This page is obsolete!

For up to dated information about EGI CSIRT please check EGI CSIRT wiki page at: https://wiki.egi.eu/wiki/EGI_CSIRT:Main_Page

The EGI Computer Security and Incident Response Team - EGI CSIRT

[quoted from section TSA1.2: A Secure Infrastructure of EGI-InSPIRE proposal]

The EGI CSIRT covers all aspects of operational security aimed at achieving a 'secure infrastructure' within EGI and relies on site and NGI security contact information maintained in the GOCDB by each NGI. The EGI CSIRT ensures both the coordination with peer grids and with the NGIs and NREN CSIRTs. The EGI CSIRT acts as a forum to combine efforts and resources from the NGIs in different areas, including Grid security monitoring, Security training and dissemination, and improvements in responses to incidents (e.g. security drills). Each NGI will appoint an NGI Security Officer in order to provide the NGI CSIRT function. The resulting group of NGI Security Officers collaborate as part of the EGI CSIRT.

The EGI CSIRT is led and coordinated by the EGI Security Officer, whose role and mission are defined by security policies approved by EGI and the NGIs.

Requested Effort (as specified in EGI-InSPIRE proposal): 335 PM (person/month) over 4 years period (83.75PM/year)

EGI-CSIRT Groups

The following working groups were proposed to be formed before the start of EGI project. Each group is coordinated by a group coordinator and consists of NGI security officers. A NGI security officer (as well as the other members of the NGI's security team) can join more than one group. A NGI security officer can also take one (but only one) group coordinator role. More groups will be formed when needed.

• Incident Response Task Force
• Security Monitoring Group
• Security Drills Group
• Training and dissemination group

As discussed at the face to face meeting on 22nd/23rd March 2010, a list of tasks were identified within each group. It is NOT a complete list and input/suggestion are highly appreciated. The to be appointed group coordinators might update or ammend the list of tasks when applicable.

Basic requirement of a group coordinator

A coordinator with sufficient experience will be appointed in each group to coordinate the work within the group.The coordinator should be able to:

• maintain and develop good working relationship with both group members, other CSIRT members and external colleagues;
• set clear and measurable objectives, tasks and milestones;
• coordinate all activities within the group to make sure that agreed objectives, tasks and milestones can be achieved;
• perform additional assignments and responsibilities as agreed with the EGI CSIRT security officer or the project management;

EGI CSIRT members (aka NGI security officers) are encouraged to take either a coordinator role or to participate into work of these groups.

NOTE: in order to get the team ready before 1st May, the deadline of group coordinator application (express your interest in the role) is Friday 16th April.

Incident Response Task Force (IRTF)

Objective: Handle day to day operational security issues and coordinate Computer-Security-Incident-Response across the EGI infrastructure.

Tasks:

• Replace OSCT-DC
• Swift response to any reported computer security incident affecting EGI infrastruture
• Security Incident Management
  • Existing communication channel (mail list/security wiki) migration
  • New communication channel (if needed) setup
  • Incident response tools development, evaluation and adaptation
  • Incident handling procedures update/maintainence
• Adapt the current EGEE computer security incident response procedures to EGI framework.
• Establish addtional operational and/or escalation procedures when required
  • a procedure to suspend a site from the EGI infrastructure
  • a procedure and agreed criteria to ban (blacklist) a user, a group of users and/or a VO
• vulnerability assessment
  • Regularly monitor vulnerability databases
  • Assess impact of vulnerabilities on the EGI infrastructure
  • Advise the project mitigation solutions

Additional requirement to the Coordinator: Ideally, the coordinator should have track record of coordinating computer security incident response across multiple Grids/countries.

Coordinator: TBC

Volunteers:

Vulnerability assessment (part of incident response task force)

Security Drills Group (SDG)

Objective: Provide an overview of the various CSIRTs readiness' to react to an computer security incident and challenge the inter CSIRT communcation channels.

Tasks:

• Design and set-up realistic simmulations of computer security incident scenarios.
  • Address various grid middleware components (ex: VO Job submission framework (SSC4))
  • Assess the capabilities/suitability of fabric management tools for operational security.
  • Assess security related software (managability) ex: glexec, central banning.
  • New tools for IRTF could first be tested here.
• Run/evaluate/disseminate the security drills on the project level.
• Collect the sites feedback, ex. which tools are needed to improve the response.
• Provide a framwork so that NGIs can run a particular security drill at some or all of their sites.
• Set up a "Sites-Readiness" web page were the results of the security drills are collected. Access restricted to EGI-CSIRT, IRTF, EGI/NGI Management.

Role of the coordinator: Coordinate the project wide runs with the various involved (VO) CSIRTs. Coordinate with the NGI Security Officers local runs in order to have a optimal coverage of the challenged sites and by this getting a map of the sites readiness to respond to an computer security incident.

Cooridiantor: TBC

Volunteers:

Security Monitoring Group (SMG)

Objective: Develop, deploy and maintain security monitoring tools.

Tasks:

• Pakiti:
  • Further development
  • Monitor the result of central Pakiti server and raise alarm if necessary
  • Support NGIs in setting up a national Pakiti instance.
  • Improve support for non rpm based distributions.
• Tools to trace user activity.
• Nagios:
  • Further development
  • Security probes development and maintances
  • Deploy security probes within the existing Nagios framework
  • Support NGIs to intergate security probes into their local NGI Nagios framework
• Explore the possibility of using APEL data for security monitoring and security incident handling purpose
• Explore the possibility of creating a security monitoring dashboard to aggreate, consolidate and visualize monitoring results

Coordinator: TBC

Volunteers

Training and Dissemination Group (TDG)

Objective: Raise security awareness and improve security for system administrators by providing security training and best practice

Tasks:

• Plan and organize training events
• Collect and archive training materials used in past events.
• Support NGIs setting up local training events.
• Develop training material
• Setup and maintain EGI CSIRT public and interal website and wiki

Coordinator: TBC

Volunteers:

-- MingchaoMa - 07-Apr-2010