TGQR 2010Q4 Report.pdf - Teragridforum.org
8.8 RP Operations: Security
During this quarter, TG RPs provided expert staff in support of local and TG-wide collaborative security. TG RP local security operations include intrusion detection, examining log data, investigating unusual use patterns, and incident response for all hardware and networks on a 24-hour on-call basis. All TG RP partners are required to participate in the TG-wide Security Working Group, which coordinates security operations and incident response across the project.

During this quarter there was an incident of a user losing control of his access credentials. This is not too unusual; the security working group and incident response teams respond to a handful of these each year. However, during this quarter it happened that TGCDB access was not available when this incident surfaced. It was noted that the absence of TGCDB access made connecting this user with his/her local username on each TeraGrid resource more difficult and consequently took more time. While this did not create a serious problem for TeraGrid, as this was a single-user compromise and exploitation of TeraGrid hosts was not aggressive, it did highlight that a TGCDB outage does have some impact on security incident handling capabilities for TeraGrid.
8.8.1 NCAR
NCAR was not directly involved in the multiple-account compromise security incidents in this quarter. Accounts for the affected users either had not been requested on NCAR resources or had been closed due to inactivity well before the incidents occurred. The prompt detection and response at other RPs prevented adversaries from compromising additional accounts that were active at NCAR. The ability of other RPs to share network connection details from adversary activity was crucial to ensuring that other accounts at NCAR were not also compromised.

NCAR's network monitoring system is operating at full capacity with Bro and Argus.
8.8.2 NCSA

The NCSA security team responded to five different incidents involving TeraGrid users or resources in the fourth quarter of 2010. All five of these incidents involved remotely compromised user accounts, and one of the five resulted in the intruders escalating to root privileges on a TeraGrid resource. Two of the compromised accounts were reported from remote sites; actions were taken to disable the accounts, and no malicious activity was discovered for those accounts. The other three incidents were detected with the current security monitoring done within NCSA, and we then notified other TeraGrid sites, who were able to take proactive mitigation steps. The downtime for the compromised machine was less than a day. NCSA worked with users in each incident to get their remote systems cleaned and access to NCSA re-enabled.

8.8.3 ORNL
During the fourth quarter of calendar 2010, there were no root compromises on the NSTG nodes. There were no users who lost control of their credentials from activities on NSTG machines. Accounts of TeraGrid users who were the victims of stolen credentials at other TeraGrid sites did not log on to NSTG machines during suspect periods. NSTG staff took timely action to identify and ensure deactivation of accounts of users whose credentials were stolen and of users whose credentials may have been exposed during a known incident.
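The cross-checks described in the NCAR and NSTG paragraphs above (matching shared adversary connection details and suspect periods against local logins) and the TGCDB dependency noted in the 8.8 introduction, as an added example written by the editor; this is not code from the report or from any TeraGrid RP. Indicators shared by another site (adversary source addresses, affected TeraGrid users, a suspect window) are matched against sshd-style accepted-login records, with a TGCDB-style mapping resolving TeraGrid users to local usernames. All hostnames, usernames, addresses, log lines and the mapping are constructed assumptions, and the `local_accounts`, `flag_logins` and `accounts_to_disable` function names are the editor's own.

```python
"""Cross-check local logins against indicators shared by another site.

Editor's example; not part of the TeraGrid report. Every hostname,
username, IP address, log line and mapping entry below is constructed.
"""
import re
from datetime import datetime, timezone

# Constructed stand-in for the TGCDB mapping: TeraGrid user -> local
# username per resource. The report notes that losing this mapping made
# tying a compromised TeraGrid user to local accounts slower.
TGCDB_MAP = {
    "tguser01": {"nstg-login": "jsmith", "ncar-fe": "smithj"},
    "tguser02": {"nstg-login": "alee"},
}

# Constructed indicators in the form another RP might share them.
SHARED_INDICATORS = {
    "adversary_ips": {"203.0.113.7", "198.51.100.24"},
    "affected_tg_users": {"tguser01"},
    "suspect_window": (
        datetime(2010, 11, 3, tzinfo=timezone.utc),
        datetime(2010, 11, 5, tzinfo=timezone.utc),
    ),
}

# Constructed sshd-style accepted-login lines, timestamps already in UTC.
LOCAL_LOG = """\
2010-11-02T08:14:01Z nstg-login sshd[4101]: Accepted publickey for alee from 192.0.2.10 port 50122 ssh2
2010-11-04T02:37:55Z nstg-login sshd[4210]: Accepted password for jsmith from 203.0.113.7 port 41337 ssh2
2010-11-04T19:02:12Z nstg-login sshd[4302]: Accepted password for bwong from 198.51.100.24 port 51010 ssh2
2010-11-04T21:15:40Z nstg-login sshd[4377]: Accepted password for jsmith from 192.0.2.44 port 40001 ssh2
2010-11-06T11:45:30Z nstg-login sshd[4455]: Accepted password for jsmith from 192.0.2.44 port 40002 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_logins(text):
    """Yield (timestamp, host, local_user, source_ip) for each accepted login."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not an accepted-login record; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["host"], m["user"], m["ip"]


def local_accounts(tg_users, host, tgcdb=TGCDB_MAP):
    """Resolve TeraGrid users to local usernames on `host`.

    Returns an empty set when the mapping is unavailable (tgcdb=None),
    which is the TGCDB-outage situation the report describes.
    """
    if tgcdb is None:
        return set()
    return {tgcdb[u][host] for u in tg_users if u in tgcdb and host in tgcdb[u]}


def flag_logins(log_text, indicators, tgcdb=TGCDB_MAP):
    """Return (reason, timestamp, host, user, ip) for every suspicious login.

    A login is flagged if it came from a shared adversary address, or if it
    belongs to an affected user's local account inside the suspect window.
    """
    start, end = indicators["suspect_window"]
    hits = []
    for ts, host, user, ip in parse_logins(log_text):
        watched = local_accounts(indicators["affected_tg_users"], host, tgcdb)
        if ip in indicators["adversary_ips"]:
            hits.append(("adversary-ip", ts, host, user, ip))
        elif user in watched and start <= ts <= end:
            hits.append(("affected-user-in-window", ts, host, user, ip))
    return hits


def accounts_to_disable(hits):
    """Local usernames that should be deactivated pending investigation."""
    return {user for _, _, _, user, _ in hits}


if __name__ == "__main__":
    for hit in flag_logins(LOCAL_LOG, SHARED_INDICATORS):
        print(*hit)
    print("disable:", sorted(accounts_to_disable(flag_logins(LOCAL_LOG, SHARED_INDICATORS))))
    print("hits without TGCDB:", len(flag_logins(LOCAL_LOG, SHARED_INDICATORS, tgcdb=None)))
```

With the mapping available the scan flags three logins: two from shared adversary addresses (one of them for an account the other site did not know about) and one for the affected user's local account inside the suspect window. With `tgcdb=None` only the address-based matches remain, which is the reduced coverage the report attributes to a TGCDB outage.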
During this period, the ORNL RP, along with all of the TeraGrid RPs, continued to participate in TeraGrid-wide security activities, including the security working group meetings and the weekly incident reporting calls.