Training Sessions, October 15, 2019 NSF Cybersecurity Summit
Tuesday, October 15th will feature a full day of training, available to all registrants. Seating may fill for some or all sessions, and pre-event registration for individual sessions is required to reserve a seat. Please register by Oct. 4th to guarantee seating and help us make final preparations. Direct inquiries to email@example.com.
Concurrent Morning Sessions
Instructors: WISE Community
About WISE: The WISE (Wise Information Security for collaborating E-infrastructures) community was born as the result of a first workshop in October 2015. It was agreed then that collaboration and trust are the key to successful information security in the world of federated digital infrastructures for research. WISE is an international community with participants spanning North America, Europe, Asia and Australia.
WISE provides a trusted global environment where security experts from general and research domain-specific Infrastructures can share information on topics such as risk management, experiences about certification processes and threat intelligence. With participants from e-Infrastructures such as EGI, EUDAT, GEANT, EOSC-hub, PRACE, XSEDE, OSG, NRENs and more, the main aim of WISE is to promote best practice in Information Security by developing trust frameworks, template policies and guidelines for e-Infrastructures.
The actual work of WISE is performed in focused working groups, each tackling different aspects of collaborative security and trust. This year we have 3 new working groups which are currently starting their work. While many of the working group activities are performed by conference calls and e-mail, experience has shown that we can make very good progress by holding face-to-face WISE events. These events, which typically attract between 20 and 40 participants, are held at least twice a year. We have already met once in 2018 in Europe (Abingdon, UK, February), and we propose that this WISE training/workshop at the NSF Cybersecurity Summit would be an excellent way of fulfilling the desire for a second event in North America.
We were very happy to be able to run WISE events at previous NSF Cybersecurity Summits (2017 & 2018) and propose to build on what were very successful workshops; one of the aims should be to encourage closer collaboration with Trusted CI and the NSF research communities.
The activities/working groups we propose for possible inclusion in the 2019 half-day WISE are:
• Security for Collaborating Infrastructures (SCI).
o Policy Development Kit and templates, including the WISE baseline AUP, aimed at meeting the SCI needs.
o An update on the current state of Infrastructures self-assessing themselves against the SCI Trust Framework (V2).
o Comparison of these templates with other such activities (Trusted CI, for example) to see what we can learn from each other.
o Discussion and assessment of security issues and risks related to recent developments in the USA, such as SLATE (Service Layer at the Edge) – do we need new security/trust policies for this?
• Operational Security threat intelligence and communication between Security Operations Centres (SOCs).
• Kick-starting collaboration between the Security Communications Challenge Coordination Working Group and members of the NSF facilities and communities. This is a joint activity between WISE and SIG-ISM aimed at coordinating activities related to Security and Communication challenges.
• Risk Management working group (RAW). This working group has produced the WISE Risk Management template and accompanying guidelines, to provide a starting point for e-infrastructures and their member organisations for effectively implementing a risk assessment process.
We will not have time to include all of these, and the final choice will depend on which individuals are successful in achieving funding to attend, but we propose to cover 3 of the above topics/sub-topics during the day.
Target Audience for the training: We would invite security representatives from E-Infrastructures and Large-Scale NSF facilities to participate. This includes operational security individuals and policy makers. Some of the topics would be training sessions with hands-on exercises while others would be management/planning/brainstorming sessions, to assist the working groups in the production of new template policies and best-practice documents.
Security Log Analysis Training
Instructor: Mark Krenz (Indiana University/Trusted CI)
The goal of security log analysis is to more efficiently leverage log collection in order to identify threats and anomalies in your organization. This half-day training will help you tie together various log and data sources to provide a more rounded, coherent picture of a potential security event. It will also help you understand log analysis as a life cycle (collection, event management, analysis, response) that continues to become more efficient over time. Interactive demonstrations will cover both automated and manual analysis using multiple log sources, with examples from real security incidents.
Regulated Data Security and Privacy: DFARS/CUI, HIPAA, FISMA, and GDPR
Instructors: Anurag Shankar (Indiana University/CACR), Gabriella Perez (University of Iowa), Scott Russell (Indiana University/CACR) and Erik Deumens (University of Florida)
Growing cyber threats are forcing sponsors, both government and otherwise, to ask research institutions, often hard pressed for resources, to comply with unfamiliar cybersecurity rules and regulations. There has been a slow but welcome accumulation of peers and expertise about the vagaries of compliance in the last few years; however, comprehensive sources of information are still lacking. This training session is designed to fill this gap. Aimed at helping those new to the world of compliance, it will cover four primary compliance regimes that affect US research today, namely DFARS/CUI, HIPAA, FISMA, and GDPR. Covered will be the regulations themselves as well as tips on how to cope with them. To those who have attended the session before, it will provide the latest news and updates.
