EGI CSIRT team monthly meeting

Thursday 17 Mar 2011, 14:00 → 15:30 Europe/Amsterdam

EVO - EGI CSIRT meeting

Mingchao Ma (STFC - RAL)

A monthly team meeting to discuss team activities and issues It will be on EVO (http://evo.caltech.edu/evoGate/). Meeting can be found in EGI community, please search EVO meeting with keyword "EGI CSIRT" Access information can be found at: https://wiki.egi.eu/csirt/index.php/EGI_CSIRT_monthly_meeting EVO Phone Bridge Telephone Numbers: --------------- - USA (Caltech, Pasadena, CA) +1 626 395 2112 - Switzerland (CERN, Geneva) +41 22 76 71400 - Slovakia (UPJS, Kosice) +421 55 234 2420 - Italy (INFN, several cities) http://server10.infn.it/video/index.php?page=telephone_numbers Enter '4000' to access the EVO bridge - Germany (DESY, Hamburg) +49 40 8998 1340 - USA (BNL, Upton, NY) +1 631 344 6100 - United Kingdom (University of Manchester) +44 161 306 6802 - Australia (ARCS) +61 Adelaide 08 8463 1011 Brisbane 07 3139 0705 Canberra 02 6112 8742 Hobart 03 623 70281 Melbourne 03 8685 8362 Perth 08 6461 6718 Sydney 02 8212 4591 - Netherlands (Nikhef, Amsterdam) +31 20 7165293 Dial '2' at the prompt - Canada (TRIUMF, Vancouver) +1 604 222 7700 - Czech Republic (CESNET, Prague) +420 95 007 2386 - USA (MIT, Cambridge, MA) +1 617 715 4691 - France (RAP, Paris) +33 144 27 81 50

14:00 → 14:05 Minutes Review

Last meeting minutes: https://wiki.egi.eu/csirt/index.php/Monthly_Meeting_Minutes_17-02-2011 - Any question/comment on the minutes? - Minutes taker - DC of the week or the backup Minutes template was updated to include action items https://wiki.egi.eu/csirt/index.php/Minutes_Template Please upload minutes to: https://wiki.egi.eu/csirt/index.php/EGI_CSIRT_monthly_meeting#Monthly_Meeting_Minutes

14:05 → 14:20 Procedures Update

EGI CSIRT ToR: https://documents.egi.eu/document/385 Ready for approval 1. EGI-CSIRT Critical Vulnerability Handling Procedure is approved by OMB https://documents.egi.eu/secure/ShowDocument?docid=283 It will be on EGI operation wiki as well https://wiki.egi.eu/wiki/Operational_Procedures (not online yet) -- EGI CSIRT will suspend site instead of COD -- Suspended site will inform ROD when back to production infrastructure, CSIRT will be informed by ROD as well -- GOCDB developer will implement a solution to grant suspension permission and also log any change being made (who, when and which site etc.) -- 3 CSIRT members should be granted such permission Discussion: How to automate above procedure with RTIR? 2) Critical Vulnerability Handling Procedure (Joint CSIRT/SVG) (Word Doc) Joint SVG and CSIRT process to handle critical vulnerabilities. https://documents.egi.eu/secure/ShowDocument?docid=282 Primary author: Linda Primary reviewer: Leif Any comment since last team meeting? 3) On CSIRT (only CSIRT can read) Wiki - Handling Critical Vulnerabilities. This includes more details on use of CSIRT RT etc. Decision on 2&3?

