Training Sessions *August 15* 2017 NSF Cybersecurity Summit

Tuesday, August 15 will feature a full day of training, available to all registrants. All but the WISE Workshop and Federated Identity Management for Research Organizations are half-day offerings. Seating may fill for some or all sessions, and pre-event registration for individual sessions is required to reserve a seat. Please register by August 10 to guarantee seating and help us make final preparations. Direct inquiries to Amy Starzynski Coddens (


Concurrent Morning Sessions


WISE Workshop (Full Day)

Instructors: WISE Community

The WISE (Wise Information Security for collaborating E-infrastructures) community was born as the result of a workshop in October 2015, which was jointly organized by the GÉANT group SIG-ISM (Special Interest Group on Information Security Management) and SCI, the ‘Security for Collaboration among Infrastructures’ group of staff from several large-scale distributed computing infrastructures. All agreed at the workshop that collaboration and trust is the key to successful information security in the world of federated digital infrastructures for research. WISE is an international community with participants spanning North America, Europe, Asia and Australasia.

WISE provides a trusted global framework where security experts can share information on topics such as risk management, experiences about certification processes and threat intelligence. With participants from e-Infrastructures such as EGI, EUDAT, GEANT, PRACE, XSEDE, OSG, NRENs and more, WISE focuses on standards, guidelines and practices, and promotes the protection of critical infrastructure. To date WISE has created four working groups, each tackling different aspects of collaborative security and trust.

The community is currently working on defining a comprehensive security training catalogue (STAA-WG), risk assessment template (RAW-WG), big data best practice guidelines (SBOD-WG) and guidance for assessing an infrastructure against the new version 2 of SCI, the framework established to ease cross-infrastructure information exchange during security incidents (SCIv2-WG).

We invite security representatives from E-Infrastructures to participate. This includes operations security individuals and policy makers.

Additional information can be found at:

Federated Identity Management for Research Organizations

Instructors: Jim Basney (NCSA and University of Illinois/CTSC) and Scott Koranda (Spherical Cow Group/CTSC)

Research Organizations and Collaborations, and especially Virtual Organizations (VOs), come together to solve complex problems leveraging people and resources from multiple institutions, often spanning the world. Expert in their respective domains, VOs rarely have expertise in the identity management aspects of collaboration. Regardless of VO size, properly designed identity management processes and technologies can help facilitate VO research by providing access to collaboration tools and services quickly, and removing that access when it should no longer be granted.

This full-day tutorial will provide an overview of the issues in identity management facing and solutions available to VOs, in order to help them more easily manage access to their resources.

Topics covered will include:

- Understanding the identity management process needs of VOs of any size

- Leveraging Federated and Social Identity to authenticate VO participants

- Understanding the complexities of international federation and collaboration

- Passwords, Certificates, SSH Keys, and other authentication technologies: what works where?

- Participant lifecycle management using open source identity management solutions, including COmanage, Grouper, and Shibboleth

- Application Integration and Provisioning, from the shell to the web to the cloud: how to make apps work with identity management infrastructure

Interactive demonstrations will be used to provide tangible insight into the capabilities of various solutions.

Note: A previous version of this training was given at the 2016 NSF Cybersecurity Summit.

Security Log Analysis

Instructor: Mark Krenz (Indiana University/CTSC)

The goal of security log analysis is to more efficiently leverage log collection in order to identify threats and anomalies in their cyberinfrastructure. I will be presenting a half-day training that will help attendees tie various log and data sources together to provide a more rounded, coherent picture of a potential security event. It will also help attendees understand log analysis as a life cycle (Collection, Event Management, Analysis, Response) that continues to become more efficient over time. It will demonstrate how proper management of these four phases contributes to a security team’s effectiveness. Interactive demonstrations will cover both automated and manual analysis using multiple log sources (network protocols, files, software, intel, etc.), with examples from real security incidents. Lastly, the training will cover how to use lessons learned during each cycle to tune the monitoring and analysis workflow to improve an organization’s operational security footing over time.

Legacy Industrial Control Systems - Secure / Replace / Ignore?

Instructor: Phil Salkie (Jenariah Industrial Automation)

Scientific and technical facilities worldwide incorporate Programmable Logic Controllers (PLCs) and Supervisory Control And Data Acquisition (SCADA) systems into their mix of technologies - often without the knowledge or support of the on-site IT department.  These systems can include decades-old designs, contain firmware which is not (or cannot) be updated or patched, and can have long lists of known vulnerabilities - yet they continue to be placed into network environments throughout the world.  This breakout session will provide a framework for IT department management to inventory, evaluate, triage, and secure their existing controls systems, as well as supplying specification language for use when systems must be replaced with modern, security-aware hardware.

