Training Sessions *August 21* 2018 NSF Cybersecurity Summit

Tuesday, August 21st will feature a full day of training, available to all registrants. All but the WISE Workshop and Federated Identity Management for Research Organizations are half-day offerings. Seating may fill for some or all sessions, and pre-event registration for individual sessions is required to reserve a seat. Please register by August 14 to guarantee seating and help us make final preparations. Direct inquiries to info@trustedci.org.

 

Concurrent Morning Sessions

 

WISE Workshop (Full Day)

 Instructors: WISE Community

About WISE: The WISE (Wise Information Security for collaborating E-infrastructures) community was born as the result of a first workshop in October 2015. It was agreed then that collaboration and trust are the key to successful information security in the world of federated digital infrastructures for research. WISE is an international community with participants spanning North America, Europe, Asia and Australia.

Full agenda: https://wiki.geant.org/display/WISE/WISE+@+NSF+CyberSecurity+Summit+2018

WISE provides a trusted global environment where security experts from general and research domain-specific Infrastructures can share information on topics such as risk management, experiences about certification processes and threat intelligence. With participants from e-Infrastructures such as EGI, EUDAT, GEANT, EOSC-hub, PRACE, XSEDE, OSG, NRENs and more, the main aim of WISE is to promote best practice in Information Security by developing trust frameworks, template policies and guidelines for e-Infrastructures.

The actual work of WISE is performed in focussed working groups, each tackling different aspects of collaborative security and trust. This year we have 3 new working groups which are currently starting their work. While many of the working group activities are performed by conference calls and e-mail, experience has shown that we can make very good progress by holding face to face WISE events. These events, which typically attract between 20 and 40 participants, are held at least twice a year. We have already met once in 2018 in Europe (Abingdon, UK, February), and we propose that this WISE training/workshop at the NSF Cybersecurity summit would be an excellent way of fulfilling the desire for a second event in North America.

We propose a full-day WISE Community Security Training event at the 2018 NSF Summit. We were very happy to be able to run such an event in 2017 and propose to build on what was then a very successful day. The activities/working groups we propose for possible inclusion in the 2018 one-day WISE are:

  • Security challenges for high-throughput data transfers

  • Operational Security threat intelligence and communication between Security Operations Centres (SOCs), e.g. use of MISP etc.

  • Security for Collaborating Infrastructures

    • A training section to teach Infrastructures how to self-assess against the Trust Framework (V2)

      • Including use of a Policy Development Kit aimed at meeting the SCI needs

  • We would also like to compare our policy kit with other such activities (Trusted CI for example) and see what we can learn from each other

  • How to meet the requirements of EU GDPR in terms of policies and procedures for our e-Infrastructures

    We will not have time to include all of these and the final choice will depend on which individuals are successful in achieving funding to attend, but we propose to cover 3 of the above topics during the day.

Target Audience for the training: We would invite security representatives from E-Infrastructures and Large-Scale NSF facilities to participate. This includes operational security individuals and policy makers. Some of the topics would be training sessions with hands-on exercises while others would be management/planning/brainstorming sessions, to assist the working groups in the production of new template policies and best-practice documents.

 

Industrial Control System Security - Existing Infrastructure and New Designs

 Instructor: Phil Salkie (Jenariah Industrial Automation)

Summary: This breakout session provides an overview of “Industrial Control System” (ICS) and “Supervisory Control and Data Acquisition” (SCADA) equipment, provides a process for managing the security of existing systems in your facility, and discusses the implications of designing in security when new equipment is specified for purchase.

Details: Most large scientific and data processing facilities have a variety of ICS and SCADA systems installed throughout the plant, controlling building systems such as Heating/Ventilation/Air Conditioning, Emergency Power Generation, and Building Security. Often, these systems are poorly understood, do not have data backup/restore plans, and/or fall in a “gray area” domain between Facilities and IT departments. The harm that can be caused to a facility by an ICS/SCADA outage may be orders of magnitude larger than the cost of the entire system, or the budget allocated to securing that system.

In this breakout session, we will become familiar with various forms of legacy and modern ICS and SCADA systems, and discuss the security implications presented by network intrusions by “bad actors” as well as the issues presented by equipment which may have no operational backup, no data backups, and no on-site ability to reload or restore a system which requires replacement or even general maintenance. We will discuss the necessary steps for Management to determine what ICS systems are present, what will be required to protect them properly, and the order in which to take those mitigations. When systems are slated to be replaced, it is critical for IT to take a role in the specification and design phase in order to ensure that systems are implemented in a way which does not simply make the Design Engineer’s job easiest. Security and Ease-Of-Use face much the same trade-off battle in the ICS/SCADA space as they do in the consumer/user space, but “Designing for Security” in ICS/SCADA is all but unknown. We will look at different methods of securing ICS networks, including compartmentation, firewalling, least privilege, and minimization of control surface - all things which are more work up front, and will likely not be put into a system unless they are specified by someone who has an understanding of computer security issues.

