
Overview of TeraGrid Security Working Group Activities

Overview of TeraGrid Security Working Group Activities. James Marsteller CISSP, Working Group Chair for Information Security Pittsburgh Supercomputing Center Jam@psc.edu. Agenda. TG Security WG Background Policy Development Incident Coordination and Response Current Projects.


Presentation Transcript


  1. Overview of TeraGrid Security Working Group Activities James Marsteller CISSP, Working Group Chair for Information Security Pittsburgh Supercomputing Center Jam@psc.edu

  2. Agenda • TG Security WG Background • Policy Development • Incident Coordination and Response • Current Projects

  3. TeraGrid Security WorkGroup • Formed in January 2004 • Eight Resource Providers + More • Security WG Charter: • Development of policies, procedures and guidelines • Provide security-related advice/direction on TG projects • Coordinate TeraGrid Incident Response team • Lead Risk Assessments

  4. TeraGrid Security WorkGroup • Security WG Policies: • Security M.O.U. • CA Acceptance • Baseline Security Guidelines • Public Info Disclosure (Draft) • User/Host/Job Names • Two Factor Auth (Draft) • Reporting Procedures (Draft) • Procedures • Incident Response Playbook/Flowchart • Compromised Account Questionnaire • Security ‘Newbie’ guide

  5. TeraGrid Security Coordination • Rapid, Secure, Coordinated Response and Information Sharing is Critical!

  6. TG Incident Response • Weekly “Response” Calls • 24 Hour Security “hotline” • Incident Mailing List • Encrypted Communications • Coordinated Evidence Gathering • Future Tasks: IR Tracking • TG NOC Ticket System, RT IR

  7. TG Incident Response • Weekly IR Calls • *One of the Most Valuable Tools* • 5 to 45 minutes in length • ‘Closed’ Participant List • Share Latest Attack Vectors • Vulnerabilities, worms, scans, other: p2p • Honeypots, Non-TG News • Update On Investigations

  8. TG Incident Response • TG Security “hotline” • 24/7 Reservationless Conference # • Any Site Can Initiate • Only Known To Response Personnel • 800 Number & International Access

  9. TG Incident Response • Response Playbook • Who/How To Contact Methodology • Initial Responders • Secondary Responders • Help Desk Staff • How to Respond to Event • Reporting Guidelines: Press, Privacy, Funding sources (in progress)

  10. TG Incident Response • Compromised Account Questionnaire • Do you use the password of the account at other TG sites or other general accounts (Hotmail, Amazon, PayPal, eBay)? • What was the time of your last known login? Where was it from? • From what locations do you usually log in (hostnames/IP)? • Which sites/machines have you used? • Which do you expect to use? • What locations (hosts) can we expect you to log in from?

  11. TG Incident Response • Site Incident Response Report • How much time (in person-hours) did staff at your site spend dealing with the incident? • How were you notified? • What steps did you take to investigate at your site to determine if there was a compromised account or system? • What did you determine? • If there was a compromise: • What damage was done? • What steps did you take to respond/recover?

  12. Security WG Communications • Mailing lists • Main TG Security WG List • IR Alert: Triggers Help Desk/Pagers/Cell Phones • Response: Announce weekly IR Calls/Notes • TG Security Contact List • IR, General Security, NOC, Phone, email and pagers

  13. Encrypted Communications • PGP Key Signing • Shared Password for Email Communications (Changes Frequently) • Encrypted Website To Archive Critical Information • Encrypted Communications Are VERY IMPORTANT!

  14. Current Projects • IGTF Efforts • TAGPMA Participation • IGTF CAs: INFN (Italy) CA, Dutch Grid and NIKHEF CA, AIST (Japan) CA • CA Auditing • TeraGrid Risk Assessment • Working with Law Enforcement • IR Tracking • Support for Science Gateways/Community Accounts

  15. Useful Links • TG Security Site: http://security.teragrid.org • TG User Agreement: http://www.teragrid.org/userinfo/user_responsibility.html • Passwords: http://www.us-cert.gov/cas/tips/ST04-002.html • My Email: jam@psc.edu
