Monday, October 31, 2016

Working Group on Open Science Cybersecurity Risks Releases First Document Draft for Public Comment

Over the past several months, ESnet and the NSF Cybersecurity Center of Excellence collaborated with research and education community leaders to develop a risk profile for open science to formally capture and benchmark this expertise, allowing other organizations to apply these best practices more broadly.

Today, the group is releasing its draft Open Science Cyber Risk Profile (OSCRP) and inviting comment from the research community. The OSCRP is designed to help principal investigators and their supporting information technology professionals assess cybersecurity risks related to open science projects. The draft document, along with information on how to comment, can be found at

Managing the security risks to scientific instruments, data and cyberinfrastructure is a priority for creating a trustworthy environment for science. Assessing, understanding and managing concerns of open science to explicitly capture risks to its integrity and availability, and sometimes also privacy issues, involves making judgments on the likelihood and consequences of risks. Deep experience in understanding cybersecurity and the science being supported is needed to achieve these goals.

The group invites comments on the document prior to final publication in early 2017.  Longer-term, the document is intended to be a living, community document, being updated as open science computing evolves, and also as new approaches to security arise.  

About the OSCRP Working Group

About the NSF Cybersecurity Center of Excellence

The Center for Trustworthy Scientific Cyberinfrastructure (CTSC) is funded as the National Science Foundation’s Cybersecurity Center of Excellence. The mission of CTSC is to improve the cybersecurity of NSF science and engineering projects, allowing those projects to focus on their science endeavors. This mission is accomplished through one-on-one engagements with projects to address their specific challenges; education, outreach, and training to raise the state of security practice across the scientific enterprise; and leadership on bringing the best and most relevant cybersecurity research to bear on the NSF cyberinfrastructure research community.

About ESnet

The Energy Sciences Network (ESnet) is an international, high-performance, unclassified network built to support scientific research. Funded by the U.S. Department of Energy’s Office of Science (SC) and managed by Lawrence Berkeley National Laboratory, ESnet provides services to more than 40 DOE research sites, including the entire National Laboratory system, its supercomputing facilities, and its major scientific instruments. ESnet also connects to over 140 research and commercial networks, permitting DOE-funded scientists to collaborate productively with partners around the world.

Thursday, October 27, 2016

Ransomware and Lost Data

It's nearing the end of the work day and you're working through a final batch of emails. You click on the one that was sent from your colleague including a file that you were not expecting. Without a second thought you open the file and click through the annoying pop-up windows that seem to just get in the way of you getting home. Nothing happens and you try to open it again. With no further success you decide to call it the end of the day and head home.

The next morning you come to work and instead of your regular computer desktop you're greeted with a message stating that all of your files—the ones you said you would eventually back up—are encrypted and that if you wanted them back you would have to pay. You frantically check to see if this is some prank and that your files are actually ok, but every one that you try to open just won't open. You check with co-workers and contact IT Support to see what can be done. You try to find solutions on-line to your predicament, but all roads lead to the inevitable fork in the road; either you pay and hope the attacker keeps his word, or you accept the loss and restart from scratch.

Photo by Christiaan Colen / (CC BY-SA 2.0)
Thousands of people have faced this scenario over the last few years in the form of ransomware. This particular form of malware infects systems and attempts to encrypt every file it can get its digital claws on. Not just files on your computer, but any that are on connected devices like flash drives or even network drives. You may have heard of ransomware variants such as Locky, CryptoLocker, or Cryptowall. Many people end up paying to get their files back. A lucky few are informed of alternative ways to reverse the damage, but many more simply accept that their files are gone and struggle to get back to work. There are many others, though, that can, with a little effort, simply clean their systems and restore their files and continue on as if nothing happened.

There are a number of rationalizations that people make to avoid taking a few extra steps to protect themselves:
  • I don't have time for this, it will take too long, I'll get to it eventually.
  • I’m not technical enough to implement these security measures.
  • I'm security conscious, I'm pretty sure I would never fall for something like that.
  • My data is just not that important, so why do I need to bother?
  • I have way too much data to back up, and every solution is really expensive.
Preparing for disaster is far easier than many anticipate and will take less commitment than you think.

Many tips that people will give you include a number of technical steps, which, if you implement them, can help you reduce your chances of becoming a victim of a ransomware attack. They include steps like using anti-virus software and keeping it updated, being mindful of unexpected attachments in email, and implementing safe-browsing practices while exploring the web. All of these are very good suggestions and will help you minimize your exposure. However, none of these can truly prevent the loss of your data in the event of compromise or even unintentional loss through a failed drive, accidental deletion or overwriting of data. The simplest and most effective thing you can do to protect your data is to back it up.

Enterprise-level backup solutions are often invisible to the end user. Network file shares should be properly backed up, but you can't always assume this. Check with your organization to ensure that they are providing this service if you rely on storing your important data on enterprise-hosted network shares. Desktop and laptop backup solutions are other enterprise-level options that involve installing a client on your system that will back up files to an organizationally hosted backup service. We encourage you to explore the backup options available at your organization.

If you have no options at your organization for backups, or you’re looking to back up your personal systems, there are a number of available services that you can utilize. Mac users already have a built-in backup service called Time Machine that you can use with Apple’s ‘Time Capsule’ or any other external storage device that you have available. Windows users have a built-in backup solution as well, called ‘File History’, which can also actively back up important files on your computer. Please note: some of these directly attached backup solutions are being actively targeted by ransomware designers, so please make sure to research your selected backup solution for recommendations on proper deployment.

Aside from the built-in solutions on these various operating systems, you can also look into cloud services for storing your information. Services like Box, Carbonite, and other companies offer different types of backup and online data storage services. Make sure you check to ensure that they provide a backup service with access to historical versions, not just current online copies of your data. It is not a true backup service if you are unable to get an original copy of a file before it has been corrupted.
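The point about historical versions is easy to see in code. The following is an added example, not code from the original post or from CTSC: a small append-only, content-addressed backup store that keeps every version of a file it has ever seen and verifies a restored copy against the digest recorded at backup time. The store layout, the file names and the simulated overwrite (random bytes standing in for a file that has become unreadable) are constructed for illustration.

```python
"""Versioned, content-addressed file backup with verified restore.

Added example (not from the original post). The store layout and the
simulated overwrite are constructed for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class VersionedBackup:
    """Append-only store: every backup of a file adds a version; nothing is ever overwritten."""

    def __init__(self, store_dir: str):
        self.objects = os.path.join(store_dir, "objects")
        os.makedirs(self.objects, exist_ok=True)
        self.index_path = os.path.join(store_dir, "index.json")
        self.index = {}
        if os.path.exists(self.index_path):
            with open(self.index_path) as f:
                self.index = json.load(f)

    def backup(self, src: str) -> str:
        """Record a new version of src and return its digest."""
        digest = sha256_file(src)
        obj = os.path.join(self.objects, digest)
        if not os.path.exists(obj):
            shutil.copy2(src, obj)  # content-addressed: identical content is stored once
        history = self.index.setdefault(src, [])
        history.append({"seq": len(history), "sha256": digest, "size": os.path.getsize(src)})
        with open(self.index_path, "w") as f:
            json.dump(self.index, f)
        return digest

    def versions(self, src: str) -> list:
        """All recorded versions of src, oldest first."""
        return list(self.index.get(src, []))

    def restore(self, src: str, dest: str, seq: int = -1) -> str:
        """Copy version `seq` (default: newest) of src to dest and verify it against the
        recorded digest, so a damaged store object is detected rather than silently restored."""
        entry = self.index[src][seq]
        shutil.copy2(os.path.join(self.objects, entry["sha256"]), dest)
        if sha256_file(dest) != entry["sha256"]:
            raise IOError("restored copy does not match recorded digest")
        return entry["sha256"]


def demo() -> tuple:
    """Back up a file, overwrite it with unreadable bytes (a constructed stand-in for a
    file that can no longer be opened), back up again, then restore the version from
    before the damage. Returns (original, damaged, restored) digests and the version count."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "thesis.txt")
        with open(src, "w") as f:
            f.write("Chapter 1: constructed sample document\n")
        store = VersionedBackup(os.path.join(tmp, "store"))
        original = store.backup(src)
        with open(src, "wb") as f:
            f.write(os.urandom(64))   # the file is now unreadable
        damaged = store.backup(src)   # a sync-only "backup" would keep just this copy
        restored = store.restore(src, os.path.join(tmp, "thesis.restored.txt"), seq=0)
        return original, damaged, restored, len(store.versions(src))


if __name__ == "__main__":
    print(demo())
```

The design choice that matters is that `backup` only ever appends and `restore` never writes into the store, so the pre-damage version survives even after the damaged file is backed up again. That property only holds if the store itself is out of reach: keep it on media or a service that the workstation cannot routinely write to, which is the same concern the post raises about directly attached backups.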

On a final note, be mindful of the type of data you are intending to back up as well. Protected data, such as PHI regulated under HIPAA, is subject to strict rules on where it may be stored. If you work with any kind of sensitive data, seek consultation on the best course of action for storing this information.

Thursday, October 20, 2016

CTSC Set to Work with HUBzero

HUBzero, an NSF-funded, open source software platform for building powerful Web sites and Science Gateways that support scientific discovery, learning, and collaboration, has requested CTSC's expertise in helping secure its operational processes.

As HUBzero moves forward, strengthening its software assurance process and its expansion into AWS in order to improve hub instantiation time, adaptability, and to accommodate more projects through lower-cost hub offerings, CTSC will engage with HUBzero to maintain a high level of operational security around hubs, and improve the quality of the underlying HUBzero framework and their content management system (CMS).

CTSC is excited to work with HUBzero in achieving the goals set forth within the engagement, including:
  • developing a Master Information Security Policy and Procedures document in order to define and communicate a coherent, effective security strategy across all of HUBzero's new organizational structure,
  • drafting a Software Assurance and Testing Policy for HUBzero’s developed and/or maintained software,
  • generating a risk-aware workflow for HUBzero’s R&D process,
  • facilitating on-site training to HUBzero staff for secure software engineering, and
  • providing teleconferencing consultation to support HUBzero in their migration to AWS cloud services.

The engagement is scheduled to run until the end of the year.  Upon completion, it is CTSC’s expectation that the processes developed, as well as the insights gained in this engagement will benefit HUBzero directly, improving the quality of the platform for the science that relies upon it.  Additional benefits reaped during the six month period should provide models for dealing with similar challenges now and in the future across many other cyberinfrastructure projects.

Wednesday, October 12, 2016

CTSC-Wildbook Engagement Summary

In the first half of 2016, members of the Center for Trustworthy Scientific Cyberinfrastructure (CTSC) and Wildbook projects collaborated on the development of a role-based access control (RBAC) prototype for the next generation Wildbook platform. The goal of the collaboration was to establish an RBAC design to support the variety of image gathering, curation, and analysis workflows across multiple ecological communities (studying Grevy's Zebras, Sea Turtles, Geometric Tortoises, Whale Sharks, Humpback Whales, Dolphins, etc.) while maintaining animal privacy (e.g., protection from poaching/trafficking).

CTSC and Wildbook (formerly called IBEIS) implemented an RBAC prototype using the open source software, which implements the System for Cross-domain Identity Management (SCIM) and eXtensible Access Control Markup Language (XACML) standards. This prototype defined multiple roles and access policies:

Roles:
  • Media Asset Contributors
  • Annotation Contributors
  • Data Curators
  • Data Managers
  • Organization Members (Users)
  • Organization Administrators
  • Platform Administrators

Access policies:
  • media assets, annotations, encounters, etc.
  • Assign roles to users
  • Share org A data with org B
  • Access to APIs

The prototype demonstrated the ability to implement access policies using the XACML Subject-Resource-Action pattern. For example:

Subject (Role)               Resource               Action
Organization Member          Media Asset            Create/Read
Data Curator                 Annotations            Create/Read/Update/Delete
Organization Administrator   Organization Policy    Create/Read/Update/Delete
Platform Administrator       Organization           Create/Read/Update/Delete
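To show how the Subject-Resource-Action pattern turns into decisions, here is an added example of a toy XACML-style policy decision point. It is not the prototype's code and does not use the XACML software the page refers to; the rules are the four rows of the table above, and the organization attribute on subjects and resources, the "org A shares with org B" table, the Platform Administrator's cross-organization scope and the extra Deny rule used in the test are assumptions made here to illustrate the "share org A data with org B" policy and XACML's deny-overrides combining.

```python
"""Toy XACML-style policy decision point (PDP) for the Subject-Resource-Action pattern.

Added example; the rules mirror the table on the page, while the organization
attribute, the sharing table and the Deny rule are assumptions made here.
"""
from dataclasses import dataclass

CRUD = frozenset({"Create", "Read", "Update", "Delete"})


@dataclass(frozen=True)
class Rule:
    """One XACML-like rule: a subject role may perform actions on a resource type."""
    subject_role: str
    resource: str
    actions: frozenset
    effect: str = "Permit"   # "Permit" or "Deny"
    cross_org: bool = False  # True: applies to resources of any organization (assumption)


# Policy rows from the table; cross_org for Platform Administrator is an assumption.
POLICY = (
    Rule("Organization Member", "Media Asset", frozenset({"Create", "Read"})),
    Rule("Data Curator", "Annotations", CRUD),
    Rule("Organization Administrator", "Organization Policy", CRUD),
    Rule("Platform Administrator", "Organization", CRUD, cross_org=True),
)


@dataclass(frozen=True)
class Request:
    """Access request: subject attributes, resource attributes and the requested action."""
    roles: frozenset      # roles assigned to the subject
    subject_org: str      # organization the subject belongs to
    resource: str         # resource type, e.g. "Annotations"
    resource_org: str     # organization that owns the resource
    action: str


# Constructed sharing table: (owner_org, recipient_org) means owner shares its data with recipient.
SHARES = frozenset({("OrgA", "OrgB")})


def rule_condition(rule: Rule, req: Request, shares) -> bool:
    """XACML-style condition: a subject may act within its own organization, on data
    shared with its organization, or anywhere for cross-organization rules."""
    if rule.cross_org or req.subject_org == req.resource_org:
        return True
    return (req.resource_org, req.subject_org) in shares


def evaluate(req: Request, policy=POLICY, shares=SHARES) -> str:
    """Deny-overrides combining: any matching Deny wins; otherwise Permit if some rule
    matches; NotApplicable (which the enforcement point treats as deny) if none does."""
    decision = "NotApplicable"
    for rule in policy:
        if rule.subject_role not in req.roles or rule.resource != req.resource:
            continue
        if req.action not in rule.actions or not rule_condition(rule, req, shares):
            continue
        if rule.effect == "Deny":
            return "Deny"
        decision = "Permit"
    return decision


def is_permitted(req: Request, **kwargs) -> bool:
    """What a policy enforcement point (PEP) checks: only an explicit Permit grants access."""
    return evaluate(req, **kwargs) == "Permit"


if __name__ == "__main__":
    curator_b = Request(frozenset({"Data Curator"}), "OrgB", "Annotations", "OrgA", "Update")
    print(evaluate(curator_b))  # Permit, because OrgA shares its data with OrgB
```

Two details carry the security weight: a subject with no matching rule gets NotApplicable rather than Permit, so access is closed by default, and a single Deny rule overrides any number of Permits, which is how a project can carve an exception (for instance, forbidding deletion of annotations) out of a broad role without rewriting the role.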

Tanya Berger-Wolf (Wildbook) and Jim Basney (CTSC) presented the results of the collaboration at the July 2016 International Conference on Computational Sustainability.

The next step will be to schedule a follow-on engagement to take the lessons learned from the prototyping exercise to deploy XACML-based RBAC in the online Wildbook system.

To learn more about Wildbook/IBEIS, watch the livestream at 8:45am EDT on Thursday, October 13 (or the recording to be published after) of Professor Tanya Berger-Wolf presenting at The White House Frontiers Conference:

To apply for a one-on-one engagement with CTSC, visit:

Tuesday, October 11, 2016

United States Antarctic Program Begins Engagement With CTSC

The United States Antarctic Program (USAP) supports polar research by providing or managing, among other things, physical, communications, and information infrastructure.  Within NSF's Division of Polar Programs (PLR), the Antarctic Infrastructure and Logistics Section (AIL) manages the USAP.  NSF polar grantees (whether large or small in budget or complexity) interact with a proposal, funding, and logistical lifecycle that is complex due to, among other things, the relative isolation in harsh environmental conditions. USAP desires to maximize grantees’ smooth integration of information security planning and implementation into that lifecycle.  

USAP and CTSC have begun an engagement to analyze the processes within the science project lifecycle, and to produce a report. The report will focus on the present integration of USAP’s information security requirements with the funding lifecycle and polar-specific process and project milestones.

The primary long-term goal for this engagement is to positively impact the efficiency and effectiveness with which NSF polar grantees integrate USAP’s information security requirements into their interactions with USAP information resources. The engagement will run through December 2016.

Monday, October 10, 2016

CCoE Webinar October 24th 11am EDT: Science or Security

National Academies of Sciences, Engineering, and Medicine (NASEM)'s Dr. George Strawn will be presenting the webinar, "Science or Security," on October 24th at 11am (EDT).

Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.
In my long career in science-related IT, I've seen security go from a non-issue to a big issue. I'll first relate a few security anecdotes from that career, including founding this series of summits. Then I'll describe some conclusions I've come to about this pesky subject. Finally, I'll outline the security research strategic plan created by the interagency NITRD program's senior steering group for computer security and information assurance.
More information about this presentation and speaker bio are on the event page.

Presentations will be recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."