22
CyberSecurity Summit 2005 Teragrid Incident Response Overview December 13th, 2005 James Marsteller CISSP Information Security Officer Pittsburgh Supercomputing Center [email protected]

CyberSecurity Summit 2005 Teragrid Incident Response Overview

Embed Size (px)

DESCRIPTION

CyberSecurity Summit 2005 Teragrid Incident Response Overview. December 13th, 2005. James Marsteller CISSP Information Security Officer Pittsburgh Supercomputing Center [email protected]. What is the Teragrid?. - PowerPoint PPT Presentation

Citation preview

Page 1: CyberSecurity Summit 2005 Teragrid Incident Response Overview

CyberSecurity Summit 2005

Teragrid Incident Response Overview

December 13th, 2005

James Marsteller CISSPInformation Security Officer

Pittsburgh Supercomputing [email protected]

Page 2: CyberSecurity Summit 2005 Teragrid Incident Response Overview

What is the Teragrid?

“The TeraGrid is an NSF funded open scientific discovery infrastructure combining leadership class resources at eight partner sites to create an integrated, persistent computational resource”

Page 3: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Teragrid Facts

Launched August 200140 Teraflops of computing power

2 Petabyes of storage10-30 Gig Interconnects (Dedicated Network)

Specializes in data analysis and visualization resources

Page 4: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Teragrid Partners

National Science Foundation Indiana UniversityNCSAORNLPSCPurdue UniversitySDSCUniversity of TexasUC/ANL

Page 5: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Teragrid Backbone

Page 6: CyberSecurity Summit 2005 Teragrid Incident Response Overview

The Challenge…

Developing a security baseline that satisfies a broad range of organizations including: Major Universities and Government Research Facilities.

Need A TG Security BaselineDifferent Organizations, Different Goals

Government, Higher Ed, Research Service Requirement, Public Relations, Privacy Reqs, Acceptable Use

How To Handle Non-TG Customers?

Page 7: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Building a Teragrid Security Team

ANL: Ti Leggett, JP Navarro, Gene Rackow SDSC: Abe Singer, Bill Link, Victor Hazelwood NCSA: Jim Barlow, Jeff Rosendale, Tim Brooks, Aashish

Sharma PSC: Jim Marsteller (Chair), Derek Simmel, Bryan Webb ORNL: James Rome, Greg Pike CalTech: Mark Bartelt UTexas: Bill Jones Purdue: David Seidl, Anna Squicciarini, Greg Hedrick IU: Dave Hancock, Doug Pearson

Page 8: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Building a Teragrid Security Team

First Steps:Drafted a Security Memorandum of Understanding (M.O.U)

Incident Response Contact ListSecurity “Hotline”

Page 9: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Security M.O.U.

Goal: A communications tool to define security expectations among EFT Sites. Not intended to replace existing site policy. Establish Policy - Not Implementation

Focus Areas: Security BaselinesIncident ResponseChange/Patch ManagementAwarenessAccountability/Privacy

Page 10: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Incident Response Framework

…a “crash” course IR Team Creation IR Procedures

Playbook and IR Flowchart Secure Communications

Encrypted Email 24/7 Security “Hotline” Information Repository Encrypted IM

Page 11: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Identifying, Responding & Communicating Events

Response Playbook Who To Contact Methodology

Initial Responders Secondary Responders Help Desk Staff

How to Respond to Event PR Guidelines 800 Number & International Access

Page 12: CyberSecurity Summit 2005 Teragrid Incident Response Overview
Page 13: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Identifying, Responding & Communicating Events

Security “hotline” 24/7 Reservation less Conference # Any Site Can Initiate Only Known To Response Personnel All participants are announced and challenged

800 Number & International Access Only transmitted encrypted to protect eavesdropping

Page 14: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Identifying, Responding & Communicating Events

Mailing Lists“General” List: Used to announce weekly IR calls, new vulnerabilities, share IR related information.

Emergency List Used to alert TG Staff of an incident Response Staff Subscription Can be tied to Trigger (Pagers, Phones, NOC)

Page 15: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Encrypted Communications

Encrypted Communications Are VERY IMPORTANT!

PGP/GPG encrypted email

Shared Password for Email Communications (Changes Frequently)

Encrypted Website To Archive Critical Information

Site Based Encrypted Instant Messaging (JABBER)

Page 16: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Coordinated Evidence Gathering

Playbook Outlines Requirements:Protecting “Chain Of Custody”Proper LoggingReliable Copies Of Process Accounting

Level Of Effort Responding Staff Hours & Capitol

Page 17: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Weekly Response Calls

‘Closed’ only to TG IR Personnel

Forum for Detailed Description of Security Events and Q&A

Share Latest Attack VectorsNon-TG NewsUpdate On Current Investigations

Page 18: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Current Teragrid IR Challenges:

Customer Service Coordination Single point of contact for user

User services and Security Getting useful information from the user Managing accounts across TG Resource Providers

Which sites have disabled? What needs to be done to reactivate? User Service insight to all of this information

IR Sharing/Reporting Today all email based w static webpages IR Trouble Ticket System

Action taken site by site Action/information needed

NSF Notification procedure/threshold Expansion of the Teragrid and beyond

Page 19: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Customer Service Coordination

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

Page 20: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Customer Service Coordination

User Questions for a Compromised Account:

1.Do you use the password of the compromised account at other TG sites or other general accounts (Hotmail, Amazon, Paypal, Ebay)?

2.What was the time of your last known login? Where was it from?’

3.From what locations do you usually login (hostnames/IP)?4.Which sites/machines have you used?5.What locations (hosts) can we expect to you to login from?6.Can accounts at other TG sites be closed down, or do you expect to use them in the future? If so, which sites are not needed: (PSC, SDSC, NCSA, ANL, Purdue, Indiana, ORNL, Texas, etc.)

7.Do you have any idea how someone may have gotten your login info (login/password)? what machines may possibly be compromised? your desktop? some other machine you used?

Page 21: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Expanding beyond the Teragrid

What is the criteria for notifying funding sources?Every Account/Host compromise?

How to maintain as TG grows?Newbie Guide & Security M.O.U.How to effectively engage other organizations? Other Grid Communities, Research communities and International organizations

Page 22: CyberSecurity Summit 2005 Teragrid Incident Response Overview

Useful Resources

security.teragrid.orghttp://www.first.org/Research and Education Networking ISAC: http://www.ren-isac.net

My Email: [email protected]