (OMB)
- This helps cover us in the case someone e.g. complains if a vulnerability is exploited while we are waiting for a fix.
  - ‘Why didn’t you tell us about it?’
- OMB Approval applies to many procedures and documents in EGI
10
EGI Security Threat Risk Assessment
- In 2012 submitted deliverable D4.4 for EGI InSPIRE “Security Risk Assessment of the EGI Infrastructure”
- This described the aims of security, EGI’s assets, the EGI security groups and activities, practices in EGI, and plans for a security threat risk assessment
- But doesn’t include the results of the risk assessment itself
  - This came later (Spring 2012)
  - And we changed the way we did it a bit compared to D4.4.
11
Aims of the Security Threat Risk Assessment
- Consider EGI’s assets
- Consider the potential security threats to these assets
- Assess the security risk for these threats
- Report and arrange the mitigation of the threats having highest risk value
12
Establish Security Assessment Team
- First we needed a team to carry out the assessment
- Team consisted of 18 members (2 were observers) so 16 were active in carrying out this work
- I was chair/leader/co-ordinator of this activity
- These people were from the various security teams in EGI, some from the NGIs
- This work is very much a group effort
- Doing this depends on a number of team members
13
How we worked
- Most work carried out by , on-line/telecon meetings, plus a F2F at a conference
- Most of the work carried out in a spreadsheet
- Discussed and came to a consensus on methods we used
14
Threat categories
- Defined 20 threat categories, examples
  - Threats due to software vulnerabilities
  - Physical Security Threats to the infrastructure
  - Scientific and User data reliability
  - Illegal and general misuse
  - Threats to external parties
  - Security Threats from installation of new software and technologies
- Allocated one or two threat categories to each team member
  - Matched as well as we could to people’s knowledge and experience
15
Listing the threats and establishing the current situation/mitigation
- Team members listed threats for their category, and wrote the current situation, including mitigation in place
  - Focus largely on the EGI Grid Deployment at the time
- Then we discussed, to see if anything was missed
- We ended up with 75 threats in 20 categories
  - Mostly high level threats
  - Mostly technology independent
16
Methodology for computing the Risk
- Risk is usually the product of the likelihood and impact/cost
- Actuarial computation of risk
  - This is the typical method used by insurance companies based on statistics (e.g. death rates at a given age)
  - But we have no suitable statistics
- So we looked for a way of providing a numerical value based on judgment
17
Methodology for computing the Risk (2)
- We decided to ask all members to rate the ‘likelihood’ and ‘impact’ of each risk between 1 and 5.
- Risk = ‘Likelihood’ x ‘Impact’
  - That gives a max risk value of 25.
- Ratings based on current situation and mitigation in place
- We recognize that people’s ratings are always a bit subjective, so we tried to add some objectivity
18
‘Likelihood’ Guidelines
1. Unlikely to happen
2. May happen 2-3 times every 5 years
3. Expected to happen once a year or so
4. Happens every few months
5. Happens once a month or more
19
‘Impact’ Guidelines
1. Minimal impact on EGI’s ability to deliver its services to users or on any asset
2. Minor impact, such as some operational or financial costs, local disruption
3. Serious localized disruption to some services for some users, for a week or more
4. Serious Multi-national disruption
5. Very serious disruption, damage to reputation and/or 3rd parties
Based on “WLCG Computer Security Risks Assessment”
20
Risk Computation
- Risk in each case computed by taking the product of likelihood and impact for each response
- Average risk computed
- Average impact also computed
- All in the spreadsheet
- Then each member was asked to compare the results to their own ratings
- Members invited to highlight any threat they wished to discuss
- No numbers actually changed – but highlighted some threats with higher risk or higher impact as a result of the discussions
21
Threats reported
- We reported threats having a risk value of 8 or more (out of max. of 25) - 18 found
- We reported threats having an impact value of 4 or more (max 5) - 3 found
- Plus one other highlighted as a result of discussion
- This is out of 75 threats identified
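
The scoring and reporting rule from the slides above, sketched in Python as an added example (not the EGI spreadsheet or any code from the talk). The threat names and ratings are constructed, and the `product_of_averages` field is included only to contrast with the per-response method the slides describe.

```python
from statistics import mean

RISK_THRESHOLD = 8    # reported if average risk is 8 or more (max 25)
IMPACT_THRESHOLD = 4  # reported if average impact is 4 or more (max 5)

def score_threat(ratings):
    """ratings: one (likelihood, impact) pair per team member, each 1..5."""
    for likelihood, impact in ratings:
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError(f"rating outside 1-5: {(likelihood, impact)}")
    # Risk is the product per response, averaged afterwards.
    avg_risk = mean(l * i for l, i in ratings)
    avg_impact = mean(i for _, i in ratings)
    reasons = []
    if avg_risk >= RISK_THRESHOLD:
        reasons.append("risk")
    if avg_impact >= IMPACT_THRESHOLD:
        reasons.append("impact")
    return {
        "avg_risk": avg_risk,
        "avg_impact": avg_impact,
        # For contrast only: multiplying the averages hides disagreement.
        "product_of_averages": mean(l for l, _ in ratings) * avg_impact,
        "reported": reasons,
    }

def report(threats):
    """Reportable threats, highest average risk first."""
    scored = ((name, score_threat(r)) for name, r in threats.items())
    flagged = [(name, s) for name, s in scored if s["reported"]]
    return sorted(flagged, key=lambda item: item[1]["avg_risk"], reverse=True)

# Constructed ratings from four hypothetical assessors; not EGI data.
SAMPLE = {
    "frequent, low impact": [(5, 2), (4, 2), (5, 2), (4, 2)],
    "rare, high impact": [(1, 5), (2, 4), (1, 4), (1, 5)],
    "minor": [(2, 2), (1, 2), (2, 1), (1, 1)],
    "assessors disagree": [(4, 4), (1, 1), (4, 4), (1, 1)],
}

if __name__ == "__main__":
    for name, s in report(SAMPLE):
        print(f"{name}: risk={s['avg_risk']:.1f} impact={s['avg_impact']:.1f} "
              f"reported on {s['reported']}")
```

In the "assessors disagree" row, averaging the per-response products crosses the reporting threshold while multiplying the averaged ratings would not, which is why the order of operations matters when the team is split.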
22
Some examples
- New software or technology may be installed which leads to security problems
  - History has shown that new technology or software comes with a new set of problems
  - Risk = 11.3
- Security problems arising from the move to IPv6
  - Risk = 10.9
- Insufficient staff may be available to carry out security activities
  - Risk = 10.6
- Incident spreads across the Grid
  - Risk = 10.5
23
And one on the cloud
- The move to more use of Cloud technologies may lead to security problems
  - Risk = 10.1
- Generally, the Risk Assessment was rather Grid focussed, so now we are planning to repeat with a cloud focus
  - Based on the current situation with the EGI Federated Cloud
- In fact we have been talking about it for 18 months
  - Now is a good time, as we understand more than we did about the Fed Cloud deployment
24
Plans for next risk assessment
- Start from the spreadsheet from the previous assessment, and add new threats
  - Most of the threats on the previous list are generic, so makes a good starting point
- Add some Cloud and VM related specific threats
  - VA endorsement – EGI only at present allows VMs based on endorsed images
  - VM Operation.
  - AAI based - Threats from allowing AAI other than IGTF certificates
25
Information is not public
- Not all the information is public
- The assessment inevitably includes a list of weaknesses within the existing infrastructure and planned mitigations; if it were public it would be a valuable source of information to potential attackers
- Report from last time can be made available to anyone interested
  - If you agree not to publicise