Handling Regulated Government Data, Protected Health Information, and CUI

Instructor: Anurag Shankar (Indiana University)

With cyber threat at unprecedented levels, the May 11th presidential executive order on strengthening the cybersecurity of federal networks and critical infrastructure requires government agencies to examine unmet cybersecurity needs and take appropriate actions to protect the nation and the public at large.  Downstream effects are likely to follow for government subcontractors, especially R&D facilities and academia, already in a difficult position due to insufficient resources, regulatory expertise, and often the presence of both government information subject to FISMA and “Controlled Unclassifed Information” (CUI), for instance HIPAA protected health information (PHI).  Each data type requires adherence to different standards – the NIST Risk Management Framework (RMF) and NIST 800-53 controls for FISMA, the recently released NIST SP 800-171 controls for CUI, and HIPAA Security Rule safeguards for PHI.  This workshop is designed to untangle these different data types, regulations, and requirements, and to provide guidance on how to build and deploy an effective cyber risk mitigation strategy that enables one to handle compliance and bolster cybersecurity in the most cost-effective way.

Digital Forensics / Incident Response

Instructor: Warren Raquel (NCSA and University of Illinois/CTSC)

Digital forensics can provide a deeper understanding of what happened during a Cybersecurity event than what standard incident response measures can provide. If you are considering adding digital forensics capabilities to your Cybersecurity program this program will walk through what you will need to do this. We will discuss how to start small and build up your capabilities. At the end of this program you should understand the pros and cons of a digital forensics program and how to get it off the ground.

Computer incident response is a required capability for any project or activity that is running internet connected services. CTSC would present a half-day tutorial that will provide basic information on setting up an incident response program so that students can prepare their project team or organization for an incident investigation. The initial focus of the tutorial will be on identifying the processes, policies, information, and monitoring services that are required to effectively respond to a security incident. This first section will discuss investigation and analysis tools that might be useful for investigations. The second part of the tutorial will identify a series of questions the incident response team can use to guide them through both the investigation and the mitigation process. The participant should leave the session with an understanding of the basic steps needed to create an incident response program and what to do when an incident occurs.


Concurrent Afternoon Sessions



WISE Workshop (continued)

See full description above.

Federated Identity Management for Research Organizations (continued)

See full description above.

Shared Intelligence Platform for Protecting our National Cyberinfrastructure

Instructor: Alex Withers (NCSA / University of Illinois)

The SDAIA project seeks to advance the security infrastructure available for open science networks, aka Science DMZs. This research is expected to significantly enhance the security of campus and research networks. It addresses the emerging security challenge of open, unrestricted access to campus research networks, but beyond that it lays the foundation for an evolvable intelligence sharing network with the very real potential for national scale analysis of that intelligence. Further it will supply cyber security researchers with a rich real-world intelligence source upon which to test their theories, tools, and techniques. The research will produce a new kind of virtual security appliance that will significantly enhance the security posture of open science networks so that advanced high-performance network-based research can be carried out free of performance lags induced by more traditional security controls.

More than just a VM running CIF, this appliance gives users the ability to build or join a data sharing network with their partners and share potential threat data within seconds. The appliance also provides a framework to stay ahead of threats as events get shared and to act on these events. The training will breakdown the virtual appliance into its individual components by having attendees deploy each component with Ansible. We will cover each component and its role in the appliance: ssh-auth-logger honeypot, zyre/zeromq for p2p sharing, cifv3 for event store and later analysis, bro for honeypot network analysis, bro’s intel framework to stay ahead of potential threats, and components to allow integration into existing security monitoring infrastructure. We will demonstrate how components can be deployed in whole or part and orchestrated to suit an institution’s data sharing needs.

Rebuilding a Plane in Flight: Refactors Under Pressure

Instructor: Susan Sons (Indiana University)

At some point, every engineer or project manager will have to take on a disaster. In these situations, it is easy to go into firefighting mode, trying to keep each new emergency at bay, instead of taking a systematic approach to fixing the underlying problems. This is why disgusting, brittle tangles of hundreds of thousands of lines of insecure spaghetti code stay in place so long. It is why you are inheriting a network of vulnerable SCADA components that the last four people were too afraid to fix.

