CTSC is pleased to announce our successful completion of a six month engagement with the DKIST Data Center. The DKIST Data Center (NSF AST-0946422), located in Boulder on University of Colorado’s east campus, serves as the operations data management and processing center for the Daniel K. Inouye Solar Telescope (DKIST). When construction completes in 2019, DKIST will be the largest and most precise solar telescope to date, capable of “zooming in” on the sun to an area roughly the size of a county. Data volume is expected to average around 9 TB/day, spiking up to 64 TB/day during ideal viewing conditions. These scientific measurements and images will be continuously streamed from the telescope’s site in Haleakala on Maui, Hawai’i, to the DKIST Data Center. Recognizing their importance in protecting the integrity, availability, and confidentiality of the data and services supporting the telescope’s critical science mission, the DKIST Data Center reached out to CTSC for an engagement focused on kickstarting their newly-forming cybersecurity program.
After discussion about its needs, the DKIST Data Center staff and CTSC decided to focus primarily on the development of written policies and procedures, and secondarily on recommendations for staffing and discussions about security training resources. CTSC recommended developing, implementing, and maintaining written policies based on the CTSC Guide templates available on the CTSC website at https://trustedci.org/guide. These were used as a starting point after a review of the existing policies.
As a project of the National Solar Observatory (NSO), which is managed by the Association of Universities for Research in Astronomy (AURA), the DKIST Data Center is subject to policies inherited from two parent organizations. Further, as a tenant at the University of Colorado, the Data Center must also comply with all of the university’s security policies. During the engagement, CTSC reviewed security policies from all three organizations in order to advise the Data Center on how to meet the requirements. CTSC offered guidance on how to navigate conflicting policies, as well as advice on when to adopt parent policies as-is versus when to adopt a stricter stance.
During the engagement, the CTSC team had an opportunity to visit the DKIST Data Center offices and facilities. This face-to-face opportunity facilitated communication as we finalized the development process of the security policies and reviewed all the policies written during the term of the engagement. Additionally, CTSC performed a physical review of the data center and a co-located center, provided a tutorial on the risk analysis process, and guided the DKIST staff through a tabletop cybersecurity exercise. DKIST also presented their current network map and demonstrated their current installation and security compliance tools.
Engaging with CTSC early in the creation of their security program allowed DKIST Data Center to develop excellent foundational policies rather than needing to change their operations at a later date. We would like to thank DKIST Data Center staff for their participation in this engagement.
Monday, December 18, 2017
Thursday, December 14, 2017
Save the Date: 2018 NSF Cybersecurity Summit for Large Research Facilities and Cyberinfrastructure - August 21-23, 2018
Please mark your calendar for the 2018 NSF Cybersecurity Summit for Large Research Facilities and Cyberinfrastructure, planned for August 21-23, 2018, in Alexandria, Virginia.
Note that we’re in a new location this year.
Stay tuned for more information. We’ll update the website as details develop: http://trustedci.org/summit/.
Regards,
Jim Marsteller - NSF Cybersecurity Summit Program Chair
On Behalf of the Organizing Committee - Diana Borecky, Leslee
Cooper, Ryan Kiser, Mark Krenz, Jim Marsteller, Von Welch
Wednesday, December 13, 2017
DesignSafe-CI and CTSC Complete Cyber-checkup
CTSC has completed its engagement with DesignSafe-CI (DesignSafe), a component of the Natural Hazards Engineering Research Infrastructure (NHERI) and funded by the NSF under a Cooperative Agreement through the Division Of Civil, Mechanical, and Manufacturing Innovation (CMMI) (NSF-1520817). In a cyber-checkup tailored for DesignSafe’s existing NIST 800-53 based cybersecurity control implementation, CTSC reviewed security documents for DesignSafe, as well as seven experimental facilities (EFs) that DesignSafe governed, and then generated a matrix in order to display the thoroughness of each site’s adherence to best practices in security. Using this observed data, both CTSC and DesignSafe collaborated in identifying opportunities for improvement for each of the sites' existing security programs.
Tuesday, December 12, 2017
CCoE Webinar Series: Looking toward 2018, review of 2017
The 2017 season of the CCoE Webinar series has concluded. We have spent the last few months scheduling presentations for the upcoming year.
The following topics and speakers have been booked for 2018:
(Webinars are scheduled the 4th Monday of the month at 11am Eastern time.)
- January 29th: Security Program at LSST with Alex Withers
- February 26th: SMARTDATA Blockchain with Murat Kantarcioglu
- March 26th: Data Provenance for Mobile Devices with Leon Reznik
- April 23rd: Creating Dynamic Superfacilities the SAFE Way with Jeff Chase & Paul Ruth
- May 28th: SouthEAST SECURE with Jill Gemmill
- July 23rd: RSARC: Trustworthy Computing over Protected Datasets by Mayank Varia
2017 webinars:
- January: Open Science Cyber Risk Profile (OSCRP) by Von Welch & Sean Peisert (Video)(Slides)
- February: Practical Cybersecurity for Open Science Projects by Susan Sons, Craig Jackson, & Bob Cowles (Video)(Slides)
- March: SDN and IAM Integration at Duke by Richard Biever & Charley Kneifel(Video)(Slides)
- April: HIPAA and FISMA: Computing with Regulated Data with Susan Ramsey & Anurag Shankar (Video)(Slides)
- May: Cybersecurity Research: Transition to Practice with Emily Nichols and Alec Yasinsac (Video)(Slides)
- June: Provenance Assurance Using Currency Primitives with Anthony Skjellum & Richard Brooks (Video)(Slides)
- July: Inaugural Security Program at Internet2 by Paul Howell (Video)(Slides)
- August: Stronger Security for Password Authentication with Stanislaw Jarecki (Video)(Slides)
- August: An overview of CTSC Engagements & Application Process with Von Welch (Video)(Slides)
- September: Demystifying Threat Intelligence with Romain Wartel (Video)(Slides)
- October: Cybersecurity in an Open and Decentralized Network with Aashish Sharma (Video)(Slides)
- December: CTSC's Services and Vision with Von Welch (Video)(Slides)
Friday, December 1, 2017
CPP-CTSC SFS Cyberinfrastructure Security Workshop
On the weekend of October 14th, the California State Polytechnic University Pomona Scholarship for Service program in collaboration with the Center for Trustworthy Scientific Cyberinfrastructure (CTSC) hosted a cyber workshop for Scholarship for Service (SFS) students. 45 Students from 13 different universities traveled to Pomona, CA, to participate despite looming midterms the following week. Students spent all day Saturday and half of Sunday participating in workshops covering topics such as public key infrastructure and deployment, log analysis + Splunk, network security in a Science DMZ, and federated identity and access management.
The Student Attendees
The students at this workshop are participants of the CyberCorps Scholarship for Service (SFS) program, designed by the National Science Foundation to strengthen the workforce of information assurance professionals protecting the government’s critical information infrastructure. The SFS program provides a scholarship to full-time students that typically includes full tuition, related fees, and a stipend. These students then repay the program through public service and employment in a government agency. Qualifying agencies and positions include both federal and state institutions.
The CPP and CTSC Instructors
The engagement process started in May of 2017, with CPP submitting an application to CTSC requesting assistance in creating a training workshop for the SFS students. Once the engagement started, CPP and CTSC equally shared the task of planning the event. Cal Poly Professors Dr. Mohammad Husain, Dr. Ron Pike, and Dr. Tingting Chen, as well as CTSC security professionals Dr. Jim Basney, Jeannette Dopheide, John Zage, and Kay Avila participated in the coordination. Materials from previous CTSC lectures and training were used as a base for the lessons taught by CTSC, as well as for the creation of new material. Hands-on training was prepared in a single virtual machine built from the NSF project SEED base image. The SEED image provides a host of instruction and training materials for information security projects.
The day before the workshop, the CPP staff led the CTSC team through a tour of the facilities and introduced them to the various cyber student groups on the CPP campus. One of these groups, Students With an Interest in the Future of Technologies (SWIFT), was preparing for a national capture the flag competition, while another group, CPP PolySec Lab, was penetration testing integrated devices. A third group demonstrated their student-run data center, including a small server room with server racks and sensors. This data center provides services to students while providing excellent experience to the students managing the servers.
On Saturday, the workshop began with Dr. Mohammad Husain, the director of cyber security programs and Cal Poly Pomona’s SFS Principal investigator, introducing the instructors for the weekend. Following introductions, the day started with CTSC instructors introducing a set of cyberinfrastructure projects currently being worked on, namely HTCondor, DKIST, and OSiRIS.
At the end of the day on Saturday, the students were introduced to a panel of professionals to showcase different career paths for the security profession. The panel consisted of Karl Mattson, the Chief Information Security Officer for City National Bank; Veronica Mitchel, a cyber risk officer for the city of Long Beach, CA; Deronda Dubose, a special agent for the Secret Service; John W. McGuthry, the Chief Information Officer for Cal Poly Pomona; and Dr. Basney, a CTSC co-PI. Dr. Daniel Manson, a professor and the campus Information Security Officer at Cal Poly, moderated the conversation. Students did a phenomenal job participating in the panel, giving elevator speeches and promoting their extracurricular activities while receiving feedback on their participation from the panel.
Survey results were collected after the workshop, and responses indicate the hands-on sessions were well received, especially the log analysis session. Ninety-five percent of students found the workshop either good or excellent, while sixty-three percent thought they were more likely to pursue a career in cyberinfrastructure security after the workshop. For more information about the workshop, slides, handouts, and videos will be uploaded here.
Monday, November 27, 2017
CCoE Webinar Dec. 11th at 11am ET: State of the CCoE
CTSC's Von Welch is presenting the talk "The State of the Cybersecurity Center of Excellence" on December 11th at 11am (Eastern).
Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.
The NSF Cybersecurity Center of Excellence (CCoE) leads the NSF community in addressing the cybersecurity challenges in producing trustworthy science. Beginning as the Center for Trusted Scientific Cyberinfrastructure (CTSC) in 2013, the CCoE, funded by NSF's Division of Advanced Cyberinfrastructure, provides cybersecurity resources and services to NSF projects and facilities, at no fee to them. Examples include webinars, the annual NSF Cybersecurity Summit, one-on-one engagements, training, and best practices in the realms of operations, identity management, and software development. This talk will cover:
- The CCoE’s vision for cybersecurity in the NSF community;
- The CCoE’s mission and an overview of services offered by the CCoE to the NSF community to instantiate that vision, highlighting recent initiatives on software assurance and reaching small-to-medium sized projects; and
- Experiences and lessons learned in community engagement and cybersecurity for science over the past four years.
More information about this presentation is on the event page.
Presentations are recorded and include time for questions with the audience.
Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."
Monday, October 30, 2017
IAM for Research Organizations at AGU17
CILogon and CTSC are co-organizing a workshop on Identity and Access Management for Research Organizations co-located with the 2017 AGU Fall Meeting. The workshop will provide an overview of identity and access management (IAM) issues including single sign-on (SSO) facing research collaborations and demonstrate IAM solutions available to both large and small collaborations using interactive tutorials. CTSC's Jim Basney and Scott Koranda will present.
The workshop will be held Sunday, December 10 from 9am to 5pm CT at the Hilton New Orleans Riverside. Visit the workshop's Eventbrite page to register. There is no registration fee. Space is available for up to 20 attendees.
Workshop topics will include:
- Research Identity Management Process Needs
- Federated Identity for Authentication (SAML and OIDC)
- The Complexities of SAML Federation
- Non-Browser Clients and Federated Identity
- Participant Lifecycle Management
- Application Integration and Provisioning
Tuesday, October 10, 2017
Open Science Cyber Risk Profile publications
The Open Science Cyber Risk Profile (OSCRP) is a living document, developed under leadership from CTSC and ESnet, designed to help principal investigators and their supporting information technology professionals assess cybersecurity risks related to open science projects. We’re happy to share an update on its usage and appearances.
Richard LeDuc, Director of Computational Proteomics at the Proteomics Center of Excellence, Northwestern University, presented a poster “Protecting Proteomic Data Processing on the TDPortal with the Open Science Cyber Risk Profile” at the 65th ASMS Conference on Mass Spectrometry and Allied Topics. The TDPortal is the front end to the research system of the National Resource for Translational and Developmental Proteogenomics (NRTDP), running on high performance computing at Northwestern University. The poster describes the NRTDP’s use of the OSCRP to manage risks for the TDPortal.
Two recent articles also covered OSCRP: the University of California IT Blog published “Helping Scientists Understand Research Cyber Risks,” and it was the subject of an article in IEEE Security and Privacy Magazine.
Monday, October 9, 2017
CCoE Webinar Oct. 23rd 11am ET: Incident Response in an Open and Decentralized Network
Berkeley Labs' Aashish Sharma is presenting the talk "Incident Response in an Open and Decentralized Network" on October 23rd at 11am (Eastern).
Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.
This talk presents various aspects and challenges of monitoring and securing a big research network while keeping it open and usable. We focus on issues faced due to the following attributes:
- decentralization
- high speed
- BYOD policy
- openness
We further provide insights into our detection and incident response process using some real world examples, and how the above attributes influence this process.
More information about this presentation is on the event page.
Presentations are recorded and include time for questions with the audience.
Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."
Wednesday, September 27, 2017
CTSC welcomes two leading CIOs to its Advisory Committee
We are very pleased to welcome new members to the CTSC Advisory Committee:
Dr. David Halstead is the CIO for the National Radio Astronomy Observatory, a facility of the NSF operated under cooperative agreement by AUI, where his responsibilities are divided between Data Management for the Observatory’s HPC infrastructure in support of the national radio telescopes, and the general IT support for 500+ employees. He has served on multiple SuperComputing Conference committees and is a founding member of the ACM’s SIGHPC Education Chapter. Prior to joining NRAO, he worked in the DOE Scalable Computing Laboratory in Ames Lab, and in the private sector with Celera Genomics.
Dr. Melissa Woo is the Senior Vice President for Information Technology (IT) and Chief Information Officer at Stony Brook University. Prior to joining Stony Brook University, Melissa was the Vice Provost for Information Services and Chief Information Officer at the University of Oregon. Melissa has also worked for the central IT organizations at the University of Wisconsin-Milwaukee and the University of Illinois at Urbana-Champaign leading and supporting a number of areas, including research cyberinfrastructure, enterprise IT services, and IT operations and infrastructure.
David and Melissa join a committee that consists of Tom Barton of the University of Chicago, Neil Chue Hong of the UK Software Sustainability Institute, Nicholas Multari of Pacific Northwest National Lab (PNNL), and Nancy Wilkins-Diehr of the San Diego Supercomputing Center.
Both David and Melissa bring key expertise and experiences to the advisory committee. David, as CIO of NRAO, has the perspective of an NSF Large Facilities and the cybersecurity challenges they face in supporting research. Melissa, as CIO at Stony Brook, brings a wealth of experience in higher education IT and the key role it has supporting research nationally.
We thank both David and Melissa for joining the CTSC Advisory Board and look forward to working closely with them to support research and science cybersecurity challenges.
We also take this opportunity to thank Don Middleton of NCAR for his service on the Advisory Committee and wish him well in retirement.
Thursday, September 21, 2017
Ask CTSC: Questions for leadership to ask when considering handling regulated data.
We at CTSC field questions from the community about cybersecurity, either sent directly to the team or via the ask@trustedci.org email address. To better help a broader portion of the community, we're going to start posting our responses here on the blog so they are available. (Don't worry, if your question is sensitive in some way we'll either answer it privately or work with you to sanitize it). This represents the first of such answers. -Von
Yesterday we received the following question from a member of the community:
What are the key questions that research computing leadership or a VP/VC/Dean of research should be asking themselves if they are considering taking on regulated data?
The question came with an "I need this by Friday" plea, so here's our admittedly quick answer. Please chime in with a comment if you have suggestions.
Questions for leadership to ask when considering handling regulated data.
- How can you best be involved at the contract negotiation phase? A number of folks have success negotiating out regulated data terms from contracts.
- How do you track demand and judge when is it time to take the compliance plunge? Sometimes it will be one large project that will justify the cost, other times it will be an aggregation of smaller requests and expectation of future need.
- How do you track the actual need of the researchers? While we tend to think of compliance for infrastructure or projects, the real issue is around the workflows of the researchers from end-to-end. In general you want to implement your compliance infrastructure to satisfy as many workflows, hence projects, as possible.
- When does outsourcing compliance make sense? At the 2017 NSF Cybersecurity Summit, we heard from three major cloud vendors with compliance solutions and it was clear that while they handle key parts of compliance, it is at most a partnership and responsibility still resides with the institution.
- What formal processes and mechanisms will you need to institute to manage regulated data contracts? Ideally, one would have the PI contact the Office of Research Administration, which will then work with the CISO/central IT/research computing/compliance to evaluate needs and provide resources and a security budget for the PI to include in the contract, and help PIs with reporting to the agency (e.g. for FISMA).
- How will you develop regulatory expertise/training? Many campuses with medical schools have HIPAA expertise, but other regulations which contracts will likely include going forward, e.g. CUI/NIST 800-171 and FISMA, have not been a concern in academia.
- How will you manage third parties (e.g. business associates for HIPAA)? This will require assessments of due diligence and possibly additional costs for services.
- How will you handle breach notification?
- How will you get buy-in from all the impacted parties? This will impact a number of groups across campus. Some schools have used an initial task force composed of stakeholders to plan.
- How will you resource ongoing effort? Expect ongoing leadership to take a significant fraction of a person, with additional contributions by many others. As it ramps up, a full-time leader is not uncommon.
Thank you to Anurag Shankar of IU CACR for contributing to this post.
Monday, September 11, 2017
DesignSafe-CI and CTSC Engage for Cyber-checkup
CTSC has initiated an engagement with DesignSafe-CI (DesignSafe) (NSF-1520817, NSF-1612144, NSF-1612843), a component of the Natural Hazards Engineering Research Infrastructure (NHERI) and funded by the NSF under a Cooperative Agreement through the Division Of Civil, Mechanical, & Manufacturing Innovation (CMMI) (NSF-1520817). The scope of the engagement is to perform a cyber-checkup -- a high-level review of the project’s cybersecurity program. The process tailored to DesignSafe’s needs will constitute a fact-finding exercise that delves into DesignSafe’s security processes, policies and protocols. Due to the maturity of DesignSafe’s existing security program, CTSC anticipates the engagement will be completed by November 2017.
CCoE Webinar Sept. 25th 11am ET: Demystifying Threat Intelligence
CERN's Romain Wartel is presenting the talk "Demystifying Threat Intelligence" on September 25th at 11am (Eastern).
Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.
Threat intelligence has become a very popular keyword among security professionals in recent years. What is this all about? Is this a service for sale or rather an intangible asset resulting from a trust relationship? Every organization is seeking relevant and targeted intelligence, ideally at little to no cost and yielding no false positives. What are the myths and realities? Is threat intelligence a worthy investment? Is it more suitable to favor local or global sources? Are there services or tools that can facilitate threat intelligence management? Beyond obtaining information, an often overlooked aspect is the challenge of building the ability to take prompt and effective action based on specific intelligence. Making good use of threat intelligence is what gives it its value, but this requires time and effort. Yet, a well-designed threat intelligence management and flow may in fact be the only realistic and affordable strategy for our community to mitigate sophisticated threats or well-funded attackers on a daily basis.
More information about this presentation is on the event page.
Presentations are recorded and include time for questions with the audience.
Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."
Tuesday, September 5, 2017
CTSC begins engagement with DKIST Data Center
The DKIST Data Center (NSF AST-0946422) is the operations data management and processing center for the Daniel K. Inouye Solar Telescope (DKIST), which at the time of its scheduled completion in 2019 will be the largest solar telescope in the world. The data center team has the challenge of managing the terabytes of data coming in daily from the summit in Haleakala, Maui, Hawaii to the data center facility in Boulder, Colorado. With assistance from CTSC, the DKIST Data Center team plans to develop a cybersecurity program that will help them focus appropriately on the Integrity, Availability and Confidentiality of the data and services in support of DKIST.
Tuesday, August 15, 2017
CCoE Webinar August 30th 3pm ET: An overview of CTSC Engagements and the Application Process
CTSC's Von Welch is presenting the talk "An overview of CTSC Engagements and the Application Process," on Wednesday August 30th at 3pm (Eastern). Note: The day and time for this event is not during our regular monthly series. Be sure to add it to your calendar.
Please register here. Registration includes a confirmation email with a calendar file (check your spam filters if you did not receive the email).
Presentations are recorded and include time for questions with the audience.
Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."
One of CTSC's core activities is conducting one-on-one engagements with NSF projects and facilities. CTSC has recently launched its call for applications for engagements in 2018, due October 2nd. This presentation will review the benefits and scope of CTSC engagements, as well as the application process. Webinar attendees are encouraged to attend live to ask questions about their project/application.
More information about engagements and the application can be found at: https://trustedci.org/application
More information about this presentation is on the event page.
Monday, August 14, 2017
2017 NSF Community Cybersecurity Benchmarking Survey -- Please Respond
Please complete the 2017 NSF Community Cybersecurity Benchmarking Survey.
The 2017 survey: https://goo.gl/forms/oU7QS42WYe4fBsaC3
The goal of the annual survey is to collect and aggregate information over time about the state of cybersecurity for NSF projects and facilities and produce a report that will help the community gain a richer understanding of the environment and norms, as well as track changes to the security of the scientific cyberinfrastructure. We want to ensure the survey report is of maximum utility to the NSF researchers, projects, and facilities, and encourage a high level of participation. Your responses will help us meet that goal. We have made minor changes from the 2016 survey to clarify both questions and answers. Participation in the 2017 survey is requested whether or not you responded to the 2016 survey. (See the 2016 survey report at http://hdl.handle.net/2022/21355)
Each NSF project or facility should submit only a single response. Completing the survey may require input from the PI, the IT manager, and/or the person responsible for cybersecurity (if those separate areas of responsibility exist). While answering specific questions is optional, we strongly encourage you to take the time to respond as completely and accurately as possible. If you prefer not to respond or are unable to answer a question for some reason, we ask that you make that explicit (e.g., by using “other:” inputs) and provide your reason. Please note that we minimize the amount of project-identifying information we collect and will report responses only in the aggregate and CTSC will release results that we believe provide anonymity to the individual project or facility respondents.
The response period closes November 17, 2017.
CCoE Webinar August 28th 11am ET: Stronger Security for Password Authentication
UC Irvine's Stanislaw Jarecki is presenting the talk "Stronger Security for Password Authentication," on August 28th at 11am (Eastern).
Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.
More information about this presentation is on the event page.
Presentations are recorded and include time for questions with the audience.
Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."
Passwords are an infamous bottleneck of information security: the users choose them badly and then forget them, and the servers store (at best!) a table of password hashes which, in the all-too-common event that the server is hacked, allows the attacker to recover a large fraction of the passwords using the so-called Offline Dictionary Attack. At the same time, we seem to be stuck with passwords because they form the most user-friendly authentication mechanism we know. Our work in the CICI-sponsored project looks at the security vulnerabilities of current password authentication protocols, including two-factor authentication protocols, where the user's password is augmented by the presence of an Auxiliary Authentication Device, e.g. a cell phone capable of displaying a short one-time PIN which the user copies onto her terminal in order to authenticate to the server. We show that with modest changes to the authentication infrastructure, involving either the user's client, or the authentication server, or the Auxiliary Device software, we can make password authentication protocols which are as practical as currently used schemes but have much stronger security properties. Most importantly, the schemes we show eliminate the security vulnerability posed by the server storing password hashes, thus eliminating the possibility of the Offline Dictionary Attack in case of server compromise. Among other properties, our schemes offer resistance to so-called phishing attacks and, more generally, to failures in the Public Key Infrastructure, where the user misidentifies the public key of the authentication server, which in current password authentication schemes leads to revealing the user's password to the adversary.
In this presentation we will present an overview of our work on strengthening password and two-factor schemes, published in NDSS'14, Asiacrypt'14, EuroSP'16, AsiaCCS'16, ACNS'17, ICDCS'17, as well as future directions.
More information about this presentation is on the event page.
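The Offline Dictionary Attack the abstract refers to, and the effect of tying the server's stored verifier to a secret held on the Auxiliary Device, as an added Python illustration. This is not the presenters' code and not their protocol: the published schemes use an oblivious PRF so the device never learns the password, whereas this toy version hands the device the password directly. The users, passwords and attacker wordlist are constructed sample data, and all function and class names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: three users with passwords, and the attacker's
# small guessing list, which happens to contain two of the three passwords.
USERS = {"alice": "sunshine", "bob": "letmein", "carol": "c0rrect-h0rse-battery"}
WORDLIST = ["123456", "password", "sunshine", "letmein", "qwerty"]


def pw_hash(secret: str, salt: bytes) -> bytes:
    """Server-side verifier function: salted, iterated PBKDF2-SHA256.
    A slow KDF raises the per-guess cost, but once the table leaks nothing
    stops an attacker from testing guesses offline at leisure."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)


def enroll_conventional(users: dict) -> dict:
    """What a conventional server stores: {user: (salt, pw_hash(password, salt))}."""
    table = {}
    for user, password in users.items():
        salt = secrets.token_bytes(16)
        table[user] = (salt, pw_hash(password, salt))
    return table


def login_conventional(table: dict, user: str, password: str) -> bool:
    salt, stored = table[user]
    return hmac.compare_digest(pw_hash(password, salt), stored)


def offline_dictionary_attack(leaked_table: dict, wordlist: list) -> dict:
    """Attacker holding a copy of the server table. Every guess is checked
    locally against the stored verifier; the server never sees, and cannot
    rate-limit, these attempts. Returns {user: recovered_password}."""
    recovered = {}
    for user, (salt, stored) in leaked_table.items():
        for guess in wordlist:
            if hmac.compare_digest(pw_hash(guess, salt), stored):
                recovered[user] = guess
                break
    return recovered


class AuxiliaryDevice:
    """Stand-in for the Auxiliary Authentication Device (e.g. the phone).
    It holds one random key per user that never leaves the device and
    evaluates a PRF (HMAC-SHA256) on the password with that key.
    Simplification (assumption, not the presenters' design): the device is
    handed the password in the clear; the published schemes use an oblivious
    PRF so the device learns nothing about the password."""

    def __init__(self):
        self._keys = {}

    def enroll(self, user: str) -> None:
        self._keys[user] = secrets.token_bytes(32)

    def prf(self, user: str, password: str) -> str:
        return hmac.new(self._keys[user], password.encode(), "sha256").hexdigest()


def enroll_device_enhanced(users: dict, device: AuxiliaryDevice) -> dict:
    """Server stores a verifier over the device's PRF output instead of over
    the raw password. Without the device key, the leaked table no longer
    lets an attacker test password guesses at all."""
    table = {}
    for user, password in users.items():
        device.enroll(user)
        salt = secrets.token_bytes(16)
        table[user] = (salt, pw_hash(device.prf(user, password), salt))
    return table


def login_device_enhanced(table: dict, device: AuxiliaryDevice,
                          user: str, password: str) -> bool:
    salt, stored = table[user]
    return hmac.compare_digest(pw_hash(device.prf(user, password), salt), stored)


if __name__ == "__main__":
    leaked = enroll_conventional(USERS)
    print("conventional table, attacker recovers:",
          offline_dictionary_attack(leaked, WORDLIST))
    device = AuxiliaryDevice()
    leaked = enroll_device_enhanced(USERS, device)
    print("device-enhanced table, attacker recovers:",
          offline_dictionary_attack(leaked, WORDLIST))
    print("legitimate login still works:",
          login_device_enhanced(leaked, device, "alice", "sunshine"))
```

Against the conventional table the attacker recovers every password that appears in the wordlist, regardless of the salt and the slow KDF; against the device-enhanced table the same attacker recovers nothing, because each guess would have to be passed through a key the leak does not contain. The caveat is the obvious one: an attacker who compromises both the server table and the device key is back to the conventional case, and the phishing and PKI-failure resistance the abstract mentions is a separate property not shown here.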
Thursday, August 3, 2017
UNH Research Computing Center and CTSC cap off high impact, innovative engagement
Campus research centers play an important role in enabling NSF-supported science projects of all sizes. A recently concluded engagement gave us the opportunity to impact open science at the University of New Hampshire, potentially for years to come.
CTSC and the University of New Hampshire Research Computing Center (UNH RCC) (funded in part by the NSF CC*DNI program, Grant #1541430) have completed a successful engagement to assess and facilitate the reasonable maturation of UNH RCC’s information security program and to positively impact the security of the cyberinfrastructure and the trustworthiness of the science UNH RCC supports. Following a period of fact-finding, CTSC delivered a report containing specific, prioritized recommendations grounded in best practices for maturing the UNH RCC program. As a first-time experiment, CTSC performed the site visit more than a month after delivering the report (rather than during fact-finding), giving time to plan and conduct a period of collaborative work in preparation for the site visit, where meetings, training sessions, and other activities leveraged the report to build momentum and maximize its positive impact.
Patrick Messer, Director of the UNH Research Computing Center, states,
“The engagement process with CTSC has already had a direct impact on research computing at UNH. Senior level administrative discussions have led to the inclusion of RCC staff on UNH’s Information Security Services bi-weekly team meetings, bi-weekly leadership team meetings, and strategic retreats. Both the site visit and the report recommendations emphasized practical approaches to improving cybersecurity. UNH research computing now has a 12-month plan with realistic deliverables and efforts addressing the report recommendations are underway. The plan will be reviewed annually to address those CTSC recommendations that are longer term. Although the engagement focused on the cybersecurity of NSF projects, this effort can’t help but positively impact the entire UNH science community. I am grateful that UNH was able to participate in the engagement process.”
Engagement Process
CTSC and UNH RCC held ten one-hour video conference calls over the course of the engagement. These calls fell primarily in the fact-finding phase and were key to clarifying the computing environment at both UNH and UNH RCC. While web searches provided information about the publicly documented environment, UNH RCC also made a number of additional documents and diagrams available to CTSC. The subsequent report comprised three key sections of recommendations. The first section, titled “Recommendations for Pivotal Actions”, contained two recommendations on strategic actions for UNH RCC to consider about its approach to cybersecurity in the context of the UNH system. The second section, titled “Recommendations for actions best implemented at the university level, but may remain UNH RCC’s responsibility”, contained six recommendations for high-impact actions to consider if UNH RCC maintains its status quo of relative independence from UNH IT and responsibility for its own day-to-day security practices. These ranged from selecting a cybersecurity framework to patch management and network monitoring. The third and final section, titled “Recommendations best implemented at the research computing center level”, contained seven actions to consider regardless of the outcome of the pivotal decisions. These ranged from asset inventory to change control and developing a core information security policy. Throughout the report we made frequent reference to the CIS Critical Security Controls for Effective Cyber Defense, Version 6.1, and also referenced the Australian Signals Directorate’s Essential Eight.
UNH RCC organized and facilitated CTSC’s site visit. We met with a wide range of stakeholders, including the UNH SVP for Research and the UNH CIO, the faculty advisory committee (plus interested researchers), general counsel, and the UNH RCC software development team. Many meetings included not only the engagement team, but also representatives from the UNH IT cybersecurity team. Topics for the meetings included: addressing contractual requirements for protecting Controlled Unclassified Information; developing an Acceptable Use Policy; Freedom of Information Act considerations; and both overview presentations and detailed discussions of the recommendations in the report. CTSC presented new material on selecting cybersecurity frameworks and control sets, and the group delved into implementation details of the Critical Security Controls.
In the wake of this site visit, UNH RCC has prepared a “summary of the plans for implementing cybersecurity recommendations that resulted from a UNH collaboration with the Center for Trustworthy Scientific Cyberinfrastructure (CTSC)”. In addition to meetings at the university level regarding funding and integration with UNH IT, the summary describes plans for implementation in six- and twelve-month timeframes to improve cybersecurity for the three categories of UNH RCC systems. CTSC will track progress via an evaluation questionnaire at those intervals.
Reflection & Acknowledgements
UNH RCC and the UNH information security team demonstrated impressive commitment throughout the engagement. There were always four to six people from UNH on every one of the ten conference calls. UNH RCC supported the use of Zoom for teleconferencing and of Box for sharing documents, technologies not used in prior CTSC engagements. UNH RCC maximized the effectiveness of the CTSC team’s site visit by scheduling meetings with the engagement team and other stakeholders on each of the detailed recommendations, and with senior University officials to make the case for the pivotal recommendations.
CTSC wishes to explicitly acknowledge the UNH participants who made this engagement such a success:
- CTSC/UNH Engagement Team - UNH Participants
- Brian Dennis Gaon, UNH Information Security Officer
- Patrick Messer, Director of the UNH Research Computing Center
- Scott Valcourt, Director of UNH IT Strategic Technology
- Tucker Hurton, UNH Research Computing Center Security Officer
- Robert Anderson, Associate Director of the UNH Research Computing Center
- Grace Wilson Caudill, UNH Cyberinfrastructure Engineer
- Other Stakeholders - on-site visit:
- Jan Nisbet, UNH Senior Vice Provost for Research
- Stan Waddell, UNH CIO
- Rori Boyce, UNH Information Security Compliance Officer
- Tony Dumas, UNH Information Security Operations Engineer
- Shelby Descoteaux, UNH Information Security Operations Technician
- Louise Griffin, UNH Senior Director for Research & Sponsored Programs
- Paul DeMello, UNH Director of Program and Project Management
- Victor Sosa, UNH Director of Contracts and Export Controls
- Melissa McGee, UNH Compliance Officer
- Karyl Martin, USNH Associate General Counsel
- Theresa Ridgeway, UNH Research Computing Center Program Manager
- Allan Wright, UNH Manager Research Computing Center Software Development Group
- Software development group
- Thomas Baker, UNH Research Computing Center Systems Administrator
- Jennifer Sorrell, UNH Research Computing Center Business Manager
- Faculty Advisory Committee plus interested researchers