Trusted CI Webinar: CIS Controls, August 22nd @11am EST

Trusted CI's Shane Filus and Mark Krenz will be giving a presentation on CIS Controls on Monday, August 22nd at 11am (Eastern).

Please register here.

The Trusted CI Information Security Office (ISO) team will be presenting a webinar on the CIS Controls. This will include background and information on the CIS controls, our recent experiences using the controls to assess Trusted CI’s own cybersecurity program and operations, and how that can be applied to your own project.

Topics include:

• Who Trusted CI is and why we have a cybersecurity program.
• Background on the CIS controls and what an assessment is.
• What led us to perform a CIS assessment. 
• Overview and discussion of our results. 
• Differences between control versions 7.1 and 8. 
• Discussion on methodology and tools that can be used in assessments.

Speaker Bios:

Shane Filus serves as a Senior Security Engineer at the Pittsburgh Supercomputer Center, and works with Trusted CI, XSEDE/ACCESS, and HuBMAP projects on all aspects of cybersecurity; from operations, to incident response, to policy, and everything in between.

Mark Krenz serves as Chief Security Analyst at Indiana University’s Center for Applied Cybersecurity Research. Mark’s focus is on cybersecurity operations, research and education. He has more than two decades of experience in system and network administration and has spent the last decade focused on cybersecurity. He serves as the CISO of the ResearchSOC and the Deputy CISO of Trusted CI.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Recommendations for reducing cybersecurity risk while working remotely

You're probably aware of the COVID-19 / coronavirus pandemic. As the pandemic continues to unfold, our research and security communities will be increasingly impacted.  Numerous conferences have been canceled, and it has already been made public that two people who attended the cybersecurity conference, RSA, tested positive for coronavirus. Many institutions are now recommending or even requiring students and employees to work from home. While you may already be prepared to deal with one or two staff members working remotely or being out sick, most organizations are unprepared for the majority of their staff suddenly being in these categories.  Thus, Trusted CI would like to share some critical risks that we think are relevant to this situation and provide recommendations for how to mitigate them over the coming weeks.  Here are some questions to help you consider these risks.

Do you have all the passwords you need?
As people switch to working from home or go on extended leave, they may take passwords with them that other staff do not have. Do they normally keep the superadmin password on a sticky note on their monitor and now can't access it? This is a good opportunity to quickly review who has access and that they will have the necessary credentials for working remotely. We recommend the use of password managers (such as KeePass, 1Password, LastPass, etc.) to keep passwords securely stored and readily accessible through online means.

How will backups be handled?
Backups may require physical presence to change disks or tapes, but may be difficult to manage remotely. Still, these backups are essential for being able to make a proper recovery from a security incident. You may first want to check with your institutional IT group to see if they have the ability to manage these backups for you to reduce the need to travel to work.

Is your regular office environment's physical space being monitored and access controlled?
Reduced staffing at your facility may increase the risk of unauthorized/unmonitored physical access to your systems and information. Locking doors is recommended and checking with your institutional security for their practices will help you understand what is being monitored and how unauthorized access is determined.  Consider letting your custodial staff know your plans as normal security procedures such as locking doors may lapse during crisis mode and become a problem. On the upside, the chances of tailgating happening in the next few weeks is near zero.

Are you leaving unpatched workstations running?
Some staff may need to leave desktop or workstation systems in an unattended office for a long period of time. If these systems are not running services required for normal operation, it is recommended that these systems be turned off to avoid them becoming a liability if a critical vulnerability is released while away. Upon returning to the office, you should enforce an immediate vulnerability scan on these systems and patch as necessary. Check with your local institutional IT staff to make sure this would not interfere with their operations as they may expect systems to be kept running to remotely backup and patch computers.

Do you have enough redundancy of staff?
Redundancy of staffing is always important, but with the coronavirus threat, there is an increased chance of redundant staff being affected as well, leading to lack of coverage. We recommend designating additional staff to be prepared to act in a maintenance or security role, if needed, as an additional redundancy.

Do you have a secure channel to communicate?
When direct interpersonal communications are no longer possible for sharing of sensitive  information, the need for having a secure online communication channel increases. We recommend that identifying a secure channel that can be used (for example, Signal, SMIME, PGP/GPG, or another one recommended by your institution) and testing this channel with your staff in advance of any need to use it.  This becomes especially important when you forgot to share an important password with other staff and have no way of securely communicating it.

Will you be able to meet without your normal teleconferencing?
Demand for videoconferencing is expected to be at an unprecedented high as online classes and meetings begin to utilize it. It is possible that your normal video conferencing meetings will be disrupted or unavailable for a period of time. It is recommended that you identify an auxiliary method of holding such meetings. Also, if you are not doing so already, set a password on your teleconferencing meetings if possible and test that it works to prevent unauthorized access.

Can you perform all the steps in an incident response remotely?
Now would be a good time to review your security incident response plan to ensure that all the steps can be performed remotely, and if not, come up with an alternative approach.

Do you have enough VPN licenses?
One common method of providing remote access for employees is through a virtual private network (VPN).  However, the increased remote activity could mean a shortage of VPN licenses, so now would be a good time to check the number of available licenses and ensure that it matches with the expected load over the next few weeks.

