Thursday, September 21, 2017

Ask CTSC: Questions for leadership to ask when considering handling regulated data.

We at CTSC field questions from the community about cybersecurity, either send directly to the team or via the ask@trustedci.org email address. To better help a broader portion of the community, we're going to start posting our responses here on the blog so they are available. (Don't worry, if your question is sensitive in some way we'll either answer it privately or work with you to sanitize it). This represents the first of such answers. -Von


Yesterday we received the following question from a member of the community:
What are the key questions that research computing leadership or a VP/VC/Dean of research should be asking themselves if they are considering taking on regulated data?
The question came with "I need this by Friday" plea, so here's our admittedly quick answer. Please chime in with a comment if you have suggestions.

Questions for leadership to ask when considering handling regulated data.
  • How can you best be involved at the contract negotiation phase? A number of folks have success negotiating out regulated data terms from contracts.
  • How do you track demand and judge when is it time to take the compliance plunge? Sometimes it will be one large project that will justify the cost, other times it will be an aggregation of smaller requests and expectation of future need.
  • How do you track the actual need of the researchers? While we tend to think of compliance for infrastructure or projects, the real issue is around the workflows of the researchers from end-to-end. In general you want to implement your compliance infrastructure to satisfy as many workflows, hence projects, as possible.
  • When does outsourcing compliance make sense? At the 2017 NSF Cybersecurity Summit, we heard from three major cloud vendors with compliance solutions and it was clear that while they handle key parts of compliance, it is at most a partnership and responsibility still resides with the institution.
  • What formal processes and mechanisms will you need to institute to manage regulated data contracts?  Ideally, one would have the PI contact the Office of Research Administration, which will then work with the CISO/central IT/research computing/compliance to evaluate needs and provide resources and a security budget for the PI to include in the contract, and help PIs with reporting to the agency (e.g. for FISMA).



  • How will you develop regulatory expertise/training?  Many campuses with medical schools have HIPAA expertise, but other regulations which contracts will likely include going forward, e.g. CUI/NIST 800-171 and FISMA, have not been a concern in academia.

  • How will you manage third parties (e.g. business associates for HIPAA)?   This will require assessments of due diligence and possibly additional costs for services.



  • How will you handle breach notification?

Added based on follow-up questions since the original post:
  • How will you get buy-in from all the impacted parties? This will impact a number of groups on across campus. Some schools have used an initial task force composed of stakeholder to plan.
  • How will you resource ongoing effort? Expect ongoing leadership to take a significant fraction of a person, with additional contributions by many others. As it ramps up, a full-time leader is not uncommon.
Thank you to Anurag Shankar of IU CACR for contributing to this post.

Monday, September 11, 2017

DesignSafe-CI and CTSC Engage for Cyber-checkup


CTSC has initiated an engagement with DesignSafe-CI (DesignSafe) (NSF-1520817, NSF-1612144, NSF-1612843), a component of the Natural Hazards Engineering Research Infrastructure (NHERI) and funded by the NSF under a Cooperative Agreement through the Division Of Civil, Mechanical, & Manufacturing Innovation (CMMI) (NSF-1520817). The scope of the engagement is to perform a cyber-checkup -- a high-level review of the project’s cybersecurity program. The process tailored to DesignSafe’s needs will constitute a fact-finding exercise that delves into DesignSafe’s security processes, policies and protocols. Due to the maturity of DesignSafe’s existing security program, CTSC anticipates the engagement will be completed by November 2017.

CCoE Webinar Sept. 25th 11am ET: Demystifying Threat Intelligence

CERN's Romain Wartel is presenting the talk "Demystifying Threat Intelligence" on September 25th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.

Threat intelligence has become a very popular keyword among security professionals in the recent years. What is this all about? Is this a service for sale or rather an intangible asset resulting from a trust relationship? Every organization is seeking relevant and target intelligence, ideally at little to no cost and yielding no false-positives. What are the myths and realities? Is threat intelligence a worthy investment? Is it more suitable to favor local or global sources? Are there services or tools that can facilitate threat intelligence management. Beyond obtaining information, an often overlooked aspect are the challenges linked with building the ability to take promptly and effectively action based on specific intelligence. Making good use of threat intelligence is what makes its value, but this requires time and efforts. Yet, a well-designed threat intelligence management and flow may in fact be the only realistic and affordable strategy for our community to mitigate sophisticated threats or well-funded attackers on a daily basis.

