Training Sessions *August 16* 2016 NSF Cybersecurity Summit
Tuesday, August 16 will feature a full day of training, available to all registrants. All but the Log Analysis Training with CTSC and Bro and Federated Identity Management for Research Organizations are half-day offerings. Seating may fill for some or all sessions, and pre-event registration for individual sessions is required to reserve a seat. Please register by August 11 to guarantee seating and help us make final preparations. Direct inquiries to Amy Starzynski Coddens (astarzyn@indiana.edu).
Concurrent Morning Sessions
Log Analysis Training with CTSC and Bro (Full Day)
Instructors: Vlad Grigorescu, Warren Raquel, Adam Slagell, Jeannette Dopheide (NCSA)
CTSC is partnering with members of the Bro Project to present a full-day training on log analysis for operations security, providing a detailed walkthrough of the log analysis life cycle with interactive demonstrations using the Bro network analysis software. The training will be applicable to those just starting or those expanding their security logging and monitoring infrastructure. No prior experience with Bro is required. The training will teach lessons that can be generalized to other kinds of system and network logs, whether or not a site is using or plans to use the Bro software.
The goal of security log analysis is to more efficiently leverage log collection in order to identify threats and anomalies in their cyberinfrastructure. This training will help attendees tie various log and data sources together to provide a more rounded, coherent picture of a potential security event. It will also help attendees understand log analysis as a life cycle that continues to become more efficient over time.
The training will cover the four phases of the log analysis life cycle: Monitoring, Event Management, Analysis, and Response. It will demonstrate how proper management of these four phases contributes to a security team's effectiveness. Interactive demonstrations will cover both automated and manual analysis using multiple log sources (network protocols, files, software, intel, etc.), with examples from real security incidents. Lastly, the training will cover how to use lessons learned during each cycle to tune the monitoring and analysis workflow to improve an organization's operational security footing over time.
Federated Identity Management for Research Organizations (Full Day)
Instructors: Jim Basney (NCSA and University of Illinois / CTSC) and Scott Koranda (Spherical Cow Group / CTSC)
Research Organizations and Collaborations, and especially virtual organizations (VOs), come together to solve complex problems leveraging people and resources from multiple institutions, often spanning the world. Expert in their respective domains, VOs rarely have expertise in the identity management aspects of collaboration. Regardless of VO size, properly designed identity management processes and technologies can help facilitate VO research by providing access to collaboration tools and services quickly, and removing that access when it should no longer be granted.
This full-day tutorial will provide an overview of the issues in identity management facing and solutions available to VOs, in order to help them more easily manage access to their resources.
Topics covered will include:
- Understanding the identity management process needs of VOs of any size
- Leveraging Federated and Social Identity to authenticate VO participants
- Understanding the complexities of international federation and collaboration
- Passwords, Certificates, SSH Keys, and other authentication technologies: what works where?
- Participant lifecycle management using open source identity management solutions, including COmanage, Grouper, and Shibboleth
- Application Integration and Provisioning, from the shell to the web to the cloud: how to make apps work with identity management infrastructure
Interactive demonstrations will be used to provide tangible insight into the capabilities of various solutions.
REN-ISAC Cyberthreat Training (30 Minute Introduction to Developing Cybersecurity Programs for NSF Projects)
Instructors: Kim Milford and Todd Herring (REN-ISAC)
Cyber-attacks can be extremely damaging for research organizations. Damages - and costs - include stolen funds, damaged systems, the cost of time while out of service or time to recover, regulatory fines, legal damages, financial compensation for injured parties, loss of business partner trust, and loss of integrity due to compromised digital assets. Being resilient to cyber-risks starts with knowing about the risks to research and academic organizations:
- What are the biggest threats?
- What assets are at greatest risk?
- What are the tactics, techniques and practices (TTPs) used by your adversaries?
- What are the possible scenarios for attack? and
- What is the potential impact to your research?
Insight into cyber-threats allows organizations to develop appropriate risk management and reduce risk exposure through well-balanced cyber-defense Although it's never possible for any organization to be 100% secure, it is entirely possible to use a mix of processes for prevention, detection, and response to keep cyber-risk below an appropriate level and enable an organization to operate with less disruption.
Developing Cybersecurity Programs for NSF Projects
Instructors: Bob Cowles, Craig Jackson, Jim Marsteller, Susan Sons (CTSC)
This instructional session will be based on a cybersecurity planning guide (see trustedci.org/guide) developed with input from the Daniel K. Inouye Solar Telescope (DKIST) project, and in use at a number of NSF facilities and projects. The Guide was developed to address the information security requirements outlined in NSF cooperative agreements, and provide solid guidance, tools, and resources. This session will be appropriate both for attendees of last year's training of the same name, as well as newcomers. Though there will be a good deal of overlap, we will be updating our presentation, and supporting opportunities to explore areas in greater depth based on participants' needs. Some of the topics that will be covered include:
- Building or Improving an Information Security Program
- Unique and Critical Science Requirements, Constraints, and Security Controls
- Information Security Policies and Procedures
- The Role of Project Leadership and Risk Acceptance
- Establishing a Risk Management Approach to Information Security
- Defining, Identifying, and Classifying Information Assets
- The Role of Risk Assessments within the Program Lifecycle
- Baseline Controls and Best Practices
- Topical Information Security Considerations: Third-Party Relationships, Asset Management, Access Control, Physical Security, Monitoring, Logging, and Retention
- Program Assessment and Evaluation
While this session will be instructional in nature, it is also intended to be an interactive session to seek constructive feedback from attendees to further improve the guide. There will be significant opportunities for discussion and Q&A.
