Friday, July 13, 2018

Trusted CI 5-year Vision and Strategy

The Trusted CI team is pleased to announce the publication of “The Trusted CI Vision for an NSF Cybersecurity Ecosystem”.  From the introduction:

This document establishes Trusted CI’s vision for a NSF Cybersecurity Ecosystem – a collection of people, knowledge, processes, and cyberinfrastructure – that is necessary to support cybersecurity across the diverse NSF community. Trusted CI is primarily responsible for bringing the vision of a NSF Cybersecurity Ecosystem to fruition. Hence, following Trusted CI’s vision is its mission statement and five-year strategic plan to fulfill that role.

This living document will guide our activities going forward and we welcome community feedback as to its content. As implied in the above paragraph, the vision is broader than any one project can accomplish and we will collaborate with others in the community to achieve this vision.

A full citation for the Vision document follows.  We’ll update the document with subsequent versions as required to keep abreast of progress, suggestions, and changes.

V. Welch, J. Basney, C. Jackson, J. Marsteller, and B. Miller, “The Trusted CI Vision for an NSF Cybersecurity Ecosystem And Five-year Strategic Plan (2019-2023),” Trusted CI, Apr. 2018 [Online]. Available: http://hdl.handle.net/2022/22178.

Wednesday, July 11, 2018

Trusted CI at PEARC'18


PEARC 18 (July 22-26) in Pittsburgh, PA, is just around the corner, and Trusted CI will have a strong presence there. The conference is an all-inclusive event for scientists, engineers, scholars, artists, and educators who depend on efficient, secure, and reliable digital infrastructure. This year's theme is seamless creativity.

Trusted CI staff will present workshops on both practical information security for science projects and guidance on building security into the development, packaging, distribution, and management of software in support of science and research. The first, entitled “Practical Cybersecurity Programs for Science Projects and Facilities,” delves into the foundational elements of a cybersecurity program necessary to provide a secure and safe environment for science, focusing on the four pillars of such a program: Alignment to Mission (identification of critical resources and processes); Resources (money, people); Governance (roles and responsibilities, risk management and acceptance, policies); and Controls (selecting a good baseline control set). It will also include guidance on maintaining and evaluating an established cybersecurity program. The latter, “Software Engineering Practice for Science, Research, and Scientific CI,” will introduce the Software Engineering Guide, which provides guidance and tools for building security into the development, packaging, distribution, and management of software in support of science and research. Participants will leave with a strategy for improving security in any performance computing or scientific CI project that uses or produces software, and a preview of new tools coming out of the NSF CCoE for software security programs.

Along with the two workshops, Trusted CI’s Von Welch will moderate a panel following Anita Nikolich’s keynote talk, Hacking Academia. The panel will strive to echo a “fireside question & answers” session with Ms. Nikolich, further exploring key concepts from her keynote, which will discuss the necessity of feedback loops between the academic community, cybersecurity operators and underground security researchers.

Finally, Trusted CI is proud to announce that this year it will be participating in PEARC’s Partner Program, and thus, will have a table in the exhibitor’s area to network. So, if you attend the conference, stop by and say hello.

Tuesday, July 10, 2018

CCoE Webinar July 23rd at 11am ET: Trustworthy Computing for Scientific Workflows

Mayank Varia and Andrei Lapets are presenting the talk "RSARC: Trustworthy Computing over Protected Datasets" on Monday July 23rd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
There has been an unprecedented increase in the quantity of research data available in digital form. Combining these information sources within analyses that leverage cloud computing frameworks and big data analytics platforms has the potential to lead to groundbreaking innovations and scientific insights. As developers and operators of the widely used Dataverse repository and the Massachusetts Open Cloud platform, we have been working to advance this innovative revolution by colocating datasets in common platforms, curating and tagging datasets with both functional and legal access policies, offering helper services such as search and easy citation to promote sharing, and providing on-demand computational platforms to ease analytics. Unfortunately, we observe that a certain segment of our scientific user base cannot enjoy the full transformative capacity achievable within our cyberinfrastructure. Due to concerns over the privacy and confidentiality of their data sources, or the potential of commercial exploitation of their raw data sets, these researchers are isolating themselves within siloed data repositories and well-protected computational enclaves rather than sharing their datasets with fellow scientists.

This talk will describe cryptographic technological enhancements that are ready to provide scientific researchers with mechanisms to do collaborative analytics over their datasets while keeping those datasets protected and confidential. Secure multi-party computation (MPC) is a cryptographic technology that allows independent organizations to compute an analytic jointly over their data in such a manner that nobody learns anything other than the desired output. Hence, MPC empowers organizations to make their data available for collective data aggregation and analysis while still adhering to pre-existing confidentiality constraints, legal restrictions, or corporate policies governing data sharing. Our new Conclave framework can connect to many existing backend stacks where the data already live, can automatically analyze a query to identify when a computation must cross data silos, and can leverage MPC in a scalable and usable manner when it is necessary to enable the computation.

In summary, while data sharing cyberinfrastructures today are intended to allow everyone to benefit from the initial cost of having one researcher collect data, privacy concerns (and the resulting breakdown of data sharing) transform this burden into a marginal cost that every researcher who wants access to the data must pay. We will describe how a holistic integration of secure MPC into a scientific computing infrastructure addresses a growing need in research computing: enabling scientific workflows involving collaborative experiments or replication/extension of existing results when the underlying data are encumbered by privacy constraints.
Mayank Varia is a research associate professor of computer science at Boston University and the co-director of the Center on Reliable Information Systems & Cyber Security (RISCS). His research interests span theoretical and applied cryptography and their application to problems throughout and beyond computer science. He currently directs an NSF Frontier project that addresses grand challenges in cloud security, aiming to design an architecture where the security of the system as a whole can be derived in a modular, composable fashion from the security of its components (bu.edu/macs). He received a Ph.D. in mathematics from MIT for his work on program obfuscation.

Andrei Lapets is Associate Professor of the Practice in Computer Science, Director of Research Development at the Hariri Institute for Computing, and Director of the Software & Application Innovation Lab at Boston University. His research interests include cybersecurity, formal methods and domain-specific programming language design, and data science. He holds a Ph.D. from Boston University, and A.B. and S.M. degrees from Harvard University.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."
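
The secure multi-party computation idea in the webinar abstract above, shown as an added example (it is not Conclave code and does not come from the presenters): additive secret sharing, one basic MPC building block, used by three constructed data silos to compute a joint histogram while each silo sees only random-looking shares. The names `Party`, `joint_histogram`, `demo` and the sample counts are assumptions, and the example assumes honest-but-curious parties with private channels between them.

```python
"""Joint histogram over private per-silo counts using additive secret sharing."""
import secrets

# All arithmetic is modulo a public prime; true totals must stay below it.
PRIME = 2**61 - 1


def split_into_shares(value, n_parties):
    """Split value into n_parties shares that add up to value mod PRIME.

    Any n_parties - 1 of the shares are uniformly random and reveal nothing
    about value on their own.
    """
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


class Party:
    """One data silo (hypothetical). Its raw counts are never sent anywhere."""

    def __init__(self, name, private_counts):
        self.name = name
        self._private_counts = list(private_counts)
        self.received = []  # share vectors from all parties: this party's view

    def make_share_vectors(self, n_parties):
        """Return one share vector per recipient, covering every histogram bin."""
        per_bin = [split_into_shares(c, n_parties) for c in self._private_counts]
        # Transpose per_bin[bin][recipient] into vectors[recipient][bin].
        return [list(column) for column in zip(*per_bin)]

    def partial_sums(self):
        """Add the received shares bin by bin; this is all a party publishes."""
        return [sum(column) % PRIME for column in zip(*self.received)]


def joint_histogram(parties):
    """Run the two-round protocol and return (totals, published_partials)."""
    n = len(parties)
    for party in parties:
        party.received = []
    # Round 1: every party sends one share vector to each party (itself included).
    for sender in parties:
        for recipient, vector in zip(parties, sender.make_share_vectors(n)):
            recipient.received.append(vector)
    # Round 2: every party publishes the sum of the shares it holds.
    published = [party.partial_sums() for party in parties]
    # The partial sums are individually random but add up to the true totals.
    totals = [sum(column) % PRIME for column in zip(*published)]
    return totals, published


def demo():
    """Constructed sample: three labs, three categories of records each."""
    labs = [
        Party("lab-a", [12, 0, 7]),
        Party("lab-b", [3, 5, 1]),
        Party("lab-c", [9, 9, 9]),
    ]
    totals, _ = joint_histogram(labs)
    return totals


if __name__ == "__main__":
    print("joint histogram:", demo())
```

The output still reveals whatever the totals themselves imply, which is the "desired output" the abstract refers to; deciding whether that output is acceptable to release is a policy question outside the protocol.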

Monday, July 9, 2018

Cyberinfrastructure Vulnerabilities 2018 Q2 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to Trusted CI’s mailing lists.

We monitor a number of sources for software vulnerabilities of interest. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and benefit from community expertise.

Some of the sources we monitor for possible threats to CI include:

In 2Q2018 the Cyberinfrastructure Vulnerabilities team issued the following 4 vulnerability alerts to 91 subscribers:
If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available through https://list.iu.edu/sympa/arc/cv-announce-l.

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Tuesday, July 3, 2018

NSF Cybersecurity Summit lodging deadline approaching

We would like to remind everyone that the deadline for reserving a room for the 2018 NSF Cybersecurity Summit at the discounted conference rate is July 12th. The number of available rooms in our block is limited so please reserve your room as soon as possible. You can book your hotel reservation for the conference here or go to the trustedci.org website and click on the link for the 2018 NSF Cybersecurity Summit and click on the link for The Westin Alexandria.


Also, if you have not already registered for the summit, please do so here.

Friday, June 29, 2018

Trusted CI Completes Engagement with GenApp

GenApp (NSF OAC-1740097) is a tool for rapidly generating science gateways. The goal of GenApp is to provide a graphical frontend and associated server backend for command line scientific applications. Trusted CI began an engagement with GenApp in January 2018, and completed the engagement in June 2018.

The engagement focused on performing a security review of the GenApp codebase and the various web applications generated by GenApp, as well as evaluating the technologies and architectures utilized by the GenApp development framework. Trusted CI worked with the GenApp team to create architectural diagrams, ran automated tools to analyze GenApp systems, and manually inspected key components of source code for vulnerabilities.

Findings included the need for more systematic sanitization of user input, keeping libraries up to date, and recommendations for secure settings of web services of GenApp-generated applications.

The GenApp staff has graciously consented to publication of the engagement report after a sufficient period to implement suggestions for remediation of issues. Trusted CI will contact GenApp towards the end of 2018 to verify that issues have been addressed, after which the engagement report will be made available to the public. The hope is that other NSF-funded projects which are primarily software-based can learn from the tasks accomplished during this engagement.

Thursday, June 21, 2018

NCSA video and news story about Trusted CI

The Trusted CI team is a partnership between Indiana University, the National Center for Supercomputing Applications (NCSA) at the University of Illinois, the University of Wisconsin-Madison, and the Pittsburgh Supercomputing Center.

Recently NCSA produced a short video about Trusted CI, titled "NCSA's Partnership with Trusted CI helps secure over $7 Billion worth of Science." Click below to see the video. Read the corresponding news story here.




Thursday, June 14, 2018

2018 NSF Cybersecurity Call For Participation (CFP) Extended to June 20th

We've extended the CFP deadline an additional week for community submissions.

Program content for the Cybersecurity Summit is driven by our community. We invite proposals for plenary presentations, training sessions, student scholarships, Table Top Talks and, new this year, the Community Leadership Recognition Program.

To learn more about the CFP, please visit: https://trustedci.org/call-for-participation-2018

Monday, June 11, 2018

Announcing the 2017 NSF Community Cybersecurity Benchmarking Survey Report and the 2017 NSF Cybersecurity Summit Report

The second NSF Community Cybersecurity Benchmarking Survey Report is now available:

http://hdl.handle.net/2022/22171

The Community Survey’s purpose is to collect, analyze, and publish useful baseline benchmarking information about the NSF science community’s cybersecurity programs, practices, challenges, and concerns. This year’s survey is significant for receiving responses from 15 of the 25 NSF Large Facilities, and should provide particular insight into the specific cybersecurity practices and concerns of Large Facilities. Notable takeaways from this year’s survey include the dramatic increase in respondents who use multi-factor authentication, the lack of standardization or uniformity around cybersecurity budgets, and the highly variable implementation of software best practices, operational and programmatic cybersecurity safeguards, and cybersecurity governance.

Additionally, the report of the 2017 NSF Cybersecurity Summit to the community is also available. The report outlines progress the community has made based on recommendations from the previous year, attendee details and survey results for both the plenary and training portions of the Summit. The report in its entirety can be reviewed here: 

http://hdl.handle.net/2022/21882

We hope the results and analysis provided by these reports offer insight and inspire discussion.

CCoE Webinar June 25th at 11am ET: Security Program at LSST

NCSA's Alex Withers is presenting the talk "Security Program at LSST" on Monday June 25th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The concept behind the Large Synoptic Survey Telescope (LSST) is simple: conduct a digital image-based survey over an enormous area of the sky and build an extensive astronomical catalogue over the course of ten years. LSST’s astronomical data is the ultimate deliverable to its users. This unique scientific computing environment presents many cyber security challenges. LSST has in place a cyber security program to facilitate its scientific mission: to protect its data access requirements and rights. We will discuss the beginnings of LSST’s cyber security program, adoption and experience with its risk management framework, existing and planned security operations at LSST sites, including the observatory site in Chile and the National Center for Supercomputing Operations (NCSA).

This talk is presented by Alex Withers. Alex is a Senior Cybersecurity Engineer at the National Center for Supercomputing Applications (NCSA). He is the Information Security Officer for the Large Synoptic Survey Telescope (LSST). He is also a PI and co-PI for a number of NSF-funded cybersecurity projects.
Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, June 5, 2018

2018 NSF Cybersecurity Summit Call For Participation Deadline Nearing & Registration Now Open


Greetings everyone, just a reminder that the 2018 NSF Cybersecurity Summit Call For Participation (CFP) deadline of June 13th is nearing.

Program content for the summit is driven by our community. We invite proposals for plenary presentations, training sessions, student scholarships and, new this year, the Community Leadership Recognition Program. The deadline for CFP submissions is June 13th. To learn more about the CFP, please visit: https://trustedci.org/call-for-participation-2018

Registration - Now Open
We’re happy to announce that registration for the NSF Large Facilities community is now open: https://cacr.iu.edu/events/nsf-summit/registration.php
Ensure your participation and register today.

On behalf of the 2018 NSF Cybersecurity Summit organizers and program committee, we welcome your participation and hope to see you in August.


Jim Marsteller 
Program Chair

Monday, May 7, 2018

Trusted CI Webinar May 21st at 11am ET: The EU General Data Protection Regulation (GDPR)



CACR's Scott Russell is presenting the talk, "The EU General Data Protection Regulation (GDPR)" on May 21st at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The European Union’s General Data Protection Regulation (GDPR) is slated to come into effect on May 25, 2018, and organizations around the world are struggling to determine whether they are covered, what is required, and what will happen if they don’t satisfy its requirements.

This webinar will provide an introduction to GDPR, including an overview of the law's requirements, an in-depth discussion of when and to whom the law may apply, and potential strategies for organizations that are unsure of whether they are covered. The webinar will also provide insight into the motivation behind the law, the legal and practical ramifications of its enforcement outside of the EU, and highlight current uncertainties relating to the scope and impact of the law. Attendees will leave with an improved understanding of how GDPR may impact their organization, and will be equipped with basic strategies to manage risks arising from the enforcement of the law.

This webinar is a product of the Trusted CI, the NSF Cybersecurity Center of Excellence. Trusted CI is supported by the National Science Foundation under Grant Number ACI-1547272. For more information about the Trusted CI please visit: http://trustedci.org/. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
Scott Russell is a Senior Policy Analyst at the Indiana University Center for Applied Cybersecurity Research (CACR), where his work focuses on privacy and cybersecurity policy. A lawyer and researcher, Scott received his B.A. in Computer Science and History from the University of Virginia, received his J.D. from Indiana University, interned at MITRE, and served as a postdoctoral fellow at CACR.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, April 24, 2018

Announcing: 2018 NSF Cybersecurity Summit Call for Participation and Student Program

Greetings! It is our great pleasure to announce and invite you to the 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure.  The event will take place Tuesday, August 21st through Thursday, August 23rd, at the Westin Alexandria near the new National Science Foundation Headquarters in Alexandria, VA. Attendees will include cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community, as well as key stakeholders and thought leaders from the broader scientific and cybersecurity communities. Registration and hotel reservations details will be announced in the coming weeks. We are pleased to announce the call for participation and student program are now open!


Call for Participation (CFP) - Now Open
Program content for the summit is driven by our community. We invite proposals for presentations and training sessions as well as nominations for student scholarships. The deadline for CFP submissions is June 13th. To learn more about the CFP, please visit: https://trustedci.org/call-for-participation-2018

Nominations for the Community Leadership Recognition Program
The Summit seeks to recognize outstanding leadership in the cyberinfrastructure and cybersecurity field. These leaders have developed and established the processes and practices for building a trusting, collaborative community, and seriously addressing that community's core cybersecurity challenges in ways that remain relevant, as research technologies and infrastructure evolve and change. More information on the program and how to submit a nomination can be found here: http://trustedci.org/community-leadership-program

Student Program - Accepting Applications
Each year, the summit organizers invite several students to attend the summit. Students who are interested in complex cybersecurity needs around and new, efficient, effective ways to protect information assets while supporting science will benefit more from attending.
Undergraduate and Graduate students may self-nominate or be nominated by a teacher or mentor. The deadline for applications is June 4, 2018. To learn more about the Student Program, please visit: https://trustedci.org/summit2018/students


On behalf of the 2018 NSF Cybersecurity Summit organizers and program committee, we welcome your participation and hope to see you in August.

Wednesday, April 11, 2018

Trusted CI Webinar April 23rd at 11am ET: Toward Security-Managed Virtual Science Networks

Duke University's Jeff Chase and RENCI's Paul Ruth are presenting the talk, "Toward Security-Managed Virtual Science Networks" on April 23rd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
Data-intensive science collaborations increasingly provision dedicated network circuits to share and exchange datasets securely at high speed, leveraging national-footprint research fabrics such as ESnet or I2/AL2S.   This talk first gives an overview of new features to automate circuit interconnection of science resources across campuses and in network cloud testbeds, such as GENI (e.g., ExoGENI) and NSFCloud (e.g., Chameleon).    Taken together, these tools can enable science teams to deploy secure bandwidth-provisioned virtual science networks that link multiple campuses and/or virtual testbed slices, with integrated in-network processing on virtual cloud servers.

Next, we outline a software framework to address security issues arising in these virtual science networks.   We show how to deploy virtual science networks with integrated security management programmatically, using software-defined networking and network function virtualization (SDN/NFV).   As an example, we describe a prototype virtual Network Service Provider that implements SDX-like functionality for policy-based interconnection of its customers, and incorporates out-of-band monitoring of permitted flows using Bro intrusion detection instances hosted on cloud VMs.  We also describe how to use a new logical trust system called SAFE to express and enforce access policies for edge peering and permitted flows, and to validate IP prefix ownership and routing authority (modeling RPKI and BGPSEC protocols) in virtual science networks.

This material is based upon work supported by the National Science Foundation under Grants No. (ACI-1642140, ACI-1642142, CNS-1330659, CNS-1243315) and through the Global Environment for Network Innovations (GENI) program.  Any opinions, findings, and conclusions or recommendations do not necessarily reflect the views of NSF.
Jeffrey S. Chase is a Professor of Computer Science at Duke University.  He joined Duke in 1995 after receiving his PhD in Computer Science from the University of Washington (Seattle).    He was an early leader in automated management for cluster services, cloud hosting systems, and server energy management.   He served as an architect in NSF’s GENI project and is a principal of ExoGENI, a multi-campus networked cloud testbed.

Paul Ruth is a Senior Research Scientist at RENCI-UNC Chapel Hill.  He received his PhD in Computer Science from Purdue University in 2007.  He has been a primary contributor to the ExoGENI testbed since 2011 and is currently the networking lead for the NSF Chameleon testbed.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Monday, April 9, 2018

Cyberinfrastructure Vulnerabilities 2018 Q1 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to Trusted CI’s mailing lists.

We monitor a number of sources for software vulnerabilities of interest. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and benefit from community expertise.

Some of the sources we monitor for possible threats to CI include:


In 1Q2018 the Cyberinfrastructure Vulnerabilities team issued the following 3 vulnerability alerts to 91 subscribers:


If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available through https://list.iu.edu/sympa/arc/cv-announce-l.

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Tuesday, April 3, 2018

Single vs multiple users on a cluster node?

Trusted CI recently received the following query from Chester Langin and are sharing his question and our answer with his permission:

As a security person, can you tell me the advantages and disadvantages of allowing more than one user on a cluster node at a time? I ask because we just moved from Rocks/SGE to OpenHPC/SLURM. Our old cluster allowed multiple users per node so, with 20 cores as an example, users with jobs running 8, 8, and 4 cores could all be running on the same compute node. This provides high efficiency. Our new cluster apparently restricts this so if the first user runs a job with, say 8 cores, nobody else can use that same node and 12 cores are not being used. So, our users will be noticing that jobs will be backing up in queue.
Should we configure SLURM to allow multiple users per node? Do you have a recommendation? Can you give me pros and cons?

This is a classic example of a risk/reward trade-off. As you note in your question, allowing only a single user per node has the downside of lower efficiency. So what do you gain?

There are risks with allowing multiple users per node in that user accounts are not as strong a guarantee of isolating users from each other as is having them on separate nodes. Bugs in the underlying system (and hypervisor if we’re talking virtual machines), misconfigurations of the operating system, and errors in setting file permissions can allow information, potentially sensitive information and credentials, to leak between users on the same node. Some examples include CVE-15566, CVE-2017-5715, CVE-2017-4924. Additionally, we've seen two recent cases in our software assessments where we found file system permissions were set too permissively, allowing users to see each other's data.

Hence you gain some risk reduction. We assume you can estimate the value of the efficiency reduction in terms of lost CPU time, but how do you estimate the benefits of the risk reduction so you can compare these two things?

Unfortunately, quantifying this trade-off isn’t trivial - it’s a judgement call. Some questions to ask to determine which path makes sense for your system involve gauging the consequences of the security risks:
  • How big and diverse is your user community? If your users are all from a collaborating community or within the same institution, the consequences of data leakage could be lower. But if you have users who are competing research groups or companies, the stakes could be higher.
  • What type of data does your system handle? Is it regulated data or other sensitive data that would increase the impact of the risks in question?
  • How you handle an incident can greatly impact its consequences. How poised are you to handle an incident if it occurs? Do you have an incident response plan in place that you regularly exercise?
  • What is the risk tolerance of your stakeholders? Are you expected to squeeze every ounce of performance out of the system or is reputation considered more important? Is there any recent history related to security incidents that may impact this?
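
The over-permissive file permissions mentioned in the answer above are something an operator can check directly on a shared node. As an added example (not from Trusted CI or the original correspondence), this Python script walks each home directory under a root and reports what other local users can reach, taking into account that a directory without the search bit shields everything beneath it. The function names and the sample tree built by `build_demo_tree` are constructed for illustration.

```python
"""Audit home directories for entries that other local users can reach."""
import os
import stat
import tempfile


def _access_bits(mode, include_group):
    """Permission bits granted to non-owners: 'other', plus 'group' if requested."""
    bits = mode & 0o7
    if include_group:
        bits |= (mode >> 3) & 0o7
    return bits


def _scan(top, path, include_group, hits):
    try:
        mode = os.lstat(path).st_mode
    except OSError:
        return
    if stat.S_ISLNK(mode):
        return  # a symlink's own mode is irrelevant; its target is judged in place
    bits = _access_bits(mode, include_group)
    rel = os.path.relpath(path, top)
    if stat.S_ISDIR(mode):
        if bits & 0o2:
            hits.append((rel, "directory writable by other users"))
        elif bits & 0o4:
            hits.append((rel, "directory listable by other users"))
        if not bits & 0o1:
            return  # no search (x) bit: nothing below is reachable, whatever its mode
        try:
            children = sorted(os.listdir(path))
        except OSError:
            return
        for name in children:
            _scan(top, os.path.join(path, name), include_group, hits)
    elif stat.S_ISREG(mode):
        if bits & 0o2:
            hits.append((rel, "file writable by other users"))
        elif bits & 0o4:
            hits.append((rel, "file readable by other users"))


def audit_homes(home_root, include_group=False):
    """Return {home_dir_name: [(relative_path, finding), ...]} for exposed homes.

    Set include_group=True when users share a primary group on the cluster,
    so that group permission bits count as exposure too.
    """
    findings = {}
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name)
        if os.path.islink(path) or not os.path.isdir(path):
            continue
        hits = []
        _scan(path, path, include_group, hits)
        if hits:
            findings[name] = hits
    return findings


def build_demo_tree(root):
    """Create a constructed sample layout of three home directories."""
    layout = [
        ("alice", 0o700, True),             # private home
        ("alice/notes.txt", 0o644, False),  # shielded by the 0700 parent
        ("bob", 0o755, True),               # open home
        ("bob/.ssh", 0o700, True),
        ("bob/.ssh/id_key", 0o644, False),  # shielded by the 0700 .ssh
        ("bob/results.csv", 0o644, False),
        ("bob/scratch", 0o777, True),
        ("carol", 0o750, True),             # exposed only to her group
        ("carol/data.h5", 0o640, False),
    ]
    for rel, mode, is_dir in layout:
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:
        build_demo_tree(demo_root)
        for user, hits in audit_homes(demo_root, include_group=True).items():
            for rel, finding in hits:
                print(f"{user}: {rel}: {finding}")
```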

Monday, March 26, 2018

Upcoming events featuring Trusted CI

Interested in the latest from Trusted CI? Want a chance to chat in person with us? Members of Trusted CI will be participating in a number of upcoming events over the next few months.

EDUCAUSE Security Professional Conference 2018 (April 10-12) in Baltimore, MD. EDUCAUSE brings higher education security professionals together to network and discuss current trends in the industry. Trusted CI's Mark Krenz and Warren Raquel are presenting training sessions on Incident Response and Security Log Analysis. Also, Trusted CI's Von Welch and Jim Basney are co-presenting with IU CACR's Anurag Shankar on Cybersecurity for Research on Campus.

KINBERCON (April 23-25) in Harrisburg-Hershey, PA. KINBERCON's focus is on next generation networks and technology, and brings together leaders in education, healthcare, libraries, and government. The format of KINBERCON includes panels and technical workshops. There are many opportunities for collaborative discussions with speakers and attendees. Trusted CI's Von Welch will be presenting on the project and the intersection of campus IT, info sec, and research.

The 2018 NSF SI2 PI Meeting (April 30-May 1) in Washington, D.C. The SI2 PI workshop brings together PIs to present their projects to fellow PIs through posters, lightning talks, and brief presentations. Trusted CI's Von Welch is presenting "Software Security: Selecting engineering and security practices to enable robust CI and trustworthy science."

Internet2 Global Summit (May 6-9) in San Diego, CA. The summit focuses on advanced and trusted infrastructure, identity, federation and access management, and solutions for researchers with the goal of benefiting the entire research and education ecosystem. Trusted CI's Jim Basney will be co-presenting with CACR's Anurag Shankar on "Cybersecurity for Research on Campus: Not Just HIPAA & FISMA."

PEARC 18 (July 22-26) in Pittsburgh, PA. PEARC is an all-inclusive event for scientists, engineers, scholars, artists, and educators who depend on efficient, secure, and reliable digital infrastructure. This year's theme is seamless creativity. Presentation abstracts are still under review. Trusted CI intends to attend and present at this year's conference and will update the community as more information is available.

The 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure (August 21-23) in Alexandria, VA. The Summit is hosted by Trusted CI and welcomes cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI Community, as well as key stakeholders and thought leaders from the broader scientific and information security communities. The Summit includes training sessions, a plenary session, and opportunities to network and socialize with peers. Be on the lookout for our call for proposals.

Whether you are an operational security pro, high-speed networking researcher, NSF PI, or identity management specialist, the coming months present some interesting opportunities to network and collaborate. We look forward to seeing you at these events.

Thursday, March 22, 2018

New name, same mission

Dear friends of CTSC,

We're writing to announce that the Center for Trustworthy Scientific Cyberinfrastructure (CTSC) is becoming Trusted CI, the NSF Cybersecurity Center of Excellence.

Why are we making this change? While it clearly conveyed our mission, our initial name was a mouthful -- and, with the added CCoE designation, we found that people struggled to remember it. Trusted CI will build better name recognition, through consistent branding across our website (trustedci.org) and social media (@TrustedCI). 

The new name still emphasizes what we're about: Achieving the NSF goal of creating high-quality, trusted cyberinfrastructure (CI) that supports high-quality, trusted science. It will also make it easier for you to remember how to get help for your NSF CI projects: Email ask@trustedci.org (be sure to identify which NSF project your query relates to). 
 
As we roll out the new branding this spring, we'd like to extend an active invitation to engage our services. From quick questions to collaborative engagements lasting months, Trusted CI tackles challenges of all sizes. 

We're happy to assist with anything related to cybersecurity for NSF CI projects, and we're focused on tailored solutions that impact your work as little as possible. And now all you have to remember is Trusted CI!

Monday, March 12, 2018

Trusted CI Webinar Mar. 26th at 11am ET: Data Quality and Security Evaluation Framework

Rochester Institute of Technology's Leon Reznik and Igor Khokhlov are presenting the talk "Data quality and security evaluation framework development" on March 26th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
In this talk, we are presenting our work on building a data quality and security (DQS) framework, which integrates cybersecurity with other diverse metrics, such as accuracy, reliability, timeliness, and safety into a single methodological and technological framework. This innovation has a high potential to enable a significant improvement in a wide spectrum of science and technology applications as it will create new opportunities for optimizing data structures, data processing and fusion procedures based on a new quality and security information application. While the developed evaluation techniques may cover a wide range of data sources, the current framework’s implementation concentrates on using an ordinary user’s owned mobile devices and Android-based smartphones in particular.  
After discussing a motivation and general concepts of data quality evaluation, we will present preliminary results. As the framework integrates various metrics from accuracy to security and privacy, we will show examples of cyberinfrastructure elements from those areas developed so far. The security evaluation aspect of the framework is introduced with the Android applications that evaluate a smartphone's security, give a comprehensive score, and advise how the smartphone's security can be improved. Two applications that are already available on Google Play will be presented and discussed. In addition, we will show some examples of the framework’s user interface designed for data quality metrics assignment and demonstrate its visualization capabilities.
The data privacy evaluation is presented with the investigation of the colluded application vulnerability in Android OS devices. We will discuss and analyze the results achieved in this domain.
We believe that the DQS evaluation framework will stimulate further improvement of the quality of the whole cyberinfrastructure and, in particular, cybersecurity. We will discuss possible further developments and seek feedback and advice on further DQS evaluation research directions. In particular, we are looking for collaboration in the development of our framework applications in various science and technology domains.

Leon Reznik is a Professor of Computer Science (primary affiliation) and Computing Security (secondary affiliation) at the Rochester Institute of Technology. His current research concentrates on data quality and security evaluation and assurance; cognitive sensor networks and systems; intelligent intrusion detection and big data analytics.

Igor Khokhlov is a Ph.D. candidate at the Rochester Institute of Technology. He conducts research on data quality and value evaluation for sensor-originated data. Igor’s fields of interest include Android OS, cyber-security, and AI.
Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Friday, March 2, 2018

NRAO and Trusted CI Launch Engagement

Trusted CI is pleased to announce the start of an engagement with the National Radio Astronomy Observatory (NRAO), an NSF Large Facility supported in part by NSF Award # 1647378. This engagement is expected to continue through the end of June. Our shared goal for this engagement is to assess and facilitate the continued maturation of NRAO’s information security program, as well as to positively impact its adaptiveness and longevity. We will accomplish this by evaluating their existing policies, practices, and documentation, and providing recommendations for opportunities to strengthen these within the overarching framework of the four pillars of cybersecurity: mission, governance, resources, and controls.

Initially established in 1956, the National Radio Astronomy Observatory is operated under cooperative agreement by Associated Universities, Inc. (AUI). NRAO provides state-of-the-art radio telescope facilities for use by the international scientific community, open to all astronomers regardless of institutional or national affiliation. NRAO also provides both formal and informal programs in education and public outreach for teachers, students, the general public, and the media. Their instruments include the Jansky Very Large Array in New Mexico and the North American component of the Atacama Large Millimeter/submillimeter Array in Chile.

With its latest renewal, NRAO’s mandate is to improve not only the accessibility of its scientific instruments, but also the accessibility of its multi-petabytes of archived observational data for re-processing and re-use beyond the initial intent and audience. NRAO’s revised mission seeks to extend beyond the traditional radio astronomy community into the fields of general scientific endeavor looking at complex molecules in space, real-time events, and the explanation of origins of life, planets, solar systems, galaxies, and the universe.

Wednesday, February 14, 2018

CTSC Begins Engagement with GenApp

GenApp (NSF OAC-1740097) is a tool for rapidly generating science gateways. The goal of GenApp is to provide a graphical frontend for command line scientific applications. This is accomplished by creating JSON configuration files which specify input and output parameters for the scientific application, as well as parameters for the GUI elements of the resulting graphical frontend.

The most used GenApp-generated science gateway (SASSIE2), which is focused on the small-angle scattering field, has over 500 registered users and 16K jobs submitted through the gateway in 2017. GenApp-generated gateways are running on dedicated local resources as well as cloud resources, primarily NSF Jetstream at this time, but such functionality has also been tested on AWS.

As vulnerabilities present in GenApp may lead to vulnerabilities in the generated gateway applications, it is imperative to address any security issues which may be in the GenApp framework, to protect the integrity of the gateway applications and the computing platforms they use. CTSC will review GenApp's design and architecture in an attempt to identify potential security issues and recommend remediations. CTSC will also use code analysis tools and web-based scanning tools on both the GenApp frontend-generation engine and the several web frontends created by the GenApp framework.

The CTSC-GenApp engagement began January 2018 and is scheduled to conclude by the end of June 2018.

Monday, February 12, 2018

CCoE Webinar Feb. 26th at 11am ET: SmartProvenance

The University of Texas at Dallas's Dr. Murat Kantarcioglu is presenting the talk "SmartProvenance: A Distributed, Blockchain Based Data Provenance" on February 26th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
Blockchain technology has evolved from being an immutable ledger of transactions for cryptocurrencies to a programmable interactive environment for building distributed reliable applications. Although the blockchain technology has been used to address various challenges, to our knowledge none of the previous work focused on using Blockchain to develop a secure and immutable scientific data provenance management framework that automatically verifies the provenance records using off-chain techniques. In this talk, we discuss how we leverage Blockchain as a platform to facilitate trustworthy data provenance collection, verification, and management. The developed system utilizes smart contracts and open provenance model (OPM) to record immutable data trails. We show that our proposed framework can securely capture and validate provenance data that prevents any malicious modification to the captured data as long as the majority of the participants are honest.

Dr. Kantarcioglu is a Professor in the Computer Science Department and Director of the Data Security and Privacy Lab at The University of Texas at Dallas (UTD). Dr. Kantarcioglu’s research focuses on the integration of cyber security and data science.
Presentations are recorded and include time for questions with the audience.
Join CTSC's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Friday, February 9, 2018

Deadline extended for REU student applications at IU.

The application deadline for undergraduate students at IU interested in working on software security research with CTSC has been extended to February 18th.

Please see the original post for more details.

Tuesday, February 6, 2018

Apply for an Engagement with the NSF Cybersecurity Center of Excellence (applications due April 6)

We are accepting applications for one-on-one engagements to be executed in July - December 2018.  Applications are due April 6, 2018. (Slots are limited and in demand, so this is a hard deadline!)


To learn more about the process and criteria, and to complete the application form, visit our site:



During CTSC’s first 5 years, we’ve conducted more than 20 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions.  We support a variety of engagement types including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.  


As the NSF Cybersecurity Center of Excellence, CTSC’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.

CTSC Engages with Community to Develop Academic Cloud Provider Best Practices


A community of academic cloud service providers, in collaboration with CTSC, intends to identify and document a set of security best practices for both operators and software developers of academic cloud service providers.  The community that will spearhead this thrust is comprised of various R&E cloud service provider initiatives, including: Agave Platform (TACC - NSF OCA-SS2-SSI-1450437), Cornell University Center for Advanced Computing (NSF CI-1541215), CyVerse (UA - NSF DBI-0735191, DBI-1265383), and Jetstream (IU - NSF 1445604).

A “cloud resource” within an academic institution provides a means for R&E users to run virtual machines or containers such that they can have a custom software stack and isolation from other users. Additionally, virtual machines or container images can be curated and provided by the cloud resource operator, they can be provided by the user, or they can be provided by a third party.  This presents a number of challenges in the domain of cloud cybersecurity, e.g., users’ images are run with privileged access, images can be from unknown provenances, controls to reduce the risk an image may cause to both operator and other guests are limited, and managing security updates to images is cumbersome.

To address these issues, this engagement will (i) identify issues and concerns geared for academic cloud operators and those developing software for cloud resource operators, (ii) survey existing security recommendations that govern generic cloud computing, (iii) aggregate those principles found in (ii) for the issues and concerns affecting academic cloud service providers or develop new principles for secure operation of a cloud resource, including specific measures to achieve those principles, and (iv) disseminate the set of principles to the NSF community to maximize its impact.

The overarching goal of this engagement is to improve cybersecurity for operators and users of academic clouds.

Wednesday, January 31, 2018

DEADLINE EXTENDED: Undergraduate Research Opportunity at IU

UPDATE: We've extended the application deadline to February 18, 2018. Please direct any questions to sesons@iu.edu.

The NSF Cybersecurity Center of Excellence (CTSC) is seeking an undergraduate research assistant at Indiana University Bloomington to aid in the development of a software engineering security guide for NSF-funded science and research projects. The student will work under the supervision of Chief Security Analyst Susan Sons to go through data on unusually high-impact vulnerabilities across many types of software, as well as on which vulnerabilities most commonly have impact, and to aid in drawing and explaining conclusions about which types of software weaknesses or development problems should be focused on in developer education and in the first security evaluations on software in an unknown security state.

The student’s work would be comprised of about 60% mining existing databases on software weaknesses and vulnerability reports, about 20% writing up results on that process, with a focus on the top vulnerabilities, and about 20% fleshing out the teaching materials by integrating feedback from outside reviewers and information gained from testing various software tools’ abilities to identify these selected top vulnerabilities.

The student will be appropriately credited, based on work completed, in the final publication.

Schedule and Compensation:


Work will commence in mid February (schedule flexible) with conclusion in May 2018. The student will be expected to work 20 hours per week on a flexible schedule for a $300/week stipend for up to 22 weeks. Primary place of work is the IU Innovation Center at 2719 E Tenth Street, with remote work possible.

Required skills:
  • Experience using an appropriate programming language (e.g. Python or Perl) to search text and database records for information.
  • Ability to take on moderately-sized technical writing tasks.
  • Excellent task management skills: ability to take on tasks or projects, keep track of relevant information, ask for help when needed, and provide consistent feedback on project status with attention to quality and deadlines.
  • Interest in cybersecurity (experience a plus but not required).


Application Process:

Applications will be reviewed by a committee from CTSC, with a decision to be made by February 9th. Candidates should email the following information to Susan Sons, sesons@iu.edu, by 5pm Eastern on February 18th, 2018:
  1. University Transcripts
  2. Letter of Recommendation from a faculty member
  3. A 250-300 word essay answering “How will this experience benefit me?”
  4. A 250-300 word essay answering “What are my expectations for this experience?”
Applications will be reviewed by a panel of CTSC Analysts.

Tuesday, January 30, 2018

SGCI Webinar Feb. 14th at 1pm ET: Cybersecurity for the Modern Science Gateway.


CTSC's Von Welch and Mark Krenz are presenting the talk "Cybersecurity for the Modern Science Gateway" on February 14th at 1pm (Eastern) for the Science Gateway Community Institute's (SGCI) February Webinar.

Please register here.

Science Gateways may be varied in their individual design and purpose, but can all benefit from a commonly used approach to Cybersecurity. Join security experts from the Center for Trustworthy Scientific Cyberinfrastructure (CTSC) as they present an easy-to-follow overview of the resources available to start or improve your gateway's cybersecurity program. From this presentation you will learn the three key cybersecurity aspects that science gateways share as well as the three goals your cybersecurity program should strive to achieve. An overview of techniques and tools will be shown to provide guidance to those not focused on cybersecurity, but wishing to address its challenges.

This talk is presented by Von Welch and Mark Krenz. Von Welch is the Director and PI of the Center for Trustworthy Scientific Cyberinfrastructure and Director of the Center for Applied Cybersecurity Research at Indiana University. Mark Krenz is the Lead Security Analyst for the Center for Applied Cybersecurity Research at Indiana University.

Thursday, January 25, 2018

Cyberinfrastructure Vulnerabilities 2017 Q4 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to CTSC's mailing lists.

We monitor a number of sources for software vulnerabilities of interest. For those issues which warrant alerts to the CTSC mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and benefit from community expertise.

Some of the sources we monitor for possible threats to CI include:


In 4Q2017 the Cyberinfrastructure Vulnerabilities team issued the following 3 vulnerability alerts to 87 subscribers:



If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available through https://list.iu.edu/sympa/arc/cv-announce-l.

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Monday, January 15, 2018

CCoE Webinar Jan. 29th at 11am ET: Security Program at LSST

NCSA's Alex Withers is presenting the talk "Security Program at LSST" on January 29th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The concept behind the Large Synoptic Survey Telescope (LSST) is simple: conduct a digital image-based survey over an enormous area of the sky and build an extensive astronomical catalogue over the course of ten years. LSST’s astronomical data is the ultimate deliverable to its users. This unique scientific computing environment presents many cyber security challenges. LSST has in place a cyber security program to facilitate its scientific mission: to protect its data access requirements and rights. We will discuss the beginnings of LSST’s cyber security program, adoption and experience with its risk management framework, existing and planned security operations at LSST sites, including the observatory site in Chile and the National Center for Supercomputing Operations (NCSA).

This talk is presented by Alex Withers. Alex is a Senior Cybersecurity Engineer at the National Center for Supercomputing Applications (NCSA). He is the Information Security Officer for the Large Synoptic Survey Telescope (LSST). He is also a PI and co-PI for a number of NSF-funded cybersecurity projects.
Presentations are recorded and include time for questions with the audience.

Join CTSC's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Thursday, January 4, 2018

CTSC Collaboration with NSF Campus Cyberinfrastructure and CyberTraining Projects

CTSC's Warren Raquel and Mark Krenz at the Great Plains Network & Greater Western Library Alliance training in June 2017

NSF's 2018 solicitation for Campus Cyberinfrastructure (CC*) projects states that the "Campus CI plan should address the campus-wide approach to cybersecurity in the scientific research and education infrastructure," and NSF's 2018 solicitation for CyberTraining projects highlights the need for "training and certification of CI Professionals in cybersecurity technology and management for advanced CI-enabled research."

CTSC resources and staff are available to assist Campus Cyberinfrastructure and CyberTraining projects with cybersecurity plans and training, via one-on-one engagements and other CTSC activities. For example, CTSC recently engaged with the University of New Hampshire Research Computing Center (funded in part by the NSF CC*DNI program).

Our cybersecurity program guide provides recommendations and templates for establishing and maintaining cybersecurity programs. Our online training materials and webinars cover many cybersecurity topics tailored to the NSF CI community. CTSC staff are available to participate in training events as our schedule and travel budget allow. We can also assist with disseminating announcements about training events and training materials to the community. Our annual cybersecurity summit provides a venue for training sessions for cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community.

If you are preparing a Campus Cyberinfrastructure or CyberTraining proposal to address cybersecurity needs, please see our guidance on including CTSC in a proposal and don't hesitate to contact us to discuss how CTSC can help.