1. GGF Fall 2004 Brussels, Belgium September 20th, 2004 James Marsteller Pittsburgh Supercomptuing Center Jam@psc.edu

2. TeraGrid Security WorkGroup WG Charter Submitted To Executive Council Dec ‘03 Weekly Meetings Initial SecWG Efforts: –TG / E-Science SC03 Demo (Foreign Certificate Authority Acceptance Policy) –SSH Implementation (Version & Password Recommendations) –Site Security Points Of Contact Security Officers & Incident Response Contacts

3. TeraGrid Security WorkGroup Jan 9th 2004 - First TG Security Event –TG Node was compromised –Focus of the TG Security WG is Response –Security Point Of Contact List Was First Step –NOT TG CENTRIC! So What Did We Do????

4. Responding & Communicating Events Established Security “hotline” Response “Playbook” Developed Incident Mailing List Encrypted Communications Coordinated Evidence Gathering Weekly “Response” Calls

5. Identifying, Responding & Communicating Events Established Security “hotline” –24/7 Reservation less Conference # –Any Site Can Initiate –Only Known To Response Personnel –800 Number & International Access

6. Identifying, Responding & Communicating Events Response Playbook –Who/How To Contact Methodology Initial Responders Secondary Responders Help Desk Staff –How to Respond to Event –PR Guidelines –800 Number & International Access

7. Identifying, Responding & Communicating Events Incident Reporting Guidelines Example: How much time (in person-hours) did staff at your site spend dealing with the incident? How were you notified? What steps did you take to investigate at your site to determine if there was a compromised account or system? What did you determine? If there was a compromise: What damage was done? What steps did you take to respond/recover?

8. Identifying, Responding & Communicating Events Incident Mailing List –Used To Alert TG Staff Of Incident –Subscribed Response Staff –Triggers Help Desk/Pagers/Cell Phones

9. Encrypted Communications PGP Key Signing Shared Password for Email Communications (Changes Frequently) Encrypted Website To Archive Critical Information Encrypted Communications Are VERY IMPORTANT!

10. Coordinated Evidence Gathering Playbook Outlines Requirements: –Protecting “Chain Of Custody” –Proper Logging –Reliable Copies Of Process Accounting –Established Communication Channel with FBI –Level Of Effort Responding Staff Hours & Capitol

11. Weekly Response Calls ‘Closed’ Participant List Share Latest Attack Vectors Honeypots, Non-TG News Update On Current Investigations

12. Lessons Learned: What Did We Learn?

13. Lessons Learned A Quick, Secure, Coordinated Response is Critical! –Shared Users Accounts & Passwords –Shared Authentication = Quick Propagation –Separation Of Users and Admin Accounts

14. Lessons Learned Need A TG Security Baseline –Different Organizations, Different Goals Government, Higher Ed, Research Service Requirement, Public Relations, Privacy Reqs, Acceptable Use How To Handle Non-TG Customers? Different OS’s, Software and Hardware

15. Lessons Learned How To Achieve A Security Baseline –Security Memorandum Of Understanding (M.O.U.) What is expected of each site Communication of Events/Incidents Confidentiality of others Response Expectations Site & TG Risk Assessment (FRAP)

16. Lessons Learned How To Achieve A Security Baseline –Security Baseline Requirements Host Network Testing Patching Change Mgmt - Certification Process Response Physical Security Incident Detection Auditing

17. Future Actions/Challenges Ensuring A Security Baseline Uniform Compliance Auditing & Reporting Security Resources –Personnel –Software/Hardware Maintaining Security In A Dynamic Distributed Environment

18. Useful Resources Stanford Release: http://securecomputing.stanford.edu/ale rts/multiple-unix-6apr2004.html http://securecomputing.stanford.edu/ale rts/multiple-unix-6apr2004.html Research and Education Networking ISAC: http://www.ren-isac.nethttp://www.ren-isac.net My Email: jam@psc.edu