Tuesday, May 23, 2017

CTSC’s Situational Awareness Expanding Collaborations

In an attempt to improve on the security alert service CTSC offers, the Situational Awareness (SA) group within CTSC has recently expanded its monitoring streams and collaborations to include Open Science Grid (OSG) and the European Grid Infrastructure’s Software Vulnerability Group (EGI: SVG). These entities join CTSC’s current collaborations with REN-ISAC and XSEDE in mutually sharing advisories. The immediate benefit of this effort is that CTSC and its collaborators have increased their monitoring channels, enabling a larger window to survey for potential threats to science cyberinfrastructure. This improvement in shared knowledge will better position us, as well as our new partners, to pass on the important alerts to our communities.

To register for CTSC SA advisories, see https://trustedci.org/situational-awareness.

If you're a member of a trust community that would like to share alerts with CTSC, please contact us at alerts@trustedci.org.

Monday, May 8, 2017

CCoE Webinar May 22nd 11am ET: Cybersecurity Research: Transition To Practice (TTP)

Emily Nichols and Dr. Alec Yasinsac are presenting the two-part talk "Cybersecurity Research: Transition To Practice (TTP)," on May 22nd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.
The U.S. National Science Foundation Transition To Practice (TTP) program is critical to the successful deployment and realization of value for NSF-funded cybersecurity research. Transition to Practice has been named a priority by the National Science and Technology Council’s subcommittee on Network and Information Technology Research Development (NITRD), since 2011, as the participating agencies recognize the need to see funded research adopted by the operational community and ultimately make a positive impact on society. Currently, a chasm exists between the output of the academic cybersecurity research community, and the operational Information Technology (IT) community, which acquires system prototypes that often result from later stage academic research components and implements them in operational environments as either proofs of concept or in operations. The goal of the NSF TTP program is to enable NSF-funded cybersecurity research to cross this chasm and become an operationalized asset to add value in our nation’s cybersecurity efforts.
Internet2 Collaborative Innovation Community (CINC UP): Cybersecurity Research Transition to Practice Acceleration Opportunities (Emily Nichols)
Internet2 is leading an NSF funded EAGER project to benefit members as together we develop a comprehensive TTP program with the goal of enabling as many NSF cybersecurity grants as possible to transition to practice in an accelerated fashion. 
Please join us to discuss how together the Internet2 community of NSF funded cybersecurity researchers, IT operations, and institutions including universities, labs, industry members and affiliates can work together to enable the application of cybersecurity research. 
NSF's SATC TTP Ecosystem (Dr. Alec Yasinsac)
NSF is offering substantial resources to support TTP efforts, including TTP training for PIs, match-making services, mentoring services, a best-practices repository, and software development resources. 
A key resource is the SaTC (Secure and Trustworthy Cyberspace) TTP designation. PIs that have mature research results can apply for three year awards up to $500k or four year projects up to $1.2m exclusively to conduct TTP activities. 
In this presentation, we will present the case for TTP, identify the unique aspects of the TTP Designation in the SaTC Solicitation, and describe elements of the anticipated TTP ecosystem. This talk is relevant to academics of all ranks, to research scientists in government and academic laboratories, and to industry members interested in harvesting NSF-funded cybersecurity research.
More information about this presentation is on the event page.

Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

Monday, May 1, 2017

2016 NSF Community Cybersecurity Benchmarking Survey Report

The 2016 NSF Community Cybersecurity Benchmarking Survey Report is now available:

https://hdl.handle.net/2022/21355

Benchmarking information is frequently used to develop a common understanding of cybersecurity’s status and norms within a community. The purpose of this survey project was to collect, analyze, and publish useful baseline benchmarking information about the NSF science community’s cybersecurity programs, practices, challenges, and concerns. We received 27 responses to the survey including 16 responses from respondents with annual budgets greater than $1M (including 9 responses from the ~25 NSF Large Facilities).

We hope the results and analysis provide some benchmarking insight and inspire discussion.

Thursday, April 27, 2017

OSiRIS Engagement Summary

OSiRIS (Open Storage Research Infrastructure, NSF award #1541335) is a multi-institutional project aimed at providing a distributed storage infrastructure that allows researchers to manage and share data from their home computing facilities with other partner locations. The University of Michigan, Michigan State, Wayne State, and Indiana University are working together to develop the transparent, high-performance storage infrastructure, which will be available to connected locations on participating campuses. The project will provide data sharing, archiving, security, and life-cycle management, all implemented and managed with a single distributed service.

In October 2016, CTSC began an analysis of the new OSiRIS Access Assertions (OAA) design. CTSC and OSiRIS staff worked together via a series of weekly phone calls to review the design of the authentication and authorization framework for OSiRIS. As OSiRIS is an open-source project, all design documentation and related code for OAA is available on GitHub.

Since the OAA design was at an early stage, CTSC asked OSiRIS staff to document the various use-case scenarios which would be addressed by OAA. This resulted in a set of requirements needed by scientists (end-users), system administrators, and network administrators.

Next, CTSC began the review of the core OAA system. It was discovered that OAA borrows concepts from OAuth 2.0 (RFC 6749), including JSON Web Tokens (RFC 7519) and the practice of issuing short-lived access tokens and long-lived refresh tokens. The resemblance of OAA to OAuth 2.0 inspired the team to use the OAuth 2.0 Threat Model and Security Considerations (RFC 6819) as an evaluation framework for the OAA system. Over the course of several weeks, the OSiRIS team used recommendations from the OAuth 2.0 Threat Model to make modifications to the evolving OAA design, as noted in the final engagement report.

