Salsa-CSI2 Conference Call
January 31, 2008
 
**Attending**
Chris Misra, University of Massachusetts (Chair)
Paul Asadoorian, OSHEAN
Joel Rosenblatt, Columbia University
Dan Adinolfi, Cornell University
Phil Denault, Worcester Polytechnic Institute
Doug Pearson, Indiana University/REN-ISAC
Brian Smith-Sweeney, New York University
Elliot Kendall, Brandeis University
Joe St. Sauver, University of Oregon/Internet2
Renee Frost, Internet2
Steve Olshansky, Internet2
Dean Woodbeck, Internet2 (scribe)
 
Please note: time change on future calls: 2 p.m. rather than 2:30. Dates (every other Thursday) remain the same.
 
**Action Items**
 
{ALL} Post rules/code on wiki and comment on APHIDS.  
{ALL} Review Brian’s outline for the Shifting Landscape presentation and provide comments.
 
**APHIDS**
The APHIDS (Advanced Parallel Hypertext Intrusion Detection System – formerly known as “Google Hacking”) discussion centered on categorization of items and setting rules. It was agreed that the goal is to have a low number of false positives.
 
Elliot mentioned that the rule set he developed has a low number of false positives. The set is available if people want to develop their own tools. Brian has some old reports from some code he wrote previously, but that code generated a lot of alerts. He will pare that down to reduce the number of false positives.
 
Anyone who has a set of rules or code is encouraged to post it to the CSI2 wiki.
 
[AI] {ALL} Post rules/code on wiki and comment on APHIDS.
 
**RENOIR**
No update.

**Security Metrics**
Joel reported that the security metrics group is working on a defined set of metrics in the three areas, led by a subgroup. The topics are:
  Each subgroup is developing a list of defined metrics for their sub-area – discussing what to measure and what not to. As this work is completed, Joel will pass the results along to the CSI2 list.
 
**Spider**
The move of Spider from Cornell to Internet2 is still waiting on documentation. Dan reported that Cornell has been considering hosting Spider training for those interested in using the program and implementing it in the enterprise. If a program is held, it will be streamed to maximize participation.
 
In addition, a Cornell staff person has been developing Spider Helper, which runs with Spider and makes it easier to use. Brandeis is also building a Spider wrap-around. It would be helpful to have these posted, or links posted, on the CSI2 wiki.
 
**Shifting landscape**
Brian reported that the Shifting Landscape presentation was accepted for NERCOMP and for the Security Professionals Conference. The SPC seminar will be a half-day pre-conference session conducted by Brian and Phil. Brian sent email to the CSI2 list with a project outline, looking for feedback. The focus now is on getting a presentation and, perhaps, a white paper together.
 
[AI] {ALL} The working group’s action item is to review Brian’s outline and provide comments.
 
**Security Standards**
Chris, Dan and Brian will participate in a panel discussion at NERCOMP on the subject of security standards. Panel members will discuss how they are approaching security standards and data classification standards. The Cornell requirements are available here:
http://www.cit.cornell.edu/security/requirements/
 
Others are welcome to join in the panel. Contact Chris if you are interested.
 
**Upcoming meetings**
March 10-12: NERCOMP in Providence, Rhode Island.
 
April 21-23: Internet2 Member Meeting in Arlington, Virginia.
There is a need for more security sessions at the Member Meeting. Contact Renee Frost and Chris Misra with any ideas/suggestions.
 
May 4-6: Security Professionals Conference (SPC) in Arlington, VA.
 
**Periscope**
OSHEAN is working on developing Periscope – a rewrite of IP Audit. Paul has some students working on the project; they are currently working on the GUI, and he hopes to begin testing in early February. This will be open source software, and Paul is looking for people to do some testing and provide feedback. Brian volunteered NYU as a test site.
 
Future calls will begin at 2:00 p.m. (ET) rather than 2:30.
 
The February 14 call is canceled – conflict with CAMP.
 
**Next call February 28, 2008, 2:00 p.m. (EST)**