1. CyberSecurity Summit 2005 Teragrid Incident Response Overview December 13th, 2005 James Marsteller CISSP Information Security Officer Pittsburgh Supercomputing Center Jam@psc.edu

2. What is the Teragrid? “The TeraGrid is an NSF funded open scientific discovery infrastructure combining leadership class resources at eight partner sites to create an integrated, persistent computational resource”

3. Teragrid Facts  Launched August 2001  40 Teraflops of computing power  2 Petabyes of storage  10-30 Gig Interconnects (Dedicated Network)  Specializes in data analysis and visualization resources

4. Teragrid Partners  National Science Foundation  Indiana University  NCSA  ORNL  PSC  Purdue University  SDSC  University of Texas  UC/ANL

5. Teragrid Backbone

6. The Challenge… Developing a security baseline that satisfies a broad range of organizations including: Major Universities and Government Research Facilities.  Need A TG Security Baseline  Different Organizations, Different Goals  Government, Higher Ed, Research  Service Requirement, Public Relations, Privacy Reqs, Acceptable Use  How To Handle Non-TG Customers?

7. Building a Teragrid Security Team  ANL: Ti Leggett, JP Navarro, Gene Rackow  SDSC: Abe Singer, Bill Link, Victor Hazelwood  NCSA: Jim Barlow, Jeff Rosendale, Tim Brooks, Aashish Sharma  PSC: Jim Marsteller (Chair), Derek Simmel, Bryan Webb  ORNL: James Rome, Greg Pike  CalTech: Mark Bartelt  UTexas: Bill Jones  Purdue: David Seidl, Anna Squicciarini, Greg Hedrick  IU: Dave Hancock, Doug Pearson

8. Building a Teragrid Security Team  First Steps:  Drafted a Security Memorandum of Understanding (M.O.U)  Incident Response Contact List  Security “Hotline”

9. Security M.O.U.  Goal: A communications tool to define security expectations among EFT Sites. Not intended to replace existing site policy. Establish Policy - Not Implementation  Focus Areas:  Security Baselines  Incident Response  Change/Patch Management  Awareness  Accountability/Privacy

10. Incident Response Framework …a “crash” course  IR Team Creation  IR Procedures  Playbook and IR Flowchart  Secure Communications  Encrypted Email  24/7 Security “Hotline”  Information Repository  Encrypted IM

11. Identifying, Responding & Communicating Events  Response Playbook  Who To Contact Methodology  Initial Responders  Secondary Responders  Help Desk Staff  How to Respond to Event  PR Guidelines  800 Number & International Access

13. Identifying, Responding & Communicating Events  Security “hotline”  24/7 Reservation less Conference #  Any Site Can Initiate  Only Known To Response Personnel  All participants are announced and challenged  800 Number & International Access  Only transmitted encrypted to protect eavesdropping

14. Identifying, Responding & Communicating Events  Mailing Lists  “General” List: Used to announce weekly IR calls, new vulnerabilities, share IR related information.  Emergency List  Used to alert TG Staff of an incident  Response Staff Subscription  Can be tied to Trigger (Pagers, Phones, NOC)

15. Encrypted Communications  Encrypted Communications Are VERY IMPORTANT!  PGP/GPG encrypted email  Shared Password for Email Communications (Changes Frequently)  Encrypted Website To Archive Critical Information  Site Based Encrypted Instant Messaging (JABBER)

16. Coordinated Evidence Gathering  Playbook Outlines Requirements:  Protecting “Chain Of Custody”  Proper Logging  Reliable Copies Of Process Accounting  Level Of Effort Responding  Staff Hours & Capitol

17. Weekly Response Calls  ‘Closed’ only to TG IR Personnel  Forum for Detailed Description of Security Events and Q&A  Share Latest Attack Vectors  Non-TG News  Update On Current Investigations

18. Current Teragrid IR Challenges:  Customer Service Coordination  Single point of contact for user  User services and Security  Getting useful information from the user  Managing accounts across TG Resource Providers  Which sites have disabled?  What needs to be done to reactivate?  User Service insight to all of this information  IR Sharing/Reporting  Today all email based w static webpages  IR Trouble Ticket System  Action taken site by site  Action/information needed  NSF Notification procedure/threshold  Expansion of the Teragrid and beyond

19. Customer Service Coordination

20. User Questions for a Compromised Account: 1.Do you use the password of the compromised account at other TG sites or other general accounts (Hotmail, Amazon, Paypal, Ebay)? 2.What was the time of your last known login? Where was it from?’ 3.From what locations do you usually login (hostnames/IP)? 4.Which sites/machines have you used? 5.What locations (hosts) can we expect to you to login from? 6.Can accounts at other TG sites be closed down, or do you expect to use them in the future? If so, which sites are not needed: (PSC, SDSC, NCSA, ANL, Purdue, Indiana, ORNL, Texas, etc.) 7.Do you have any idea how someone may have gotten your login info (login/password)? what machines may possibly be compromised? your desktop? some other machine you used?

21. Expanding beyond the Teragrid  What is the criteria for notifying funding sources?  Every Account/Host compromise?  How to maintain as TG grows?  Newbie Guide & Security M.O.U.  How to effectively engage other organizations?  Other Grid Communities, Research communities and International organizations

22. Useful Resources  security.teragrid.org  http://www.first.org/  Research and Education Networking ISAC: http://www.ren-isac.nethttp://www.ren-isac.net  My Email: jam@psc.edu