Tuesday, August 11, 2020

Trusted CI Engagement Application is Open

Applications Due Oct. 2, 2020

Apply for a one-on-one engagement with Trusted CI for Late 2020.


 Trusted CI is accepting applications for one-on-one engagements to be executed in Jan-June 2021. Applications are due Oct. 2, 2020 (Slots are limited and in demand, so this is a hard deadline!)


To learn more about the process and criteria, and to complete the application form, visit our site:

http://trustedci.org/application


During Trusted CI’s first 5 years, we’ve conducted more than 24 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions. We support a variety of engagement types including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.

 As the NSF Cybersecurity Center of Excellence, Trusted CI’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.

 

Friday, August 7, 2020

Chem Compute JupyterHub (1st May, 2020 - 15th July, 2020)

Chem Compute provides free access to computational chemistry software for undergraduate students and for researchers, all without users having to compile, install, or maintain software and hardware. Chem Compute also features Jupyter notebooks for students to do data analysis using Python.


Trusted CI partners with Science Gateways Community Institute (SGCI) on SGCI engagements that require cybersecurity expertise. The cybersecurity staff from Trusted CI engaged with Mark Perri from Chem Compute over a period of 2.5 months (May-July 2020) to review its security including servers, services and policies. Recommendations were made around the risks that were identified. The cybersecurity team also made some best practices recommendations for Chem Compute’s JupyterHub. Most of the best practices recommendations were made from the following sources: 

https://jupyterhub.readthedocs.io/en/stable/reference/websecurity.html

https://jupyterhub.readthedocs.io/en/stable/getting-started/security-basics.html


We started the engagement with a kickoff meeting to get an overview of Chem Compute and how its systems are set up and operate, and to discuss the requirements and expectations for the engagement. After that, the SGCI cybersecurity team set up weekly meetings among themselves to discuss and work on the project. The cybersecurity team also scheduled meetings with Mark Perri as needed to provide updates and gather input. The final product of the engagement was a 12-page security report containing specific recommendations on how to address the security gaps identified during the engagement.

Overall it was a successful engagement, thanks to Mark Perri’s valuable inputs with quick turnaround time.


Removed language with racial biases

As announced in our June 12 blog post, Trusted CI has joined other organizations in ceasing the use of terms such as “whitelist,” “blacklist,” and similar cybersecurity terms that imply negative and positive attributes and use colors also used to identify people. There simply is no place today for biased language with racial implications. 

In addition to the prior updates to our code of conduct, we have completed a review of the Trusted CI guide and related templates and blog posts and updated instances where found. We recognize the potential use of this language in past presentations and do not intend to rewrite history. No new materials produced will use such language.

We welcome your input on how we can continue to improve, making our community welcoming for all. If we missed any instances of this language, please let us know and we will address it promptly.

Von Welch for Trusted CI

Tuesday, August 4, 2020

Registration is now open for the 2020 NSF Cybersecurity Summit


It is our great pleasure to announce the 2020 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure. The event will take place virtually Tuesday, September 22 through Thursday, September 24, 2020. Attendees will include cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community, as well as key stakeholders and thought leaders from the broader scientific and cybersecurity communities.

Registration

Complete the online registration form: https://trustedci.org/2020-nsf-summit



Thank you on behalf of the Program and Organizer Committee.

Wednesday, July 29, 2020

Trusted CI begins Engagement with Galaxy

Galaxy is an open-source, web-based application for performing data-intensive biomedical research. It combines common software tools and data workflows to give researchers without an informatics background an accessible, easy-to-use interface that abstracts the complexity of interacting with compute resources. Galaxy provides a free, public, internet-accessible instance at https://usegalaxy.org, utilizing infrastructure provided by CyVerse at the Texas Advanced Computing Center, with support from the National Science Foundation. Galaxy can also be installed and run locally at sites, or run in the cloud, providing flexibility for deployment, custom security requirements, and compute availability. The Galaxy Project is supported in part by NSF, NHGRI (National Human Genome Research Institute), The Huck Institutes of the Life Sciences, The Institute for CyberScience at Penn State, and Johns Hopkins University. The Galaxy Team is a part of the Center for Comparative Genomics and Bioinformatics at Penn State, the Department of Biology at Johns Hopkins University, and the Computational Biology Program at Oregon Health & Science University.

The overall goal is for Trusted CI to work with Galaxy in reviewing the current security practices of the Galaxy project container-based deployments and provide recommendations to ensure safe handling, processing, and storage of data. To that end, Trusted CI will focus on the following activities:

  • Review Galaxy components and their interactions to gain a detailed understanding of the overall security architecture, and data work-flow, while generating updated architecture diagrams.

