Tuesday, December 20, 2016

US Antarctic Program/CTSC Report Identifies InfoSec Opportunities

CTSC and the National Science Foundation’s Office of Polar Programs have wrapped up an engagement focused on the United States Antarctic Program (USAP) processes and policies relevant to polar science information security. CTSC produced a report focused on the present state of infosec integration and opportunities for improvements, entitled “Integrating Information Security into USAP’s Science Project Lifecycle”. During the course of the engagement, CTSC reviewed over 110 artifacts and interviewed four representatives of polar science projects and facilities. Additionally, CTSC and USAP held 12 calls with NSF and Leidos staff.

This engagement presented a unique opportunity for CTSC to engage directly with the people and program that facilitates all US science in Antarctica. The CTSC team approached this engagement from the viewpoint of PIs, researchers, and grantee personnel, mapping their experience integrating with USAP’s processes and infrastructure. The report included a factual summary of information security information provided in various phases from proposal to deployment to the ice; opportunities for improvement; and potential areas for future collaborations. The opportunities ranged from event timing, clarification and usability, and improved information security for the science projects. CTSC provided appendices listing the artifacts reviewed, a detailed event timeline from the grantee point of view, and detailed comments on selected artifacts.

Antarctica is an incredibly important and challenging environment for science and the use of technology. Its remoteness and harsh environment stretches the boundaries of where the Internet and other utilities we take for granted can reach and function. The logistics of moving people and technology from hundreds of different institutions on and off the ice is challenging, indeed. CTSC engagement team was honored to have the opportunity to learn about the polar science process and talk to some of the people who make it happen. We hope the report is a valuable input.

In its immediate post-engagement evaluation, USAP selected the following areas where the engagement helped improve cybersecurity: “Communication of risks to decision-makers and stakeholders”; “Increased cybersecurity knowledge among staff and personnel.”

NSF manages the USAP to enable NSF-funded polar research carried out by grantees at colleges and universities nationwide. Within NSF Office of Polar Programs, the Antarctic Infrastructure and Logistics Section (AIL) manages the support systems for the field science, primarily through the Antarctic Support Contractor, Leidos. These functions include station operations, logistics, information technology, construction, and maintenance. USAP has a goal of maximizing grantees’ effective integration of information security planning and implementation into that lifecycle.

For more information regarding the engagement deliverables, please contact Tim Howard, USAP Information Security Manager, tghoward@nsf.gov.

Monday, December 19, 2016

CCoE Webinars: Wrapping up 2016 and preparing for 2017

This year we launched our new webinar series with the goal of delivering high-quality, actionable guidance regarding cybersecurity to the NSF community. We have built an impressive catalog so far and are excited to continue the program in 2017. Suggestions for future speakers and topics are welcome, you can contact us here.

If you missed any of our webinars, here's a list of our presentations from the past year:
A few topics we have planned for early 2017 are:
  • January 23rd: Open Science Cyber Risk Profile (OSCRP)
  • February 27th: Cybersecurity Program for Small Projects
  • March 27th: SDN and IAM Integration at Duke University
Join CTSC's discuss mailing list for information about upcoming events. Happy New Year.

Friday, December 9, 2016

CASC Brochure Features Cybersecurity, NSF Summit

The Coalition for Academic Scientific Computation (CASC) 2017 Brochure features a section on cybersecurity (p.8-9) with remarks from CTSC Director Von Welch and photos from the NSF Cybersecurity Summit.

Wednesday, November 30, 2016

Change of CTSC co-PI and Thank you to Randy Butler

It is with some regret that I announce Randy Butler stepping away from CTSC. Randy Butler has been a CTSC co-PI since CTSC's inception in 2012 and led the Scientific Software Security Innovation Institute Workshops that led to the concepts and documented the community requirements that were the foundation of CTSC.

I wish Randy all the best with his promotion to Senior Associate Director for Integrated Cyberinfrastructure at NCSA.

Jim Basney, already a CTSC co-PI, will be the lead for CTSC activities at NCSA. Bart Miller, currently CTSC senior personnel from the University of Wisconsin, will be taking on a co-PI role in CTSC. Bart’s new role recognizes his strong contributions to software security and training, and CTSC’s growing emphasis on software assurance.