HIPAA, FISMA, and DFARS/CUI Requirements (NIST 800-171). An introduction to the regulations, including scope, data types covered, and debunking of common myths.
GDPR. The new EU privacy regulation requiring data controllers and processors worldwide to protect the privacy of data for subjects in the EU.
The NIST Risk Management Framework and NIST 800-53. A dive into the cybersecurity standard that government agencies use themselves to protect data.
Complying. An effective, risk-based approach with included, practical tools.
Updates. The latest version of NIST 800-171, the new NIST 800-171A document, the NIST 800-171B draft, GDPR, and the new California (CA) privacy law.
Web Security and Automated Assessment Tools - Theory & Practice
Instructors: Barton P. Miller and Elisa Heymann (University of Wisconsin)
This tutorial starts by teaching about a critical class of vulnerabilities, injection; then follows with a description of software assessment tools that can identify such vulnerabilities in your code; and last, provides an opportunity to get hands-on experience in using these tools to identify and mitigate the vulnerabilities, specifically XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery).
Then we will introduce different types of assessment tools, describe how they work, their output and their limitations. We will talk about control flow and data flow analyses, as they are foundational techniques used by many tools to determine if certain code is safe or not.
The next section of the tutorial explains how to use different commercial and open source tools for C/C++ and Java, and how to process the tools’ output. We will use simple test applications extracted from the NIST/NSA Juliet test suite, where each of these applications contains code with a specific weakness and a version of the same code with the weakness fixed.
Then we will move on to the hands-on section of this tutorial. The students will use the Software Assurance Marketplace (SWAMP, https://continuousassurance.org/), an open facility that allows users to scan their software with different tools without the burden of dealing with tool acquisition, installation, and configuration. Through the SWAMP, users can access both commercial and open source software assessment tools. By using the SWAMP, the students will be able to identify problems in the given source code, modify the code, compile it, and submit it to the SWAMP for another assessment.
Catch the Phish: Securing your Organization against Phishing Attacks
Instructor: Rajvardhan Oak
With the pervasive use of the Internet, electronic mail has become the primary means of communication across organizations at every level. Phishing is a kind of social engineering attack in which the adversary masquerades as a known or trusted entity (a friend, the bank, the CEO of the company) via email, and sends out malicious links within the email along with a call to action. An example would be an attacker masquerading as the Head of Security and asking employees to click on a link to reset their password. The link could be a dummy landing page created by the adversary to collect sensitive information.
According to a recent report, security leaders have seen a 25 percent increase in the number of phishing emails that successfully evade security defenses and arrive in users’ inboxes. Therefore, it is the need of the hour to spread awareness about phishing among the general public. Organizations that handle sensitive data or deal with sensitive issues should especially make sure that their employees are familiar with phishing attacks, and are able to recognize and report them.
Several organizations run internal phishing campaigns to evaluate their employees and ensure that they are well-trained in recognizing phishing attacks. Such periodic trainings are essential to ensure that employees do not fall prey to a phishing attack, which could lead to identity theft, loss of data and financial losses.
A high level overview of the session would be as follows:
1. Explain the concepts of Phishing and Spear Phishing and the tell-tale signs of a Phishing Email.
2. Analyze several examples of real phishing emails along with a case study of investigating a phishing attempt.
3. Learn how to operate the open source tool GoPhish for setting up your own Phishing Campaign, including
a. Setting up GoPhish on a server and locally.
b. Adding users, profiles, landing pages and scheduling emails.
c. Analyzing the results from your campaign.
4. Guidelines for drafting your own landing pages and phishing emails.
5. Policy guidance about phishing campaigns.
Concurrent Afternoon Sessions
Instructors: Rick Wagner (Globus), Matthias Bussonnier (University of California, Berkeley), Mark Krenz (Trusted CI, IU CACR), and Ishan Abhinit (Trusted CI, IU CACR)
Description: Jupyter is software designed to run arbitrary code from within a web page and to facilitate the sharing of so-called Jupyter notebooks, so that code can be shared and easily run. In the past few years these Jupyter notebooks have become ubiquitous in the academic and research communities as a method for sharing scientific processes and data. Yet the methods for securing a Jupyter installation may not be reaching those who are installing and managing them. The presenter team has encountered several indications that security information for Jupyter is still difficult to find. A standing policy at a major national lab has been that Jupyter would not be allowed due to high risk. A question posed to an audience at a Jupyter talk at PEARC19 indicated that 0% of the audience had encountered security recommendations on their first install.
This workshop will provide an overview of Jupyter and how it is used before diving into explaining the current best practices for securing a Jupyter installation, explaining the security risks to running Jupyter and sharing Jupyter notebooks as well as how to mitigate those risks. The end of this session will include dedicating an hour to discussing what can be done to improve the security of Jupyter documentation and the Jupyter ecosystem. An additional half day will focus on organizing.
