CTSC Risk Assessment of NEON

The National Ecological Observatory Network (NEON) is a nationwide network of ecological sensors and observation facilities sponsored by the National Science Foundation (NSF) to gather and synthesize data on the impacts of climate change, land use change, and invasive species on natural resources and biodiversity. NEON collects data from over 80 land and water based sites across the United States and standardizes this data for use by scientists.

CTSC, in collaboration with the NEON team, performed a cybersecurity risk assessment on the NEON network of sensors and data servers. The results of this assessment will be used to develop a cybersecurity plan for the NEON project. The engagement commenced in March 2015 and was completed in August 2015. CTSC personnel conducted this review using CTSC assessment methodologies designed to fit the scope and objectives of the review. CTSC personnel interacted closely with NEON personnel to perform this engagement.

The goals for the collaboration with NEON were to:

• generate a list of threats, vulnerabilities, estimates for likelihood, and impacts;
• review and prioritize these lists into risks; and
• generate a high level cybersecurity plan for NEON's Airborne Observation Platform (AOP) and CyberInfrastruture (CI).

The engagement began with a CyberCheckup to get a rough assessment of the status of NEON cybersecurity. NEON staff reviewed "Securing Commodity IT in Scientific CI Projects" to see how well the recommended controls were applied to NEON's systems. The areas reviewed included policies and procedures, host protection, network security, physical security, and monitoring and logging. The results of this quick survey led to a more detailed Risk Assessment and Security Planning effort.

The formal Risk Assessment of NEON identified issues which are being addressed through NEON policies and implementation of formal operational processes and procedures. Other issues can be addressed by utilizing software solutions such as monitoring and vulnerability scanning software.

Working closely with the NEON team, CTSC concluded the risk assessment, transferred the skill of performing future iterations of the risk assessment, and assisted the NEON team in documenting recommended cybersecurity controls that, when implemented, will mitigate the current level of risks for NEON. Considering that full operation of the NEON network is planned by 2017, an effective security strategy is critical to protecting and isolating data from external and internal threats.

Help us select dates for the 2016 NSF Cybersecurity Summit!

http://doodle.com/poll/3xq7aguvytg2vvnm

CTSC is working to identify a three day period in August 2016 for the next NSF Cybersecurity Summit. We've heard the community's feedback and are trying to secure a Tuesday-Thursday event at our preferred venue to help folks avoid weekend travel. As of today, we have three options available to us. We'll keep this poll open for one week. 

 If you anticipate trying to attend the 2016 summit, please let us know your preferences!

(Feel free to identify yourself, your project, or your favorite superhero when you vote.  One vote per individual please.)

CTSC Year 3 Report Published

CTSC's Year 3 report, covering activities from October of 2014 through September of 2015, has been accepted by NSF and is available online at http://trustedci.org/reports.

Nice incident response case study by U. Michigan

The University of Michigan has published a nice case study on an incident with their social media early this month. Publishing case studies such as this are a good way to disseminate our experiences and learn from each other.

(Image credit: http://socialmedia.umich.edu/blog/hacked/)

Gemini and CTSC Collaborate on Intensive Cybercheckup

In June 2015, as a precursor to a forthcoming full engagement, Gemini Observatory and CTSC undertook a brief, but very intensive “cybercheckup”-style engagement. Using Indiana University’s REDCap service (https://redcap.uits.iu.edu/), CTSC has developed a questionnaire designed to gather key pieces of information regarding the information security program at large-scale NSF projects and facilities. Gemini personnel completed this questionnaire, and met with the CTSC engagement team on two occasions, to discuss the cybercheckup process and provide more detailed information. In early July, CTSC delivered a report to Gemini with recommendations for the Gemini information security program, prioritized by CTSC’s estimated cost and impact in implementing the recommendations. Following the NSF Cybersecurity Summit, we will sit down in person in Arlington  to review the report. Gemini and CTSC will use these results to structure and make the most of our Fall 2015 full engagement.