Monday, November 28, 2016

CCoE Webinar Dec. 12th 11am EDT: CICI Regional Cybersecurity Collaboration projects

Our last webinar for the year will be a group presentation on the CICI Regional Cybersecurity Collaboration projects, on December 12th at 11am (EDT). More detailed information about the individual projects is listed below.

The presenters and project names are:
  • Xinwen Fu, New England Cybersecurity Operation and Research Center (CORE)
  • James Joshi & Brian Stengel, SAC-PA: Towards Security Assured Cyberinfrastructure in Pennsylvania
  • Jaroslav Flidr, Substrate for Cybersecurity Education; a Platform for Training, Research and Experimentation (SCEPTRE)
  • Jill Gemmill, SouthEast SciEntific Cybersecurity for University REsearch (SouthEast SECURE)
Anita Nikolich from NSF will provide an introduction to the NSF CICI program.

Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.

More information about this presentation is on the event page.

Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

New England Cybersecurity Operation and Research Center (CORE)

CORE Project Web Site

Presenter: Xinwen Fu (University of Massachusetts Lowell)

The New England Cybersecurity Operation and Research Center (CORE) is a collaboration between cybersecurity researchers and networking experts from the University of Massachusetts Lowell, and Information Technology (IT) support personnel and leadership from the Office of the President of University of Massachusetts (UMass), who work together to improve the security of under-resourced institutions in New England and providing a model of a regional approach to cybersecurity. The researchers have established an open cybersecurity program at UMass, which guides customers through a sequence of steps and selects security controls and technologies from both proprietary solutions and free open source solutions, considering the budget of the institution or enterprise that wants to protect their assets. This project also performs research on emerging threats, trends and defense based on the collected data.

SAC-PA: Towards Security Assured Cyberinfrastructure in Pennsylvania 

Presenters: James Joshi & Brian Stengel (University of Pittsburgh)

Cybersecurity is a growing concern for individuals, communities, nations and the world. Increasing cyberattacks make cybersecurity a critical national security concern. Information technology provides tremendous opportunities to accelerate data-driven scientific research and education. Increasing cybersecurity problems can adversely impact the research and its economic and social benefits if our cyberinfrastructure that supports scientific research and education is not well protected. Beyond innovative cybersecurity solutions, it is critical to establish structured and effective practices and better collaboration among various stakeholders to share cybersecurity resources, expertise and information. This project focuses on establishing a regional collaboration and partnership within the state of Pennsylvania, referred to as SAC-PA. SAC-PA will provide critical support to smaller academic institutions (schools and colleges, etc.) including resource constrained regional institutions that serve under-represented groups, females and high school teachers and students. It will establish a collaboration and partnership framework to enable concerted activities promoting the use of effective cybersecurity techniques and practice of security-assured cyberinfrastructure. While enhancing the cybersecurity posture of PA, SAC-PA will provide a regional cybersecurity collaboration and partnership model that can be adopted by other regions, or be extended for national level collaborations. The SAC-PA project will include participation from the public-private sectors and academic institutions in PA in the following key activities: (i) developing and delivering three regional workshops in Pittsburgh to bring together various regional stakeholders from scientific research related communities with cyberinfrastructure or cybersecurity resources to better understand the regional capabilities; explore existing and emerging cybersecurity challenges/solutions; and devise collaboration and partnerships to enable concerted cybersecurity activities to promote the use of effective cybersecurity techniques and practices; (ii) collaboratively developing training/awareness materials based on the needs and capabilities identified in the workshops, and sharing these extensively with regional partners and beyond through various channels; and (iii) establishing regional partnerships and a shared repository of cybersecurity resources/capabilities to facilitate collaborative and concerted efforts towards protecting scientific cyberinfrastructures.