14:20 → 14:50 Group activities update, plans and objectives for 2011

IRTF ==== Ongoing security incident *Grid-Sec 001 update 19 *EGI-20110301-01 Incident Detected at AUVERGRID Toby updated EGI IR Site Checklist Leif updated EGI IR flowchar down, thank Leif Wiki page update: https://wiki.egi.eu/wiki/EGI_CSIRT:Incident_reporting operational procedure development --https://wiki.egi.eu/csirt/index.php/Security_Officer_on_Duty_tasks Quote from David "As someone working in the WET/WEST timezone (like the UK and Portugal) I find the Monday morning 09:30 CET/CEST deadline for publishing the agenda for the IRTF meeting to be tricky, as I often don't get to the office until after 10:00 CET/CEST. The alternative is to publish something on Friday before leaving for the weekend" -- https://wiki.egi.eu/csirt/index.php/Handling_critical_vulnerabilities, probably broken? Example: https://rt.egi.eu/rt/Ticket/ShowEmailRecord.html?id=1479&Transaction=53095&Attachment=14227 vs. https://rt.egi.eu/rt/Ticket/ShowEmailRecord.html?id=1389&Transaction=50840&Attachment=13364 RTIR in operation? Security monitoring =================== Update: Security dashboard and integration Pakit and Nagios development Security drill ============== progress of SSC4 development work preparation for SSC4 NGI run - Spanish NGI, when to start? progress of SSC cross NGIs Other development work? Security training & dissemination ================================= = internal wiki Good progress have been made, any comment? header on each page? Latests news of the wiki are at: https://wiki.egi.eu/csirt/index.php/Main_Page This month news: 16th march 2011: - Site IR checklist available. See Incident reporting or Policies page on the public wiki. 10th march 2011: - New NGI security contact added: David Durvaux from Belnet. see Team members and internal procedures . 9th march 2011: - Creation of a page which provide a list of Security Officer on Duty tasks. - Update of Handling critical vulnerabilities procedure. 7th march 2011: - F2F april 2011 at Karlsruhe: registration and information page is now online. See EGI-CSIRT Face 2 Face Meeting April 2011. - Next IRTF DC rota ( from 28/03/2011 to 13/06/2011), creation of the related Avaibility for DC role page. 4th march 2011: - Informations about past security incidents are now online. See updates from Incident Response TF. 21st february 2011: - Update of the procedure for handling critical vulnerabilities. See Handling critical vulnerabilities. = public wiki Any comment/suggestion since last meeting? === security training of the EGI TF Proposal for an agenda: * A 2 sessions security tutorial: operational procedures and middleware. * operational security procedures session: - incident workflow and forensic tools. - advanced pakiti tutorial: What configuration if you want to monitor all hosts of the site? - dealing with scalability issues. - using the security challenge framework. Are task leader for irtf, monitoring, sec drills happy to find trainers for these talks ? * middleware security session: - EMI security architecture - advanced security tutorial for cream ce. - setting up argus server - ?

14:50 → 15:00 RTIR update - Carlos

Current status? RTIR for EGI CSIRT, ready for test? - Progress of integrating monitoring tool? - Progress of developing templates for communication? RTIR for SSC - Progress of developing interface between ticket-status and ssc-monitor? - Progress of automated user-management monitoring (user ban status)? - Progress of reworking the malware (stability, reporting, functionality) this is not necessarily needed for the NGI-Run but for Concerted run? - Complete date? - Any issue or problem? - RTIR training at f2f meeting, any special need?

15:00 → 15:25 Next face to face meeting 6-7 April 2011 at KIT Germany

https://egi-csirt.scc.kit.edu/ List of participants: https://egi-csirt.scc.kit.edu/58.php Please register as soon as possible! Arrive at 9:00 and start at 9:30 on 6th April and will finish no later than 15:30 on 7th April * Trust building dinner 6th April, at the cost of individual, about 30 Euro per person, feel free to express your interest when register the preliminary agenda ====================== - Risk assessment and discussion - Procedure development * MS412 Operational Security Procedures * CSIRT ToR * Critical Vulnerability Handling procedure - CSIRT best practices - Trusted Introducer status update (https://www.trusted-introducer.org/teams/teams-e.html#EGEE-OSCT) - RTIR hands on training (2 hours) - Review and discuss 2011-EGI-sa1-roadmap https://documents.egi.eu/public/RetrieveFile?docid=344&version=1&filename=2011-EGI-sa1-roadmap-v1.0.pdf Group activities update and forward planning (1.5 hour per group) • Achievement, issue and ongoing work • Plan for the coming 6 months • Discussion - IRTF - Security Drill - Security Monitoring - Security Training Suggestions? Other might be interested and should be invitated?

15:25 → 15:30 AOB

Next monthly meeting: Face to Face meeting at KIT Germany 6-7 April 2011 21-25 March, ISGC2011 conference at Taiwan