Monday, June 14, 2021

Trusted CI webinar: Investigating Secure Development In Practice: A Human-Centered Perspective Mon June 28th @1pm Eastern

University of Maryland's Michelle Mazurek, is presenting the talk,
Investigating Secure Development In Practice: A Human-Centered Perspective,
on Monday June 28th at 1pm (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.

Secure development is not just a technical problem: it’s a human and organizational problem as well. To understand the causes of insecurity, and find effective solutions, we must understand how and why security problems happen, and what barriers stand in the way of fixing them. How can we make it easier for developers to write secure code, even without special training? In this talk, I will report on findings from several recent studies addressing these questions. These include examining the effects of information resources and API design on developers' likelihood of writing secure code; using data from a secure programming contest to explore the kinds of security mistakes developers make; and exploring the benefits and barriers associated with adoption of a secure programming language.

Speaker Bio

Michelle Mazurek is an Associate Professor in the Computer Science Department and the Institute for Advanced Computer Studies at the University of Maryland, College Park, where she also directs the Maryland Cybersecurity Center. Her research aims to understand and improve the human elements of security- and privacy-related decision making. Recent projects include examining how and why developers make security and privacy mistakes; investigating the vulnerability-discovery process; evaluating the use of threat-modeling in large-scale organizations; and analyzing how users learn about and decide whether to adopt security advice. Her work has been recognized with an NSA Best Scientific Cybersecurity Paper award and three USENIX Security Distinguished Paper awards. She was Program Chair for the Symposium on Usable Privacy and Security (SOUPS) for 2019 and 2020 and is Program Chair for the Privacy Enhancing Technologies Symposium (PETS) for 2022 and 2023. 

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Thursday, June 10, 2021

Thank you and congratulations to Dana Brunson!

Dana Brunson joined Trusted CI in 2019 as a co-PI and was instrumental in developing and leading Trusted CI’s very successful Fellows program. Her proposal to create a Center of Excellence in workforce development was recently awarded. As a result, she is stepping away from Trusted CI to focus on her role as PI for the new Center of Excellence.

We wish Dana the best of luck with her new Center of Excellence and look forward to identifying opportunities to continue to collaborate.

Von

Trusted CI PI and Director


Wednesday, June 9, 2021

Trusted CI Materials as the Foundation for a University Course at the University of Wisconsin-Madison

Software security is important to the NSF community because it is critical to their support of science. For example, Trusted CI’s Community Benchmarking Survey consistently finds the overwhelming majority of NSF projects and Large Facilities develop software and also adopts both open source and commercial software, whose quality they assess as part of a cybersecurity risk management.  Trusted CI recognises the importance of this issue and has focused the TrustedCI 2021 Annual Challenge on software assurance.

Trusted CI has been developing training materials to teach secure software design and implementation. These materials have been used at conferences, workshops, and government agencies to train CI professionals in secure coding, design, and testing. More recently, they were used at the University of Wisconsin-Madison to develop a new course on software security.  The new course, CS542, Introduction to Software Security (http://www.cs.wisc.edu/~bart/cs542.html), is part of the computer science curriculum at the University of Wisconsin-Madison.  The teaching materials support a blended (flipped) model. Lectures are based on video modules and corresponding text chapters, and the classroom time was used for collaborative exercises and discussions. The videos and text are supplemented by hands-on exercises for each module delivered in virtual machines. The online nature of these materials proved themselves to be of even greater value during the remote learning situation caused by the COVID-19 pandemic.

This new course covers security throughout the various stages of the software development life cycle (SDLC), including secure design, secure coding, and testing and evaluation for security.

These teaching materials are freely available at
https://www.cs.wisc.edu/mist/SoftwareSecurityCourse.

Some of the comments from the students at the end of the last class of the Spring 2021 course, taken from the chat window, include:

“Thank you for such an enlightening course! I had a lot of fun!”
“Thank you for a very insightful and interesting course.”
“Thanks for the semester! This class was very interesting and manageable I appreciate it”
“Is this only taught in the Spring? I'd like to recommend the class to some of my CS friends.”
300 students have benefitted from this course at the University of Wisconsin-Madison.

Tuesday, June 1, 2021

Don't Miss Trusted CI at EDUCAUSE CPP Conference

Members of Trusted CI and partner projects will be presenting at the The 2021 EDUCAUSE Cybersecurity and Privacy Professionals Conference (formerly known as the Security Professionals Conference), to be held Tuesday June 8th - Thursday June 10th. The conference "will focus on restoring, evolving, and transforming cybersecurity and privacy in higher education."

Below is a list of presentations that include Trusted CI team members and partners:
 

Regulated Research Community Workshops

Tuesday, June 08 | 12:15p.m. - 12:35p.m. ET

  • Anurag Shankar - Senior Security Analyst, Indiana University
  • Erik Deumens - Director UF Research Computing, University of Florida
  • Carolyn Ellis - Program Manager, Purdue University
  • Jay Gallman - Security IT Analyst, Duke University
Supporting institutional regulated research comes with a wide range of challenges impacting units that haven't commonly worked together. Until recently, most institutions have looked internally to develop their regulated research programs. Since November 2020, 30 institutions have been gathering for six workshops to share their experience and challenges working establishing regulated research programs. This session will share the process involved in making these workshops successful and initial findings of this very specialized group.