Substrate for Cybersecurity Education; a Platform for Training, Research and Experimentation (SCEPTRE) 

Presenter: Jaroslav Flidr (The George Washington University)

In collaboration with the Michigan Cyber Range (MCR) facility operated by Merit Network, and the Cyber Academy operated by the College of Professional Studies (CPS) at the George Washington University, the project proposes to establish and deploy an open and flexible technology platform for broad-context cybersecurity education and hands-on training. Initially, the platform will be used in developing and delivering a credit bearing Practicum (2 credit hours) that addresses “Intrusion Detection and Remediation.” The course will be transferable toward the undergraduate certificate in Protection and Defense of Computer Networks, which is part of the Bachelor’s degree completion in cybersecurity. The practicum is a hands-on training that will cover a broad range of network intrusion, prevention, and detection techniques such as implementation and testing of IDS security plans, security monitoring, intrusion detection, alarm management, analysis of events and trends, and vulnerability management. The program will utilize a high-performance, flexible environment built on Cisco’s UCS hardware platform with a modified OpenStack framework. This multi-tenant system, originally developed under an NSF grant, will facilitate the full integration of the Cyber Academy with the MCR resources. Thanks to its virtual nature and its tight coupling with physical cyberinfrastructure components such as HPC, cluster storage arrays, public and private clouds, 100G optical networks, and a wide variety of SDN technologies, the system will be able to deploy nearly any cybersecurity scenario, on demand. The program will start enrolling students immediately after making the platform operational.

Collaborative Research: CICI: Regional: SouthEast SciEntific Cybersecurity for University REsearch (SouthEast SECURE)

Presenter: Jill Gemmill (Clemson)

The SouthEast SciEntific Cybersecurity for University REsearch (SECURE) project helps protect the National Science Foundation's investments in scientific research while providing scientists with tools to safeguard intellectual property and ensure data integrity. The project team provides education, training, and selected cybersecurity services to NSF-funded researchers across the Southeast. The team is multidisciplinary, comprised of cybersecurity experts (both research and practitioner), scientists, and experts in communication. Team members are located in South Carolina, Alabama and Mississippi, with strong representation from Historically Black Colleges and Universities (HBCU). This program raises investigators' awareness of their essential role in creating a secure and trustworthy cyberspace and offers concrete assistance in risk assessment, vulnerability testing, and mitigation tailored to NSF-funded scientists? workflow and program size. Through past collaborations, the team is well positioned to leverage both national and regional cybersecurity organizations and programs to effectively reach the target audience.

SouthEast SECURE impacts the region by raising cybersecurity awareness; providing concise training, assessment, tools and one-on-one help; and assisting in preparation of select cybersecurity metrics. Student interns are conducting many of these activities by means of practicum-based deployment and support, thus developing capabilities in the next generation of cyber professionals. An online survey of NSF-funded investigators in the region will be conducted to learn about their primary cybersecurity challenges and concerns. Training is then tailored to provide concrete and practical assistance in how to do right-sized risk assessment and mitigation. A "toolkit" is provided to test and validate local cybersecurity, and measures of cybersecurity are created and field-tested. The team's approach facilitates communication between research faculty and university IT/Data Security staff. A long-term goal is building communities with common interests in cybersecurity and a commitment to helping others; and building connections with other regions and with national centers and programs.

Wednesday, November 16, 2016

CTSC at Gateways 2016

The Gateways 2016 conference (Nov 2-3, 2016) drew about 120 attendees to learn more about science gateways and the communities they serve. As the lead for CTSC’s collaboration with the Science Gateways Community Institute (SGCI), Randy Heiland (CTSC) led a tutorial on Secure Software Engineering Best Practices and presented an overview of CTSC and its partnership with SGCI.
Science gateways help expand and broaden participation in science - research and education, by providing user-friendly interfaces to computing, data, networking and scientific instrumentation. The goal of the SGCI is to speed the development and application of robust, cost-effective, sustainable gateways and address the needs of scientists and engineers. Within the five-component design of SGCI, CTSC will formally be part of the Incubator component and will focus on security education for gateway software developers and operators.

One of many “open spaces” topical sessions at Gateways 2016.
To learn more about CTSC’s training, including Secure Software Engineering Best Practices, visit: http://trustedci.org/trainingmaterials/
To apply for a one-on-one engagement with CTSC, visit http://trustedci.org/application/

Monday, November 14, 2016

NTP Rescue: one year later

Over the past two weeks I've gotten to take a look back at one of CTSC's 2015 projects, the rescue of the Network Time Protocol reference implementation, and see how far-reaching its impact has been and will be. It began with a presentation titled "Saving Time" at O'Reilly Security Conference. In this presentation I talked about the rescue and what it meant as a model for saving other failing infrastructure software.

