Presentation is loading. Please wait.

Presentation is loading. Please wait.

Grid Security Vulnerability Group Linda Cornwall, GDB, CERN 7 th September 2005

Published byOwen Gilmore Modified over 9 years ago

Similar presentations

Presentation on theme: "Grid Security Vulnerability Group Linda Cornwall, GDB, CERN 7 th September 2005"— Presentation transcript:

1 Grid Security Vulnerability Group Linda Cornwall, GDB, CERN 7 th September 2005 L.A.Cornwall@rl.ac.uk

2 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN2 Introduction Current grids Logging and tackling specific issues The vulnerability group Process Current state Questions? Project approval?

3 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN3 Current grids Grid Middleware has been written during the previous few years and other software has been used in various innovative ways to enable functional grids to be deployed Emphasis has been on functionality A lot has been achieved Grids are not perfect, there are problems that could be exploited (mostly by people with credentials) Up to now we have had a very friendly co- operative environment, hackers have not been very aware of us

4 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN4 Logging and tackling specific issues This is a sensitive issue –There has been a reluctance to write anything down because sysadmins will rightly want info, some want the info to be made available publicly, and then may not want to install the software We can’t fix everything quickly, we know that We want to tackle the problem as a collaboration between all parties, including developers, system administrators and management We want to ensure grids become more secure and keep them deployed We do not want any incidents

5 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN5 Vulnerability Group We have formed a vulnerability Group to tackle specific vulnerability issues This group is a collaboration between members of the project with useful knowledge or experience – including both system administrators and developers who want to see improvements in Grid Security Grid Vulnerability Savannah is set up Mailing list is available

6 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN6 Aim of Vulnerability group The aim of the group is to improve the quality of our software and deployment and protect our sites Inform developers (and their managers!) of vulnerabilities as they are identified, and encourage them to produce fixes or reduce their impact Inform security contacts as appropriate Aim is to keep grids deployed, keep appropriate people informed, not inform potential hackers, and fix problems This is not for incidents – if a vulnerability has been exploited it is handled by incident response Can be seen as incident prevention

7 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN7 Vulnerability organisation (1) Vulnerability group –Members have read and write access to the Savannah grid vulnerability project –Members log any problems they become aware of in the Grid Vulnerability Savannah logged as bugs as that is what Savannah does, but should really be considered to be vulnerability issues not bugs –Non members may submit bugs, and they should receive feedback, but they may not read the database –Members may be members of the Grid vulnerability mailing list – which means they may write to the list. (It is not archived publicly) –Problems or potential problems may be discussed on the mailing list

8 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN8 Vulnerability Organisation (2) Vulnerability Core –Manage membership of the vulnerability group –Ensure that appropriate people take responsibility for dealing with vulnerabilities Developers Deployment people (at present security contacts list) Appropriate people to carry out risk assessments

9 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN9 Vulnerability group members Ask to join Sysadmins and developers in LCG, EGEE, GridPP are entitled to join –Others at discretion of the core group Are known (first or second hand) to a member of the vulnerability core or their affiliation can be checked (e.g. on the GOC database) At present 35 members

10 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN10 Process Someone enters a vulnerability –If it has been exploited escalate immediately to incident response –Should not really be entered in the vulnerability base If urgent action is needed –e.g. an urgent change in the configuration, or to turn a system off –Inform security contacts (OSCT will define who is best to contact later)

11 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN11 Process (2) Initial assessment –If there is an EGEE software problem Assign bug to appropriate member of group Define a target time for fixing the problem Enter a reference bug in jra1 savannah with no details –If there is a problem with an external package inform as appropriate for that package –If an action is needed (e.g. configuration change) If urgent – inform security contacts Otherwise deal with as part of the EGEE deployment procedures

12 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN12 Process (3) If a solution is available –Handle through EGEE deployment procedures If solution unlikely to be available by target time –Carry out a detailed risk assessment If target time is reached and no solution is available –Pass on description and risk assessment to security contacts –This will be passed on to sysadmins –No publication by ourselves on a public web page –We have internal knowledge of EGEE middleware, we cannot take the same approach as e.g. CERT/CC and make knowledge public when target time has passed –JRA1/EGEE can make it public if they think it is appropriate

