Presentation is loading. Please wait.

Presentation is loading. Please wait.

Key Accomplishments and Work Plans OSG Security Team July 11, 2012.

Similar presentations


Presentation on theme: "Key Accomplishments and Work Plans OSG Security Team July 11, 2012."— Presentation transcript:

1 Key Accomplishments and Work Plans OSG Security Team July 11, 2012

2 Security Drill of Tier3s Security Drill of Tier3s. – The first time we drilled Tier3s. Sites did better than expected. Sent a test job to Tier3s and asked them to treat as a malicious job. Find the originator IP, search the osg logs, ban the user, understand what job was doing, do network analysis Provided extensive instructions before and during the drill. Sites could find the IP, read log files, banned the user with help The remaining tasks were challenging.

3 Security Drill of Tier3s Comm.Found IP Found Log Files Ban User Found Cron Found temp files StringsEmailsWget/sta tus Bellarmine -Atlas-t3 ✓ X ✓✓ Hint ✓ XXX WISC-Atlas ✓✓✓✓ Hint ✓ XX ✓ SMU-HPC ✓✓✓✓✓✓✓✓✓ Hampton- Atlas-CE ✓✓✓ XHint ✓ XXX NWICG Notre_D ame ✓✓✓✓✓✓✓ XX Renci- Blueberry ✓✓✓✓ Hint ✓ XXX UTD_HEP ✓✓✓✓✓✓✓✓✓ ContainmentJob AnalysisNetwork Analy Comm.

4 Security Drill of Tier3s Banning via GUMS still complicated. Needed help during the drill. A much simpler GUMS interface, with a simple Ban button is desired. Many sites were weak on network analysis. Since our grid logs do not record this information many of the site admins found it problematic to find this information. if OSG could provide them with some basic tools or documentation on to gather network traffic information it would be useful. Provide some targeted tools and documentation that can conduct some initial forensics analysis to help inexperienced site admins. These tools can be used to do front line forensic analysis so that important details can be preserved. Conducting this drill was useful based on the responses from the sites, some of them were able to gain new technical knowledge while others had the process of how to respond to an incident clarified. Overall we intend to hold periodic drills and/or training session with all Ter3s.

5 Risk Assessment Most likely attack vector: – Operating System security – Passwords, ssh keys, unpatched machines Three big attacks this past year & 27 vulnerability announcement – TTU root attack– insecure ssh. Site admins reported and cooperated diligently. – EGI DDOS attack – attacker sed EGI resources to launch a DDOS attack. Mistake: allowed remote ping requests. Simple attack – CMS Hypernews: Unpatched server. Attacker got the password file. Reporting did not work well. OSG learned about it by chance. CMS lacked proper incident response processes. Overall, did not affect operations. Working with CMS to establish incident response processes. Help OSG sites maintain basic OS level security. Help discover basic security problems, help patching.

6 Updated Risk Assessment If an attacker targets OSG, – VDT subversion would be the most opportune target. – GOC web-facing services. Less concerned about it. IU campus Intrusion detection, patching mechanisms. – Access to VDT and GOC servers via password and ssh keys. Restricted by local networks. Would be better if we can use Kerberos or certs Want to perform a security drill with VO submission nodes. Will VO be able to perform incident response if one of the VO jobs deem malicious.

7 Operational Accomplishments Security announcements. Good feedback from the community. Non-OSG people signed up; shows value to scientific community CA bundle releases. – 2 major projects completed: – Changed CA bundle layout to make it compatible with openssl 1.0. Completed, tested, and released to production. – Reconciled the CA release process among VDT, Ops, and Sec teams. We had two separate processes for releasing CA bundles : one for releasing to Koji/VDT Other for releasing pacman packages via GOC.

8 Operational Accomplishments DOEGrids CA certificate renewal – CA cert expired and needed to be replaced with a new one. – Good collaboration with DOEGrids CA. Successful negotiation over the release date of the new certificate. OSG made a list of requests to make the transition easier for its users. All but one accepted and put into operations in 3 weeks. OSG had great turn around in ITB and released the new cert into production DOEGrids CA Outage – Lost ability to renew user certificates and obtain service certificates – OSG Sec team quickly found workarounds to issue certificates. – Very prompt response from DOEGrids CA, worked around the clock to fix it. Lasted for 30 hours. – No impact on operations. – OSG found silent errors in the comm. channels between GOC and ESNet NOC. Corrected the problem.

9 Operational Accomplishments Since Feb 2012, 27 vulnerabilities are assessed and announced via blogs or emails. 3 major incidents: – EGI: attacker used grid resources to launch DDos attack – TTU: One root-level compromise at TTU – Hypernews incident:

10 Key Accomplishments The Sec team helped OSG PKI Pilot project (Digicert) ITB tests complete on time. Had BNL and FNAL Sec teams agree to use CIlogon Basic CA certs for authentication.

11 Plans for this year Strengthen basic site security – Identify and provide consulting with existing security tools. Package them in VDT if it makes sense – First project is Pakiti. Package it in VDT, enable sites install and run their local Pakiti server. – Comm with sites is key. We have an idea about what tools they are missing, but we need to make sure whether they can utilize these tools effectively. Trying to find a structured way to accomplish this. – Drill all Tier3 sites this year. This is more of an online education class than a pass/fail incident drill

12 Plans for this year Get 10% of non-LHC OSG users use CILogon certificates to access OSG resources – Biggest obstacle: OSG sites do not understand the risks of using CILogon certs. Stigma attached to lack of IGTF accreditation. – Started work with bigger sites thinking if they accept they can influence smaller sites. – FNAL and BNL security teams agreed that using Cilogon cert does not add any more risks and agreed to use it under some conditions. – Next steps are to work with Universities; met with Indiana Univ security officer. Find a pilot VO to give them CILogon certificates and have them access pilot sites with their CILogon certs.

13 Plans for this year Provide the service architecture and operational changes needed for integrating with campus identities – How to integrate Cilogon with existing infrastructure – Any changes to VO registration/management process to mitigate risks of using CILogon Basic CA – How can we at least use university identities to access web based resources? How can we get rid of certificates for web access. WLCG Identity Federation Prototype – Invite a few sites and Identity Providers. Understand risk definition from both sides. – Have a working prototype service. Technical work is less challenging than risk assessment and consensus.

14 Plans for this year Push IGTF to have an accreditation profile for university identity providers. – Likely to happen; WLCG also supports this. WLCG project on centralized banning. Blueprint discussion. Projects that OSG Sec Team provides effort to: – PKI transition. Test, training, contingency planning. – SHA-2 transition. We must get ready by 2013. Provide consulting/support to software team – Campus Infrastructure. Help with identity management architecture and services.


Download ppt "Key Accomplishments and Work Plans OSG Security Team July 11, 2012."

Similar presentations


Ads by Google