Subject | Target group |
---|---|
Laws & Regulations (privacy, data protection, export) | Management, governance, admin, users |
Secure Software development | User, user coordinator, contractor |
System hardening | System admin, network engineering |
System operations | System admin, network engineering |
Monitoring and logging | System admin, network engineering, response teams |
Forensics | Response teams |
Incident response and analysis | Response teams |
Contingency planning and disaster recovery | Management, governance, admin, user coordinator, response team |
Organisation, roles, responsibilities (generic introduction) | All |
AAI process and procedures, FIM, SSO | System admin, user coordinator |
Systems design | Architect, network engineer |
IT security awareness for users | Users, user coordinator, all |
Developing and maintaining policies and procedures | Management, governance |
Applying policies and procedures | Architect, system admin, user coordinator |
System acquisition | Acquisition |
Decommissioning (data leakage prevention) | Admins, governance, user coordinator |
Risk management | Management, governance, response team, admin |
When setting up and operating an E-infrastructure you should know what laws and regulations you have to comply with. These will differ depending on the kind of data that is processed and possibly on the international partners. Management and governance need an overview of which rules and regulations apply; admins need to know what these laws and regulations mean for system configuration and operations. Example regulation subjects include (but are not limited to) data protection, non-proliferation, technology export, and law enforcement.
Users must be informed about applicable laws and regulations and what they mean for them.
Training within this group should focus on all aspects of software programming from the security point of view. It should include integrating security practices into the software development lifecycle and verifying the security of internally developed applications before they are deployed. This will help to mitigate risk from internal and external sources. Security practices which should be included are: design, construction, testing, release, and response.
One of the important steps in secure development is integrating testing tools and services into the software development lifecycle. The training could describe or train on tools that allow developers to model an application, scan the code, check the quality and ensure that it meets regulations. Furthermore, automated secure development testing tools that find and fix security issues could be elaborated.
Additionally, secure development trainings could be offered that certify experience in secure development.
See e.g.: http://www.sans.org/curricula/secure-software-development
Any system providing resources to the outside world is at risk of being hacked. Simple security tools such as local firewalls and virus scanners are often installed and used by default, but even with these security measures in place, computers are often still vulnerable to outside access. System hardening, also called operating system hardening, helps minimize these security vulnerabilities.
The trainings offered should provide detailed training on the tasks that eliminate as many security risks as possible. The trainings should include, for example, techniques to check for non-essential software programs that can be removed from the system, since they could provide "back-door" access to the system. Guest accounts should be closed, alternate boot devices disabled, only secure passwords allowed, remote root access disallowed, unauthorized access attempts monitored, etc.
Training should focus on providing secure services to the user community. This includes but is not limited to secure authentication and authorization practices, recognizing breaches, scanning for vulnerabilities, change management, patching, logging, intrusion detection, incident response, disaster recovery, and forensic practices.
The service lifecycle and the secure practices during each stage should be covered in depth. These stages include requirement gathering, technology investigation, development, testing, deployment, production operation and retirement. It should also cover transitioning between stages.
Monitoring and logging are the essential components that allow system events to be tracked in their historical order. Without monitoring you cannot be aware of events going on in your system. Finding suspicious system behaviour must ultimately lead to further investigation, which is normally possible only if extended logging has been done continuously.
The training should provide an overview of available monitoring and logging tools, central system logging, and techniques used to analyse the combined logs. Only centralized logging helps to combine system and network activities and give a comprehensive view of the overall attack.
Forensic analysts collect, preserve, and analyze digital evidence during the course of an investigation. Forensics includes but is not limited to system and user behaviour, file system content, communication patterns, etc. There are many techniques and tools available that can help to investigate suspicious activity within the system. The trainings should help system and network admins go about their day-to-day business with the confidence that they are armed against threats coming from the outside world.
Any outward-facing service provides a potential attack surface. Incidents should be expected by users, administrators and response teams. Proper response and analysis is critical to reduce continued risk. All levels of an E-Infrastructure should know exactly how to handle an incident. This starts with what to do with the service in question to preserve important forensic information, who to contact in the event of a breach or attack, how to limit unfavorable consequences, and how to notify the community of the incident. This also includes contacting collaborating E-Infrastructures to be sure they are not also affected by the breach or attack.
Training should focus on properly handling security events. As many projects are now multi-institutional and multinational, building trust and notification channels with collaborating E-Infrastructures should also be covered. Frameworks for incident processes (if/when to make public, when to close) and announcement procedures (who to contact, how to contact, etc.) should be discussed.