I told the story of how NTP had become a liability not just to the science projects that depend on accurate time, but to the internet as a whole.  CTSC had a chance to make a difference in a failing system by partnering with nonprofit ICEI in a short, intense intervention. About a year later the work we made possible has been carried on by others. The NTP Security Project (NTPSec) has taken the lead, resulting in a new life for this critical infrastructure:
  • NTPSec's code base is down to 75kloc (75,000 lines of code) from the original 227klok.  That 2/3 reduction in attack surface has paid off: NTPSec has been immune to about half of old NTP's vulnerabilities before discovery, and 84% in the past year.
  • NTPSec's code is now stored in a standard git repository, accessible to all.  Its documentation has been brought up to date, and the project has begun onboarding and training new developers.
  • NTPSec's success has helped increase awareness of critical infrastructure in need, and made fixing it approachable.  Recent articles by Brady Dale of the NY Observer and the (in)famous Cory Doctorow helped spread the story.
At the time it felt like a scurrying few months amid a busy year. It seemed like a last ditch effort to ensure that our friends in science could get accurate time signals without taking on a security nightmare.  It's nice to see how much more it became.

Friday, November 4, 2016

Engagement Launched with OSiRIS Project

CTSC is pleased to announce our engagement with OSiRIS, the Open Storage Research Infrastructure (NSF Award # 1541335). CTSC will assist OSiRIS with evaluation of their authentication and authorization implementation, and will also provide direction for utilizing current software solutions such as COmanage. The engagement began in October 2016 and is expected to continue through March 2017.

Wednesday, November 2, 2016

Engagement launched with IRNC TransPAC project

CTSC is happy to announce we have undertaken an engagement with the IRNC TransPAC project (NSF Award #1450904). The TransPAC project is developing a cybersecurity plan using CTSC’s Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects and CTSC will be assisting them through the process by answering questions and providing advice. Please watch the CTSC blog for updates.

Monday, October 31, 2016

Working Group on Open Science Cybersecurity Risks Releases First Document Draft for Public Comment

Over the past several months, ESnet and the NSF Cybersecurity Center of Excellence collaborated with research and education community leaders to develop a risk profile for open science to formally capture and benchmark this expertise, allowing other organizations to apply these best practices more broadly.

Today, the group is releasing its draft Open Science Cyber Risk Profile (OSCRP) and inviting comment from the research community. The OSCRP is designed to help principal investigators and their supporting information technology professionals assess cybersecurity risks related to open science projects. The draft document, along with information on how to comment, can be found at http://trustedci.github.io/OSCRP/.

Managing the security risks to scientific instruments, data and cyberinfrastructure is a priority   for creating a trustworthy environment for science. Assessing, understanding and managing concerns of open science to explicitly capture risks to its integrity and availability, and sometimes also privacy issues, involves making judgments on the likelihood and consequences of risks. Deep experience in understanding cybersecurity and the science being supported is needed to achieve these goals.

The group invites comments on the document prior to final publication in early 2017.  Longer-term, the document is intended to be a living, community document, being updated as open science computing evolves, and also as new approaches to security arise.  

About the OSCRP Working Group

About the NSF Cybersecurity Center of Excellence • trustedci.org  

The Center for Trustworthy Scientific Cyberinfrastructure (CTSC) is funded as the National Science Foundation’s Cybersecurity Center of Excellence. The mission of CTSC is to improve the cybersecurity of NSF science and engineering projects, allowing those projects to focus on their science endeavors. This mission is accomplished through one-on-one engagements with projects to address their specific challenges; education, outreach, and training to raise the state of security practice across the scientific enterprise; and leadership on bringing the best and most relevant cybersecurity research to bear on the NSF cyberinfrastructure research community.

About ESnet • www.es.net

The Energy Sciences Network (ESnet) is an international, high-performance, unclassified network built to support scientific research. Funded by the U.S. Department of Energy’s Office of Science (SC) and managed by Lawrence Berkeley National Laboratory, ESnet provides services to more than 40 DOE research sites, including the entire National Laboratory system, its supercomputing facilities, and its major scientific instruments. ESnet also connects to over 140 research and commercial networks, permitting DOE-funded scientists to collaborate productively with partners around the world.