Is there a bastion host you can use for remote access?
Those who use SSH, RDP or similar for accessing servers remotely may want to consider the use of a bastion host to provide a control point. This is a safer alternative than opening up direct remote access ports on internal systems. However, rather than rushing to set up a new bastion server, instead look for an existing one that has been provided by your institutional IT or ask for their recommendations.

Do you have a secure working space at home?
For many, the next couple weeks may mean sharing your working space with family who are also working or attending school remotely. It's important to consider the potential for sensitive information in meetings to be overheard across meetings happening simultaneously. If you haven't already, it would be a good idea to find or setup an isolated space in your home for holding such meetings.

Be aware of new phishing tactics and scams.
There have been reports that attackers are taking advantage of the fear and demand for information about COVID-19 to spread malware. One such attack is the "Coronavirus map", which "had weaponized coronavirus map applications in order to steal credentials such as user names, passwords, credit card numbers and other sensitive information that is stored in the users’ browser".

There are also additional resources that we've found online for raising your awareness about cybersecurity issues during the coronavirus threat that we're including in the list below:

• The World Health Organization's cybersecurity advice
• REN-ISAC: Maintaining IT Services During a Health Incident
• Coronavirus and the Cybersecurity Threat Landscape
• EDUCAUSE's COVID-19 resources page
• CDC's recommended steps to prevent illness

An Open Science Cybersecurity Program Framework

In 2014, Trusted CI published a “Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects,” also known simply as “the Guide”. Since its creation, Trusted CI has received tremendous community feedback attesting to its usefulness, including half of the respondents in the most recent Community Survey adopting it as a form of guidance for shaping their cybersecurity programs. As we observed the open science community’s interaction with the original document, it became apparent that improvements and revisions could make it more maintainable and thus more readily kept up-to-date, more applicable to a wider range of science projects, and more approachable to scientists and PIs, all without losing any of its technical value.

Based on our experience interacting with engagements, lively training sessions, the Summit, and the benchmarking survey, we knew we needed to spell out the basic realities of building a cyber program in a way that addressed the variability we’ve observed in the community. During a substantial revision of the training on the Guide for PEARC’18, it became clear that what was needed was not just a guide, but a framework for establishing and maintaining an open science cybersecurity program at any project scale and stage in a project’s lifecycle. Such a framework would be useful even for projects having significant compliance requirements (e.g., FISMA, HIPAA, NIST SP 800-171) in that it provides a starting point for evolving a cybersecurity program rather than hundreds of pages dense with unprioritized requirements. Work on revising the Guide into a framework and addressing the above goals began in earnest earlier this year and builds on efforts assisting NSF in drafting a cybersecurity section for the Large Facilities Manual. The current schedule calls for a first draft to be available in November 2018, and version 0.9 to be available in January 2019, with the publication of version 1.0 in March 2019. An additional blog posting and announcement will be made at those milestones and community feedback is strongly encouraged. We need your feedback to help us get this right!

Preview of the Framework

Trusted CI’s framework is built around four pillars: Mission Alignment, Governance, Resources, and Controls. Like the pillars supporting any structure, all are vital and required for an efficient and effective cybersecurity program.

Mission Alignment:

Cybersecurity programs ultimately exist to improve productivity by protecting the interests of the project’s mission. The program must center on appropriate protection for the information assets vital to the project’s mission. The information assets that are critical will change over a project’s life cycle, so the accuracy of the information asset inventory is a basic requirement. To simplify understanding the protection requirements of the information assets, an information classification scheme allows for conceptually grouping assets by the kind of protection required. External requirements may also play a role in the level and type of protection.

Governance:

Cybersecurity is not just the responsibility of a few but involves project leadership, administrators responsible for information assets, project personnel, and external users. Policies must clearly define the roles and responsibilities for all these contributors to the cybersecurity program. Additional policies are required to address a range of issues from appropriate use to incident handling. Periodic evaluation of the cybersecurity program is necessary to validate that the allocation of resources to controls is effective and efficient for the appropriate protection of project information resources.

Resources:

People, budgets, tools, and services are all required to operate a cybersecurity program. Finding and retaining people with cybersecurity expertise can be challenging. In addition to technical skills, important traits include the abilities to teach, communicate, and negotiate. Smaller, stand-alone projects without a supporting infrastructure typically spend a higher percentage of the IT budget on cybersecurity due to economies of scale. The actual money might be in a separate cybersecurity budget, but often it is part of some other organizational budget (e.g., the IT budget). Tools and third-party services can help fill gaps in the program but have to be used with care since they can easily place additional strain on both the budget and the need for experienced personnel to effectively use them.

Controls:

Controls are the safeguards and countermeasures to ensure the appropriate protection of an information asset according to the asset’s information classification. Control selection and implementation are ongoing processes in any cybersecurity program due to technical or organizational changes and the dynamic nature of threats and vulnerabilities. The Center for Information Security (CIS) Controls are widely regarded as an authoritative, reasonable, and prioritized. The first six of these controls are the basic, minimal set that each project must either provide or ensure are provided by a supporting infrastructure. Additional controls enhance the protection for mission-critical systems and data, and systems or data requiring specialized controls (e.g., SCADA systems, software repositories, critical or high-speed scientific data flows).