Big Security on Small Budgets: Stories from Building a Fractional CISO Program

Thursday, June 10 | 2:00p.m. - 2:45p.m. ET

  • Susan Sons - Chief Security Analyst, Indiana University Bloomington

No one in cybersecurity has an infinite budget. However, those booting up cybersecurity programs in organizations whose leadership haven't fully bought in to the value of cybersecurity operations, bolting security on to an organization that has been operating without it for too long, or leading cybersecurity for a small or medium-sized institution often have even less to work with: smaller budgets, less training, fewer personnel, less of every resource. Meanwhile, the mandate can seem infinite. In this talk, Susan Sons, Deputy Director of ResearchSOC and architect of the fractional CISO programs at ResearchSOC, OmniSOC, and IU's Center for Applied Cybersecurity Research, discusses approaches to right-sizing cybersecurity programs and getting the most out of limited resources for small and medium-sized organizations. This talk covers strategies for prioritizing security needs, selecting controls, and using out-of-the-box approaches to reduce costs while ensuring the right things get done. Bring your note pad: we'll refer to a number of outside references and resources you can use as you continue your journey.


SecureMyResearch at Indiana University

Thursday, June 10 | 1:00p.m. - 1:20p.m. ET

  • William Drake - Senior Security Analyst, Indiana University
  • Anurag Shankar - Senior Security Analyst, Indiana University

Cybersecurity in academia has achieved significant success in securing the enterprise and the campus community at large through effective use of technology, governance, and education. It has not been as successful in securing the research mission, however, owing to the diversity of the research enterprise, and of the time and other constraints under which researchers must operate. In 2019, Indiana University began developing a new approach to research cybersecurity based on its long experience in securing biomedical research. This resulted in the launch of SecureMyResearch, a first-of-its-kind service to provide cybersecurity and compliance assistance to researchers and stakeholders who support research. It was created not only to be a commonly available resource on campus but also to act as a crucible to test new ideas that depart from or are beyond enterprise cybersecurity practice. Those include baking security into workflows, use case analysis, risk acceptance, researcher-focused messaging, etc. A year later, we have much to share that is encouraging, including use cases, results, metrics, challenges, and stories that are likely to be of interest to those who are beginning to tackle research cybersecurity. We also will be sharing information and advice on a method of communicating the need for cybersecurity to researchers that proved to be highly successful, and other fresh ideas to take home and leverage on your own campus.


Lessons from a Real-World Ransomware Attack on Research

Thursday, June 10 | 12:25p.m. - 12:45p.m. ET

  • Andrew Adams - Security Manager / CISO, Carnegie Mellon University
  • Von Welch - Director, CACR, Indiana University
  • Tom Siu - CISO, Michigan State University

In this talk, co-presented by the Michigan State University (MSU) Information Security Office and Trusted CI, the NSF Cybersecurity Center of Excellence, we will describe the impact and lessons learned from a real-world ransomware attack on MSU researchers in 2020, and what researchers and information security professionals can do to prevent and mitigate such attacks. Ransomware attackers have expanded their pool of potential victims beyond those with economically valuable data. In the context of higher ed, this insidious development means researchers, who used to be uninteresting to cybercriminals, are now targets. During the first part of the presentation, we will explain the MSU ransomware incident and how it hurt research. During the second part, we will elaborate on mitigation strategies and techniques that could protect current and future academic researchers. Finally, we will conclude with a question-and-answer session in which audience members are encouraged to ask Trusted CI staff about how to engage researchers on information security. Trusted CI has unique expertise in building trust with the research community and in framing the cybersecurity information for them. Trusted CI regularly engages with researchers, rarely security professionals, and has a track record of success in communicating with researchers about cybersecurity risks.


Until We Can't Get It Wrong: Using Security Exercises to Improve Incident Response

Wednesday, June 09 | 2:00p.m. - 2:20p.m. ET

  • Josh Drake - Senior Security Analyst, Indiana University Bloomington
  • Zalak Shah - Senior Security Analyst, Indiana University

Incident response can be challenging at the best of times, and when one is responding to a major incident, it is rarely the best of times. A rigorous program of security exercises is the best way to ensure than any organization is prepared to meet the challenges that may come. The best cybersecurity teams have learned not just to practice until they can get it right, but to practice until they can't get it wrong. They use a regular program of security exercises coupled with pastmortem analysis and follow-up to ensure that the whole team, and all of the technologists and organizational support they work with, get better at handling incidents over time. This session will teach you how to build a security exercise program from the ground up and use it to ensure that your incident response capabilities can be relied on no matter what happens.


Google Drive, the Unknown Unknowns

Wednesday, June 09 | 12:00p.m. - 12:45p.m. ET

  • Ishan Abhinit - Senior Security Analyst, Indiana University Bloomington
  • Mark Krenz - Chief Security Analyst, Indiana University

Every day countless thousands of students and staff around the world use cloud storage systems such as Google Drive to store their data. This data may be classified public, internal, and even confidential or restricted. Although Google Drive provides users with ways to control access to their data, my experiences have shown that users often aren't aware that they are exposing their data beyond their expected trust boundary. In this talk I will briefly introduce the audience to Google Drive, sharing some of my own experiences dealing with security concerns. Then I will provide an overview of the issues that academic and research institutions face when using it. I'll highlight the security threats to your data and how to deal with various situations, such as when someone leaves a project, when data is accidentally deleted, or when data is shared and you don't know it. In the second half of the presentation I'll provide the audience with some solutions to these security issues that are useful to a variety of institutions large and small as well as individual projects and people. Some of these solutions were developed by me and my team to solve our own issues, and so now I'll be sharing these solutions and tools with the community at large.


The full agenda, including the on-demand program, is available online.