Thursday, October 27, 2016

Ransomware and Lost Data

It's nearing the end of the work day and you're working through a final batch of emails. You click on the one that was sent from your colleague including a file that you were not expecting. Without a second thought you open the file and click through the annoying pop-up windows that seem to just get in the way of you getting home. Nothing happens and you try to open it again. With no further success you decide to call it the end of the day and head home.

The next morning you come to work and instead of your regular computer desktop you're greeted with a message stating that all of your files—the ones you said you would eventually back up—are encrypted and that if you wanted them back you would have to pay. You frantically check to see if this is some prank and that your files are actually ok, but every one that you try to open just won't open. You check with co-workers and contact IT Support to see what can be done. You try to find solutions on-line to your predicament, but all roads lead to the inevitable fork in the road; either you pay and hope the attacker keeps his word, or you accept the loss and restart from scratch.

Photo by Christiaan Colen / (CC BY-SA 2.0)
Thousands of people have faced this scenario over the last few years in the form of ransomware. This particular form of malware infects systems and attempts to encrypt every file it can get its digital claws on. Not just files on your computer, but any that are on connected devices like flash drives or even network drives. You may have heard of ransomware variants such as Locky, CryptoLocker, or Cryptowall. Many people end up paying to get their files back. A lucky few are informed of alternative ways to reverse the damage, but many more simply accept that their files are gone and struggle to get back to work. There are many others, though, that can, with a little effort, simply clean their systems and restore their files and continue on as if nothing happened.

There are a number of rationalizations that people make to avoid taking a few extra steps to protect themselves:
  • I don't have time for this, it will take too long, I'll get to it eventually.
  • I’m not technical enough to implement these security measures.
  • I'm security conscious, I'm pretty sure I would never fall for something like that.
  • My data is just not that important, so why do I need to bother?
  • I have way too much data to backup, and every solution is really expensive.
Preparing for disaster is far easier than many anticipate and will take less commitment than you think.

Many tips that people will give you include a number of technical steps, which, if you implement them, can help you reduce your chances of becoming a victim of a ransomware attack. They include steps like using anti-virus software and keeping it updated, being mindful of unexpected attachments in email, and implementing safe-browsing practices while exploring the web. All of these are very good suggestions and will help you minimize your exposure. However, none of these can truly prevent the loss of your data in the event of compromise or even unintentional loss through a failed drive, accidental deletion or overwriting of data. The simplest and most effective thing you can do to protect your data is to back it up.

Enterprise level backup solutions are often invisible to the end user. Network file shares should be properly backed up but you can't always assume this. Check with your organization to ensure that they are providing this service if you rely on storing your important data on enterprise hosted network shares. Desktop and laptop backup solutions are other enterprise level options that involve installing a client on your system that will backup files to an organizationally hosted backup service. We encourage you to explore the backup options available at your organization.

If you have no options at your organization for backups or you’re looking to backup your personal systems there are a number of available services that you can utilize. Mac users already have a built-in backup service called Time Machine that you can use with Apple’s ‘Time Capsule’ or any other external storage device that you have available. Windows users have a built-in backup solution as well called ‘File History’ which can also actively backup important files on your computer. Please note: Some of these directly attached backup solutions are being actively targeted by ransomware designers so please make sure to research your selected backup solution for recommendations on proper deployment.

Aside from the built-in solutions on these various operating systems, you can also look into cloud services for storing your information. Services like Box, Carbonite, and other companies offer different types of backup and online data storage services. Make sure you check to ensure that they provide a backup service with access to historical versions, not just current online copies of your data. It is not a true backup service if you are unable to get an original copy of a file before it has been corrupted.

On a final note, be mindful of the type of data you are intending to backup as well. Protected data like HIPAA, PHI, et al, have strict regulations on where that data can be stored. If you work with any kind of sensitive data you should seek consultation on the best course of action for storing this information.

Thursday, October 20, 2016

CTSC Set to Work with HUBzero

HUBzero, a NSF funded, open source software platform for building powerful Web sites and Science Gateways that support scientific discovery, learning, and collaboration, has requested CTSC expertise in help securing their operational processes.

