Wednesday, April 11, 2018

Trusted CI Webinar April 23rd at 11am ET: Toward Security-Managed Virtual Science Networks

Duke University's Jeff Chase and RENCI's Paul Ruth are presenting the talk, "Toward Security-Managed Virtual Science Networks" on April 23rd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
Data-intensive science collaborations increasingly provision dedicated network circuits to share and exchange datasets securely at high speed, leveraging national-footprint research fabrics such as ESnet or I2/AL2S.   This talk first gives an overview of new features to automate circuit interconnection of science resources across campuses and in network cloud testbeds, such as GENI (e.g., ExoGENI) and NSFCloud (e.g., Chameleon).    Taken together, these tools can enable science teams to deploy secure bandwidth-provisioned virtual science networks that link multiple campuses and/or virtual testbed slices, with integrated in-network processing on virtual cloud servers.

Next, we outline a software framework to address security issues arising in these virtual science networks.   We show how to deploy virtual science networks with integrated security management programmatically, using software-defined networking and network function virtualization (SDN/NFV).   As an example, we describe a prototype virtual Network Service Provider that implements SDX-like functionality for policy-based interconnection of its customers, and incorporates out-of-band monitoring of permitted flows using Bro intrusion detection instances hosted on cloud VMs.  We also describe how to use a new logical trust system called SAFE to express and enforce access policies for edge peering and permitted flows, and to validate IP prefix ownership and routing authority (modeling RPKI and BGPSEC protocols) in virtual science networks.

This material is based upon work supported by the National Science Foundation under Grants No. (ACI-1642140, ACI-1642142, CNS-1330659, CNS-1243315) and through the Global Environment for Network Innovations (GENI) program.  Any opinions, findings, and conclusions or recommendations do not necessarily reflect the views of NSF.
Jeffrey S. Chase is a Professor of Computer Science at Duke University.  He joined Duke in 1995 after receiving his PhD in Computer Science from the University of Washington (Seattle).    He was an early leader in automated management for cluster services, cloud hosting systems, and server energy management.   He served as an architect in NSF’s GENI project and is a principal of ExoGENI, a multi-campus networked cloud testbed.

Paul Ruth is a Senior Research Scientist at RENCI-UNC Chapel Hill.  He received his PhD in Computer Science from Purdue University in 2007.  He has been a primary contributor to the ExoGENI testbed since 2011 and is currently the networking lead for the NSF Chameleon testbed.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Monday, April 9, 2018

Cyberinfrastructure Vulnerabilities 2018 Q1 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to Trusted CI’s mailing lists.

We monitor a number of sources for software vulnerabilities of interest. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and benefit from community expertise.

Some of the sources we monitor for possible threats to CI include:


In 1Q2018 the Cyberinfrastructure Vulnerabilities team issued the following 3 vulnerability alerts to 91 subscribers:


If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available through https://list.iu.edu/sympa/arc/cv-announce-l.

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Tuesday, April 3, 2018

Single vs multiple users on a cluster node?

Trusted CI recently received the following query from Chester Langin and are sharing his question and our answer with his permission:
As a security person, can you tell me the advantages and disadvantages of allowing more than one than one user on a cluster node at a time?  I ask because we just moved from Rocks/SGE to OpenHPC/SLURM.  Our old cluster allowed multiple users per node so, with 20 cores as an example, users with jobs running 8, 8, and 4 cores could all be running on the same compute node.  This provides high efficiency.  Our new cluster apparently restricts this so if the first user runs a job with, say 8 cores, nobody else can use that same node and 12 cores are not being used.  So, our users will be noticing that jobs will be backing up in queue.
Should we configure SLURM to allow multiple users per node?  Do you have a recommendation?  Can you give me pros and cons?
This is a classic example of a risk/reward trade-off. As you note in your question, allowing only a single user per node has the down side of lower efficiency. So what do you gain? 

There are risks with allowing multiple users per node in that user accounts are not as strong a guarantee of isolating users from each other as is having them on separate nodes. Bugs in the underlying system  (and hypervisor if we’re talking virtual machines), misconfigurations of the operating system, and errors in setting file permissions can allow information, potentially sensitive information and credentials, to leak between users on the same node. Some examples include CVE-15566, CVE-2017-5715, CVE-2017-4924. Additionally we've seen two recent cases in our software assessments where we found file system permissions were set too permissive allowing users to see each other data.

