Cybersecurity Summit 2004: Conclusions and Recommendations
Tom Bettge and Ginger Caldwell, Scientific Computing Division, National Center for Atmospheric Research, Boulder, CO USA
23 March 2005


TRANSCRIPT

Page 1: Cybersecurity Summit 2004: Conclusions and Recommendations Tom Bettge and Ginger Caldwell Scientific Computing Division National Center for Atmospheric

Supercomputing • Communications • Data

NCAR Scientific Computing Division

Cybersecurity Summit 2004: Conclusions and Recommendations

Tom Bettge and Ginger Caldwell
Scientific Computing Division
National Center for Atmospheric Research
Boulder, CO USA

23 March 2005

Page 2:

Overview

Motivation for Cybersecurity Summit 2004 (CSS 2004)
– Unauthorized and unprecedented intrusion into numerous university and federally funded research computer systems
– FBI Case 216
– NSF's concern about cybersecurity for projects and facilities

By invitation only
– 120 participants
– Systems and security professionals
– Center management
– End users

…in a confidential setting.

Page 3:

Goals of CSS 2004

Share information on Case 216
Explore needs of maintaining open, collaborative research environment while protecting the integrity of computing assets
Develop and/or enhance communication via trust relations
Develop secure computing environments while evaluating the impact on researchers, the computers, and the network
Discuss different needs/requirements between centers

Page 4:

Program Committee

Tom Bettge, Chair – NCAR
RuthAnne Bevier – California Institute of Technology
Ginger Caldwell – NCAR
Walter Dykas – Oak Ridge National Laboratory
Victor Hazlewood – SDSC
Chris Hempel – Texas Advanced Computer Center
Jim Marsteller – PSC
Marla Meehl – NCAR
George Strawn – NSF
John Towns – NCSA
Howard Walter – National Energy Research Scientific Computer Center

Page 5:

Attendance by Agency/Job Duty

Figure 1. Attendee Distribution by Agency (categories: University/NSF, DOE, Military, NASA, Other)

Figure 2. Attendee Distribution by Position/Duty (categories: Systems Admin, Management, End Users)

Page 6:

Attendance from Geographic Region

Page 7:

CSS 2004 Breakout Group Topics

User Policies/Education
System Admin Policies/Education
Network Based Intrusion Detection
Host Based Intrusion Detection
Grid Security

Page 8:

CSS 2004 Common Themes

Incident Response
Training and Education
Security Planning
Future Meetings

Page 9:

Incident Response Conclusions

Widespread nature caused by collaborative relationships, yet communication between labs was deficient

Trust relationships between labs/centers were weak
– Timely response was inhibited by easily determined, trusted contacts

Responses to intrusion events must be coordinated

Page 10:

Incident Response Recommendations

For incident reporting and tracking, a contact model is needed to bring multi-agency security teams together

Site: Security starts at home… local sites need to establish an incident response link on the web for incident reporting

Site: Create an incident response plan as part of a comprehensive security policy:
– Procedure to notify users/customers
– Procedure for notifying peer sites
– Define protocol for alerting legal authorities
– Instructions on public relations issues

Page 11:

Training and Education Conclusions

Users
– passwords are weak
– understanding of risks and protection is poor

Systems administrators' understanding of security is only slightly better than users'

Intrusion events usually exploit known and patchable vulnerabilities, and could be prevented

Education needed by systems administrators, users, and center management

Page 12:

Training and Education Recommendations

Case 216 can/should be used to heighten awareness and foster acceptance of the need for education

NSF should explore, in conjunction with its community, methods to provide security training in an efficient and cost-effective manner.

Site: Develop a comprehensive security plan:
– security education
– strong security policies and enforcement mechanisms that sufficiently gain the attention of all personnel
– develop plan in collaboration with peer centers

Page 13:

Security Planning Conclusions

Current security activities are primarily reactive

Planning should begin at system design and installation

Case 216 revealed need for better intrusion monitoring and logging
– need effective and efficient forensic analysis
– automated!

Grid amplifies existing security issues, rather than creating new ones
– e.g., local sites likely to strengthen firewalls

Page 14:

Security Planning Recommendations

NSF should impose security requirements on grant awards
– include a security plan and a security budget

NSF should fund a study to investigate user-friendly replacements for passwords
– be careful about One Time Passwords (OTP)

NSF should increase support (find balance?) for security tool development
– automated security tool development

Community should build cooperative relationships with firewall/router vendors to address common needs

Page 15:

Future Meetings

Face-to-face meetings of security professionals, users, management, and agency program managers are valuable and should continue.
– …not incident based!

NSF and other agencies should sponsor an annual event to provide a forum for establishing and maintaining trust infrastructure.

…but avoid duplication with existing forums!

Page 16:

From a CSS Participant

Near the end of the second day in DC, it occurred to me that, hey, here's a room full of security-minded people, so I bet we're batting close to (if not at) 100% in the non-sniffability game. So I fired up a copy of tcpdump just to check ...

There were numerous unencrypted connections to pop and imap and smtp servers…..perhaps they were using PGP-encryption…….even so, I've got {hostname, username, password} information that quite a few people used to identify themselves to their mail servers.

Page 17:

…and it gets worse

But wait, it gets a lot worse. There were three telnet sessions active; one was to a host at a supercomputing center, and one of the others was to a machine in the army.mil domain!

If we, individuals with an expressed interest in computer security, can't get it right -- 100% right -- how can we possibly expect Joe User to?
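A defender's version of the check the participant describes, as an added example that is not from the slides or the summit: it audits constructed client lines from mail and telnet sessions and reports which logins crossed the wire unencrypted, exempting sessions that negotiated STARTTLS/STLS first and never retaining the secret itself. The port mapping, regexes and sample records are assumptions.

```python
import re
# Ports the summit anecdote saw logins cross in the clear (constructed mapping).
CLEARTEXT_PORTS = {23: "telnet", 25: "smtp", 110: "pop3", 143: "imap"}
# Client commands that put a credential on the wire. Only the account name is
# captured; the secret is matched so the line is recognised but never stored.
CREDENTIAL_RE = {
    "pop3": re.compile(r"^(USER\s+(\S+)|PASS\s+\S+)$", re.I),
    "imap": re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+.+$", re.I),
    "smtp": re.compile(r"^AUTH\s+(PLAIN|LOGIN)\b", re.I),  # base64 is not encryption
}
# STARTTLS (SMTP/IMAP) or STLS (POP3) issued before the login moves it into TLS.
STARTTLS_RE = re.compile(r"^(\S+\s+)?(STARTTLS|STLS)$", re.I)


def audit_sessions(records):
    """records: (session_id, dst_port, client_line) tuples in capture order.
    Returns {session_id: {"proto", "account"}} for each session whose login
    crossed the wire unencrypted; STARTTLS/STLS before the login exempts it."""
    sessions = {}
    for sid, port, line in records:
        proto = CLEARTEXT_PORTS.get(port)
        if proto is None:
            continue  # 993/995/465/22 and the like are encrypted from byte one
        s = sessions.setdefault(sid, {"proto": proto, "account": None,
                                      "tls": False, "exposed": False})
        line = line.strip()
        if s["tls"]:
            continue  # in a real capture these bytes would be ciphertext
        if STARTTLS_RE.match(line):
            s["tls"] = True
        elif proto == "telnet":
            s["exposed"] = True  # every keystroke, password included, is plaintext
        else:
            m = CREDENTIAL_RE[proto].match(line)
            if m and proto == "pop3" and m.group(2):
                s["account"] = m.group(2)  # USER <name>; the PASS line follows
            elif m:
                s["exposed"] = True
                if proto == "imap":
                    s["account"] = m.group(1)
    return {sid: {"proto": s["proto"], "account": s["account"]}
            for sid, s in sessions.items() if s["exposed"]}

SAMPLE = [  # constructed client lines standing in for a decoded capture
    ("A", 110, "USER alice"), ("A", 110, "PASS hunter2"),
    ("B", 143, "a001 LOGIN bob s3cret"),
    ("C", 110, "STLS"), ("C", 110, "USER carol"), ("C", 110, "PASS x"),
    ("D", 25, "EHLO laptop"), ("D", 25, "AUTH PLAIN AGRhdmUAcHcxMjM="),
    ("E", 23, "eve"),                  # username typed at a telnet login prompt
    ("F", 993, "f01 LOGIN frank pw"),  # IMAPS: a sniffer sees only ciphertext
]
```

Running `audit_sessions(SAMPLE)` flags sessions A, B, D and E; C is exempt because STLS preceded its USER/PASS, and F never appears because IMAPS is encrypted from the first byte.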

Page 18:

Final Comments

User Awareness / Education
– security of wireless
– basic connection to VPN

Security Enterprise Service
– simplify techno-jargon
– simplify the procedures

"The problem of secure computing in an open environment with many users is unsolved, and it appears to be quite hard. The best we can hope for is gradual mitigation, converging on a safer world."

Bill Cheswick

Page 19:

End