diff --git a/main.adoc b/main.adoc new file mode 100644 index 0000000..2c5c3c4 --- /dev/null +++ b/main.adoc 
@@ -0,0 +1,461 @@ +//// +Copyright © 2018 Internet2 + +Apache License +============== + +_Version 2.0, January 2004_ +_<>_ + +### Terms and Conditions for use, reproduction, and distribution + +#### 1. Definitions + +“License” shall mean the terms and conditions for use, reproduction, and +distribution as defined by Sections 1 through 9 of this document. + +“Licensor” shall mean the copyright owner or entity authorized by the copyright +owner that is granting the License. + +“Legal Entity” shall mean the union of the acting entity and all other entities +that control, are controlled by, or are under common control with that entity. +For the purposes of this definition, “control” means **(i)** the power, direct or +indirect, to cause the direction or management of such entity, whether by +contract or otherwise, or **(ii)** ownership of fifty percent (50%) or more of the +outstanding shares, or **(iii)** beneficial ownership of such entity. + +“You” (or “Your”) shall mean an individual or Legal Entity exercising +permissions granted by this License. + +“Source” form shall mean the preferred form for making modifications, including +but not limited to software source code, documentation source, and configuration +files. + +“Object” form shall mean any form resulting from mechanical transformation or +translation of a Source form, including but not limited to compiled object code, +generated documentation, and conversions to other media types. + +“Work” shall mean the work of authorship, whether in Source or Object form, made +available under the License, as indicated by a copyright notice that is included +in or attached to the work (an example is provided in the Appendix below). + +“Derivative Works” shall mean any work, whether in Source or Object form, that +is based on (or derived from) the Work and for which the editorial revisions, +annotations, elaborations, or other modifications represent, as a whole, an +original work of authorship. 
For the purposes of this License, Derivative Works +shall not include works that remain separable from, or merely link (or bind by +name) to the interfaces of, the Work and Derivative Works thereof. + +“Contribution” shall mean any work of authorship, including the original version +of the Work and any modifications or additions to that Work or Derivative Works +thereof, that is intentionally submitted to Licensor for inclusion in the Work +by the copyright owner or by an individual or Legal Entity authorized to submit +on behalf of the copyright owner. For the purposes of this definition, +“submitted” means any form of electronic, verbal, or written communication sent +to the Licensor or its representatives, including but not limited to +communication on electronic mailing lists, source code control systems, and +issue tracking systems that are managed by, or on behalf of, the Licensor for +the purpose of discussing and improving the Work, but excluding communication +that is conspicuously marked or otherwise designated in writing by the copyright +owner as “Not a Contribution.” + +“Contributor” shall mean Licensor and any individual or Legal Entity on behalf +of whom a Contribution has been received by Licensor and subsequently +incorporated within the Work. + +#### 2. Grant of Copyright License + +Subject to the terms and conditions of this License, each Contributor hereby +grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, +irrevocable copyright license to reproduce, prepare Derivative Works of, +publicly display, publicly perform, sublicense, and distribute the Work and such +Derivative Works in Source or Object form. + +#### 3. 
Grant of Patent License + +Subject to the terms and conditions of this License, each Contributor hereby +grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, +irrevocable (except as stated in this section) patent license to make, have +made, use, offer to sell, sell, import, and otherwise transfer the Work, where +such license applies only to those patent claims licensable by such Contributor +that are necessarily infringed by their Contribution(s) alone or by combination +of their Contribution(s) with the Work to which such Contribution(s) was +submitted. If You institute patent litigation against any entity (including a +cross-claim or counterclaim in a lawsuit) alleging that the Work or a +Contribution incorporated within the Work constitutes direct or contributory +patent infringement, then any patent licenses granted to You under this License +for that Work shall terminate as of the date such litigation is filed. + +#### 4. Redistribution + +You may reproduce and distribute copies of the Work or Derivative Works thereof +in any medium, with or without modifications, and in Source or Object form, +provided that You meet the following conditions: + +* **(a)** You must give any other recipients of the Work or Derivative Works a copy of +this License; and +* **(b)** You must cause any modified files to carry prominent notices stating that You +changed the files; and +* **(c)** You must retain, in the Source form of any Derivative Works that You distribute, +all copyright, patent, trademark, and attribution notices from the Source form +of the Work, excluding those notices that do not pertain to any part of the +Derivative Works; and +* **(d)** If the Work includes a “NOTICE” text file as part of its distribution, then any +Derivative Works that You distribute must include a readable copy of the +attribution notices contained within such NOTICE file, excluding those notices +that do not pertain to any part of the Derivative Works, in at 
least one of the +following places: within a NOTICE text file distributed as part of the +Derivative Works; within the Source form or documentation, if provided along +with the Derivative Works; or, within a display generated by the Derivative +Works, if and wherever such third-party notices normally appear. The contents of +the NOTICE file are for informational purposes only and do not modify the +License. You may add Your own attribution notices within Derivative Works that +You distribute, alongside or as an addendum to the NOTICE text from the Work, +provided that such additional attribution notices cannot be construed as +modifying the License. + +You may add Your own copyright statement to Your modifications and may provide +additional or different license terms and conditions for use, reproduction, or +distribution of Your modifications, or for any such Derivative Works as a whole, +provided Your use, reproduction, and distribution of the Work otherwise complies +with the conditions stated in this License. + +#### 5. Submission of Contributions + +Unless You explicitly state otherwise, any Contribution intentionally submitted +for inclusion in the Work by You to the Licensor shall be under the terms and +conditions of this License, without any additional terms or conditions. +Notwithstanding the above, nothing herein shall supersede or modify the terms of +any separate license agreement you may have executed with Licensor regarding +such Contributions. + +#### 6. Trademarks + +This License does not grant permission to use the trade names, trademarks, +service marks, or product names of the Licensor, except as required for +reasonable and customary use in describing the origin of the Work and +reproducing the content of the NOTICE file. + +#### 7. 
Disclaimer of Warranty + +Unless required by applicable law or agreed to in writing, Licensor provides the +Work (and each Contributor provides its Contributions) on an “AS IS” BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, +including, without limitation, any warranties or conditions of TITLE, +NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are +solely responsible for determining the appropriateness of using or +redistributing the Work and assume any risks associated with Your exercise of +permissions under this License. + +#### 8. Limitation of Liability + +In no event and under no legal theory, whether in tort (including negligence), +contract, or otherwise, unless required by applicable law (such as deliberate +and grossly negligent acts) or agreed to in writing, shall any Contributor be +liable to You for damages, including any direct, indirect, special, incidental, +or consequential damages of any character arising as a result of this License or +out of the use or inability to use the Work (including but not limited to +damages for loss of goodwill, work stoppage, computer failure or malfunction, or +any and all other commercial damages or losses), even if such Contributor has +been advised of the possibility of such damages. + +#### 9. Accepting Warranty or Additional Liability + +While redistributing the Work or Derivative Works thereof, You may choose to +offer, and charge a fee for, acceptance of support, warranty, indemnity, or +other liability obligations and/or rights consistent with this License. However, +in accepting such obligations, You may act only on Your own behalf and on Your +sole responsibility, not on behalf of any other Contributor, and only if You +agree to indemnify, defend, and hold each Contributor harmless for any liability +incurred by, or claims asserted against, such Contributor by reason of your +accepting any such warranty or additional liability. 
+ +_END OF TERMS AND CONDITIONS_ + +### APPENDIX: How to apply the Apache License to your work + +To apply the Apache License to your work, attach the following boilerplate +notice, with the fields enclosed by brackets `[]` replaced with your own +identifying information. (Don't include the brackets!) The text should be +enclosed in the appropriate comment syntax for the file format. We also +recommend that a file or class name and description of purpose be included on +the same “printed page” as the copyright notice for easier identification within +third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. 
+ +//// +:opening-bracket: [ +:closing-bracket: ] +== InCommon Federation Security Incident Handling Framework + +*Prepared by:* Nicholas Roy, Director of Technology and Strategy, InCommon + +*Version:* 1.2 + +*Date:* February 27, 2017 + + + +*Document Title: InCommon Security Incident Handling Framework* + +*Repository ID: TI.100.1* + +*DOI: 10.26869/TI.100.1* + +*Persistent URL: http://doi.org/10.26869/TI.100.1* + +*Authors: Nick Roy* + +*Publication Date: January 30, 2017* + +*Sponsor: InCommon Steering Committee* + +*Superseded documents: None* + +*Proposed future review date: March 1, 2019* + +*Subject tags: federation, trust, incommon* + +*© 2018 Internet2* + +*This work is licensed under a https://creativecommons.org/licenses/by/4.0/[Creative Commons Attribution 4.0 International License.]* + +=== Change Log + +|=== +|Status|Change|Date|Version|Approved by + +|Draft|First version to InCommon Steering|October 21, 2016|0.6|Nicholas Roy +|Draft|Added example of “upstream provider” in Scope section|October 26, 2016|0.7|Nicholas Roy +|Draft|Added information about vulnerability disclosure to scope and contact sections, acknowledged TIER Security and Audit Working Group input|November 2, 2016|0.8|Nicholas Roy +|Draft|Added contact information|January 11, 2017|0.9|Nicholas Roy +|Prepublication|Added governing language reference|January 19, 2017|1.0|Nicholas Roy +|Publication|Revisions from Internet2 General Counsel|January 30, 2017|1.1|Nicholas Roy +|Publication|Revisions to fix typos and add document repository information|February 27, 2018|1.2|Nicholas Roy +|=== + +<<< +=== THIS PAGE INTENTIONALLY LEFT BLANK +<<< + +=== Table of Contents + + +InCommon Federation Security Incident Handling Framework + +Table of Contents + +Governing Language + +Mission Statement of InCommon CSIRT + +Definition of “Security Incident” + +Initial Contact/Notification and Triage + +Generalized Procedure for When Action Is Required + +Roles + +Assessment of an Incident + +Scope + 
+Nature + +Criticality + +Communications + +Traffic Light Protocol for Exchange of Information + +Incident Handling Actions Matrix + +Appendix A: Foundational Documents + +Appendix B: Acknowledgements + + +=== Governing Language + +The InCommon Federation Operating Policies and Practices [1] document states, as of July, 2016: + +10.3.1 - Suspension for reasons of security + +_A Participant may request the suspension of any Federation services in the case of Administrator credential compromise, participant key compromise, or other security compromise within the Participant's systems. This request may be made via e-mail or telephone from the Executive or Administrator and will be verified by InCommon using trusted communication channels. Suspension may include processes such as revoking credentials, or removing or modifying Metadata._ + +_If InCommon suspects any compromise or negligence on the part of a Participant, it will make reasonable efforts to contact Participant to resolve the issue. In the case of a significant security incident that poses an unacceptable risk to InCommon or other federation participants, InCommon may take immediate remediation actions commensurate with the impact of the incident._ + +=== Mission Statement of InCommon CSIRT + +InCommon’s Computer Security Incident Response Team (CSIRT) is a group of identified individuals working at Internet2 and in the community, assigned specific roles, and chartered to respond to security incidents related to InCommon’s trust, identity and security-related services so that they may be relied upon by InCommon participants for mission-critical and security-sensitive operations on an ongoing basis. 
To that end, the InCommon CSIRT will: + +* Receive information about security-related threats to InCommon infrastructure +* Receive information about security-related threats to InCommon participants’ federating systems +* Assess the risk of such threats +* Develop response and remediation plans where appropriate to address these threats +* Execute, with the possible addition of needed external resources, incident response according to a documented incident handling framework +* Report out to stakeholder communities on the nature of incidents responded to, status of response, and to communicate as needed with affected parties + +=== Definition of “Security Incident” + +A computer security Incident is: A violation or imminent threat of violation of computer security policies, applicable laws and regulations, acceptable use policies, or standard security practices. A security incident may involve either electronic or paper data. [5] + +=== Initial Contact/Notification and Triage + +Any party may make InCommon’s CSIRT aware of a relevant security incident or disclosure via one of the following mechanisms (available 24x7x365) + +. *_Call this number: +1 734 352 7045 (PREFERRED)_* +. *_Send an email to: security@incommon.org_* + +*_NOTE: Outside of normal US business hours, it may take up to 12 hours for staff to be notified of your email. In critical emergencies, please call the phone number above, if possible._* + +*_Inquiries from any law enforcement agency regarding a security incident, including formal legal process such as subpoenas and warrants, must be directed to the General Counsel of Internet2._* + +*DO NOT* communicate any sensitive information via these channels. 
InCommon Federation staff will set up a secure communications channel with you, if need be, after your initial request is received + +InCommon’s CSIRT will accept, evaluate and reply (when necessary and deemed appropriate) to valid submissions as soon as possible, but in no event later than 24 hours after receipt of the notice. + +=== Generalized Procedure for When Action Is Required + +Upon receipt of information about a possible security threat to InCommon, the CSIRT will: + +. Identify an incident handling lead +. Assign the lead to perform a brief initial assessment of the situation, including initial classification of the incident or disclosure as: “Normal,” “Escalation,” or “Emergency” in nature. +. The lead will determine and execute next steps based on assessment of initial event classification, including the formation of an incident handling team as necessitated by nature, criticality and scope. Lead may call in resources for the incident handling team, and those resources are obligated to help with further analysis, remediation and other necessary incident handling steps. Normal procedures to follow are documented in the #heading=h.gm8jazx2m6qf[Incident Handling Actions Matrix] below +. All relevant details of the incident including classification, handling, communication, resolution and disposal will be documented at the request of Counsel in a shared file repository within Internet2 +. An incident is closed when the Executive Sponsor determines that the event has been handled appropriately and is no longer an active threat. In some cases, one or more reports may be issued to relevant stakeholders. + +=== Roles + +Roles 1-4 make up the standing CSIRT, with all roles under 5 filled on an as-needed basis. + +. CSIRT Executive Sponsor, typically the Internet2 Vice President for Trust and Identity Services +. Incident Lead, typically an InCommon technical director or manager +. 
Incident Communications Representative, typically an Internet2 marketing and communication director +. REN-ISAC liaison +. Incident Handling Team (*_specific make-up of each team subject to availability and appropriateness_* at the discretion of the Incident Lead and CSIRT Executive Sponsor) +.. Lead (a role which may be assigned to any of the team members, but should remain lead throughout the handling of an incident) +.. Executive Sponsor +.. Steering Liaison +.. Ops Advisory Liaison +.. InCommon Operations Representative +.. Internet2 Communications Representative +.. Internet2 Chief Information Security Officer Representative +.. Other relevant internal Internet2 areas +.. REN-ISAC Representative and Liaison +.. Law enforcement Representative and Liaison +.. Legal Representative + +=== Assessment of an Incident + +This section is a set of guidelines to allow the named incident handling lead to assess the classification of an incident, for use as input in determining next steps, in the next section. + +==== Scope + +To be in scope for action by InCommon’s CSIRT, mitigation of the incident must essentially depend on one or more changes to InCommon’s operations which involve InCommon’s change management processes, as determined by the CSIRT. + +An incident or disclosure which has compromised, or may lead to the compromise of, systems or services that affect one or more of: + +. InCommon Operations or its upstream or third-party providers (for example, cloud hosting providers, multifactor authentication providers, etc.) on which its operations depend. +. The systems or services of an InCommon Participant relevant to federation participation, such as Identity Provider or Service Provider software or related cryptographic materials. +. Any other operational aspect of InCommon’s trust services. + +are deemed to be in-scope for InCommon’s incident handling processes and should be assessed for nature and criticality before any further actions are taken. 
If an incident is not in-scope, it will be documented and handed off to the appropriate party (internal to or external to InCommon) for further assessment and handling. + +==== Nature + +Answer the question: Is the event an “Incident”? i.e.: + +. Discovery of the neglect of a system or systems by a human actor responsible for maintaining that/those systems that prevents misuse or exploitation of the system(s) to harm InCommon or its participants’ networks or systems as those networks or systems function in a core or supporting role within the portfolio of Incommon trust services. +. Use of a system or network in any way that compromises InCommon or its participants’ networks or systems as those networks or systems function in a core or supporting role within the portfolio of InCommon trust services. +. Any other use or misuse of computing resources, intentional or otherwise, which would cause harm to networks or systems that have a core or supporting role within the portfolio of InCommon trust services (for more information on InCommon services, see: https://www.incommon.org/[https://www.incommon.org/]). +. Disclosure of a security vulnerability known to affect systems or services used in the operation of InCommon’s infrastructure. +If an event is determined to be an “Incident” in nature, it should be further analyzed for elements of criticality in order to determine necessary actions. If the event is not an “Incident,” it should be handed off to InCommon Operations for further analysis and handling. + +==== Criticality + +Incidents fall into three criticality categories: + +*Normal* - an event that does not affect critical production systems or the trustworthy flow of identity/trust-related data across InCommon services. + +*Escalation* - an event that affects production systems and requires change control steps be followed as part of a response. + +*Emergency* - a change to a production system impacting one or more of the following: + +. Health and safety +. 
Critical controls on systems which are relied upon for the trustworthy exchange of identity/trust data between InCommon participants and which utilize InCommon services for facilitation of this data exchange +. Ability of InCommon or one or more of its participants to provide services or conduct business via InCommon services +. Anything deemed an emergency by virtue of related InCommon policies or the CSIRT Executive Sponsor + +Events that are “Escalation” or “Emergency” in nature should be acted upon by the Incident Lead in coordination with the incident handling team according to the Incident Handling Actions Matrix in the next section. Events that are “Normal” will be handed off to the relevant party for further handling. + +=== Communications + +Communication of an incident is a critical step in the response plan, to be formulated in accordance with the matrix below. It is important that a communication plan be designed in a way that does not disclose information about an incident to an inappropriate audience. In many cases it is also important to let InCommon participants and other stakeholders know about an incident in a timely manner based on their need to know and need to share indicators of compromise. At a minimum, for an Escalation or Emergency-level Incident, an after-action review will be prepared at the request of Counsel. The review will include root cause analysis and remediation steps, and should be conducted by the Incident Lead, and a report should be prepared which may be shared with appropriate audiences. + +A designated communication representative should be named as part of each Escalation or Emergency-level incident. This person will provide needed input to a decisionmaking process about what information to share with which audiences, and in particular, what information may be shared outside of Internet2 and the CSIRT, when, via what channels, and in what format. 
The Executive Sponsor will have ultimate authority for decisionmaking about the release of information, in consultation with the Incident Lead. + +=== Traffic Light Protocol for Exchange of Information + +For the purposes of communications with the CSIRT and with external parties during the handling of an active incident (and for further information sharing with other parties after the incident), the Traffic Light Protocol [3] must be used as a way to identify, label, and ensure compliance with scoping of the information shared. The Incident Lead, Executive Sponsor and Communications Representative are primarily responsible for assigning TLP categories to information to be shared, although there are times when other members of the CSIRT and external parties will need to make an assessment about TLP categories and label information they are sharing. When there is uncertainty on the part of a party responsible for classification on the proper classification of a communication item, the party should verify with the CSIRT or incident handling team. Generally, the originator of new information will need to appropriately initially label that information. + + + + + + + +|=== +|*Color*|*When should it be used?*|*How may it be shared?* + +|[red]#*RED*#|Sources may use TLP: RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.|Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed. +|[yellow]#*AMBER*#|Sources may use TLP: AMBER when information requires support to be effectively acted upon, but carries risks to privacy, reputation, or operations if shared outside of the organizations involved.|Recipients may only share TLP: AMBER information with members of their own organization who need to know, and only as widely as necessary to act on that information. 
+|[green]#*GREEN*#|Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.|Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. +|*WHITE*|Sources may use TLP: WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.|TLP: WHITE information may be distributed without restriction, subject to copyright controls. +|=== + +_Reference: TLP levels matrix, from US-CERT [4]_ + + +=== Incident Handling Actions Matrix + +This matrix is intended as a generalized guide for the broad steps required in the classification and handling of security-related events. The matrix below is partially derived from information available from EDUCAUSE [2] + +All information known by InCommon relating to the security incident, including, as applicable, log files and other digital evidence, will be retained by InCommon for 7 years. 
+ +|=== +||Normal |Escalation |Emergency + +|Gather incident facts and prepare Initial Assessment of Situation and send to CSIRT|X|X|X +|Contact the Legal representative and begin preparing all material at the request of Counsel|X|X|X +|Determine whether Protected Identity Information or Protected Health Information is involved|X|X|X +|Legal Representative determine whether to notify insurance carrier|X|X|X +|Contact Executive Sponsor||X|X +|Convene CSIRT Members on established realtime communication channel||X|X +|Deliver initial assessment to CSIRT team via secure channel|X|X|X +|Re-Assess Nature, Scope and Criticality in conference||X|X +||If re-assessment leads to a demotion to “Normal” criticality, document and delegate further handling to non-CSIRT team(s).|If re-assessment supports original or higher assessed criticality execute further steps in the table.|If re-assessment supports original assessed criticality execute further steps in the table. +|Lead determine whether external help is required, if so, request Exec to engage appropriate help||X|X +|Lead determine initial remediation steps, distribute to CSIRT team via secure channel||X|X +|Executive determine whether or not to involve other needed representatives or resources||X|X +|CSIRT team conference and agree on remediation steps, timeline, dependencies, and _initial_ notification requirements. These decisions are documented by the Lead or designee.||X|X +|CSIRT team engage relevant actors using Traffic Light Protocol, to act on remediation plan, ensuring discretion on the part of needed actors||X|X +|CSIRT and action team act on plan||X|X +|CSIRT team evaluate post-action situation and develop initial report to Executive||X|X +|Executive conferences with CSIRT team and determines need for further measures, next steps, and reporting requirements, including complying with all applicable laws and regulations. 
These decisions are documented by the Lead or designee.||X|X +|CSIRT team and executive act on any needed next steps and reporting requirements||X|X +|CSIRT team conducts an after-action review as part of security continuous improvement process. These decisions are documented by the Lead or designee.||X|X +|=== + +=== Appendix A: Foundational Documents + +{opening-bracket}1{closing-bracket} https://www.incommon.org/docs/policies/InCommonFOPP.pdf[InCommon Federation Operating Policies and Practices] + +{opening-bracket}2{closing-bracket} West Brown, Stikvoort, Kossakowski, Killcrece, Ruefle, Zajicek. Handbook for Computer Security Incident Response Teams (CSIRTs) April, 2003. Carnegie-Mellon University Software Engineering Institute, http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=6305[CMU/SEI-2003-HB-002] + +{opening-bracket}3{closing-bracket} EDUCAUSE, https://spaces.internet2.edu/display/2014infosecurityguide/Incident+Checklist[Sensitive Data Exposure Checklist v1.1] + +{opening-bracket}4{closing-bracket} US-CERT, https://www.us-cert.gov/tlp[Traffic Light Protocol] + +{opening-bracket}5 +{closing-bracket} NIST SP800-61, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf[Computer Security Incident Handling Guide] + +=== Appendix B: Acknowledgements + +Thanks to the following individuals and groups for their contributions to this document: + +Kim Milford, REN-ISAC + +Thomas Barton, The University of Chicago + +Jane Drews, The University of Iowa + +InCommon Technical Advisory Committee + +InCommon Steering Committee + +REN-ISAC + +Big Ten Academic Alliance CISOs + +EDUCAUSE + +Internet2 and InCommon Staff + +Internet2 General Counsel + +Internet2 TIER Security and Audit Working Group
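Review bot: the in-text citation numbers in main.adoc do not line up with the Appendix A list. The Incident Handling Actions Matrix section says the matrix is "partially derived from information available from EDUCAUSE [2]", but entry [2] is the CMU/SEI CSIRT handbook and the EDUCAUSE checklist is entry [3]; the Traffic Light Protocol section likewise cites "the Traffic Light Protocol [3]" while the US-CERT TLP page is entry [4] (the table caption "from US-CERT [4]" is the correct one). Renumber the in-text brackets or reorder Appendix A so each reference resolves to the intended source. Other points in the same hunk: the header "*Date:* February 27, 2017" disagrees with the change-log row for version 1.2, dated February 27, 2018, and with "Publication Date: January 30, 2017", so state which date this revision carries; "#heading=h.gm8jazx2m6qf[Incident Handling Actions Matrix]" is a Google Docs anchor that AsciiDoc will not resolve, so use an AsciiDoc cross-reference to the section (for example <<_incident_handling_actions_matrix>>, the id Asciidoctor generates for that heading); reference 5 is split across two lines ("+{opening-bracket}5" / "+{closing-bracket} NIST SP800-61"), which renders a broken bracket; "portfolio of Incommon trust services" under Nature should read "InCommon"; and the commented-out Apache License block at the top still contains the unfilled placeholder "_<>_" and sits above a document that states it is under a Creative Commons Attribution 4.0 licence, so either remove the Apache block or make clear which licence governs the file.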