Hence you gain some risk reduction. We assume you can estimate the value of the efficient reduction in terms of lost CPU time, but how to you estimate the benefits of the risk reduction so you can compare these two things?

Unfortunately, quantifying this trade-off isn’t trivial - it’s a judgement call. Some questions to ask to determine which path makes sense for your system involved gauging the consequences of the security risks:
  • How big and diverse is your user community? If your users are all from a collaborating community or within the same institution, the consequences of data leakage could be lower. But if you have users who are competing research groups or companies, the stakes could be higher
  • What type of data does your system handle? Is it regulated data or other sensitive data that would increase the impact of the risks in question?
  • How you handle an incident can greatly impact its consequences. How poised are you to handle a incident if it occurs? Do you have a incident response plan in place that you regularly exercise? 
  • What is the risk tolerance of your stakeholders? Are you expected to squeeze every ounce of performance out of the system or is reputation considered more important? Is there any recent history related to security incidents that may impact this?

Monday, March 26, 2018

Upcoming events featuring Trusted CI

Interested in the latest from Trusted CI? Want a chance to chat in person with us? Members of Trusted CI will be participating in a number of upcoming events over the next few months.

EDUCAUSE Security Professional Conference 2018 (April 10-12) in Baltimore, MD. EDUCAUSE brings higher education security professionals together to network and discuss current trends in the industry. Trusted CI's Mark Krenz and Warren Raquel are presenting training sessions on Incident Response and Security Log Analysis. Also, Trusted CI's Von Welch and Jim Basney are co-presenting with IU CACR's Anurag Shankar on Cybersecurity for Research on Campus.

KINBERCON (April 23-25) in Harrisburg-Hershey, PA. KINBERCON's focus is on next generation networks and technology, and brings together leaders in education, healthcare, libraries, and government. The format of KINBERCON includes panels and technical workshops. There are many opportunities for collaborative discussions with speakers and attendees. Trusted CI's Von Welch will be presenting on the project and the intersection of campus IT, info sec, and research.

The 2018 NSF SI2 PI Meeting (April 30-May 1) in Washington, D.C. The SI2 PI workshop brings together PIs to present their projects to fellow PIs through posters, lightening talks, and brief presentations. Trusted CI's Von Welch is presenting "Software Security: Selecting engineering and security practices to enable robust CI and trustworthy science."

Internet2 Global Summit (May 6-9) in San Diego, CA. The summit focuses on advanced and trusted infrastructure, identity, federation and access management, and solutions for researchers with the goal of benefiting the entire research and education ecosystem. Trusted CI's Jim Basney will be co-presenting CACR's Anurag Shankar on "Cybersecurity for Research on Campus: Not Just HIPAA & FISMA."

PEARC 18 (July 22-26) in Pittsburgh, PA. PEARC is an all-inclusive event for scientists, engineers, scholars, artists, and educators who depend on efficient, secure, and reliable digital infrastructure. This year's theme is seamless creativity. Presentation abstracts are still under review. Trusted CI intends to attend and present at this year's conference and will update the community as more information is available.

The 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure (August 21- 23) in Alexandria, VA. The Summit is hosted by Trusted CI and welcomes cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI Community, as well as key stakeholders and thought leaders from the broader scientific and information security communities. The Summit includes training sessions, plenary session, and opportunities to network and socialize with peers. Be on the lookout for our call for proposals.

Whether you are an operational security pro, high speed networking researcher, NSF PI, or identity management specialist; the coming months present some interesting opportunities to network and collaborate. We look forward to seeing you at these events.

Thursday, March 22, 2018

New name, same mission

Dear friends of CTSC,

We're writing to announce that the Center for Trustworthy Scientific Cyberinfrastructure (CTSC) is becoming Trusted CI, the NSF Cybersecurity Center of Excellence.

Why are we making this change? While it clearly conveyed our mission, our initial name was a mouthful -- and, with the added CCoE designation, we found that people struggled to remember it. Trusted CI will build better name recognition, through consistent branding across our website (trustedci.org) and social media (@TrustedCI). 

The new name still emphasizes what we're about: Achieving the NSF goal of creating high-quality, trusted cyberinfrastructure (CI) that supports high-quality, trusted science. It will also make it easier for you to remember how to get help for your NSF CI projects: Email ask@trustedci.org (be sure to identify which NSF project your query relates to). 
 