As HUBzero moves forward, strengthening its software assurance process and its expansion into AWS in order to improve hub instantiation time, adaptability, and to accommodate more projects through lower-cost hub offerings, CTSC will engage with HUBzero to maintain a high level of operational security around hubs, and improve the quality of the underlying HUBzero framework and their content management system (CMS).

CTSC is excited to work with HUBzero in achieving the goals set forth within the engagement, including: developing a Master Information Security Policy and Procedures document in order to define and communicate a coherent, effective security strategy across all of HUBzero's new organizational structure, drafting a Software Assurance and Testing Policy for HUBzero’s developed and/or maintained software, generating a risk-aware workflow for HUBZero’s R&D process, facilitating on-site training to HUBzero staff for secure software engineering, and providing teleconferencing consultation to support HUBzero in their migration to AWS cloud services.

The engagement is scheduled to run until the end of the year.  Upon completion, it is CTSC’s expectation that the processes developed, as well as the insights gained in this engagement will benefit HUBzero directly, improving the quality of the platform for the science that relies upon it.  Additional benefits reaped during the six month period should provide models for dealing with similar challenges now and in the future across many other cyberinfrastructure projects.

Wednesday, October 12, 2016

CTSC-Wildbook Engagement Summary

In the first half of 2016, members of the Center for Trustworthy Scientific Cyberinfrastructure (trustedci.org) and Wildbook (ibeis.org) projects collaborated on the development of a role-based access control (RBAC) prototype for the next generation Wildbook platform. The goal of the collaboration was to establish an RBAC design to support the variety of image gathering, curation, and analysis workflows across multiple ecological communities (studying Grevy's Zebras, Sea Turtles, Geometric Tortoises, Whale Sharks, Humpback Whales, Dolphins, etc.) while maintaining animal privacy (e.g., protection from poaching/trafficking).

CTSC and Wildbook (formerly called IBEIS) implemented an RBAC prototype using the open source wso2.com software, which implements the System for Cross-domain Identity Management (SCIM) and eXtensible Access Control Markup Language (XACML) standards. This prototype defined multiple roles and access policies:

Media Asset Contributors
Annotation Contributors
Data Curators
Data Managers
Organization Members (Users)
Organization Administrators
Platform Administrators
media assets, annotations, encounters, etc.
Assign roles to users
Share org A data with org B
Access to APIs

The prototype demonstrated the ability to implement access policies using the XACML Subject-Resource-Action pattern. For example:

Subject (Role) Resource Action
Organization Member Media Asset Create/Read
Data Curator Annotations Create/Read/Update/Delete
Organization Administrator Organization Policy Create/Read/Update/Delete
Platform Administrator Organization Create/Read/Update/Delete

Tanya Berger-Wolf (Wildbook) and Jim Basney (CTSC) presented the results of the collaboration at the July 2016 International Conference on Computational Sustainability (http://www.compsust.net/compsust-2016/).

The next step will be to schedule a follow-on engagement to take the lessons learned from the prototyping exercise to deploy XACML-based RBAC in the online Wildbook system.

To learn more about Wildbook/IBEIS, watch the livestream at 8:45am EDT on Thursday, October 13 (or the recording to be published after) of Professor Tanya Berger-Wolf presenting at The White House Frontiers Conference: http://frontiersconference.org/tracks/national

To apply for a one-on-one engagement with CTSC, visit: http://trustedci.org/application/

Tuesday, October 11, 2016

United States Antarctic Program Begins Engagement With CTSC

The United States Antarctic Program (USAP) supports polar research by providing or managing, among other things, physical, communications, and information infrastructure.  Within NSF's Division of Polar Programs (PLR), the Antarctic Infrastructure and Logistics Section (AIL) manages the USAP.  NSF polar grantees (whether large or small in budget or complexity) interact with a proposal, funding, and logistical lifecycle that is complex due to, among other things, the relative isolation in harsh environmental conditions. USAP desires to maximize grantees’ smooth integration of information security planning and implementation into that lifecycle.  

