CyberSecurity Summit 2005 Teragrid Incident Response Overview

CyberSecurity Summit 2005

Teragrid Incident Response Overview

December 13th, 2005

James Marsteller CISSPInformation Security Officer

Pittsburgh Supercomputing CenterJam@psc.edu

What is the Teragrid?

“The TeraGrid is an NSF funded open scientific discovery infrastructure combining leadership class resources at eight partner sites to create an integrated, persistent computational resource”

Teragrid Facts

Launched August 200140 Teraflops of computing power

2 Petabyes of storage10-30 Gig Interconnects (Dedicated Network)

Specializes in data analysis and visualization resources

Teragrid Partners

National Science Foundation Indiana UniversityNCSAORNLPSCPurdue UniversitySDSCUniversity of TexasUC/ANL

Teragrid Backbone

The Challenge…

Developing a security baseline that satisfies a broad range of organizations including: Major Universities and Government Research Facilities.

Need A TG Security BaselineDifferent Organizations, Different Goals

Government, Higher Ed, Research Service Requirement, Public Relations, Privacy Reqs, Acceptable Use

How To Handle Non-TG Customers?

Building a Teragrid Security Team

ANL: Ti Leggett, JP Navarro, Gene Rackow SDSC: Abe Singer, Bill Link, Victor Hazelwood NCSA: Jim Barlow, Jeff Rosendale, Tim Brooks, Aashish

Sharma PSC: Jim Marsteller (Chair), Derek Simmel, Bryan Webb ORNL: James Rome, Greg Pike CalTech: Mark Bartelt UTexas: Bill Jones Purdue: David Seidl, Anna Squicciarini, Greg Hedrick IU: Dave Hancock, Doug Pearson

Building a Teragrid Security Team

First Steps:Drafted a Security Memorandum of Understanding (M.O.U)

Incident Response Contact ListSecurity “Hotline”

Security M.O.U.

Goal: A communications tool to define security expectations among EFT Sites. Not intended to replace existing site policy. Establish Policy - Not Implementation

Focus Areas: Security BaselinesIncident ResponseChange/Patch ManagementAwarenessAccountability/Privacy

Incident Response Framework

…a “crash” course IR Team Creation IR Procedures

Playbook and IR Flowchart Secure Communications

Encrypted Email 24/7 Security “Hotline” Information Repository Encrypted IM

Identifying, Responding & Communicating Events

Response Playbook Who To Contact Methodology

Initial Responders Secondary Responders Help Desk Staff

How to Respond to Event PR Guidelines 800 Number & International Access

Identifying, Responding & Communicating Events

Security “hotline” 24/7 Reservation less Conference # Any Site Can Initiate Only Known To Response Personnel All participants are announced and challenged

800 Number & International Access Only transmitted encrypted to protect eavesdropping

Identifying, Responding & Communicating Events

Mailing Lists“General” List: Used to announce weekly IR calls, new vulnerabilities, share IR related information.

Emergency List Used to alert TG Staff of an incident Response Staff Subscription Can be tied to Trigger (Pagers, Phones, NOC)

Encrypted Communications

Encrypted Communications Are VERY IMPORTANT!

PGP/GPG encrypted email

Shared Password for Email Communications (Changes Frequently)

Encrypted Website To Archive Critical Information

Site Based Encrypted Instant Messaging (JABBER)

Coordinated Evidence Gathering

Playbook Outlines Requirements:Protecting “Chain Of Custody”Proper LoggingReliable Copies Of Process Accounting

Level Of Effort Responding Staff Hours & Capitol

Weekly Response Calls

‘Closed’ only to TG IR Personnel

Forum for Detailed Description of Security Events and Q&A

Share Latest Attack VectorsNon-TG NewsUpdate On Current Investigations

Current Teragrid IR Challenges:

Customer Service Coordination Single point of contact for user

User services and Security Getting useful information from the user Managing accounts across TG Resource Providers

Which sites have disabled? What needs to be done to reactivate? User Service insight to all of this information

IR Sharing/Reporting Today all email based w static webpages IR Trouble Ticket System

Action taken site by site Action/information needed

NSF Notification procedure/threshold Expansion of the Teragrid and beyond

Customer Service Coordination

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

Customer Service Coordination

User Questions for a Compromised Account:

1.Do you use the password of the compromised account at other TG sites or other general accounts (Hotmail, Amazon, Paypal, Ebay)?

2.What was the time of your last known login? Where was it from?’

3.From what locations do you usually login (hostnames/IP)?4.Which sites/machines have you used?5.What locations (hosts) can we expect to you to login from?6.Can accounts at other TG sites be closed down, or do you expect to use them in the future? If so, which sites are not needed: (PSC, SDSC, NCSA, ANL, Purdue, Indiana, ORNL, Texas, etc.)

7.Do you have any idea how someone may have gotten your login info (login/password)? what machines may possibly be compromised? your desktop? some other machine you used?

Expanding beyond the Teragrid

What is the criteria for notifying funding sources?Every Account/Host compromise?

How to maintain as TG grows?Newbie Guide & Security M.O.U.How to effectively engage other organizations? Other Grid Communities, Research communities and International organizations

Useful Resources

security.teragrid.orghttp://www.first.org/Research and Education Networking ISAC: http://www.ren-isac.net

My Email: jam@psc.edu