"I feel very fortunate to have the resources of CTSC available to Gemini Observatory as we develop a more mature, comprehensive "v2.0" cybersecurity program. The breadth and depth of knowledge and experience that the CTSC team has contributed thus far is vast, and has been key in gaining budgetary and Directorate support for cybersecurity initiatives.” -- Tim Minick, Information Technology Services Manager, Gemini Observatory

CTSC thanks Gemini for the effort and openness required to make this kind of activity valuable.  

October 2015 WISE Workshop

Operators of scientific cyberinfrastructure (CI) and National Research and Education Networks (NRENs) will be meeting October 20-22 in Barcelona to discuss security collaboration at the WISE Workshop ("Wise Information Security for collaborating E-infrastructures"). Participants will discuss evaluating the maturity of security operations using frameworks such as ISO 27000, the Trust Framework for Security Collaboration among Infrastructures (SCI), and the CTSC Guide. Also, participants will discuss security incident handling, including the Security Incident Response Trust Framework for Federated Identity (Sirtfi). Please consider joining us at the workshop. It will be a particularly valuable opportunity for security staff supporting international scientific collaborations to interact with their European counterparts. Registration is now open. If you have any comments, including topics you would like CTSC staff to raise at the workshop, please join the CTSC discussion list or contact CTSC directly.

Large Synoptic Survey Telescope (LSST) Realigns Cybersecurity Plan to CTSC’s Guide

At the 2014 Cybersecurity Summit, Don Petravick approached CTSC to assist with developing a new LSST security plan based on CTSC’s “Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects.”  With a January 2015 deadline to provide a progress report to the NSF, CTSC committed to meet with LSST on a weekly basis through the end of 2014 to help rework their security plan. The effort was extended through the end of January 2015. The LSST team carried out the planning effort, with CTSC acting in an advisory role to align the new LSST plan with the CTSC cybersecurity framework.  LSST’s provided CTSC with a first hand view of the Guide in action,and constructive feedback for future versions. At the completion of the five month engagement, LSST had a revised cybersecurity plan that included a Master Information Security Policy, Acceptable Use Policy, Incident Response Policy and a risk assessment based on the current and planned project environment.

“The project was under pressure to deliver an updated Cybersecurrity program. CTSC understood our situation and provided a contemporary framework that was straightforward and practical to apply to our environment. With their support we were able to meet the deadline with a revised modern Cybersecurity plan.” - Don Petravick, PI Dark Energy Survey Data Management, and Consultant To ISLE Project

AARC and CTSC Collaborate on Interfederation

CTSC is starting a collaboration with the European Authentication and Authorisation for Research and Collaboration (AARC) project on use of federated identities for international science. AARC is a two year project that started May 2015. Jim Basney from CTSC joined the June 3-4 AARC kick-off meeting to begin the collaboration.

As the infrastructures for international scientific collaborations migrate from X.509 to SAML for identity management, there is a strong need for interoperability across national SAML federation boundaries. In 2014, the US InCommon federation joined eduGAIN, which connects SAML federations around the world, and now InCommon is engaging with science projects on international interfederation pilots. At the same time, the AARC project in Europe is addressing international adoption of SAML federations by research projects. This represents an opportunity to achieve critical mass around EU-US interfederation activities for science, with CTSC providing needed coordination on the US side.

Specific goals for the CTSC-AARC collaboration include:

1. Training: Develop and disseminate training materials to enable science projects to implement federated access.
2. Pilots: Facilitate US participation in interfederation pilot projects.
3. Incident Response: Establish an operational framework for security and incident response in R&E federations via the SIRTFI working group.
4. Levels of Assurance: Map requirements of cyberinfrastructure providers to an assurance framework that can be implemented in a cost-effective manner by identity federations. 

CTSC will gather input from US cyberinfrastructure (CI) projects for AARC activities, disseminate training and other AARC project outputs to US CI projects, and facilitate EU-US pilot projects.

To participate in the discussion, please join the CTSC Federated Identity Discussion List.

