Showing posts with label incident response. Show all posts

Friday, August 6, 2021

Michigan State University and Trusted CI Collaborate to Raise Awareness of Cybersecurity Threats to the Research Community

Ransomware is a form of cybercrime that the U.S. Department of Justice has elevated to the same level of concern as terrorism. The United States suffered more than 65,000 ransomware attacks last year and victims paid $350 million in ransom, with an unknown amount of collateral cost from lost productivity. Historically, research organizations have been largely ignored by cybercriminals because they do not typically hold data that is easily sold or otherwise monetized. Unfortunately, since ransomware works by extorting payment from victims to get their own data back, the resale value of the data no longer matters, and research organizations are no longer immune from being targeted.

An event of this nature occurred in the Physics and Astronomy department at Michigan State University (MSU), which experienced a ransomware attack in May 2020. While many organizations attempt to keep the public from finding out about cyberattacks for fear of loss of reputation or follow-up attacks, MSU has decided to make elements and factors of its attack public in the interests of transparency, to encourage disclosure of similar types of attacks, and perhaps more importantly, to educate the open-science community about the threat of ransomware and other destructive types of cyberattacks. The overarching goal is to raise awareness about rising cybersecurity threats to higher education in hopes of driving safe cyberinfrastructure practices across university communities.

To achieve this, the CIO’s office at MSU engaged with Trusted CI, the NSF Cybersecurity Center of Excellence, in a collaborative review and analysis of the ransomware attack suffered by MSU last year. The culmination of the engagement, based on interviews with those involved in the incident, is the report “Research at Risk: Ransomware attack on Physics and Astronomy Case Study,” which focuses on lessons learned during the analysis. The report contains mitigation strategies that other researchers and their colleagues can apply to protect themselves. In the experience of Trusted CI, there was nothing extraordinary about the issues that led to this incident; we share these lessons with the goal of motivating other organizations to prevent similar impacts to their research mission.

The engagement ran from January 2021 to July 2021.


Tuesday, June 1, 2021

Don't Miss Trusted CI at EDUCAUSE CPP Conference

Members of Trusted CI and partner projects will be presenting at the 2021 EDUCAUSE Cybersecurity and Privacy Professionals Conference (formerly known as the Security Professionals Conference), to be held Tuesday June 8th - Thursday June 10th. The conference "will focus on restoring, evolving, and transforming cybersecurity and privacy in higher education."

Below is a list of presentations that include Trusted CI team members and partners:

Regulated Research Community Workshops

Tuesday, June 08 | 12:15p.m. - 12:35p.m. ET

  • Anurag Shankar - Senior Security Analyst, Indiana University
  • Erik Deumens - Director UF Research Computing, University of Florida
  • Carolyn Ellis - Program Manager, Purdue University
  • Jay Gallman - Security IT Analyst, Duke University
Supporting institutional regulated research comes with a wide range of challenges impacting units that haven't commonly worked together. Until recently, most institutions have looked internally to develop their regulated research programs. Since November 2020, 30 institutions have been gathering for six workshops to share their experiences and challenges in establishing regulated research programs. This session will share the process involved in making these workshops successful and the initial findings of this very specialized group.


Big Security on Small Budgets: Stories from Building a Fractional CISO Program

Thursday, June 10 | 2:00p.m. - 2:45p.m. ET

  • Susan Sons - Chief Security Analyst, Indiana University Bloomington

No one in cybersecurity has an infinite budget. However, those booting up cybersecurity programs in organizations whose leadership hasn't fully bought in to the value of cybersecurity operations, bolting security on to an organization that has been operating without it for too long, or leading cybersecurity for a small or medium-sized institution often have even less to work with: smaller budgets, less training, fewer personnel, less of every resource. Meanwhile, the mandate can seem infinite. In this talk, Susan Sons, Deputy Director of ResearchSOC and architect of the fractional CISO programs at ResearchSOC, OmniSOC, and IU's Center for Applied Cybersecurity Research, discusses approaches to right-sizing cybersecurity programs and getting the most out of limited resources for small and medium-sized organizations. This talk covers strategies for prioritizing security needs, selecting controls, and using out-of-the-box approaches to reduce costs while ensuring the right things get done. Bring your notepad: we'll refer to a number of outside references and resources you can use as you continue your journey.


SecureMyResearch at Indiana University

Thursday, June 10 | 1:00p.m. - 1:20p.m. ET

  • William Drake - Senior Security Analyst, Indiana University
  • Anurag Shankar - Senior Security Analyst, Indiana University

Cybersecurity in academia has achieved significant success in securing the enterprise and the campus community at large through effective use of technology, governance, and education. It has not been as successful in securing the research mission, however, owing to the diversity of the research enterprise, and of the time and other constraints under which researchers must operate. In 2019, Indiana University began developing a new approach to research cybersecurity based on its long experience in securing biomedical research. This resulted in the launch of SecureMyResearch, a first-of-its-kind service to provide cybersecurity and compliance assistance to researchers and stakeholders who support research. It was created not only to be a commonly available resource on campus but also to act as a crucible to test new ideas that depart from or are beyond enterprise cybersecurity practice. Those include baking security into workflows, use case analysis, risk acceptance, researcher-focused messaging, etc. A year later, we have much to share that is encouraging, including use cases, results, metrics, challenges, and stories that are likely to be of interest to those who are beginning to tackle research cybersecurity. We also will be sharing information and advice on a method of communicating the need for cybersecurity to researchers that proved to be highly successful, and other fresh ideas to take home and leverage on your own campus.


Lessons from a Real-World Ransomware Attack on Research

Thursday, June 10 | 12:25p.m. - 12:45p.m. ET

  • Andrew Adams - Security Manager / CISO, Carnegie Mellon University
  • Von Welch - Director, CACR, Indiana University
  • Tom Siu - CISO, Michigan State University

In this talk, co-presented by the Michigan State University (MSU) Information Security Office and Trusted CI, the NSF Cybersecurity Center of Excellence, we will describe the impact and lessons learned from a real-world ransomware attack on MSU researchers in 2020, and what researchers and information security professionals can do to prevent and mitigate such attacks. Ransomware attackers have expanded their pool of potential victims beyond those with economically valuable data. In the context of higher ed, this insidious development means researchers, who used to be uninteresting to cybercriminals, are now targets. During the first part of the presentation, we will explain the MSU ransomware incident and how it hurt research. During the second part, we will elaborate on mitigation strategies and techniques that could protect current and future academic researchers. Finally, we will conclude with a question-and-answer session in which audience members are encouraged to ask Trusted CI staff about how to engage researchers on information security. Trusted CI has unique expertise in building trust with the research community and in framing the cybersecurity information for them. Trusted CI regularly engages with researchers, rarely security professionals, and has a track record of success in communicating with researchers about cybersecurity risks.


Until We Can't Get It Wrong: Using Security Exercises to Improve Incident Response

Wednesday, June 09 | 2:00p.m. - 2:20p.m. ET

  • Josh Drake - Senior Security Analyst, Indiana University Bloomington
  • Zalak Shah - Senior Security Analyst, Indiana University

Incident response can be challenging at the best of times, and when one is responding to a major incident, it is rarely the best of times. A rigorous program of security exercises is the best way to ensure that any organization is prepared to meet the challenges that may come. The best cybersecurity teams have learned not just to practice until they can get it right, but to practice until they can't get it wrong. They use a regular program of security exercises coupled with postmortem analysis and follow-up to ensure that the whole team, and all of the technologists and organizational support they work with, get better at handling incidents over time. This session will teach you how to build a security exercise program from the ground up and use it to ensure that your incident response capabilities can be relied on no matter what happens.


Google Drive, the Unknown Unknowns

Wednesday, June 09 | 12:00p.m. - 12:45p.m. ET

  • Ishan Abhinit - Senior Security Analyst, Indiana University Bloomington
  • Mark Krenz - Chief Security Analyst, Indiana University

Every day countless thousands of students and staff around the world use cloud storage systems such as Google Drive to store their data. This data may be classified public, internal, and even confidential or restricted. Although Google Drive provides users with ways to control access to their data, my experiences have shown that users often aren't aware that they are exposing their data beyond their expected trust boundary. In this talk I will briefly introduce the audience to Google Drive, sharing some of my own experiences dealing with security concerns. Then I will provide an overview of the issues that academic and research institutions face when using it. I'll highlight the security threats to your data and how to deal with various situations, such as when someone leaves a project, when data is accidentally deleted, or when data is shared and you don't know it. In the second half of the presentation I'll provide the audience with some solutions to these security issues that are useful to a variety of institutions large and small as well as individual projects and people. Some of these solutions were developed by me and my team to solve our own issues, and so now I'll be sharing these solutions and tools with the community at large.


The full agenda, including the on-demand program, is available online.

Wednesday, April 7, 2021

Michigan State University Engages with Trusted CI to Raise Awareness of Cybersecurity Threats in the Research Community

Cybersecurity exploits are on the rise across university communities, costing valuable resources and causing loss of productivity, research data, and personally identifiable information. A DXC report estimated that an average ransomware attack takes critical systems down for 16 days, and predicted that the overall worldwide cost of ransomware in 2020 would reach $170 billion. The additional reputational impact of a cyberattack, although hard to measure, regularly weighs on the minds of scientists and researchers.

An event of this nature occurred at Michigan State University (MSU), which experienced a ransomware attack in May 2020. While many organizations attempt to keep the public from finding out about cyberattacks for fear of loss of reputation or follow-up attacks, MSU has decided to make elements of its attack public in the interests of transparency, to encourage disclosure of similar types of attacks, and perhaps more importantly, to educate the open-science community about the threat of ransomware and other destructive types of cyberattacks. The overarching goal is to raise awareness about rising cybersecurity threats to higher education in hopes of driving safe cyberinfrastructure practices across university communities.

To achieve this, the CIO’s office at MSU has engaged with Trusted CI, the NSF Cybersecurity Center of Excellence, in a collaborative review and analysis of the ransomware attack suffered by MSU last year. The culmination of the engagement will be a report focusing on lessons learned during the analysis; these ‘Lessons Learned’ will then be disseminated to the research community. We expect the published report to be a clear guide for researchers, and for the security professionals who work with them, to help identify, manage, and mitigate the risk of ransomware and other types of attacks.

Monday, October 9, 2017

CCoE Webinar Oct. 23rd 11am ET: Incident Response in an Open and Decentralized Network

Berkeley Lab's Aashish Sharma is presenting the talk "Incident Response in an Open and Decentralized Network" on October 23rd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.

This talk presents various aspects and challenges of monitoring and securing a large research network while keeping it open and usable. We focus on issues faced due to the following attributes:
  1. decentralization
  2. high speed
  3. BYOD policy
  4. openness
We further provide insights into our detection and incident response process using some real-world examples, and show how the above attributes influence this process.

More information about this presentation is on the event page.
Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, June 28, 2017

CTSC Staff Present One-Day Training at GPN-GWLA All Hands Meeting

On June 2nd, CTSC’s Warren Raquel and Mark Krenz presented a one-day training workshop at the Great Plains Network & Greater Western Library Alliance annual All Hands Meeting in Kansas City. The training was a two-part presentation on Computer Incident Response and Security Log Analysis. The training was at the request of GPN, and we welcome such invitations in the future.

Warren began the training with a presentation on Computer Incident Response. He walked the attendees through the steps to take when preparing for a security incident, how to detect and analyze the incident, and finally how to contain, eradicate, and recover machines and data. He ended the presentation by applying these steps to four different case studies of real security incidents. Warren said the case studies really helped reinforce the main points he wanted the attendees to learn and apply to their IR programs.

Mark presented the afternoon session on Security Log Analysis. He began with the security log analysis life cycle (collection, event management, analysis, and response) and provided examples of real attacks using Bro logs, Apache, Postfix, and more. The presentation gave the attendees ideas on how to improve their security, real command-line examples to apply at their organizations, and new methods to connect events across logs. Mark said the open Q&A format of the presentation was very rewarding. In one example, the group discussed their shared frustrations with a well known WordPress plugin vulnerability that allows the file system to be “walked” (a directory traversal: a request path containing ../ sequences escapes the directory the plugin intended to serve from). Mark then demonstrated a command (shown below) that could be used to detect these attempts to walk the filesystem in Bro and Apache logs.

grep -E "wp-admin.*\.\./.*\" 200 " access_log


While in Kansas City, Mark also had a chance to meet up with followers of his Command Line Magic (@climagic) Twitter account.

Mark’s and Warren’s presentations, as well as many more training materials, can be found on CTSC’s website. To contact us about presenting a training at your event, submit a request to our contact form.

About the GPN & GWLA

The GPN is a non-profit consortium of networks in the Midwest and Great Plains for the purpose of collaboration, cyberinfrastructure, and research. The GWLA is a non-profit consortium of libraries across the central and western US for the purpose of sharing technologies and programs related to scholarly communication and information sciences.

Thursday, April 6, 2017

CTSC Training at GPN/GWLA Annual Meeting

The Great Plains Network and the Greater Western Library Alliance Annual Meeting will be held in Kansas City on May 31st through June 2nd. CTSC will be providing an Incident Response and Log Analysis workshop during the conference. For more information on the conference please refer to the link below. Details for the workshop are on the Schedule page.

http://conferences.k-state.edu/gpn-gwla/

Thursday, March 31, 2016

Being Ready for Zero-Days, a Badlock Example

Being ready for the eventuality of zero-days is something all organizations should integrate into their security plans. This means knowing your environment and knowing how to respond quickly to critical threats. Let's take the latest 'Badlock' announcement as an example.

Last week SerNet issued a notification of a potentially critical bug that is present in Windows and Samba. They have named the vulnerability the Badlock bug. Their notification stated that patches for this issue would be released on April 12th. If a critical issue does exist, the long lead time before patch availability gives malicious actors time to identify the bug and exploit it before patches are available. We currently have no information as to the actual severity of this issue; however, you should use this time to perform the following actions:

  • Identify all existing CIFS/Samba servers on your network.
  • Review firewall rules and processes for issuing rule changes.
  • Ensure that your monitoring tools are updated and working as expected.
  • Review your patching procedures and plan for the possibility of emergency patching on April 12th.

Identify all existing CIFS/Samba servers on your network.

It's important to be aware of all existing services on your network in order to properly address new vulnerabilities that threaten your infrastructure. Even when admins self-report the services their systems provide, they may not realize that a service such as SMB was enabled automatically, so verify from the network side as well. To identify CIFS/Samba servers on your network you can use a number of different methods:

  • Port scan your address space using tools like nmap or masscan.
  • Check network flows for connections to local hosts on port 445 using tools like Bro or NetFlow collectors like nfsen or argus.
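The flow-based approach from the list above, as an added example that is not part of the original post: the script below parses a Bro conn.log (tab-separated, column names taken from its #fields header, so it works on whatever columns your installation logs), keeps TCP connections to port 445 (and 139, the legacy NetBIOS session port that SMB also listens on) whose conn_state shows the handshake completed, and reports every local responder as a live SMB server. A host that only produced S0 (no reply) or REJ (connection refused) is not listening and is dropped. It also records any server that accepted a connection from a non-local client, which is exactly the exposed-to-the-Internet case the firewall review below is meant to catch. The conn.log content is constructed and abbreviated for the example, and the 10.0.0.0/8 local range is an assumption to adjust for your site.

```python
import ipaddress

# Bro conn.log columns used here (a real log has more; the parser is
# header-driven so extra columns are carried along untouched).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]


def _row(*cols):
    return "\t".join(cols)


# Constructed, abbreviated conn.log (not captured traffic).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    "#fields\t" + "\t".join(FIELDS),
    _row("1459440000.10", "C1", "10.0.5.20", "51000", "10.0.1.10", "445", "tcp", "-", "0.52", "310", "1200", "SF"),
    _row("1459440001.20", "C2", "10.0.5.21", "51001", "10.0.1.10", "445", "tcp", "-", "12.1", "900", "4000", "S1"),
    _row("1459440002.30", "C3", "10.0.5.20", "51002", "10.0.1.11", "139", "tcp", "-", "0.40", "200", "800", "SF"),
    _row("1459440003.40", "C4", "10.0.5.22", "51003", "10.0.1.12", "445", "tcp", "-", "-", "0", "0", "S0"),
    _row("1459440004.50", "C5", "10.0.5.22", "51004", "10.0.1.13", "445", "tcp", "-", "0.01", "0", "0", "REJ"),
    _row("1459440005.60", "C6", "10.0.5.20", "51005", "192.0.2.50", "445", "tcp", "-", "0.90", "400", "1500", "SF"),
    _row("1459440006.70", "C7", "203.0.113.9", "40000", "10.0.1.14", "445", "tcp", "-", "3.30", "1200", "9800", "SF"),
    _row("1459440007.80", "C8", "10.0.5.20", "51006", "10.0.1.10", "80", "tcp", "http", "0.20", "300", "5000", "SF"),
])

SMB_PORTS = {445, 139}
# Bro conn_state values meaning the TCP handshake completed (a listener answered).
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}
# Assumed local address space; replace with your own prefixes.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record before #fields header")
        yield dict(zip(fields, line.split("\t")))


def is_local(ip, local_nets=LOCAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in local_nets)


def find_smb_servers(text, local_nets=LOCAL_NETS):
    """Map each local host that accepted an SMB/NetBIOS connection to the
    ports seen, the connection count, and any non-local client addresses."""
    servers = {}
    for rec in parse_conn_log(text):
        if rec["proto"] != "tcp":
            continue
        port = int(rec["id.resp_p"])
        if port not in SMB_PORTS or rec["conn_state"] not in ESTABLISHED:
            continue
        resp = rec["id.resp_h"]
        if not is_local(resp, local_nets):
            continue  # outbound SMB to someone else's server; not our inventory
        entry = servers.setdefault(resp, {"ports": set(), "conns": 0, "external_clients": set()})
        entry["ports"].add(port)
        entry["conns"] += 1
        if not is_local(rec["id.orig_h"], local_nets):
            entry["external_clients"].add(rec["id.orig_h"])
    return servers


if __name__ == "__main__":
    for host, info in sorted(find_smb_servers(SAMPLE_CONN_LOG).items()):
        exposed = " EXPOSED to " + ",".join(sorted(info["external_clients"])) if info["external_clients"] else ""
        print(f'{host} ports={sorted(info["ports"])} conns={info["conns"]}{exposed}')
```

Feed it your own conn.log with `find_smb_servers(open("conn.log").read())`; the result is the host list to reconcile against what admins reported and against the nmap/masscan scan, and the external_clients column is the short list to take to the firewall review.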

Review firewall rules and processes for issuing rule changes.

If you are using firewall rules either at your network border or directly on the host, you should make sure they are configured correctly and that you know the process to enable new rules, both technically and procedurally. Limiting network access can also be accomplished by using private address space that is not reachable from outside your local network. If you have services exposed to the public internet that should not be publicly accessible, consider moving them to such internal private networks.

Ensure that your monitoring tools are updated and working as expected.

Proper monitoring of your environment will help you identify services on your network and anomalous activity such as attacks against your network or individual systems. Tools like Bro can help identify services on your network that you may not have been aware of. Bro and other tools like Snort/Suricata can help identify active threats against your network and can even help actively respond to such attacks. As potential threats like Badlock materialize, ensure that you know how to update your monitoring tools to identify these specific attacks.

Review your patching procedures and plan for the possibility of emergency patching on April 12th.

SerNet is suggesting that immediate patching will be needed to address this vulnerability when the fix is released, hence the pre-release announcement. It's possible this is a non-event; in any event, you should be prepared should the need arise to mitigate this issue. This means blocking and/or monitoring network traffic and on-host activity for vulnerable hosts, and patching affected systems. If you manage these systems, you should plan for emergency patching on April 12th and for what that may entail, including downtime of services, affected users, software compatibility, and reconfiguration of monitoring policies.

Regardless of Badlock or the next named vulnerability down the road, these steps should always be considered in order to proactively address potential threats against your infrastructure. You need to know your environment, understand your internal procedures for mitigation methods, keep your monitoring up-to-date, and have a plan for system patching.

Tuesday, August 25, 2015

Nice incident response case study by U. Michigan

The University of Michigan has published a nice case study on an incident with their social media early this month. Publishing case studies such as this is a good way to disseminate our experiences and learn from each other.

(Image credit: http://socialmedia.umich.edu/blog/hacked/)