EGI-CSIRT Face2Face meeting in Prague

Europe/Amsterdam
Prague


Description
For logistics and video information see the EGI CSIRT private wiki. Timings and even the order of topics may change.
    • Procedures: Intro

      Agenda

      • 1
        Intro / Agenda
        Speaker: Dr Sven Gabriel (NIKHEF)
    • Procedures: Risk-Assessment

      Agenda

      Convener: Linda Cornwall (STFC)
      • 2
        EGI Security Threat Risk Assessment
        Security requirements and risk assessment for new services, technology, and deployments. The new developments and evolving usage scenarios in EGI-Engage will involve trust models different from the core infrastructure used in EGI-InSPIRE. The task will ensure that the security requirements and the trust model are defined. Any security problems will be addressed and risk assessment associated with new deployments will be developed, to drive operational security in the evolved environment, to keep services secure and available and to mitigate the serious risks.
        Speaker: Linda Cornwall (STFC)
    • 15:00
      Coffee
    • Procedures: IPv6 Security

      Agenda

      Convener: David Kelsey (STFC)
      • 3
        IPv6 Security
        Speaker: David Kelsey (STFC)
        Slides
    • Procedures: Policies/Procedures

      Agenda

      Conveners: David Kelsey (STFC), Vincent Brillault (CERN)
      • 4
        Security Policy update and issues
        Develop a new trust framework and develop new policies. In collaboration with other infrastructures, we will define new additions to a new policy framework to handle the new deployment and usage scenarios as they evolve in EGI-Engage.
        Speaker: David Kelsey (STFC)
        document
        Slides
      • 5
        Security procedures updates
        The evolution of operational security procedures, including forensics. Refine and extend the current security procedures and tools for incident response and forensics, for example: to take into account new kinds of players (e.g. cloud resource providers), or to extend the emergency suspension mechanism to cover new kinds of services. The security procedures related to other EGI operational procedures will also be modified as required.
        Speaker: Vincent Brillault (CERN)
    • 17:30
      More Coffee
    • AAI

      In collaboration with JRA1.1 the task will validate the architecture assumptions through testing in partnership with user communities under realistic production conditions and provide support on AAI security issues in close coordination with the EGI CSIRT and SVG. The task will provide recommendations on how best to sustain this important activity beyond the end of EGI-Engage.

      presentation approx 30 min
      Evolution of the Trust Fabric
      CI Logon pilot
      
      Convener: David Groep (NIKHEF)
    • Procedures: development towards Fedcloud

      Agenda

      Convener: Vincent Brillault (CERN)
    • CESNET guests: RTIR
      Convener: Michal Stava (CESNET)
      • 6
        RT-IR Status
        Speaker: Michal Stava (CESNET)
        Slides
      • 7
        Masstickets
        How to go about this? Possible goal: be able to grab a list of all EGI-Critical vuln hosts out of Pakiti, drop it into a script, and presto, the script creates a ticket per site. Reasonable? There would be some prereqs:
        * As reference, there must be a unified URL format, ideally something like https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/CVE-XXXX-YYYY. (I'd actually like to have the ability to find a given advisory by CVE number anyway.)
        * A sensible general ticket template must be defined.
        * The massmail script needs to be pimped a bit.
        Speaker: Mr Tobias Dussa (KIT-CERT)
      • 8
        RT-IR in IRTF, usage
        RT-IR usage in IRTF, discussion with maintainer: what do we want to do with RT-IR, how can this be done with RT-IR, what is needed / who does it
        Speaker: Vincent Brillault (CERN)
    • 10:30
      coffee
    • CESNET guests: EGI Fedcloud & security
      Convener: Boris Parak (CESNET)
      • 9
        User/VM Management in FedCloud
        Speaker: Boris Parak (CESNET)
        Slides
      • 10
        Integration to IRTF
        Speaker: Vincent Brillault (CERN)
      • 11
        VM Management/SSC
        Needed bits for SSC-FC VM Management: Start/Stop/Contextualisation. How to get the SSC Payload into the VMs. What would be needed to control it from SSC-Monitor.
        Speaker: Dr Sven Gabriel (NIKHEF)
    • 12:30
      Lunch
    • SSC-FC: FedCloud SSC

