EGI CSIRT team monthly meeting
Thursday, 17 March 2011 - 14:00
14:00
Minutes Review
14:00 - 14:05
Last meeting minutes: https://wiki.egi.eu/csirt/index.php/Monthly_Meeting_Minutes_17-02-2011
- Any questions/comments on the minutes?
- Minutes taker - DC of the week or the backup

Minutes template was updated to include action items: https://wiki.egi.eu/csirt/index.php/Minutes_Template
Please upload minutes to: https://wiki.egi.eu/csirt/index.php/EGI_CSIRT_monthly_meeting#Monthly_Meeting_Minutes
14:05
Procedures Update
14:05 - 14:20
EGI CSIRT ToR: https://documents.egi.eu/document/385
Ready for approval

1) EGI-CSIRT Critical Vulnerability Handling Procedure is approved by OMB
https://documents.egi.eu/secure/ShowDocument?docid=283
It will be on the EGI operations wiki as well: https://wiki.egi.eu/wiki/Operational_Procedures (not online yet)
-- EGI CSIRT will suspend the site instead of COD
-- The suspended site will inform ROD when it is back in the production infrastructure; CSIRT will be informed by ROD as well
-- The GOCDB developer will implement a solution to grant suspension permission and also log any change being made (who, when and which site etc.)
-- 3 CSIRT members should be granted such permission
Discussion: How to automate the above procedure with RTIR?

2) Critical Vulnerability Handling Procedure (Joint CSIRT/SVG) (Word Doc)
Joint SVG and CSIRT process to handle critical vulnerabilities.
https://documents.egi.eu/secure/ShowDocument?docid=282
Primary author: Linda
Primary reviewer: Leif
Any comments since the last team meeting?

3) On CSIRT (only CSIRT can read) Wiki - Handling Critical Vulnerabilities.
This includes more details on use of CSIRT RT etc.

Decision on 2&3?
14:20
Group activities update, plans and objectives for 2011
14:20 - 14:50
IRTF
====
Ongoing security incident
* Grid-Sec 001 update 19
* EGI-20110301-01 Incident Detected at AUVERGRID

Toby updated EGI IR Site Checklist
Leif updated EGI IR flowchart, done, thanks Leif
Wiki page update: https://wiki.egi.eu/wiki/EGI_CSIRT:Incident_reporting

Operational procedure development
-- https://wiki.egi.eu/csirt/index.php/Security_Officer_on_Duty_tasks
Quote from David: "As someone working in the WET/WEST timezone (like the UK and Portugal) I find the Monday morning 09:30 CET/CEST deadline for publishing the agenda for the IRTF meeting to be tricky, as I often don't get to the office until after 10:00 CET/CEST. The alternative is to publish something on Friday before leaving for the weekend"
-- https://wiki.egi.eu/csirt/index.php/Handling_critical_vulnerabilities, probably broken?
Example: https://rt.egi.eu/rt/Ticket/ShowEmailRecord.html?id=1479&Transaction=53095&Attachment=14227
vs. https://rt.egi.eu/rt/Ticket/ShowEmailRecord.html?id=1389&Transaction=50840&Attachment=13364

RTIR in operation?

Security monitoring
===================
Update:
Security dashboard and integration
Pakiti and Nagios development

Security drill
==============
Progress of SSC4 development work
Preparation for SSC4 NGI run - Spanish NGI, when to start?
Progress of SSC cross NGIs
Other development work?

Security training & dissemination
=================================
= internal wiki
Good progress has been made, any comments? Header on each page?
Latest news of the wiki is at: https://wiki.egi.eu/csirt/index.php/Main_Page

This month's news:
16th March 2011:
- Site IR checklist available. See Incident reporting or Policies page on the public wiki.
10th March 2011:
- New NGI security contact added: David Durvaux from Belnet. See Team members and internal procedures.
9th March 2011:
- Creation of a page which provides a list of Security Officer on Duty tasks.
- Update of Handling critical vulnerabilities procedure.
7th March 2011:
- F2F April 2011 at Karlsruhe: registration and information page is now online. See EGI-CSIRT Face 2 Face Meeting April 2011.
- Next IRTF DC rota (from 28/03/2011 to 13/06/2011), creation of the related Availability for DC role page.
4th March 2011:
- Information about past security incidents is now online. See updates from Incident Response TF.
21st February 2011:
- Update of the procedure for handling critical vulnerabilities. See Handling critical vulnerabilities.

= public wiki
Any comments/suggestions since the last meeting?

=== security training of the EGI TF
Proposal for an agenda:
* A 2-session security tutorial: operational procedures and middleware.
* Operational security procedures session:
- incident workflow and forensic tools.
- advanced Pakiti tutorial: What configuration if you want to monitor all hosts of the site?
- dealing with scalability issues.
- using the security challenge framework.
Are the task leaders for IRTF, monitoring, sec drills happy to find trainers for these talks?
* Middleware security session:
- EMI security architecture
- advanced security tutorial for CREAM CE.
- setting up Argus server
- ?
14:50
RTIR update - Carlos
14:50 - 15:00
Current status?

RTIR for EGI CSIRT, ready for test?
- Progress of integrating monitoring tool?
- Progress of developing templates for communication?

RTIR for SSC
- Progress of developing interface between ticket-status and ssc-monitor?
- Progress of automated user-management monitoring (user ban status)?
- Progress of reworking the malware (stability, reporting, functionality); this is not necessarily needed for the NGI-Run but for Concerted run?
- Completion date?
- Any issue or problem?
- RTIR training at f2f meeting, any special need?
15:00
Next face to face meeting 6-7 April 2011 at KIT Germany
15:00 - 15:25
https://egi-csirt.scc.kit.edu/
List of participants: https://egi-csirt.scc.kit.edu/58.php
Please register as soon as possible!
Arrive at 9:00 and start at 9:30 on 6th April; will finish no later than 15:30 on 7th April
* Trust building dinner 6th April, at the cost of individual, about 30 Euro per person, feel free to express your interest when registering

The preliminary agenda
======================
- Risk assessment and discussion
- Procedure development
* MS412 Operational Security Procedures
* CSIRT ToR
* Critical Vulnerability Handling procedure
- CSIRT best practices
- Trusted Introducer status update (https://www.trusted-introducer.org/teams/teams-e.html#EGEE-OSCT)
- RTIR hands on training (2 hours)
- Review and discuss 2011-EGI-sa1-roadmap https://documents.egi.eu/public/RetrieveFile?docid=344&version=1&filename=2011-EGI-sa1-roadmap-v1.0.pdf

Group activities update and forward planning (1.5 hour per group)
• Achievement, issue and ongoing work
• Plan for the coming 6 months
• Discussion
- IRTF
- Security Drill
- Security Monitoring
- Security Training

Suggestions? Others who might be interested and should be invited?
15:25
AOB
15:25 - 15:30
Next monthly meeting: Face to Face meeting at KIT Germany 6-7 April 2011
21-25 March, ISGC2011 conference in Taiwan