Analyzing authentication events

Part of CTSC's mission is to help educate the NSF community about tools and processes related to cybersecurity. For example, our software assurance team offers tutorials on static analysis tools and to test those tools, they provide benchmark datasets (code). In this article, we describe tools (Python modules) and a benchmark dataset for analyzing authentication data. However, the tools are sufficiently general that they could apply to other types of data related to cybersecurity, e.g. network traffic or more general data flows.

I recently had the pleasure of attending the SIAM Workshop on Network Science where I presented our poster on the analysis of a rather large authentication¹ dataset. The public dataset was made available from Los Alamos National Laboratory (LANL) and represented over 700 million anonymized authentication events over a nine-month period.[1][2]

Our poster submission demonstrated the use of Python to analyze and visualize the data. Since our scripts relied on various Python modules not found in the standard library, we recommended using the Anaconda Python distribution (3.x) which contained those modules (and a lot more). One key module that we used, to perform some of the network analysis, was NetworkX. Another module, to plot results, was matplotlib. We also demonstrated how one could use the IPython Notebook in a browser.

An authentication event was represented as a simple entry: "time,user,computer", where "time" was in seconds offset from the beginning, and "user, computer" were anonymized entries with unique numeric identifiers (e.g. U214,C148). We preprocessed the dataset to generate two files: one containing just the time values, another representing the user-computer information as a global, static graph. This type of graph, with two disjoint sets of nodes (users and computers), is known as a bipartite graph. Since the second file, containing the graph, took about 8 hours to generate, we made it publicly available in case others wanted to experiment. (Generating the first file, with only time values, just took a few minutes using one of our scripts.)

Our first step was to perform a sanity check on the time values for the authentication events. Fig. 1 is a histogram plot of all events over the nine-month period. Using the matplotlib module, we can interactively select a region to zoom into and see general daily and weekly usage patterns. The script to generate this histogram is parameterized so that a user can see more detailed (or coarse) plots.

Fig. 1: A histogram, over time, of all authentication events (top); zooming into a 2 week window (bottom)

Next, we use the NetworkX module to plot the graph and zoom in on particular nodes that seem to be hubs in the network. In the following two figures, the User nodes are colored red and Computer nodes are colored white. Fig. 2 shows C148 as a hub with numerous User nodes connected to it. Fig. 3, in contrast, shows U12 connecting to numerous computers. Obviously, if we had more information about the authentication events, we might be able to determine that certain User hubs were, for example, just the result of system administrators performing maintenance. On the other hand, it may be an indication of questionable user behavior.

Fig. 2: Node C148 as a hub.

Fig. 3: Node U12 as a hub.

In addition to visually inspecting the graph, we can programmatically analyze it to discover certain features, e.g., hubs or connected components. These techniques can be found in our poster and scripts.

Discussing results with LANL's Hagberg (left)

According to LANL's Aric Hagberg, there will likely be another dataset coming sometime this year that will have more metadata.

Our abstract, poster, Python scripts, and additional documentation can be found at https://github.com/rheiland/authpy.

We welcome your comments.

^{1. Authentication, in this context, is the process of verifying the identity of a person connecting to, e.g. logging into, a computer.}

---

[1] A. Hagberg, A. Kent, N. Lemons, and J. Neil. Credential hopping in authentication graphs. In 2014 International Conference on Signal-Image Technology Internet-Based Systems (SITIS). IEEE Computer Society, Nov. 2014.

[2] A. D. Kent, L. M. Liebrock, and J. C. Neil. Authentication graphs: Analyzing user behavior within an enterprise network. Computers & Security, 48:150-166, 2015.

Soliciting input on federated identity/InCommon needs

Hello, Von Welch, CTSC Director and PI here.

 I've recently accepted a one-year advisory term on the InCommon Steering committee. In that role, I will work to see the needs of NSF CI projects and similar research service providers (SPs) are addressed.