USAP and CTSC have begun an engagement to analyze the processes within the science project lifecycle, and to produce a report. The report will focus on the present integration of USAP’s information security requirements with the funding lifecycle and polar-specific process and project milestones.

The primary long-term goal for this engagement is to positively impact the efficiency and effectiveness with which NSF polar grantees integrate USAP’s information security requirements into their interactions with USAP information resources. The engagement will run through December 2016.

Monday, October 10, 2016

CCoE Webinar October 24th 11am EDT: Science or Security

National Academies of Sciences, Engineering, and Medicine (NASEM)'s Dr. George Strawn will be presenting the webinar, "Science or Security," on October 24th at 11am (EDT).

Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.
In my long career in science-related IT, I've seen security go from a non-issue to a big issue. I'll first relate a few security anecdotes from that career, including founding this series of summits. Then I'll describe some conclusions I've come to about this pesky subject. Finally, I'll outline the security research strategic plan created by the interagency NITRD program's senior steering group for computer security and information assurance.
More information about this presentation and speaker bio are on the event page.

Presentations will be recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

Monday, September 12, 2016

CCoE Webinar September 26th 11am EDT: The Risk of the Commons

Apache Software Foundation's David Nalley will be presenting the webinar, "The Risk of the Commons," on September 26th at 11am (EDT).

Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.
Open Source, as a development methodology has revolutionized how we innovate, how we develop, and how we consume software. Now, any cutting edge technology software is presumed to be open source. So what does software methodology have to learn from 19th century economics of farming? Unfortunately quite a lot. While the open source methodology allows tremendous speed in the rate of innovation; but all too frequently we consume without any idea of how well software is maintained. This has led us to unhappy situations where we find that the most heavily used encryption library in the world, was maintained by 4 people, in their spare time. Or the incredibly important GPG suite of tools - was maintained by two people, one of whom was an intern. Of course these aren't new problems, but how do we solve them without experiencing a tragedy of the commons.
More information about this presentation and speaker bio are on the event page.

Presentations will be recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

Tuesday, August 9, 2016

Situational Awareness

As part of its service to the NSF cybersecurity community, CTSC provides situational awareness of current cybersecurity threats to the cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to CTSC’s mailing lists.

CTSC staff members monitor several sources for possible threats to CI, including:

CTSC staff filter these sources for software vulnerabilities which we believe may be of interest to CI operators and software developers. For those issues which warrant notification to the CTSC mailing lists, we also attempt to provide guidance on how operators and developers can reduce risks and mitigate threats.

CTSC cannot provide a one-size-fits-all severity rating and response recommendation for all NSF CI. Please contact us at http://trustedci.org/help for assistance with assessing the potential impact of a vulnerability in your environment or to provide feedback on our service (for example, on the sources we monitor or on the software of interest to your CI).

Monday, August 8, 2016

CCoE Webinar August 22nd 11am EDT: The Science DMZ as a Security Architecture

Energy Science Network's (ESnet) Michael Sinatra will be presenting the webinar, "The Science DMZ as a Security Architecture," on August 22nd at 11am (EDT). This webinar is an encore presentation of a talk that Sinatra will be presenting at the NSF Cybersecurity Summit earlier in the month. If you are unable to attend the summit, here is your opportunity to see one of the talks.

Please register here.

The Science DMZ architecture proposes a novel method of design for network segments optimized for large­ scale data transfer (LSDT) functionality. LSDT has special requirements, both in the security and functional arenas. Attempts to incorporate LSDT functionality into a more traditional perimeter security model can cause problems both with LSDT functionality, as well as weaken overall campus security. The Science DMZ attempts to solve this problem by segmenting the LSDT function away from the traditional campus security perimeter. However, insufficient attention has been paid thus far as to how the Science DMZ fits into a larger strategy of risk­-based segmentation and functional maximization of campus networks.
This presentation examines typical risk­ and control­-based security approaches and proposes a framework in which the Science DMZ, combined with a larger segmentation approach, actually improves the security of valuable campus information assets, while still maximizing LSDT function and security. It concludes with some examples as to how the security of the research enterprise can be vastly improved with a Science DMZ deployment that is carefully aligned with a segmentation strategy.

More information about this presentation and speaker bio are on the event page.

Presentations will be recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."