      Develop the security challenge framework
      Experience from EGI-InSPIRE has shown that performing security service challenges on the operational infrastructure
      is useful to confirm that there is sufficient audit information for traceability of any incident, that procedures and tools are
      sufficient and that participants are trained and aware of the need to participate in incident response. The framework for
      these security challenges will be modified and extended to meet the evolving scenarios.
      Develop the software vulnerability handling process to adapt to new technology and deployments
      Software vulnerability issues in the EGI core infrastructure have been handled through a close relationship with
      the technology providers, many of whom supply members of the Software Vulnerability Group (SVG). The general
      principles will remain, including the assessment of risks and the issuing of advisories. In the evolving scenarios of
      EGI-Engage there are, however, likely to be different types of relationship with the technology providers, especially when
      this does not involve membership of SVG. The procedures and methods for handling vulnerabilities in EGI-Engage
      will evolve accordingly.

       FedCloud SSC
          presentation Status 15 min.
          discussion
      

      expected outcome:

      next steps
      wps (who does what)
      timeline
      
      
      Communication channel SSCs (who coordinates this?)
          NGI RT-IR: We should use bulk ticket creation for that
              Presentation: Status tools / how we did this in the past / summary earlier results 
          Site-Security Telephone numbers check Per NGI
              Preparation: compile checklist / like where do we end up, does the person picking up the phone know what we are talking about
      

      expected outcome:

      status report of the quality of our communication channels (mail/phone)
      present at OMB?
      
      Convener: Dr Sven Gabriel (NIKHEF)
    • Sec-Mon: Security Monitoring

      Status/Plans for Security Monitoring/Dashboard

      Convener: Daniel Kouril (CESNET)
      slides
    • 16:00
      More Coffee
    • IRTF

      VB Long term future for IRTF
      VB Site/NGI self re-assessment: what to do ?

      Keeping in line with WLCG? See https://indico.cern.ch/event/394776/contribution/5/attachments/1210829/1766015/201601_Wartel_GDB.pdf Main ideas:

      Officially assume forensics (provided with logs & image) for sites that can't do it
      Work with Operations (e.g. give them most of the Pakiti vuln tracking: our expertise is not really needed here)
      

      VB Wiki cleaning

      Split areas and make action points to clean pages or at least list outdated pages
      To be checked:
          https://wiki.egi.eu/csirt/index.php/Pending_actions
      
      Convener: Vincent Brillault (CERN)
    • RolePlayTraining: Distribute work

      Status? presentation (SG)
      Overview: What exists (enisa/TRANSITS)
      Example Scenarios
      Identify scenarios for particular events (Taipei/EGI Tech Forum/? /?)
      Identify Coordinators for the scenarios

      REM: Coordinator Task: Make sure all materials (scenario/docu) are available, this could be something like: incident-handling-during-an-attack-on-critical-information-infrastructure

      Convener: Dr Sven Gabriel (NIKHEF)
      • 09:00
        Coffee
    • 10:30
      Coffee
    • SA1-2: Planning
      • Next meeting (April A'Dam?, colocated with EGI Event 6/7 April, see below)
      • Tiziana asks for feedback on what we can/want to provide for:
        https://docs.google.com/spreadsheets/d/1Jbf-MsuiHjy5EK0Z-ncspMvZjyTzAIQR_tenksEmRNI/edit#gid=1816686725
      • we can provide presentations (first Day)
      • Trainings before the meeting
      • only limited options for parallel sessions
      • F2F meeting on 4/5?
      Convener: David Kelsey (STFC)