Wednesday, May 28, 2014

CTSC Creates Tutorial Series on Cybersecurity

The National Center for Supercomputing Applications (NCSA) security team has produced “Building a Cybersecurity Program”—a 19-part online video tutorial series—as part of the Center for Trustworthy Scientific Cyberinfrastructure’s (CTSC) continuing effort to improve the cybersecurity of NSF-funded computational science and engineering projects. CTSC is a collaborative effort bringing together expertise in cybersecurity from multiple internationally recognized institutions, including NCSA, Indiana University, the University of Wisconsin-Madison, the University of Wisconsin-Milwaukee, and the Pittsburgh Supercomputing Center (PSC).

Science and engineering increasingly rely on computing, digital data and interoperability for the success of their education, collaboration and research efforts. Collaboration across countries and between disciplines is characterized by its open nature, use of unique instruments, large and complex data sets, and rich ecosystems. Appropriate cybersecurity measures for scientific cyberinfrastructure (CI) can therefore look very different from those of commercial CI. Just evaluating and choosing technologies for identity management, authentication, authorization, and auditing are major challenges.

CTSC feels that cybersecurity should not dictate how science is done; rather, it should support and enable the workflows and technology choices made by science teams.

“CTSC grew from the understanding that these teams want to focus on their research endeavors and collaborate across campus and across the country without having to worry about what might hinder them doing so freely and openly,” says Randy Butler, Deputy Director for CTSC, leader of CTSC Education, Outreach and Training, NCSA Director of the Cybersecurity Directorate and Chief Security Officer. To address that need, NCSA’s security team put together this series of video tutorials, giving an overview of what cybersecurity looks like for a scientific CI project and how to build it in. “We have outlined a specific process, carefully tailored to the science community’s needs. The new videos make that process easy to understand and enact,” continues Butler.

“Many research projects don’t have the dedicated information security expertise, time or resources to develop a comprehensive information security program,” adds James Marsteller, PSC Information Security Officer and member of the CTSC team. Marsteller was one of the authors who developed the class materials that served as the starting point for the video production process. “Researchers and the general public can be assured these training resources were developed by information security professionals who understand the scientific CI community’s unique needs.”

Patrick Duda, Research Programmer for NCSA Cybersecurity and producer of these CTSC video tutorials, says the team is now looking to expand this original “how to get started” idea into a full-blown, one-stop resource for all things cybersecurity. “It’s looking at the community that we are working with and saying, ‘What is it that a lot of people are struggling with right now?’ and focusing on those particular topics over time.”

Duda imagines that, from here, the team will begin to focus on writing and producing tutorials delving deeper into passwords and password management as well as identity management. They hope to have five new videos posted this summer.


Keep up on project happenings by following the CTSC blog, and continue to be on the lookout for new videos posted to the project’s online video tutorial space.

Friday, May 23, 2014

May 28 IAM Online: Good Federation Citizenship

CTSC's Jim Basney will be one of the presenters at the Wednesday, May 28 IAM Online webinar on Good Federation Citizenship. The webinar will cover many recommended practices for participants in the InCommon federation.

Why is "good federation citizenship" especially important for scientific cyberinfrastructure (CI)? Often CI represents the "long tail" of federated services, with collaborating scientists from many institutions using federated identities to access CI. This widely distributed user community makes it particularly challenging to support consistent user experience, effective error handling, and appropriate security incident response.

Visit www.incommon.org/iamonline for more details on joining the webinar.

Friday, May 16, 2014

CTSC Advice on Cybersecurity for NSF IRNC Solicitation

NSF’s IRNC solicitation has the following special award condition:

The awardee is responsible for security of all equipment and information systems funded directly or indirectly by this award. The awardee may be required to present to the cognizant NSF Program Officer and Grants and Agreements Officer an IT security plan addressing policies and procedures for review and approval within 60 days of award. The plan should include evaluation criteria that will measure the successful implementation and deployment of the plans, policies and procedures.

CTSC has the following advice when crafting this security plan, some of which you may want to mention in your proposal:
  1. When considering cybersecurity, consider the security of the network routing, monitoring and operations infrastructure, as well as the information security needs of the endpoint customers you are serving.
  2. Review the outcomes of the Security at the Cyber Border workshop which discusses the shared cybersecurity responsibilities of link operators and the organizational endpoints they serve. The report also discusses challenges of making network data available to researchers.
  3. When considering the cybersecurity of the network, take a risk-based approach as described by NIST and CTSC. CTSC has online training on developing a risk-based cybersecurity program.
  4. For monitoring needs, consider Bro and the NSF-funded Bro Center of Expertise.

Finally, CTSC exists to help NSF projects with cybersecurity challenges. We can give your plan a quick review for completeness, or collaboratively help you address challenges. Please feel free to contact us either before or after proposal submission.

Monday, May 5, 2014

Seeking CC-NIE projects for peer-to-peer cybersecurity reviews

Last week I had the opportunity to speak about cybersecurity for science at the NSF CC-NIE PI meeting. As I mentioned in my presentation, CTSC is offering to facilitate cybersecurity peer reviews between CC-NIE PI projects. CTSC will provide a framework and guidance for the reviews, and facilitate them to make sure they complete successfully. We're excited about this process as it represents something that can both scale to the 80+ CC-NIE projects as well as help the projects share practices and build up expertise.

We've got one project already interested; if there are others, please let me know.

If you are an NSF project outside of the CC-NIE program and this sounds interesting, please let me know, as we're interested in expanding this program if it proves successful.

Friday, May 2, 2014

OAuth 2.0/OpenID "Covert Redirect": Known issue

Today a security issue, "Covert Redirect", with OAuth 2.0 and OpenID has been in the news[1][2].

This issue is not new and is discussed in Section 4.2.4 of the OAuth specification, which provides a discussion of countermeasures:
  • Require clients to register any full redirect URIs (Section 5.2.3.5).
  • Don't redirect to a redirect URI if the client identifier or redirect URI can't be verified (Section 5.2.3.5).
Statements from the CILogon developers on the sciencegatewaysecurity.org discussion email list indicate they do not believe CILogon is vulnerable to these attacks.
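The two countermeasures listed above (they are the ones in Section 5.2.3.5 of the OAuth 2.0 threat model, RFC 6819) come down to how an authorization server validates the redirect_uri parameter before it sends the user, and the authorization code, anywhere. The following is an added example, not code from CTSC, CILogon, or any OAuth implementation: it contrasts a loose host-only match, which would hand the authorization response to any page on the client's host, with the exact-match policy the countermeasures describe, and it shows the authorization endpoint rendering an error page itself rather than redirecting when the client or redirect URI cannot be verified. The client registry, client identifier and authorization code are constructed values.

```python
"""Added example: redirect_uri validation at an OAuth 2.0 authorization server.
Not the code of CTSC, CILogon, or any real OAuth library; all client data below
is constructed for illustration."""
from urllib.parse import urlsplit

# Constructed client registry: client_id -> fully registered redirect URIs.
# Countermeasure 1: clients register the *full* redirect URI, not just a host.
REGISTERED_CLIENTS = {
    "gateway-app": ["https://gateway.example.edu/oauth/callback"],
}


def weak_redirect_check(client_id, redirect_uri):
    """Loose policy (what NOT to do): accept any redirect_uri whose scheme and
    host match a registered URI. Any page on the client's host, including one
    that forwards its visitors elsewhere, would then receive the response."""
    requested = urlsplit(redirect_uri)
    for registered in REGISTERED_CLIENTS.get(client_id, []):
        reg = urlsplit(registered)
        if (requested.scheme, requested.netloc) == (reg.scheme, reg.netloc):
            return True
    return False


def strict_redirect_check(client_id, redirect_uri):
    """Strict policy: the requested URI must equal a registered URI exactly.
    No prefix, wildcard, or host-only comparison."""
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, [])


def handle_authorization_request(params):
    """Decide how the authorization endpoint responds to a request.

    Returns ("redirect", uri) only once both client_id and redirect_uri are
    verified. Otherwise returns ("error_page", message): the server shows the
    error to the user directly and never redirects to an unverified location
    (countermeasure 2), so the code is never delivered to that location."""
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    if client_id not in REGISTERED_CLIENTS:
        return ("error_page", "unknown client_id")
    if not redirect_uri or not strict_redirect_check(client_id, redirect_uri):
        return ("error_page", "redirect_uri is not registered for this client")

    # A real server authenticates the user and obtains consent here; the
    # authorization code below is a constructed placeholder.
    code = "CONSTRUCTED-AUTHZ-CODE"
    separator = "&" if urlsplit(redirect_uri).query else "?"
    location = f"{redirect_uri}{separator}code={code}"
    if params.get("state"):
        location += f"&state={params['state']}"
    return ("redirect", location)


if __name__ == "__main__":
    good = {"client_id": "gateway-app",
            "redirect_uri": "https://gateway.example.edu/oauth/callback",
            "state": "xyz"}
    other_page = dict(good, redirect_uri="https://gateway.example.edu/other")
    print("weak check accepts other page:", weak_redirect_check("gateway-app", other_page["redirect_uri"]))
    print("strict check accepts other page:", strict_redirect_check("gateway-app", other_page["redirect_uri"]))
    print(handle_authorization_request(good))
    print(handle_authorization_request(other_page))
```

The point of the error_page branch is easy to miss: returning an OAuth error via redirect to the supplied redirect_uri would itself be a redirect to an unverified location, which is exactly what the second countermeasure forbids.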

Added at 4:09pm ET: Nice description of the attack by Jesper Jurcenoks
Added 5/5 10:42am ET: CSO Online article: "Covert Redirect isn't a vulnerability, and it's nothing like Heartbleed"

[1] http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
[2] http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/