As infrastructures grow more complex, incidents and their causes can grow more complex and have more impact. E-infrastructures should prepare for recovery after major incidents that cause the temporary or permanent loss of critical parts of the infrastructure. As a part of the preparation there should be a crisis management organization and (at least) high-level recovery plans. For a successful recovery, documentation and data should be available through proper backup mechanisms. All recovery facilities, including backups, should be tested at regular intervals.
E-infrastructures should also look into prevention against complex incidents and take basic measures such as power backup, fire prevention and suppression systems, lightning protection and, where applicable, protection against natural disasters like earthquakes and floods.
High-level introduction to security concepts tailored to organizational goals. This would touch on many of the aspects of other subjects by defining them, offering examples, and increasing awareness of organizational policy related to information security. This training should not attempt to cover technical details which are covered in other subjects, but should give the user a sense of the importance of information security and cover any policy necessary for the user to meet organizational requirements. It should also prepare the trainee to deal with any security emergencies they may encounter and give them the background to make sound information security choices.
Setting up an overall authentication and authorization infrastructure is already a comprehensive task. Many processes have to be defined, set up and managed. Those processes become much more complicated when dealing with collaborative environments, where several partners with their own authentication systems, policies and procedures have to agree on common principles and procedures. Federated Identity Management (FIM) comes into play, and since users do not want to authenticate several times at different systems, a global single sign-on (SSO) solution would be preferable.
Trainings of different kinds could be offered, ranging from AAI in local organizations up to management platforms for collaborative environments. The training should investigate those areas and provide the participant with hands-on information on how to set up those AAI infrastructures.
This training should provide insight into secure system design concepts. These could include some, if not all, of the following concepts, as well as others important to the organization or stakeholders.
Reference: http://web.mit.edu/Saltzer/www/publications/protection/index.html
Many of the research results produced will be publicly available. But sensitive and confidential information pertaining to research, partners and employees is also worked on. If this information became public, there would be significant damage. So protecting this sensitive information is of the highest priority.
IT security has to identify the threats to such sensitive IT resources and determine appropriate technical and organizational measures to protect them.
Since attackers have begun to focus on the weakest link in the security chain, the person sitting at the keyboard, these people have to be trained accordingly.
Over 70% of successful attacks require the active cooperation of the user. Technical measures for IT security only work properly when employees and management use them appropriately and do not wittingly or unwittingly circumvent them.
The training should describe the most important rules, tips and tricks for securely using IT systems for personnel without an IT security background, and especially make them aware of the risks that arise when using the world wide network.
Training areas could include:
The risk an organisation will commit itself to is highly dependent on the security policy it wants to implement. If no access from outside is offered, only internal weak points have to be considered.
Conversely, a very open organisation provides numerous attack points to external intruders.
The training should provide an overview of different kinds of IT security policies, the risks associated with them, and the security tools available to cope with those environments. Furthermore, there should be hints on how to maintain the installed procedures. Since the defined security level must be maintained at all times, hints should also be given on how the IT security awareness of staff members and users can be periodically refreshed.
Every organisation has set up its own IT security policies and procedures. All systems installed in the organisation have to comply with those policies. Therefore it is the task of any system administrator to implement these policies in a way that is compliant with the intended security level.
The training should provide an overview of default policies and procedures implemented in the field and give hints on how to handle those scenarios in a comprehensive way. After participating in the training, the system administrator should be able to map the relevant organisational security policies to the system tools available in the corresponding systems.
The acquisition of a system can be structured into different areas, ranging from budgetary issues (purchasing the system) to needed space, cooling, power consumption, etc. Most often the security aspects are neglected. Is the system to be purchased the right one for the environment where it should be used and for the tasks to be fulfilled? Where some systems provide very good security features out of the box, others have to be adapted with a lot of effort. Some system designs are optimized for intranet usage only, whereas others fit excellently in distributed environments.
The trainings offered should give the participants an overview of system architectures fitting one scenario or the other, making it easier to decide on the best-fitting architecture.
Setting up a system is straightforward, but decommissioning it can be much more complex. It is not just a matter of turning off the power. System decommissioning includes freeing the system of any user data by providing processes for those transfers and setting up a logical time schedule for doing so. Any privileges granted have to be withdrawn, disk drive content has to be deleted in a professional manner, etc.
The training should give an overview of the tasks to be fulfilled by system admins on the system itself, as well as the tasks to put in place for freeing organisational resources, e.g. deleting user info in AAI infrastructures.
When controlling security you need to know what risks you need to control. A risk analysis and an associated risk management process support making the right choice of security measures. A risk analysis is aimed at identifying and quantifying risks: the chance and the impact of risks. There are several methods and standards that can be used to analyse and manage risks. Risk management can be applied on a broader scope for the whole system but can also be used to analyse the impact of an incident in a structured way.