Tuesday, August 15, 2017

CCoE Webinar August 30th 3pm ET: An overview of CTSC Engagements and the Application Process

CTSC's Von Welch is presenting the talk "An overview of CTSC Engagements and the Application Process" on Wednesday, August 30th at 3pm (Eastern). Note: this event falls outside our regular monthly series slot, so be sure to add it to your calendar.

Please register here. Registration includes a confirmation email with a calendar file (check your spam filters if you did not receive the email).
One of CTSC's core activities is conducting one-on-one engagements with NSF projects and facilities. CTSC has recently launched its call for applications for engagements in 2018, due October 2nd. This presentation will review the benefits and scope of CTSC engagements, as well as the application process. Webinar attendees are encouraged to attend live to ask questions about their project/application.
More information about engagements and the application can be found at: https://trustedci.org/application
More information about this presentation is on the event page.

Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Monday, August 14, 2017

2017 NSF Community Cybersecurity Benchmarking Survey -- Please Respond

Please complete the 2017 NSF Community Cybersecurity Benchmarking Survey.  

The goal of the annual survey is to collect and aggregate information over time about the state of cybersecurity for NSF projects and facilities, and to produce a report that gives the community a richer understanding of the environment and its norms while tracking changes in the security of the scientific cyberinfrastructure. We want the survey report to be of maximum utility to NSF researchers, projects, and facilities, which requires a high level of participation; your responses help us meet that goal. We have made minor changes from the 2016 survey to clarify both questions and answers. Participation in the 2017 survey is requested whether or not you responded to the 2016 survey. (See the 2016 survey report at http://hdl.handle.net/2022/21355.)

Each NSF project or facility should submit only a single response. Completing the survey may require input from the PI, the IT manager, and/or the person responsible for cybersecurity (if those separate areas of responsibility exist). While answering specific questions is optional, we strongly encourage you to respond as completely and accurately as possible. If you prefer not to respond to a question, or are unable to answer it, please make that explicit (e.g., by using the "other:" inputs) and give your reason. We minimize the amount of project-identifying information we collect, report responses only in the aggregate, and release only results that we believe preserve the anonymity of individual project or facility respondents.

The response period closes November 17, 2017.

CCoE Webinar August 28th 11am ET: Stronger Security for Password Authentication

UC Irvine's Stanislaw Jarecki is presenting the talk "Stronger Security for Password Authentication," on August 28th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.

Passwords are an infamous bottleneck of information security: The users choose them badly and then forget them, and the servers store (at best!) a table of password hashes which, in the all-too-common event that the server is hacked, allows the attacker to recover a large fraction of the passwords using the so-called Offline Dictionary Attack. At the same time, we seem to be stuck with passwords because they form the most user-friendly authentication mechanism we know. Our work in the CICI-sponsored project looks at the security vulnerabilities of current password authentication protocols, including Two-Factor authentication protocols, where the user's password is amended by the presence of an Auxiliary Authentication Device, e.g. a cell-phone capable of displaying a short one-time PIN which the user copies onto her terminal in order to authenticate to the server. We show that with modest changes to the authentication infrastructure, involving either the user's client, or the authentication server, or the Auxiliary Device software, we can make password authentication protocols which are as practical as currently used schemes but have much stronger security properties. Most importantly, the schemes we show eliminate the security vulnerability posed by the server storing password hashes, thus eliminating the possibility of the Offline Dictionary Attack in case of server compromise. Among other properties, our schemes offer resistance to so-called phishing attacks and, more generally, failures in the Public Key Infrastructure, where the user misidentifies the public key of the authentication server, which in current password authentication schemes leads to revealing the user's password to the adversary.
In this presentation we will present an overview of our work on strengthening password and two-factor schemes, published in NDSS'14, Asiacrypt'14, EuroSP'16, AsiaCCS'16, ACNS'17, ICDCS'17, as well as future directions.
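The two situations the abstract contrasts, a leaked table of password hashes that falls to an offline dictionary attack versus a table that is useless to an attacker who holds only the server's data, in a small Python sketch. This is an added example written for this post, not code from the CICI project or from any of the papers listed above: the randomized password is derived through a blinded exponentiation (an oblivious PRF) whose key lives on the auxiliary device, over a deliberately tiny toy group (the prime 2**127 - 1) chosen so the arithmetic is readable, not for security. The function names, the two user accounts and the word list are constructed for the demonstration.

```python
import hashlib
import secrets
from math import gcd

# Toy group: multiplicative group mod the Mersenne prime 2**127 - 1.
# Far too small for real use; picked only so the exchange is easy to follow.
P = (1 << 127) - 1
ORDER = P - 1  # exponents are taken mod P-1 (Fermat's little theorem)


def hash_to_group(password):
    """Map a password to a non-trivial group element (stand-in for hash-to-group)."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % P
    return h if h > 1 else 2  # avoid the degenerate elements 0 and 1


# --- Classic scheme: the server stores (salt, H(salt || pw)) -------------------

def classic_register(password):
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def offline_dictionary_attack(leaked, wordlist):
    """Attacker holds the leaked table; every guess costs one local hash."""
    recovered = {}
    for user, (salt, stored) in leaked.items():
        for guess in wordlist:
            if hashlib.sha256(salt + guess.encode()).digest() == stored:
                recovered[user] = guess
                break
    return recovered


# --- Device-enhanced scheme: rwd = H(pw, H(pw)^k), key k held by the device -----

def device_keygen():
    return secrets.randbelow(ORDER - 2) + 2


def client_blind(password):
    """Blind H(pw) with a fresh r that is invertible mod ORDER, so it can be undone."""
    while True:
        r = secrets.randbelow(ORDER - 2) + 2
        if gcd(r, ORDER) == 1:
            return r, pow(hash_to_group(password), r, P)


def device_evaluate(device_key, blinded):
    """The device sees only a blinded element, so it learns nothing about pw."""
    return pow(blinded, device_key, P)


def client_finalize(password, r, evaluated):
    """Unblind to recover H(pw)^k and fold it into the randomized password rwd."""
    unblinded = pow(evaluated, pow(r, -1, ORDER), P)
    return hashlib.sha256(password.encode() + unblinded.to_bytes(16, "big")).digest()


def derive_rwd(password, device_key):
    """Full client <-> device exchange for one password; deterministic in (pw, k)."""
    r, blinded = client_blind(password)
    return client_finalize(password, r, device_evaluate(device_key, blinded))


def enhanced_register(password, device_key):
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + derive_rwd(password, device_key)).digest()


def enhanced_login(password, device_key, record):
    salt, stored = record
    candidate = hashlib.sha256(salt + derive_rwd(password, device_key)).digest()
    return secrets.compare_digest(candidate, stored)


def attack_enhanced_table(leaked, wordlist, device_key=None):
    """Server-only compromise (device_key=None): the attacker can hash guesses but
    cannot compute rwd, so each guess would need an online query to the device.
    If the device key is also stolen, the attack degrades to the classic one."""
    recovered = {}
    for user, (salt, stored) in leaked.items():
        for guess in wordlist:
            if device_key is None:
                candidate = hashlib.sha256(salt + guess.encode()).digest()
            else:
                candidate = hashlib.sha256(salt + derive_rwd(guess, device_key)).digest()
            if candidate == stored:
                recovered[user] = guess
                break
    return recovered


def demo():
    wordlist = ["password", "letmein", "correct horse", "Summer2017!"]  # constructed
    users = {"alice": "letmein", "bob": "Summer2017!"}                 # constructed
    classic = {u: classic_register(pw) for u, pw in users.items()}
    key = device_keygen()
    enhanced = {u: enhanced_register(pw, key) for u, pw in users.items()}
    return {
        "classic_recovered": offline_dictionary_attack(classic, wordlist),
        "enhanced_server_only": attack_enhanced_table(enhanced, wordlist),
        "enhanced_with_device_key": attack_enhanced_table(enhanced, wordlist, key),
        "login_ok": enhanced_login("letmein", key, enhanced["alice"]),
        "login_wrong_pw": enhanced_login("letmein!", key, enhanced["alice"]),
    }
```

Run `demo()` to see the contrast: the classic table gives up both passwords to the word list, the device-enhanced table gives up none until the device key is also stolen, and a legitimate login still works because the blinded exchange yields the same rwd every time. Real deployments would use a proper prime-order group or elliptic curve and a slow password hash on top of this; the point here is only where the secret that gates dictionary guesses lives.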

More information about this presentation is on the event page.

Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Thursday, August 3, 2017

UNH Research Computing Center and CTSC cap off high impact, innovative engagement

Campus research centers play an important role in enabling NSF-supported science projects of all sizes. A recently concluded engagement gave us the opportunity to impact open science at the University of New Hampshire, potentially for years to come.  

CTSC and the University of New Hampshire Research Computing Center (UNH RCC), funded in part by the NSF CC*DNI program (Grant #1541430), have completed a successful engagement to assess and facilitate the reasonable maturation of UNH RCC's information security program and to positively impact the security of the cyberinfrastructure and the trustworthiness of the science UNH RCC supports. Following a period of fact-finding, CTSC delivered a report containing specific, prioritized recommendations grounded in best practices for maturing the UNH RCC program. As a first-time experiment, CTSC performed the site visit more than a month after delivering the report (rather than during fact-finding). This gave both teams time to plan and carry out a period of collaborative work in preparation for the visit, so that its meetings, training sessions, and other activities could build on the report, build momentum, and maximize its positive impact.

Patrick Messer, Director of the UNH Research Computing Center, states,

“The engagement process with CTSC has already had a direct impact on research computing at UNH. Senior level administrative discussions have led to the inclusion of RCC staff on UNH’s Information Security Services bi-weekly team meetings, bi-weekly leadership team meetings, and strategic retreats. Both the site visit and the report recommendations emphasized practical approaches to improving cybersecurity. UNH research computing now has a 12-month plan with realistic deliverables and efforts addressing the report recommendations are underway. The plan will be reviewed annually to address those CTSC recommendations that are longer term. Although the engagement focused on the cybersecurity of NSF projects, this effort can’t help but positively impact the entire UNH science community. I am grateful that UNH was able to participate in the engagement process.”

Engagement Process

CTSC and UNH RCC held ten one-hour video conference calls in the course of the engagement. These calls were primarily in the fact-finding phase and were key to clarifying the computing environment at both UNH and UNH RCC. While web searches provided information about the publicly documented environment, UNH RCC also made a number of additional documents and diagrams available to CTSC. The subsequent report comprised three key sections of recommendations. The first, titled "Recommendations for Pivotal Actions", contained two recommendations on strategic decisions for UNH RCC to consider about its approach to cybersecurity within the UNH system. The second, titled "Recommendations for actions best implemented at the university level, but may remain UNH RCC's responsibility", contained six high-impact recommendations for consideration if UNH RCC keeps its current relative independence from UNH IT and its responsibility for its own day-to-day security practices; these ranged from selecting a cybersecurity framework to patch management and network monitoring. The third and final section, titled "Recommendations best implemented at the research computing center level", contained seven actions for consideration regardless of the outcome of the pivotal decisions; these ranged from asset inventory to change control and developing a core information security policy. Throughout the report we made frequent reference to the CIS Critical Security Controls for Effective Cyber Defense, Version 6.1, and also referenced the Australian Signals Directorate's Essential Eight.

UNH RCC organized and facilitated CTSC's site visit. We met with a wide range of stakeholders, including the UNH SVP for Research and the UNH CIO, the faculty advisory committee (plus interested researchers), general counsel, and the UNH RCC software development team. Many meetings included not only the engagement team but also representatives from the UNH IT cybersecurity team. Topics for the meetings included: addressing contractual requirements for protecting Controlled Unclassified Information; developing an Acceptable Use Policy; Freedom of Information Act considerations; and both overview presentations and detailed discussions of the recommendations in the report. CTSC presented new material on selecting cybersecurity frameworks and control sets, and the group delved into implementation details of the Critical Security Controls.

In the wake of this site visit, UNH RCC has prepared a “summary of the plans for implementing cybersecurity recommendations that resulted from a UNH collaboration with the Center for Trustworthy Scientific Cyberinfrastructure (CTSC)”. In addition to meetings at the university level regarding funding and integration with UNH IT, the summary describes plans for implementation in six- and twelve-month timeframes to improve cybersecurity for the three categories of UNH RCC systems. CTSC will track progress via an evaluation questionnaire at those intervals.

Reflection & Acknowledgements

UNH RCC and the UNH information security team demonstrated impressive commitment throughout the engagement: four to six people from UNH joined every one of the ten conference calls. UNH RCC supported the use of Zoom for teleconferencing and Box for sharing documents, technologies not used in prior CTSC engagements. UNH RCC also maximized the effectiveness of the CTSC team's site visit by scheduling meetings with the engagement team and other stakeholders on each of the detailed recommendations, and with senior University officials to make the case for the pivotal recommendations.

CTSC wishes to explicitly acknowledge the UNH participants who made this engagement such a success:

  • CTSC/UNH Engagement Team - UNH Participants
    • Brian Dennis Gaon, UNH Information Security Officer
    • Patrick Messer, Director of the UNH Research Computing Center
    • Scott Valcourt, Director of UNH IT Strategic Technology
    • Tucker Hurton, UNH Research Computing Center Security Officer
    • Robert Anderson, Associate Director of the UNH Research Computing Center
    • Grace Wilson Caudill, UNH Cyberinfrastructure Engineer

  • Other Stakeholders - on-site visit:
    • Jan Nisbet, UNH Senior Vice Provost for Research
    • Stan Waddell, UNH CIO
    • Rori Boyce, UNH Information Security Compliance Officer
    • Tony Dumas, UNH Information Security Operations Engineer
    • Shelby Descoteaux, UNH Information Security Operations Technician
    • Louise Griffin, UNH Senior Director for Research & Sponsored Programs
    • Paul DeMello, UNH Director of Program and Project Management
    • Victor Sosa, UNH Director of Contracts and Export Controls
    • Melissa McGee, UNH Compliance Officer
    • Karyl Martin, USNH Associate General Counsel
    • Theresa Ridgeway, UNH Research Computing Center Program Manager
    • Allan Wright, UNH Manager Research Computing Center Software Development Group
      • Software development group
    • Thomas Baker, UNH Research Computing Center Systems Administrator
    • Jennifer Sorrell, UNH Research Computing Center Business Manager
    • Faculty Advisory Committee plus interested researchers