Attempting to untangle a disaster that cannot be taken out of service is terrifying. Eventually, it must be done, but often no one wants to take responsibility for the project until it is almost too late. However, there is method to the madness. Susan Sons shares a high-level approach to safely refactoring software and other complex systems while supporting production deployments that may themselves be complex and varied, drawing from her experience refactoring life-critical software and cyber-physical systems (ICS/SCADA). While these methods were forged working on some critical systems and software, they apply just as well to a web application hairball or a DevOps nightmare.

Topics include:

- Project management concerns: Resourcing, outside communication, and

staging changes

- Technical and architectural strategy: Supporting toolchains, triage,

systems architecture, and refactor strategies

- Balancing response to immediate security and stability concerns

against long-term vulnerability reduction and maintainability

Developing Cybersecurity Programs for NSF Projects

Instructors: Bob Cowles, Craig Jackson & Jim Marsteller (CTSC)

This instructional session will be based on a cybersecurity planning guide (see, developed with input from the Daniel K. Inouye Solar Telescope (DKIST) project, and in use at a number of NSF facilities and projects. The Guide was developed to address the information security requirements outlined in NSF cooperative agreements, and provide solid guidance, tools, and resources. This session will be appropriate both for attendees of last year’s training of the same name, as well as newcomers. Though there will be a good deal of overlap, we will be updating our presentation, and supporting opportunities to explore areas in greater depth based on participants’ needs.  Some of the topics that will be covered include:

·         Building or Improving an Information Security Program

·         Unique and Critical Science Requirements, Constraints, and Security Controls

·         Information Security Policies and Procedures

·         The Role of Project Leadership and Risk Acceptance

·         Establishing a Risk Management Approach to Information Security

·         Defining, Identifying, and Classifying Information Assets

·         The Role of Risk Assessments within the Program Lifecycle

·         Baseline Controls and Best Practices

·         Topical Information Security Considerations:  Third-Party Relationships, Asset Management, Access Control, Physical Security, Monitoring, Logging, and Retention

·         Program Assessment and Evaluation

While this session will be instructional in nature, it is also intended to be an interactive session to seek constructive feedback from attendees to further improve the guide.  There will be significant opportunities for discussion and Q&A.

Automated Assessment Tools - Theory & Practice

Instructors: Barton Miller & Elisa Heymann (University of Wisconsin / CTSC)

Software assurance tools – tools that scan the source or binary code of a program to find weaknesses – are the first line of defense in assessing the security of a software project. These tools can catch flaws in a program that can affect both the correctness and safety of the code. This tutorial is relevant to anyone wanting to understand how those tools work, and learn how to use these automated assessment tools to minimize security flaws in the software they develop or manage.

Description of the class:

We will introduce the different types of analysis tools, how these tools work, their output and their limitations. We then talk about control flow analysis and data flow analysis, as they are the tools’ core to answer if certain code is safe or not.
The next section of the tutorial explain how to use different commercial and open source tools for C/C++ and Java, and how to process the tools’ output.  For that we use simple test applications extracted from the NIST/NSA Juliet test suite, where each of these applications contain specific weaknesses, and the version of the same code with the weakness fixed.  The weaknesses we address are drawn from a collection of the most commonly occurring ones in real code, such as Relative Path Traversal, OS Command Injection, Cross-Site Scripting (XSS), Improper Neutralization of Script in an Error Message Web Page, Integer Overflow, Sensitive Information Uncleared Before Release, Uncaught Exception, and Use of Hard-coded Password.
Then we will move on to the hands-on section of this tutorial.  The students will use the Software Assurance Marketplace-SWAMP (, which is an open facility that allows users to scan their software with different tools without the burden of dealing with tool acquisition, installation, and configuration.  Throughout the SWAMP users can access both commercial and open source software assessment tools.  By using the SWAMP the students will be able to identify problems in the given source code, modify the code, compile it, and submit it to the SWAMP for another assessment.

To attend this tutorial, you will need to:

  1. Bring your own laptop.
  2. Have VirtualBox installed on your machine.
    1. Go to and download VirtualBox for your platform.  
    2. Execute the program downloaded.
    3. Check that you are able to run VirtualBox.
  3. For the class exercises, we will use two virtual machines images.  

Please download them from: (4.02 GB)
and (4.3 GB)

Save them on the local disk of the machine you will be using for the tutorial. If you have problems downloading these images, we will have copies at the class.

If you have any questions before the tutorial, please contact