As we roll out the new branding this spring, we'd like to extend an active invitation to engage our services. From quick questions to collaborative engagements lasting months, Trusted CI tackles challenges of all sizes. 

We're happy to assist with anything related to cybersecurity for NSF CI projects, and we're focused on tailored solutions that impact your work as little as possible. And now all you have to remember is Trusted CI!

Monday, March 12, 2018

Trusted CI Webinar Mar. 26th at 11am ET: Data Quality and Security Evaluation Framework

Rochester Institute of Technology's Leon Reznik and Igor Khokhlov are presenting the talk "Data quality and security evaluation framework development" on March 26th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
In this talk, we are presenting our work on building a data quality and security (DQS) framework, which integrates cybersecurity with other diverse metrics, such as accuracy, reliability, timeliness, and safety into a single methodological and technological framework. This innovation has a high potential to enable a significant improvement in a wide spectrum of science and technology applications as it will create new opportunities for optimizing data structures, data processing and fusion procedures based on a new quality and security information application. While the developed evaluation techniques may cover a wide range of data sources, the current framework’s implementation concentrates on using an ordinary user’s owned mobile devices and Android-based smartphones in particular.  
After discussing a motivation and general concepts of data quality evaluation, we will present preliminary results. As the framework integrates various metrics from accuracy to security and privacy, we will show examples of cyberinfrastructure elements from those areas developed so far. The security evaluation aspect of the framework is introduced with the Android applications that evaluate a smartphone security, gives a comprehensive score, and advises how the smartphone security can be improved. Two applications that are already available on Google Play will be presented and discussed. In addition, we will show some examples of the framework’s user interface designed for data quality metrics assignment and demonstrate its visualization capabilities. 
The data privacy evaluation is presented with the investigation of the colluded application vulnerability in Android OS devices. We will discuss and analyze the results achieved in this domain.
We believe that DQS evaluation framework will stimulate further improvement of the quality of the whole cyberinfrastructure and, in particular, cybersecurity. We will discuss possible further developments and seek the feedback and advice on the further DQS evaluation research directions. In particular, we are looking for a collaboration in the development of our framework applications in various science and technology domains.

Leon Reznik is a Professor of Computer Science (primary affiliation) and Computing Security (secondary affiliation) at the Rochester Institute of Technology. His current research concentrates on data quality and security evaluation and assurance; cognitive sensor networks and systems; intelligent intrusion detection and big data analytics.

Igor Khokhlov is a Ph.D. candidate at the Rochester Institute of Technology. He conducts research on data quality and value evaluation for sensor-originated data. Igor’s fields of interest include Android OS, cyber-security, and AI.
Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Friday, March 2, 2018

NRAO and Trusted CI Launch Engagement

Trusted CI is pleased to announce the start of an engagement with the National Radio Astronomy Observatory (NRAO), an NSF Large Facility supported in part by NSF Award # 1647378. This engagement is expected to continue through the end of June. Our shared goal for this engagement is to assess and facilitate the continued maturation of NRAO’s information security program, as well as to positively impact its adaptiveness and longevity. We will accomplish this by evaluating their existing policies, practices, and documentation, and providing recommendations for opportunities to strengthen these within the overarching framework of the four pillars of cybersecurity: mission, governance, resources, and controls.

Initially established in 1956, the National Radio Astronomy Observatory is operated under cooperative agreement by Associated Universities, Inc. (AUI). NRAO provides state-of-the-art radio telescope facilities for use by the international scientific community, open to all astronomers regardless of institutional or national affiliation. NRAO also provides both formal and informal programs in education and public outreach for teachers, students, the general public, and the media. Their instruments include the Jansky Very Large Array in New Mexico and the North American component of the Atacama Large Millimeter/submillimeter Array in Chile.

With its latest renewal, NRAO’s mandate is to improve not only the accessibility of its scientific instruments, but also the accessibility of its multi-petabytes of archived observational data for re-processing and re-use beyond the initial intent and audience. NRAO’s revised mission seeks to extend beyond the traditional radio astronomy community into the fields of general scientific endeavor looking at complex molecules in space, real-time events, and the explanation of origins of life, planets, solar systems, galaxies, and the universe.