The first session is expected to last 3 hours. The first 30 minutes will be devoted to explaining what Jupyter is and how it’s used. The next hour to hour and a half will be devoted to how Jupyter can be secured, as well as the security issues to be aware of.
The second session is also expected to last 3 hours and is to provide a dedicated forum for involved parties and those interested in participating to help organize a more formal team for addressing Jupyter’s security concerns going forward. Input from the attendees will be used as a needs assessment for developing a Jupyter security best practices guide.
Operational Fundamentals: Next Level Incident Response, Security Exercises, and Cybersecurity Operational Metrics for Science Projects
Instructor: Susan Sons
This training will introduce three areas of operational cybersecurity practice: incident response planning, security exercises, and selecting and using operational cybersecurity metrics. Staff from the NSF-funded Research Security Operations Center (ResearchSOC) will walk participants through these three areas of operational cybersecurity practice where Major Facilities, Midscale Facilities, and the long tail of science have the opportunity to make significant gains in protecting the integrity and continued progress of scientific research right now.
This training is suitable for PIs, for technical management, and for IT and security personnel working on science and CI projects who may be involved in incident response, security exercises, or other security operations. Participants whose projects don’t yet have a cybersecurity program in place would benefit from attending the Trusted CI Cybersecurity Program Guide training, or at least reading https://trustedci.org/guide, prior to this training.
ICS Security Landscape - Getting Better, Getting Worse
Instructor: Phil Salkie, Managing Partner - Jenariah Industrial Automation
This breakout session provides an overview of "Industrial Control System" (ICS) and "Supervisory Control and Data Acquisition" (SCADA) equipment, discusses the variety of secure and insecure communications protocols in use, and looks at the changes in the ICS/SCADA cybersecurity landscape which have occurred over the last year, including the large increase in "Industrial Internet of Things" (IIoT) devices and the increased attack surface they present.
Most large scientific and data processing facilities have a variety of ICS and SCADA systems installed throughout the plant, controlling building systems such as Heating/Ventilation/Air Conditioning, Emergency Power Generation, and Building Security. Often, these systems are poorly understood, do not have data backup/restore plans, and/or fall in a "gray area" domain between Facilities and IT departments. The harm that can be caused to a facility by an ICS/SCADA outage may be orders of magnitude larger than the cost of the entire system, or the budget allocated to securing that system.
In this breakout session, we will become familiar with various forms of legacy and modern ICS and SCADA systems, and investigate the numerous options available for ICS systems to communicate with each other and with supervisory SCADA systems. Most ICS protocols were designed with ease of implementation in mind, and have few or no security options available. We will look at methods to secure and improve these communications channels, including dedicated firewall devices, standalone VPN tunnelling hardware, and cloud hosting systems.
A Cybersecurity Program Framework for Science Projects and Facilities
Instructors: Craig Jackson, Kay Avila, Bob Cowles
This half-day training covers practical information security for science projects by describing the foundational elements of a cybersecurity program necessary to provide a secure and safe environment for science. The training will be based on the emerging Trusted CI Framework which is the evolution of the Trusted CI “Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects“ and emphasizes four pillars of such a program:
Alignment to Mission - identification of critical resources and processes.
Governance - roles and responsibilities, risk management and acceptance, policies.
Resources - money, people.
Controls - selecting a good baseline control set. The training will also include guidance on maintaining and evaluating an established cybersecurity program.
The training includes a number of interactive surveys to promote discussion in areas of active audience interest, so participants are strongly encouraged to bring laptops.
Social Engineering Workshop
Instructors: Aunshul Rege, Associate Professor; Rachel Bleiman, Undergraduate Student; Trinh Nguyen, Graduate Research Assistant
Social engineering (SE) is defined as any act that influences a person to take an action that may or may not be in his or her best interests and is the method of utilizing human behaviors to engage in cybercrime. This workshop will introduce attendees to the SE topic, tactics and persuasion techniques used, SE playbooks, and relevance to cyberattacks and cybersecurity. The workshop will share case studies on shoulder surfing, pretexting, open source intelligence (OSINT), and privacy. Attendees will also engage in a safe, ethical, and fun hands-on social engineering activity in teams and then share their experiences. The workshop will end with an interactive discussion where attendees will share thoughts on possible SE prevention and mitigation measures, implementing SE training and education at their respective organizations, the role of ethics in training and education, and a Q&A session with workshop organizers.
Trusted CI, the NSF Cybersecurity Center of Excellence is supported by the National Science Foundation under Grant ACI-1547272. The views expressed do not necessarily reflect the views of the National Science Foundation or any other organization.