  • Evaluate Galaxy against NIST 800-53 and determine where controls need to be implemented.

  • Conduct a HIPAA gap analysis to identify any areas needing additional safeguards. Provide guidance on processes and tools needed to fill any gaps identified.

  • Time permitting: Review the architecture and implementation of usegalaxy.org and make recommendations for improving security.

This engagement is a collaboration between the Science Gateway Community Institute’s (SGCI) incubator service and Trusted CI.


The engagement started July 2020 and is scheduled to conclude by the end of December 2020.

Tuesday, July 28, 2020

Trusted CI Webinar: Transitioning Cybersecurity Research to Practice - Aug. 11th at 11am (EDT)


Florence Hudson, Ryan Kiser, Patrick Traynor, and S. Jay Yang, are presenting, Transitioning Cybersecurity Research to Practice - Success stories and tools you can use, on Tuesday August 11th at 11am (Eastern). 

Please register here. Be sure to check spam/junk folder for registration confirmation email.
"Transition to practice is really a passion of mine. It is wonderful to write papers and have great ideas. But it is even cooler to get a million people using it." – Professor Patrick Traynor.

Join us to hear exciting Cybersecurity Research success stories, and lessons learned along the way, from Professor Patrick Traynor from the University of Florida who has successfully transitioned his research to practice in a number of ways. One of his technologies, the Skim Reaper, is being used across multiple U.S. states to protect from credit card skimming. We will also share tools that Trusted CI has developed to help you take the Transition To Practice journey as a developer and researcher. Florence Hudson and Ryan Kiser will present the "Trusted CI TTP Playbook" available on the Trusted CI website, with TTP Tools you can use. This includes a TTP Canvas to enable the researcher and developer to clarify their target users, value proposition, and how they will TTP. We also include a TTP Technology Readiness Level (TRL) assessment tool to design your technical journey to mature and transition to practice your valuable research.
Speaker Bios:

Florence D. Hudson is a Special Advisor at Trusted CI, the NSF Cybersecurity Center of Excellence, co-leading the Transition To Practice (TTP) program. She has led TTP at IBM, Internet2 and Trusted CI. She is a former IBM Vice President and Chief Technology Officer, Internet2 Senior Vice President and Chief Innovation Officer, and Aerospace and Mechanical Engineer at Northrop Grumman and NASA. She is Executive Director for the Northeast Big Data Innovation Hub at Columbia University, and Founder and CEO of Advanced Technology and Diversity & Inclusion Consulting Firm FDHint, LLC. She received her BSE in Mechanical and Aerospace Engineering from Princeton University, and completed Executive Education at Harvard Business School and Columbia University.

Ryan Kiser is a Senior Security Analyst at the Indiana University Center for Applied Cybersecurity Research. Ryan has worked on information security projects across a wide variety of domains including leading efforts to assess and improve the security of automotive engine systems, performing risk assessments for university central IT systems, and supporting researchers in efforts to adhere to regulated data requirements such as HIPAA, FISMA, and various CUI requirements. Ryan has been heavily involved in organizations serving information security needs for higher-ed and national research communities. Some of these include the Open Science Grid (OSG) as a member of the OSG Security Team and Trusted CI where he has led engagements to assist NSF-funded research projects in improving their security posture. His current interests involve novel applications of predictive modeling, machine learning, and brazilian jiu-jitsu.

Patrick Traynor is a professor of Computer and Information Science and Engineering (CISE) at the University of Florida. Patrick's research focuses on the security of mobile systems, with a concentration on telecommunications infrastructure and mobile devices. His research has uncovered critical vulnerabilities in cellular networks, developed techniques to find credit card skimmers that have been adopted by law enforcement and created robust approaches to detecting and combating Caller-ID scams. He received a CAREER Award from the National Science Foundation in 2010, was named a Sloan Fellow in 2014, a Fellow of the Center for Financial Inclusion at Accion in 2016 and a Kavli Fellow in 2017. Professor Traynor earned his Ph.D and M.S. in Computer Science and Engineering from the Pennsylvania State University in 2008 and 2004, respectively, and his B.S. in Computer Science from the University of Richmond in 2002. He is also a co-founder of Pindrop Security, CryptoDrop, and Skim Reaper.