Building a NIST Risk Management Framework for HIPAA and FISMA Compliance
Instructor: Anurag Shankar (Indiana University)
Every federal agency and its subcontractors are required by law to comply with the Federal Information Security Management Act (FISMA). With cyberattacks and cybercrime now an increasingly integral and permanent part of the cyber landscape, funding agencies are beginning to require FISMA compliance from their R&D subcontractors such as large facilities. In other cases, protected health information (PHI) subject to the federal Health Insurance Portability and Accountability Act (HIPAA) is beginning to leak into organizations that handle for instance emerging areas such as genomics, big data and analytics. In both cases, the most formidable challenge when facing regulatory compliance for the first time is a complete lack of bearing. Often, peers cannot be easily found and a lonely and steep learning curve must be scaled. A common reaction in such cases is to reply on technical controls alone such as firewalls, etc. with the mistaken assumption that they will keep the bad actors out. Not carefully considering the effectiveness of controls in mitigating risk results in both inadequate security as well as misdirected effort.
FISMA requires the adoption of cybersecurity guidelines developed by the National Institute of Standards and Technology (NIST). NIST provides a comprehensive and flexible risk management framework that can be customized to fit any organization or environment, irrespective of FISMA. NIST also provides an all-inclusive catalog of practically every conceivable security control to choose from. The NIST guidelines are also considered as a cybersecurity standard today and adopted by a wide variety of organization within and outside the government. They allow one to comply not only with FISMA but with other rules and regulations such as HIPAA. This workshop will familiarize the participant with both HIPAA and FISMA and provide guidance on how to build and deploy a NIST based risk management framework to both handle compliance and to gain a deeper understanding of cybersecurity and how to manage it.
Topics Covered:
- HIPAA and FISMA Regulations: An introduction to the regulations, common misperceptions, where and how they apply.
- The NIST Risk Management Framework. A dive into risk management and security controls covered by NIST special publications 800-30 and 800-53.
- Building Your Own Risk Management Framework. Scoping, planning, controls, initial risk assessment, risk mitigation, documentation, ongoing risk management, reviews and training.
Secure Coding Practices and Automated Assessment Tools
Instructors: Prof. Barton P. Miller and Prof. Elisa Heymann (University of Wisconsin / CTSC)
This tutorial is relevant to anyone wanting to learn about minimizing security flaws in the software they develop or manage. We share our experiences gained from performing vulnerability assessments of critical middleware. You will learn skills critical for software developers and analysts concerned with security.
Software assurance tools - tools that scan the source or binary code of a program to find weaknesses - are the first line of defense in assessing the security of a software project. These tools can catch flaws in a program that can affect both the correctness and safety of the code. This tutorial is also relevant to anyone wanting to learn how to use these automated assessment tools to minimize security flaws in the software they develop or manage.
This tutorial starts by presenting basic concepts related to threats, weaknesses and vulnerabilities. We will also show how to think like an attacker. Then we will present coding practices that lead to vulnerabilities, with examples of how they commonly arise, techniques to prevent them, and exercises to reinforce your skills in avoiding them. Examples come from a wide variety of languages, including Java, C, C++, C#, Perl, Pythos, and Ruby, and come from real code belonging to Cloud and Grid systems we have assessed. The new addition to the tutorial covers software assurance tools work, so that the student can understand the capabilities and limitations of such tools. We then focus on a selection of both commercial and open source tools for C/C++ and Java, and demonstrate how to apply them to sample programs with known flaws.
Concurrent Afternoon Sessions
Log Analysis Training with CTSC and Bro (continued)
See full description above.
Federated Identity Management for Research Organizations (continued)
See full description above.
Securing Legacy Industrial Control Systems
Instructor: Phil Salkie (Jenariah Industrial Automation)
Scientific and technical facilities worldwide incorporate Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems into their mix of technologies - often without the knowledge or support of the on-side IT department. These systems can include decades-old designs, contain firmware which is not (or cannot) be updated or patched, and can have long lists of known vulnerabilities - yet they continue to be placed into network environments throughout the world. This breakout session will explore a range of devices and techniques which are available to IT departments and network engineers to isolate, monitor, and protect these often mission-critical Industrial Control System (ICS) networks without replacing older devices nor obtaining access from vendors to proprietary controller software.
Building the Modern Research Data Portal Using the Globus Platform
Instructor: Steve Tuecke (University of Chicago)
New Globus REST APIs, combined with high-speed networks and Science DMZs, create a research data platform on which developers can create entirely new classes of scientific applications, portals, and gateways. Globus is an established service that is widely used for managing research data on XSEDE, DOE, and campus computing resources, and it continues to evolve with the addition of data publication capabilities, and enhancement of the core data transfer and sharing functions. Over the past year we have added new identity and access management functionality that will simplify access to Globus using campus logins, and facilitate the integration of Globus, XSEDE, and other research cyberinfrastructure services into web and mobile applications can leverage Globus and Science DMZs to provide a broad range of researchers with access to advanced data management capabilities using existing organizational credentials. A combination of presentation and hands-on exercises will result in attendees learning how to build and run a simple, yet fully functional, web application that can be leveraged their own applications.
Secure Software Engineering Best Practices
Instructors: Randy Heiland and Susan Sons (CTSC)
This interactive training session will introduce participants to a broad range of tools and methodologies for promoting secure software development throughout the software life cycle. Learn how software repositories, testing, static analysis, vulnerability management process, release/delivery management methods, integrated development environments (IDEs), and documentation can enhance or impair the security of the software that is written and released by any team. Participants are encouraged to follow along on their laptops for the most hands-on experience, but this is not required.