13 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN13 Progress web page We plan to have a web page accessible with a certificate and possibly VO membership For each vulnerability bug –Some sort of title indicating what package is involved (but no details) –Which group is responsible –Due date –When fixed –When not fixed by due date This flags progress This flags groups that are not fixing bugs

14 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN14 Current status Mailing list is available Grid vulnerability Savannah is set up (42 ‘bugs’) –Reminder - ‘bugs’ should be read as ‘vulnerabilities’ – only called bugs because that is what Savannah does Not much happened with so many on holiday in August Not yet set target times, done much analysis, entered ‘mirror’ entries in JRA1 savannah Need some effort –Especially for risk analysis

15 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN15 Current entries Of the 42 ‘vulnerabilities’, from initial look 20 are only exploitable by an authorized user 3 Authenticated user 2 people with access to grid machines 12 less well defined e.g. –vary from needing to install a rogue CE –warnings of consequences if certain machines hacked –Ability to set short password 5 No credentials (2 considered major) –1 in general to take steps against DOS –1 can be made much less of problem by a configuration change

16 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN16 Project agreement Approach agreed at the EGEE conference in Athens. –agreed that we will form this group and take this approach –Developers and deployment people present Also supported by the JRA1 meeting in Brno We are seeking formal management approval LCG, EGEE, GridPP –To cover ourselves (concerns about liability) –To ensure fixing the vulnerability bugs gets sufficient priority

17 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN17 Notes This is best efforts work We need management to give this priority –EGEE developers to fix problems –Appropriate people to carry out risk analysis –Otherwise nothing will happen We are not doing Security operations –OSCT should decide who to pass info onto if an urgent change is needed We will probably improve the process later –Try it out, and improve with time

18 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN18 To Join e-mail myself to join the e-mail list –L.A.Cornwall@rl.ac.uk Request membership of the Grid Vulnerability Savannah by logging onto Savannah –https://savannah.cern.ch/projects/grid-vul/https://savannah.cern.ch/projects/grid-vul/

19 7th Sept 2005Vulnerability group - Linda Cornwall - GDB - CERN19 Discussion Any questions? Is the Grid Deployment Board able to approve our policy and approach?

Download ppt "Grid Security Vulnerability Group Linda Cornwall, GDB, CERN 7 th September 2005"

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall,

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall,
Last update 01/06/2014 03:23 LCG 1Maria Dimou- cern-it-gd Maria Dimou IT/GD Site Registration policy & procedures https://edms.cern.ch/document/503198/

Last update 01/06/ :23 LCG 1Maria Dimou- cern-it-gd Maria Dimou IT/GD Site Registration policy & procedures
Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.

Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.

EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.
Deployment Session David Kelsey GridPP13, Durham 5 Jul 2005

Deployment Session David Kelsey GridPP13, Durham 5 Jul 2005
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
INFSO-RI-508833 Enabling Grids for E-sciencE Incident Response Policies and Procedures Carlos Fuentes

INFSO-RI Enabling Grids for E-sciencE Incident Response Policies and Procedures Carlos Fuentes
The Grid Services Security Vulnerability and Risk Assessment Activity in EGEE-II Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688

The Grid Services Security Vulnerability and Risk Assessment Activity in EGEE-II Enabling Grids for E-sciencE EGEE-II INFSO-RI
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks The Grid Security Vulnerability Group Dr.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks The Grid Security Vulnerability Group Dr.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks What GGUS can do for you JRA1 All hands.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks What GGUS can do for you JRA1 All hands.
Deployment Issues David Kelsey GridPP13, Durham 5 Jul 2005

Deployment Issues David Kelsey GridPP13, Durham 5 Jul 2005
Security Area in GridPP2 4 Mar 2004 Security Area in GridPP2 “Proforma-2 posts” overview Deliverables – Local Access – Local Usage.

Security Area in GridPP2 4 Mar 2004 Security Area in GridPP2 “Proforma-2 posts” overview Deliverables – Local Access – Local Usage.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

Similar presentations

Ads by Google