Dr. S. Jay Yang received his BS degree in Electronics Engineering from National Chiao Tung University in Taiwan in 1995, and MS and Ph.D. degrees in Electrical and Computer Engineering from the University of Texas at Austin in 1998 and 2001, respectively. He is currently a Professor and the Department Head for the Department of Computer Engineering at Rochester Institute of Technology. He also serves as the Director of Global Outreach in the Center of Cybersecurity at RIT, and a Co-Director of the Networking and Information Processing (NetIP) Laboratory. His research group has developed several pioneering machine learning, attack modeling, and simulation systems to provide predictive analysis of cyberattacks, enabling anticipatory or proactive cyber defense. His earlier works included FuSIA, VTAC, ViSAw, F-VLMM, and attack obfuscation modeling. More recently, his team is developing a holistic body of work that encompasses ASSERT to provide timely separation and prediction of critical attack behaviors, CASCADE to simulate synthetic cyberattack scenarios that integrate data-driven and theoretically grounded understanding of adversary behaviors, and CAPTURE to forecast cyberattacks before they happen using unconventional signals in the public domain. Dr. Yang has published more than sixty papers and worked on eighteen sponsored research projects. He has served on organizing committees for several conferences and as a guest editor and a reviewer for a number of journals and textbooks. He has been invited as a keynote or panel speaker at several venues. He was a recipient of the Norman A. Miles Outstanding Teaching Award, and a key contributor to the development of two Ph.D. programs at RIT and several global partnership programs.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, July 21, 2020

Trusted CI Completes a Highly Successful Engagement with UC Berkeley

Handling regulated data is becoming a key requirement for supporting research, especially for high performance computing (HPC) service providers who have not previously been subject to rules and regulations.  While the list of institutions with research cyberinfrastructure approved for critical data such as protected health information (PHI) or Controlled Unclassified Information (CUI) is growing, it still remains woefully short.  Any major university effort to accommodate researchers with regulated data adds to the pool of research enablers, while simultaneously protecting sensitive research data.

For HPC service providers that support research sponsored by the NSF,  pursuing compliance also diverts resources, potentially affecting this support.  External help can be invaluable in reducing the impact, especially for providers tackling compliance for the first time.  

Trusted CI recently concluded a highly successful engagement with UC Berkeley that both validated and bolstered UC Berkeley’s nascent regulated data effort, namely a “Secure Research Data and Compute” (SRDC) platform.   The SRDC platform is expected to have a significant impact on UC Berkeley’s ability to enable and empower a wide range of researchers to conduct research with data subject to rules and regulations in scientific fields as diverse as biology, engineering, computer science, and a broad spectrum of social sciences and professional schools such as business, public health, and law.

According to Ken Lutz, Director of Research Information Technology at UC Berkeley: 

“Our engagement with Trusted CI has been very successful and has been an important part of preparing for the launch of our SRDC Platform. While we had already obtained a commitment by senior leadership to develop the platform, the perspective and expertise provided by the Trusted CI team helped us build trust across our complex network of stakeholders. Our UC Berkeley team especially appreciated the broader higher education experience that the Trusted CI team brought to the engagement. Based on this engagement, we feel confident that we are developing a platform and service that will enable our research community to pursue high impact research involving highly sensitive data.”

Initial engagement objectives included a review of SRDC’s design, security and compliance goals and future vision, a comparison of SRDC security against best practices at peer institutions, gap identification, and recommendations on how to fill those gaps.

The engagement spanned eleven 1-hour meetings and an all-day virtual campus visit. The meetings, submitted artifacts, and other input from UC Berkeley enabled Trusted CI to assess the SRDC security architecture, workflows, and current policies and procedures, evaluate and validate the cybersecurity framework UC Berkeley is developing with help from a commercial third party, and gauge UC Berkeley’s approach to regulated data against what peer institutions are doing.

During the virtual campus visit, Trusted CI met many of the other SRDC stakeholders on campus (including the CISO) and did a presentation for a group of these stakeholders that detailed current regulated research data approaches nationally and how UC Berkeley’s effort fits in.

The final product of the engagement was a 21-page report containing specific, prioritized recommendations on how to address the security gaps identified during the engagement (including HIPAA gaps), adopt best practices, and avoid pitfalls while maintaining a healthy balance between usability and security.  Trusted CI also provided policy templates and guidance on how best to leverage the cybersecurity framework recommended by the third party.

Trusted CI benefited from this engagement as well from working alongside a commercial third party and learning about their approach to compliance, and from the addition of another institution that Trusted CI can refer future seekers of compliance to for guidance and counsel.

The success of this engagement is noteworthy in light of the challenges COVID-19 introduced in the midst of the engagement, including the cancellation of a campus visit and face to face interaction, both of which are typically important to the success of highly collaborative projects.