The above swim lane diagram, produced by the OSiRIS team during the engagement, helped the CTSC team understand the OSiRIS Access Assertions (OAA) design.

After the review of the core OAA design, the review shifted to the integration of OAA with other OSiRIS components including Ceph and NMAL/perfSONAR. As the integration is still in an early phase, CTSC staff reviewed the integration design for potential issues drawing on knowledge of similar analyses in the past.

OSiRIS is using COmanage Registry for managing groups and roles for researchers and administrators. CTSC staff has significant experience with COmanage, so several conference calls were of the question-and-answer variety where OSiRIS staff were able to ask detailed questions about COmanage and how to best leverage the power of the software for their particular scenarios.

CTSC's involvement early in the design and implementation phase enabled the OSiRIS developers to incorporate several security recommendations before development had proceeded to a point where change would have been painful. CTSC identified no significant weaknesses in the resulting design. CTSC encouraged OSiRIS to apply for a follow-on engagement after implementation is complete, to review design changes that may have occurred during implementation and initial deployment.

Edited to add: See also the OSiRIS blog post on our engagement.

Tuesday, April 11, 2017

Announcing: 2017 NSF Cybersecurity Summit Call for Participation and Student Program

It is our great pleasure to announce the 2017 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure. The event will take place Tuesday, August 15th through Thursday, August 17th at the Westin Arlington Gateway near the National Science Foundation Headquarters in Arlington, VA. Attendees will include cybersecurity practitioners, technical leaders, and risk owners from within  the NSF Large Facilities and CI community, as well as key stakeholders and thought leaders from the broader scientific and cybersecurity communities.

Call for Participation (CFP) - Now Open
Program content for the summit is driven by our community. We invite proposals for presentations, breakout and training sessions as well as nominations for student scholarships. The deadline for CFP submissions is June 5th. To learn more about the CFP, please visit: http://trustedci.org/2017-nsf-cfp/

Student Program - Now Open
Each year, the summit organizers invite several students to attend the summit. Students who are interested in the complex cybersecurity needs of science, and in new, efficient, effective ways to protect information assets while supporting science, will benefit most from attending. Students may self-nominate or be nominated by a mentor or a teacher. To learn more about the Student Program, please visit: http://trustedci.org/students2017/

Monday, April 10, 2017

CCoE Webinar April 24th 11am EDT: HIPAA and FISMA: Computing with Regulated Data

Susan Ramsey and Anurag Shankar are presenting the talk "HIPAA and FISMA: Computing with Regulated Data," on April 24th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.
With cyberattacks and breaches rising exponentially, there is increasing pressure on federally funded scientific and academic institutions to protect regulated data, including identifiable patient data protected by the Health Insurance Portability and Accountability Act (HIPAA), and data collected or processed on behalf of the government, which is subject to the Federal Information Security Modernization Act (FISMA). Each comes with its own set of cybersecurity requirements, including physical, administrative, and technical controls, to be applied using a risk-centric approach. FISMA specifies the risk methodology to use, namely the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), but still provides considerable latitude in how it can be deployed. HIPAA leaves the choice entirely to the practitioner. Organizations are also allowed by both regulations to tailor implementation to fit their size, budget, risk tolerance, etc. This provides great flexibility, but the flexibility comes at a cost. Without prescriptive checklists and tools from the government, interpreting the regulations can be a nightmare, especially for the newly initiated. Commercial expertise comes at a premium, and may even be beyond reach due to budget. Fortunately, the news is not all bad. Cybersecurity has seen great improvements in the scientific and academic community in recent years, with a majority of required controls already in place. The remaining obstacles are generally policies and procedures, risk assessment, mitigation, and, most of all, documentation. While these take time and effort, the bulk of the work is limited to initial implementation, with considerable gains in security and efficiency. To illustrate this, this webinar will feature two institutions, the National Center for Atmospheric Research (NCAR) and Indiana University (IU).
They will share their stories of how they faced and overcame the FISMA and HIPAA challenges in their research computing environments, and how they benefited. The webinar will also touch upon the basics of HIPAA and FISMA, the NIST RMF, and how the RMF can be leveraged for HIPAA, FISMA, and other types of cyber compliance.
More information about this presentation is on the event page.

Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

CTSC helps CC*DNI awardee tune its cybersecurity practices

The University of New Hampshire Research Computing Center’s (UNH RCC’s) mission is to provide information technology (IT) support for the sponsored research community at UNH and collaborate with higher education, industry, and government to create innovative technologies designed to address important social, environmental, and economic needs. UNH RCC is supported in part by CC*DNI NSF CISE Grant #1541430. CTSC and UNH RCC are conducting an engagement looking at UNH RCC’s existing cybersecurity practices in relation to UNH and the scientists it serves. The engagement has the following related objectives:
  • Produce a report within the next month assessing the current state of UNH RCC’s information security program and make specific prioritized recommendations. 
  • Plan and conduct a period of collaborative work culminating in a 2-4 day CTSC site visit at UNH in early June.  During the site visit, meetings, training sessions, and other activities will leverage the report to build momentum for UNH to implement and sustain the plan's prioritized recommendations. 
This engagement is an opportunity for CTSC to work with a program at an institutional level and positively impact the security of the cyberinfrastructure and trustworthiness of the science it supports.