Wednesday, February 22, 2017

CCoE and OSG kick off engagement to assess HTCondor-CE
The Open Science Grid (OSG) facilitates access to distributed high throughput computing for research across the US, delivering more than 1.2 billion CPU hours to researchers across a wide variety of projects over the last 12 months. The OSG and CTSC are collaborating to assess the security of HTCondor-CE (Compute Element). The HTCondor-CE is the next-generation gateway software for the Open Science Grid (OSG) and is responsible for providing a network service which authorizes remote users and provides a resource provisioning service. Based on the HTCondor software, this CE is a highly-specialized configuration of HTCondor and relies on less-common components, e.g., blahp, the focus of this engagement. HTCondor-CE was developed and adopted to provide the OSG with a more flexible, scalable, and easier-to-manage gateway software.

The primary goal of the CTSC-OSG engagement is to review blahp (pronounced “blop”), part of HTCondor-CE, and to help ensure its design and implementation are secure - that is, it is free of design errors and will function as intended in the face of malicious entities attempting to coerce it to do otherwise.

Monday, February 13, 2017

CCoE Webinar Feb. 27th 11am EST: Practical Cybersecurity Program for (Smaller) Science Programs

Members of the CTSC team are presenting the talk "Practical Cybersecurity Program for (Smaller) Science Programs," on February 27th at 11am (EDT). Our presenters are Susan Sons, Craig Jackson, and Bob Cowles (speaker info).

Please register here. Be sure to check your spam/junk folder for the registration confirmation with the attached calendar file.

Based on CTSC’s cybersecurity program development guide (see trustedci.org/guide), this webinar addresses practical information security tasks for small and medium science projects. The NSF CCoE’s work spans the full range of NSF-funded projects and facilities, and cybersecurity is certainly *not* a one-size-fits-all endeavor.

Some of the topics covered include:
  • Cybersecurity’s relevance to science projects.
  • The complexity and scope of cybersecurity, and how cybersecurity programs can help you cope with that complexity (and protect your science).
  • A handful of “must-do” (and doable!) action items.

This session is appropriate for principal investigators, program officers, IT professionals in research and higher education, research facility managers, and security professionals interested in information security approaches tailored to particular communities. It is not a detailed technical training. There will be significant opportunities for Q&A.

More information about this presentation is on the event page.

Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

Science Node article on Open Science Cyber Risk Profile

Last week, Science Node published an article on the Open Science Cyber Risk Profile: "Mind the gap: Speaking like a cybersecurity pro." Dr. Karen Stocks, director of the Geological Data Center at the Scripps Institution of Oceanography at the University of California San Diego, is quoted in the article:

“It is critical that our scientific infrastructure be reliable and trusted,” says Stocks. “The OSCRP provides the most accessible, focused, and practical guidance I know of for a scientist needing to evaluate and assess their cybersecurity.”

Please see the article for more from Dr. Stocks, as well as others involved in the profile.

Thursday, February 2, 2017

The Report of the 2016 NSF Cybersecurity Summit and Request to Select Dates for the 2017 NSF Cybersecurity Summit!
CTSC is pleased to present the report of the 2016 NSF Cybersecurity Summit to the community. The report outlines progress the community has made based on recommendations from the previous year, attendee details and survey results for both the plenary and training portions of the Summit. The report in its entirety can be reviewed here: http://hdl.handle.net/2022/21161

Additionally, we are currently preparing to kick off planning for the 2017 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure. One of our first steps will be selecting a date for this year’s summit, and we would like to hear from you, the community, regarding the best dates to meet. The summit will be held in Arlington, VA again this year, at the Westin Arlington Gateway. Please follow the link below to the survey containing the dates we have identified as being available and not conflicting with other conferences in the industry, and enter your choices no later than Friday, February 10, 2017: https://www.surveymonkey.com/r/FZBH2H7

Friday, January 27, 2017

Apply for an Engagement with the NSF Cybersecurity Center of Excellence (applications due March 17)

Conducting one-on-one engagements with NSF projects and facilities is one of CTSC’s core activities. To complete the application form and learn more about the process, visit our site: https://trustedci.org/application/

In its first 4 years, we have conducted more than 20 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions. We support a variety of engagement types including: assistance in developing, improving, or evaluating your information security program; software assurance-focused efforts; technology or architectural evaluation; training for staff; and more. Applications for engagements to be executed in July - December 2017 are due March 17, 2017. (Slots are limited, so this is a hard deadline!) As the NSF Cybersecurity Center of Excellence, CTSC’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.

Wednesday, January 11, 2017

2016 Security Awareness Retrospective

As we enter the new year, it’s a good time to reflect on what happened in the last year and the lessons we should be learning from it. The general goal of our situational awareness mission is to inform on threats to the cyberinfrastructure (CI) of research and education centers. With most alerts it can be hard to identify the overall threat, not only to CI but also to you as an individual. We try our best to provide information to help you identify where these vulnerabilities may affect your infrastructure. We translate each issue into a more understandable format so you can better assess how it may affect you, how you can detect it, and how it can be resolved.