 The first thing I'd like to work on is getting all universities of interest to NSF projects to streamline scientific collaboration by sending those projects a user's name and email address when the user authenticates to the project using InCommon federated authentication. The InCommon Research and Scholarship (R&S) program includes only 100 universities that agree to send name and email address, and some of the largest research universities do not participate in the R&S program.

 We would like to change that. The InCommon Steering Committee plans to contact the CIOs at these universities to request their support. Knowing more about NSF funded projects that could benefit from outsourcing authentication to InCommon allows me to prioritize and strengthen those requests. As a starting point, if there is benefit to your project from specific universities supporting federated authentication and releasing a user's name and email address, please let me know who they are. 

 Going forward, I've created the CTSC Federated Identity Discussion List for further discussions around NSF CI projects and InCommon and federated identity. I won't be sending you any more emails directly, please join the list to be included in further discussions. You can find details at http://trustedci.org/ctsc-email-lists/

I welcome hearing any other concerns or suggestions you have about InCommon, now or in the future.

Regards,

Von 
--
Von Welch Director, Director and PI, Center for Trustworthy Scientific Cyberinfrastructure

Globus and CTSC engagement: data sharing

CTSC and Globus recently completed an engagement in which CTSC took a close look at the Globus data sharing feature. As many in the NSF community already know, Globus provides both services and applications that try to make it easier for scientists to focus on their science. One key Globus service is data management, especially the movement of files between two endpoints, e.g. between two users’ personal computers, between a user’s computer and a large institutional storage site, or between two other endpoints. In addition to an explicit data copy between endpoints, Globus also has a data sharing feature in which a user can make an entire folder accessible (read/write) to other Globus users. CTSC performed an assessment of this particular feature of Globus. The assessment covered a review of the design, architecture, and high-level implementation of the sharing feature. It was not a code review; however, the CTSC team did perform a source code installation of a Globus Connect Server, with the sharing feature enabled, and analyzed how credentials were being handled and how log files were being generated. While the assessment did not reveal any high security risks for the data sharing feature, CTSC did make a number of recommendations to address low-to-medium risks. These recommendations included improving the documentation, for both system administrators and users, and improving the logging and monitoring of sharing activity.
An ongoing challenge in such assessments of software features is the lack of clear process for doing the assessment, as the question is more one of “is this doing the right thing” without clear definition of what “the right thing” is (a challenge we also tackled in our engagement with Pegasus WMS). For this engagement we utilized a modified set of principles originally put forth by Saltzer and Schroeder in 1975 on the protection of information systems, to help guide our assessment. We think utilizing the principles helped significantly and plan to continue exploring their use in future engagements.
For more information, please see the Globus-CTSC Engagement final report, available at http://hdl.handle.net/2022/19165.
We want to thank the Globus team, especially Rachana Ananthakrishnan, Mike Link, and Steve Tuecke, for their helpful collaboration on this engagement.
See how CTSC might engage with you and your NSF project at http://trustedci.org/howwehelp/.

Join CTSC! Analyst position open at IU CACR

IU/CACR has a position open for a analyst to join the CTSC team. This is an opportunity to join a team of smart, talented folks working on securing NSF computational science. Please apply via the prior link or contact Von Welch if interested.

Shutting down trustedci.groupsite.com June 1st, 2015

For the past couple of years, we've operated trustedci.groupsite.com as forum for conversations and announcements about CTSC and cybersecurity for CI.  Based on the feedback we've gotten, it seems trustedci.groupsite.com isn't clicking with people as a way for communication. Since creating it, we've also established a set of email lists for discussions about cybersecurity and CI at http://trustedci.org/ctsc-email-lists/.

Since it's costing a small, but non-trivial amount of money to operate the trustedci.groupsite.com service, we're going to shut it down on June 1, 2015.

We hope you'll subscribe to one or more of the email lists at http://trustedci.org/ctsc-email-lists/. If you have other suggestions for how you'd like to communicate with CTSC or your peers working on cybersecurity for CI, please let us know.

Von, for the CTSC team