Difference between revisions of "Security Duty"

From GridPP Wiki
(Security Duty tasks)
(24 intermediate revisions by 7 users not shown)
Line 1: Line 1:
 
== Purpose ==  
 
== Purpose ==  
  
This lists what the UK NGI Security team should do and what the person on UK security duty should do.
+
This provides guidance for the UK NGI Security team and what the person on UK security duty should do in the absence of the GridPP Security Officer.
  
 
UKNGI Security duty rota is at [[SD rota ]]
 
UKNGI Security duty rota is at [[SD rota ]]
  
Note that this is different from the EGI CSIRT rota duty, for which UK participation is suspended at present, until a UK person is available and up to speed.
+
Note that this is different from the EGI CSIRT rota duty.
  
 
== EGI meetings ==
 
== EGI meetings ==
  
NGI security team members are not currently expected to attend EGI security meetings as part of their team duties.
+
The GridPP Security Officer attends the EGI CSIRT and IRTF meetings. Other NGI security team members are not currently expected to attend EGI security meetings as part of their team duties.
  
 
== Security Duty tasks ==
 
== Security Duty tasks ==
  
* Respond to any e-mails to UKNGI-Security list which require a response.  If a UK site needs help which you do not have the knowledge to give ask the other UKNGI-Security members or CSIRT. Be particularly prepared to ask if sites need help dealing with incidents, Critical vulnerabilities, interpreting information from CSIRT sent to site security contacts.  
+
* Respond to any e-mails to UKNGI-Security list which require a response.  If a UK site needs help which you do not have the knowledge to give, ask the other UKNGI-Security members or CSIRT. Be particularly prepared to ask if sites need help dealing with incidents, critical vulnerabilities, or interpreting information sent from CSIRT to site security contacts.  
  
* Respond if a security incident is reported in the UKNGI. If this happens you will probably have a busy week!
+
* Respond if a security incident is reported in the UK NGI. If this happens you will probably have a busy week! See more information [https://www.gridpp.ac.uk/wiki/Report_Security_Incident here] about procedures for reporting and handling incidents.
  
* Take care to take note of anything that is going on in CSIRT, especially incidents that may affect UKNGI
+
* Take care to take note of anything that is going on in CSIRT, especially incidents that may affect UK NGI
 +
 
 +
* Report to Tuesday sites & operations meeting on Tuesday morning https://indico.cern.ch/category/4592/
 +
 
 +
* and update the live minutes for that meeting.
 +
 
 +
* Be aware of any interesting meetings or other information relevant to the UKNGI security team, and briefly inform the team.
  
 
== Dashboard checking ==
 
== Dashboard checking ==
  
When on duty check the [https://operations-portal.egi.eu/csiDashboard security dashboard]
+
When on duty check the [https://operations-portal.egi.eu/ROD#csi Security Dashboard]. This is now a separate panel on the same page as the ROD dashboard
  
At present (from May 2014), the above link is out of service, though expected to be replaced.  Other sources of monitoring information to check include:
+
Other sources of monitoring information to check include:
* [https://operations-portal.egi.eu/rodDashboard/ngi/NGI_UK/tab/sites/filter/operators/page/sites ROD Dashboard]
+
* [https://operations-portal.egi.eu/ROD ROD Dashboard]
 
* [https://pakiti.egi.eu/ EGI Pakiti]
 
* [https://pakiti.egi.eu/ EGI Pakiti]
  
Any Critical Vulnerabilities from Pakiti are handled by EGI CSIRT duty person, not the UK duty.  
+
Critical Vulnerabilities from Pakiti are handled by EGI CSIRT duty person, and are not the UK duty responsibility. However, a polite "heads-up" to the site can sometimes be useful in avoiding a ticket (but check [https://www.gridpp.ac.uk/w/index.php?title=Security_Duty&action=submit#More_notes More Notes] below on timings).
 +
 
 +
Note that the [https://operations-portal.egi.eu/ROD#csi Security Dashboard] results are built by combining [https://pakiti.egi.eu/ EGI Pakiti] with additional, targeted EGI Nagios tests for in-place mitigation. The Security Dashboard actually fetches its results from EGI Nagios, not directly from the EGI Pakiti server. This means that machines reported as vulnerable by Pakiti may not appear on the Security Dashboard. The result is that the Security Dashboard is generally the authoritative source.
  
 
For UK NGI Vulnerabilities which are 'High' inform sites if they remain for a day. (These should show in Pakiti)
 
For UK NGI Vulnerabilities which are 'High' inform sites if they remain for a day. (These should show in Pakiti)
  
Similarly for Nagios. Note that Nagios errors reporting 'Critical' e.g. CRL, file permission etc are handled by us. These are not what are meant by critical vulnerabilities.   
+
Similarly for Nagios. Note that Nagios errors reporting 'Critical' e.g. CRL, file permission etc are handled by us. These are not what are meant by Critical Vulnerabilities.   
  
 
Find the CSIRT contact for the site in the [https://goc.egi.eu/ GOCDB], send e-mail to them, CC UKNGI-security
 
Find the CSIRT contact for the site in the [https://goc.egi.eu/ GOCDB], send e-mail to them, CC UKNGI-security
  
 
[[Security_Duty_Templates | Security Duty Templates]] may help you draft appropriate mails.
 
[[Security_Duty_Templates | Security Duty Templates]] may help you draft appropriate mails.
 
This Security checking may be carried out by the ops team at a later date. (For now its by us.)
 
 
[[Security_Dashboard_Notes | Security Dashboard Notes ]] may be used to help is track what we are doing.
 
  
 
== Handover report ==
 
== Handover report ==
  
On Friday, just before you go home, please provide a brief report on what has happened during your duty week to ukngi-security at cern.ch. Provide this report anyway, even if 'nothing to report'.
+
On Friday, just before you go home, please provide a brief report on what has happened during your duty week to ukngi-security at cern.ch. This will assist the GridPP Security Officer and/or the follow-on rota duty person in understanding what is going on. Provide this report anyway, even if 'nothing to report'.
 +
 
 +
Be prepared to give a brief summary of relevant information at the [https://indico.cern.ch/category/4806/ UK Security Team meetings] if appropriate.
  
 
== More notes ==
 
== More notes ==
  
Most information and e-mail forwarding to CSIRT addresses should be sent well within office hours, many of the csirt lists set off alarms to on-call site security people.
+
Emails to CSIRT lists may set off alarms to on-call site security teams so communications should be sent well within office hours unless it is urgent and should not be left until the next working day.
  
Examples of what may be sent at any time:
+
Examples of what may be sent at any time and should not be left until the next working day (but always keep EGI CSIRT informed):
* Information on incidents which the site may be involved in
+
* Updates to ongoing incidents which the site may be involved in.
* Advisories on Critical vulnerabilities
+
* Advisories on Critical vulnerabilities which are known to be being aggressively exploited.
* Anything that can't wait until next working day
+
  
 
Examples of what should be sent during office hours
 
Examples of what should be sent during office hours
 
* Advisories less than 'Critical'
 
* Advisories less than 'Critical'
 
* Information on ongoing incidents which don't require immediate response.
 
* Information on ongoing incidents which don't require immediate response.
* reports on incidents
 
* Everything if possible
 
  
Responses to individuals may obviously be sent as you wish.  
+
Emails to individuals may obviously be sent as you wish.  
  
CC anything appropriate to UKNGI-Security. Include at the top who or what lists anything is forwarded too, as Jiscmail hides this information and it is not possible to configure a jiscmail list to show this.  
+
Always CC anything appropriate to UKNGI-Security.  
  
 
Common sense is an appropriate tool!
 
Common sense is an appropriate tool!
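Review bot: the "More Notes" cross-reference added in the Pakiti paragraph points at https://www.gridpp.ac.uk/w/index.php?title=Security_Duty&action=submit#More_notes, which is an edit-form (action=submit) URL rather than a link to the section, so a reader following it lands in the page editor; an internal section link such as [[#More_notes|More Notes]] would do the job. The new Tuesday meeting item also uses a bare https://indico.cern.ch/category/4592/ URL where the rest of the page uses bracketed [url text] links, and the two bullets "* Report to Tuesday sites & operations meeting on Tuesday morning ..." and "* and update the live minutes for that meeting." are halves of one sentence separated by blank lines; they read more clearly as a single bullet.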
Line 75: Line 78:
  
  
{{KeyDocs|responsible=Rob Harper|reviewdate=2014-06-10|accuratedate=2014-06-10|percentage=100}}
+
{{KeyDocs|responsible=David Crooks|reviewdate=2018-01-16|accuratedate=2018-01-16|percentage=90}}
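Review bot: the KeyDocs change lowers percentage from 100 to 90 without saying what is now considered missing; either note the gap on the page or keep the figure. Both reviewdate and accuratedate are set to 2018-01-16 while this revision is displayed as of 6 October 2020, so the dates should be refreshed whenever the content is revised rather than left at the date of the template edit.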

Revision as of 09:32, 6 October 2020

Purpose

This provides guidance for the UK NGI Security team and what the person on UK security duty should do in the absence of the GridPP Security Officer.

UKNGI Security duty rota is at SD rota

Note that this is different from the EGI CSIRT rota duty.

EGI meetings

The GridPP Security Officer attends the EGI CSIRT and IRTF meetings. Other NGI security team members are not currently expected to attend EGI security meetings as part of their team duties.

Security Duty tasks

  • Respond to any e-mails to UKNGI-Security list which require a response. If a UK site needs help which you do not have the knowledge to give, ask the other UKNGI-Security members or CSIRT. Be particularly prepared to ask if sites need help dealing with incidents, critical vulnerabilities, or interpreting information sent from CSIRT to site security contacts.
  • Respond if a security incident is reported in the UK NGI. If this happens you will probably have a busy week! See the Report Security Incident page (https://www.gridpp.ac.uk/wiki/Report_Security_Incident) for procedures for reporting and handling incidents.
  • Take care to take note of anything that is going on in CSIRT, especially incidents that may affect the UK NGI.
  • Report to the Tuesday sites & operations meeting on Tuesday morning (https://indico.cern.ch/category/4592/) and update the live minutes for that meeting.
  • Be aware of any interesting meetings or other information relevant to the UKNGI security team, and briefly inform the team.

Dashboard checking

When on duty, check the Security Dashboard (https://operations-portal.egi.eu/ROD#csi). This is now a separate panel on the same page as the ROD dashboard.

Other sources of monitoring information to check include:

  • ROD Dashboard (https://operations-portal.egi.eu/ROD)
  • EGI Pakiti (https://pakiti.egi.eu/)

Critical Vulnerabilities from Pakiti are handled by the EGI CSIRT duty person and are not the UK duty responsibility. However, a polite "heads-up" to the site can sometimes be useful in avoiding a ticket (but check More Notes below on timings).

Note that the Security Dashboard results are built by combining EGI Pakiti with additional, targeted EGI Nagios tests for in-place mitigation. The Security Dashboard actually fetches its results from EGI Nagios, not directly from the EGI Pakiti server. This means that machines reported as vulnerable by Pakiti may not appear on the Security Dashboard. The result is that the Security Dashboard is generally the authoritative source.

For UK NGI vulnerabilities rated 'High', inform the site if they remain unfixed for a day. (These should show in Pakiti.)

Similarly for Nagios. Note that Nagios errors reporting 'Critical', e.g. CRL or file permission problems, are handled by us. These are not what is meant by Critical Vulnerabilities.

Find the CSIRT contact for the site in the GOCDB (https://goc.egi.eu/), send e-mail to them, and CC UKNGI-security.

Security Duty Templates may help you draft appropriate mails.

Handover report

On Friday, just before you go home, please provide a brief report on what has happened during your duty week to ukngi-security at cern.ch. This will assist the GridPP Security Officer and/or the follow-on rota duty person in understanding what is going on. Provide this report anyway, even if 'nothing to report'.

Be prepared to give a brief summary of relevant information at the UK Security Team meetings if appropriate.

More notes

Emails to CSIRT lists may set off alarms for on-call site security teams, so communications should be sent well within office hours unless they are urgent and should not be left until the next working day.

Examples of what may be sent at any time and should not be left until the next working day (but always keep EGI CSIRT informed):

  • Updates to ongoing incidents which the site may be involved in.
  • Advisories on Critical vulnerabilities which are known to be under aggressive exploitation.

Examples of what should be sent during office hours:

  • Advisories less than 'Critical'
  • Information on ongoing incidents which don't require immediate response.

Emails to individuals may obviously be sent as you wish.

Always CC anything appropriate to UKNGI-Security.

Common sense is an appropriate tool!

Useful links

  • EGI CSIRT public wiki: CSIRT Public Wiki
  • EGI CSIRT private wiki: CSIRT Private Wiki
  • GridPP Wiki Security Information

This page is a Key Document, and is the responsibility of David Crooks. It was last reviewed on 2018-01-16 when it was considered to be 90% complete. It was last judged to be accurate on 2018-01-16.