If you have been taking advantage of this service, let us know how it’s been going. We would really appreciate your feedback to help us prepare for our annual report to the NSF as well as to improve the Situational Awareness program. Here is the link to the survey:
In the last year we have provided a number of different alerts for core software like OpenSSH and OpenSSL. We announced vulnerabilities in the content management systems WordPress and Joomla. There have been alerts for vulnerabilities in the Linux kernel as well. We have even provided some guidance for named vulnerabilities like Badlock, DirtyCOW and HTTPoxy.

Many of the issues we’ve seen in the last year can be identified, mitigated and/or resolved quickly by taking a few extra steps. If you don’t have the time or expertise on site to manage a service, use professionally hosted services that can provide security mitigation and patching quickly. Use regularly scheduled vulnerability scanning services to find weaknesses in your infrastructure, such as unpatched systems or exposed services that you’re unaware of. Protect against compromised passwords by enabling multi-factor authentication. Taking these extra steps can go a long way toward protecting your infrastructure from upcoming vulnerabilities.

Back in October we posted about ransomware and ensuring that you are backing up your data. Every year ransomware attacks have been increasing in number and complexity. We’ve seen this increase in the last year and expect to see another increase in the next year. If you haven’t already invested in a backup solution for your data, this is something you should put effort into as soon as possible.

This last year has also seen the rise of a new compromise vector in small internet-connected devices known as the Internet of Things (IoT). These are everyday objects with embedded computers that are connected to the internet. They give you the ability to turn lights on and off, adjust your thermostat, open doors, even cook your food, all from your phone. These simple devices are not as complex as a desktop computer and are usually designed for ease of use and not for security. Attackers have taken advantage of this lack of security, using the ‘Mirai’ malware to build up an impressively destructive botnet. Because these devices are usually not designed to be upgraded remotely, it’s likely this botnet will not disappear soon. In the next year we expect to see increased activity from, and growth of, this botnet.

The ease with which many of these devices can be added to any network can make this a very real threat for your CI. You may also see devices that show up in offices or on your wireless network. The most likely source of IoT devices will be networks for personal living spaces like dorm networks. The introduction of these devices to your network may create unintended vectors for access to your network. In large enough numbers they can potentially cripple your network if they’re compromised and being used in a DDoS attack. This post from Internet2 has a number of options for mitigating DDoS attacks on your infrastructure.

One of the other things we’ve noticed a lot of in the last year is compromised accounts. Yahoo recently announced the compromise of over 1 billion accounts from as far back as 2013. While large public sites like Yahoo often get mentioned in the news, we still see lists of compromised accounts for organizations like universities and small businesses. We also continue to see re-use of passwords across systems, where a password compromise at a commercial service like Yahoo can lead to compromise of a CI account using the same password. To counteract this, many sites and organizations have started to roll out multi-factor authentication solutions to protect their users and systems. The introduction of multi-factor authentication is something we’ll likely be seeing more of in the next year and beyond.

Whatever the new year brings, we hope our service will help you navigate it. If you haven’t already signed up for our mailing lists, you can find them here. Security alerts are sent to the CTSC Infrastructure Operators Announce List for issues affecting CI. Alerts that affect software development are sent to the CTSC Software Developers Announcement List. We hope this next year is a safe and secure one.

Monday, January 9, 2017

CCoE Webinar Jan. 23rd 11am EST: Open Science Cyber Risk Profile

Our first webinar for the year will be a team presentation on the Open Science Cyber Risk Profile (OSCRP), on January 23rd at 11am (EST) by Von Welch and Sean Peisert.

Please register here. Be sure to check your spam/junk folder for the registration confirmation with the attached calendar file.

The Open Science Cyber Risk Profile (OSCRP) is a joint project of the Center for Trustworthy Scientific Cyberinfrastructure, the NSF Cybersecurity Center of Excellence, and the Department of Energy’s Energy Sciences Network (ESnet). Over the course of 2016, the CTSC and ESnet organized a working group of research and education community leaders to develop a risk profile for open science. The risk profile is a categorization of scientific assets and their common risks to science, intended to greatly expedite risk management for open science projects and improve their cybersecurity. The working group released a draft of the OSCRP for public comment in late 2016.

More information about this presentation is on the event page.

Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

Other upcoming webinar(s) of potential interest

  • XSEDE Science Gateway webinar on January 11th at 1pm EST.
    • Topic: An overview of SGCI services; see the original post for more information.
  • NSF's WATCH webcast on August 18th at 12pm EDT.
    • Topic: Mapping Interconnection Connectivity and Congestion; see the event page for more information.