More information about this presentation is on the event page.
Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, September 5, 2017

CTSC begins engagement with DKIST Data Center

The DKIST Data Center (NSF AST-0946422) is the operations data management and processing center for the Daniel K. Inouye Solar Telescope (DKIST), which at the time of its scheduled completion in 2019 will be the largest solar telescope in the world. The data center team has the challenge of managing the terabytes of data coming in daily from the summit in Haleakala, Maui, Hawaii to the data center facility in Boulder, Colorado. With assistance from CTSC, the DKIST Data Center team plans to develop a cybersecurity program that will help them focus appropriately on the Integrity, Availability and Confidentiality of the data and services in support of DKIST.

Tuesday, August 15, 2017

CCoE Webinar August 30th 3pm ET: An overview of CTSC Engagements and the Application Process

CTSC's Von Welch is presenting the talk "An overview of CTSC Engagements and the Application Process," on Wednesday August 30th at 3pm (Eastern). Note: The day and time for this event is not during our regular monthly series. Be sure to add it to your calendar.

Please register here. Registration includes a confirmation email with a calendar file (check your spam filters if you did not receive the email).
One of CTSC's core activities is conducting one-on-one engagements with NSF projects and facilities. CTSC has recently launched its call for applications for engagements in 2018, due October 2nd. This presentation will review the benefits and scope of CTSC engagements, as well as the application process. Webinar attendees are encouraged to attend live to ask questions about their project/application.
More information about engagements and the application can be found at: https://trustedci.org/application
More information about this presentation is on the event page.

Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Monday, August 14, 2017

2017 NSF Community Cybersecurity Benchmarking Survey -- Please Respond

Please complete the 2017 NSF Community Cybersecurity Benchmarking Survey.  


The goal of the annual survey is to collect and aggregate information over time about the state of cybersecurity for NSF projects and facilities and produce a report that will help the community a richer understanding of the environment and norms, as well as track changes to the security of the scientific cyberinfrastructure. We want to ensure the survey report is of maximum utility to the NSF researchers, projects, and facilities, and encourage a high level of participation. Your responses will help us meet that goal. We have made minor changes from the 2016 survey to clarify both questions and answers. Participation in the 2017 survey is requested whether or not you responded to the 2016 survey. (See the 2016 survey report at http://hdl.handle.net/2022/21355)

Each NSF project or facility should submit only a single response. Completing the survey may require input from the PI, the IT manager, and/or the person responsible for cybersecurity (if those separate areas of responsibility exist). While answering specific questions is optional, we strongly encourage you to take the time to respond as completely and accurately as possible. If you prefer not to respond or are unable to answer a question for some reason, we ask that you make that explicit (e.g., by using “other:” inputs) and provide your reason. Please note that we minimize the amount of project-identifying information we collect and will report responses only in the aggregate and CTSC will release results that we believe provide anonymity to the individual project or facility respondents.

The response period closes November 17, 2017.

CCoE Webinar August 28th 11am ET: Stronger Security for Password Authentication

UC Irvine's Stanislaw Jarecki is presenting the talk "Stronger Security for Password Authentication," on August 28th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.

Passwords are an infamous bottleneck of information security: The users choose them badly and then forget them, and the servers store (at best!) a table of password hashes which, in the all-too-common event that the server is hacked, allows the attacker to recover a large fraction of the passwords using the so-called Offline Dictionary Attack. At the same time, we seem to be stuck with passwords because they form the most user-friendly authentication mechanism we know. Our work in the CICI-sponsored project looks at the security vulnerabilities of current password authentication protocols, including Two-Factor authentication protocols, where the user's password is amended by the presence of an Auxiliary Authentication Device, e.g. a cell-phone capable of displaying a short one-time PIN which the user copies onto her terminal in order to authenticate to the server. We show that with modest changes to the authentication infrastructure, involving either the user's client, or the authentication server, or the Auxiliary Device software, we can make password authentication protocols which are as practical as currently used schemes but have much stroger security properties. Most importantly, the schemes we show eliminate the security vulnerability posed by the server storing password hashes, thus eliminating the possibility of the Offline Dictionary Attack in case of server compromise. In other properties, our schemes offer resistance to so-called phishing attacks and, more generally, failures in the Public Key Infrastructure, where the user misidentifies the public key of the authentication server and, which in current password authentication schemes leads to revealing the user's password to the adversary.
In this presentation we will present an overview of our work on strengthening password and two-factor schemes, published in NDSS'14, Asiacrypt'14, EuroSP'16, AsiaCCS'16, ACNS'17, ICDCS'17, as well as future directions.

More information about this presentation is on the event page.

Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."