Supercomputing • Communications • Data
NCAR Scientific Computing Division
Cybersecurity Summit 2004: Conclusions and Recommendations
Tom Bettge and Ginger Caldwell
Scientific Computing Division
National Center for Atmospheric Research
Boulder, CO USA
23 March 2005
Overview

Motivation for Cybersecurity Summit 2004 (CSS 2004)
– Unauthorized and unprecedented intrusion into numerous university and federally funded research computer systems
– FBI Case 216
– NSF's concern about cybersecurity for projects and facilities

By invitation only
– 120 participants
– Systems and security professionals
– Center Management
– End Users
…in a confidential setting.
Goals of CSS 2004

Share information on Case 216
Explore the needs of maintaining an open, collaborative research environment while protecting the integrity of computing assets
Develop and/or enhance communication via trust relations
Develop secure computing environments while evaluating the impact on researchers, the computers, and the network
Discuss different needs/requirements between centers
Program Committee

Tom Bettge, Chair – NCAR
RuthAnne Bevier – California Institute of Technology
Ginger Caldwell – NCAR
Walter Dykas – Oak Ridge National Laboratory
Victor Hazlewood – SDSC
Chris Hempel – Texas Advanced Computer Center
Jim Marsteller – PSC
Marla Meehl – NCAR
George Strawn – NSF
John Towns – NCSA
Howard Walter – National Energy Research Scientific Computer Center
Attendance by Agency/Job Duty

Figure 1. Attendee Distribution by Agency (categories shown: University/NSF, DOE, Military, NASA, Other)
Figure 2. Attendee Distribution by Position/Duty (categories shown: Systems Admin, Management, End Users)
Attendance from Geographic Region
CSS 2004 Breakout Group Topics

User Policies/Education
System Admin Policies/Education
Network Based Intrusion Detection
Host Based Intrusion Detection
Grid Security
CSS 2004 Common Themes

Incident Response
Training and Education
Security Planning
Future Meetings
Incident Response Conclusions

The widespread nature of the intrusion was caused by collaborative relationships, yet communication between labs was deficient
Trust relationships between labs/centers were weak
– Timely response was inhibited by easily determined, trusted contacts
Responses to intrusion events must be coordinated
Incident Response Recommendations

For incident reporting and tracking, a contact model is needed to bring multi-agency security teams together
Site: Security starts at home… local sites need to establish an incident response link on the web for incident reporting
Site: Create an incident response plan as part of a comprehensive security policy:
– Procedure to notify users/customers
– Procedure for notifying peer sites
– Define a protocol for alerting legal authorities
– Instructions on public relations issues
Training and Education Conclusions

Users
– passwords are weak
– understanding of risks and protection is poor
Systems administrators' understanding of security is only slightly better than that of users
Intrusion events usually exploit known and patchable vulnerabilities, and could be prevented
Education is needed by systems administrators, users, and center management
Training and Education Recommendations

Case 216 can/should be used to heighten awareness and foster acceptance of the need for education
NSF should explore, in conjunction with its community, methods to provide security training in an efficient and cost-effective manner.
Site: Develop a comprehensive security plan:
– security education
– strong security policies and enforcement mechanisms that sufficiently gain the attention of all personnel
– develop the plan in collaboration with peer centers
Security Planning Conclusions

Current security activities are primarily reactive
Planning should begin at system design and installation
Case 216 revealed a need for better intrusion monitoring and logging
– need effective and efficient forensic analysis
– automated!
Grid amplifies existing security issues, rather than creating new ones
– e.g., local sites are likely to strengthen firewalls
Security Planning Recommendations

NSF should impose security requirements on grant awards
– include a security plan and a security budget
NSF should fund a study to investigate user-friendly replacements for passwords
– be careful about One Time Passwords (OTP)
NSF should increase support (find balance?) for security tool development
– automated security tool development
Community should build cooperative relations with firewall/router vendors to address common needs
Future Meetings

Face-to-face meetings of security professionals, users, management, and agency program managers are valuable and should continue.
– …not incident based!
NSF and other agencies should sponsor an annual event to provide a forum for establishing and maintaining trust infrastructure.
– …but avoid duplication with existing forums!
From a CSS Participant

Near the end of the second day in DC, it occurred to me that, hey, here's a room full of security-minded people, so I bet we're batting close to (if not at) 100% in the non-sniffability game. So I fired up a copy of tcpdump just to check ...

There were numerous unencrypted connections to pop and imap and smtp servers… perhaps they were using PGP-encryption… even so, I've got {hostname, username, password} information that quite a few people used to identify themselves to their mail servers.
…and it gets worse…

But wait, it gets a lot worse. There were three telnet sessions active; one was to a host at a supercomputing center, and one of the others was to a machine in the army.mil domain!

If we, individuals with an expressed interest in computer security, can't get it right -- 100% right -- how can we possibly expect Joe User to?
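The participant's observation is the kind of thing a site can check for itself without ever looking at credentials: a network monitor only needs to see which hosts are still talking to the cleartext ports for telnet, POP3, IMAP and SMTP, and which encrypted service each should move to. The following is an added example written for this summary; it is not code from the slides, from NCAR, or from the participant. It assumes a simplified tcpdump-style line format and uses constructed hostnames and traffic; the port-to-replacement table is the example's own choice.

```python
"""Flag cleartext credential protocols in connection records (added example).

Given connection records in a simplified tcpdump-like form, report the
client/server pairs that use protocols carrying logins unencrypted and name
the encrypted alternative. No payload is inspected, only addresses and ports.
"""
import re
from collections import Counter

# Plaintext ports that carry credentials in the clear, mapped to the
# encrypted replacement a site should steer users toward (example's choice).
CLEARTEXT_PORTS = {
    23: ("telnet", "ssh (22)"),
    110: ("pop3", "pop3s (995)"),
    143: ("imap", "imaps (993)"),
    25: ("smtp", "submission with STARTTLS (587)"),
}

# Assumed simplified tcpdump-style line: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\w.-]+)\.(?P<sport>\d+) > (?P<dst>[\w.-]+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return (src, sport, dst, dport) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def find_cleartext_sessions(lines):
    """Return one finding per distinct (client, server, service) seen.

    Only the client-to-server direction is checked (destination port), so
    the server's replies do not produce duplicate findings.
    """
    findings = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _sport, dst, dport = parsed
        if dport in CLEARTEXT_PORTS:
            key = (src, dst, dport)
            if key not in findings:
                service, replacement = CLEARTEXT_PORTS[dport]
                findings[key] = {
                    "client": src,
                    "server": dst,
                    "service": service,
                    "replace_with": replacement,
                }
    return list(findings.values())


def summarize(findings):
    """Count findings per cleartext service, for a quick site-wide picture."""
    return Counter(f["service"] for f in findings)


# Constructed sample capture; hostnames and traffic are made up for this example.
SAMPLE = """\
10:01:02.000 IP laptop-a.example.org.51234 > mail.example.org.110: Flags [P.], seq 1:20
10:01:02.100 IP mail.example.org.110 > laptop-a.example.org.51234: Flags [.], ack 20
10:01:05.000 IP laptop-b.example.org.40000 > mail.example.org.993: Flags [P.], seq 1:100
10:01:07.000 IP laptop-c.example.org.43210 > hpc-login.example.org.23: Flags [P.], seq 1:5
10:01:07.500 IP laptop-c.example.org.43210 > hpc-login.example.org.23: Flags [P.], seq 5:9
10:01:09.000 IP laptop-d.example.org.50001 > hpc-login.example.org.22: Flags [P.], seq 1:30
10:01:11.000 IP laptop-a.example.org.51300 > mail.example.org.143: Flags [P.], seq 1:40
"""

if __name__ == "__main__":
    found = find_cleartext_sessions(SAMPLE.splitlines())
    for f in found:
        print(f"{f['client']} -> {f['server']} ({f['service']}): move to {f['replace_with']}")
    print(dict(summarize(found)))
```

On the constructed sample this reports three cleartext pairs (one POP3, one IMAP, one telnet) and ignores the IMAPS and SSH sessions; the repeated telnet packets collapse to a single finding. In practice the same logic runs over flow records or a capture taken at the site's uplink, and the output is a list of users to contact rather than anything about their passwords.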
Final Comments

User Awareness / Education
– security of wireless
– basic connection to VPN
Security Enterprise Service
– simplify techno-jargon
– simplify the procedures

"The problem of secure computing in an open environment with many users is unsolved, and it appears to be quite hard. The best we can hope for is gradual mitigation, converging on a safer world."
Bill Cheswick