 

Setting up a compliance program for CUI

  Instructor: Erik Deumens (University of Florida)

  Goals:

     1. Provide the context and the background for compliance requirements, including the complete stack from physical security, to training and business processes, to institutional buy-in from the university administration.

     2. Clarify the difference between compliance for federal agencies, and other organizations, universities in particular.

     3. The NIST guidelines for the Risk Management Framework (RMF) call for customization. Participants will be given information and then will be guided to design and plan a compliance program that suits their university, with its specific mission and budget, its specific political and regulatory context, and its administrative culture and climate.

 

Automated Assessment Tools - Theory & Practice

Instructors: Barton P. Miller and Elisa Heymann (University of Wisconsin)

This tutorial starts by teaching about a critical class of vulnerabilities, the injection; then follows with a description of software assessment tools that can identify such vulnerabilities in your code; and last, provides an opportunity to get hands-on experience in using these tools to identify and mitigate the vulnerabilities.

Injection attacks are always in the top 10 attacks that are commonly exploited and that have serious consequences. Notably, these attacks affect programs written in almost any language. In this tutorial we will present examples of code injection attacks and SQL injection attacks.

Then we will introduce different types of assessment tools, describe how they work, their output and their limitations. We will talk about control flow and data flow analyses, as they are foundational techniques used by many tools to determine if certain code is safe or not.

The next section of the tutorial explains how to use different commercial and open source tools for C/C++ and Java, and how to process the tools’ output. We will use simple test applications extracted from the NIST/NSA Juliet test suite, where each of these applications contains code with the specific weaknesses and a version of the same code with the weakness fixed.

Then we will move on to the hands-on section of this tutorial. The students will use the Software Assurance Marketplace-SWAMP (https://continuousassurance.org/), an open facility that allows users to scan their software with different tools without the burden of dealing with tool acquisition, installation, and configuration. Through the SWAMP, users can access both commercial and open source software assessment tools. By using the SWAMP, the students will be able to identify problems in the given source code, modify the code, compile it, and submit it to the SWAMP for another assessment.

 

 

Developing Cybersecurity Programs for NSF Projects

 Instructors: Kay Avila, Bob Cowles and Craig Jackson

This session will be based on an upcoming restructuring of the cybersecurity planning guide developed several years ago. The original guide was developed to address the information security requirements outlined in NSF cooperative agreements, but both the cybersecurity field and our understanding have evolved. The new version of the guide will be structured around the four pillars of cybersecurity as developed for the upcoming version of the Large Facilities Manual. However, the new guide should also be usable by the thousands of smaller NSF projects in determining their cybersecurity needs. This session will be appropriate both for attendees of last year’s training of the same name, as well as newcomers. Though there will be some overlap, we hope to use the updated presentation as an opportunity to explore areas in greater depth based on participants’ needs.

The four pillars of cybersecurity:

  • Mission alignment (hardware/software inventory and understanding mission-critical processes)

  • Governance (policies and procedures, project leadership, risk management and acceptance, program evaluation)

  • Resources (budget, personnel, 3rd party services, lifecycle considerations)

  • Controls (baseline controls and specialized/alternative controls)

While this session will be instructional in nature, it is also intended to be an interactive session to seek constructive feedback from attendees as we improve the guide. There will be significant opportunities for discussion and Q&A.

Concurrent Afternoon Sessions

WISE Workshop (continued)

See Full Description Above.

 

Software Engineering Guide for NSF Science

 Instructor: Susan Sons

Creating secure software is not simply a matter of coding each line better: it is a confluence of software engineering practice, tooling, and architecture *with* line-level secure coding practice. Trusted CI, the NSF Cybersecurity Center of Excellence, has been working on materials to help science projects which produce software, as well as scientific cyberinfrastructure projects, understand which engineering practices can give them the best return in software security for their effort, without hindering the science mission. An early draft of that material is now available, and this training will give those responsible for software in the NSF ecosystem the opportunity to work with it first. This half-day workshop will walk participants through the new Software Engineering Guide for NSF Science, using it as a basis to choose the software engineering practices that best enable the development of secure and robust software. The program will be primarily lecture, with a couple of short exercises interspersed.

Participants will learn to:

  • Gauge the software engineering and security needs of a particular software development project.

  • Select tools and processes appropriate to a project’s security and reliability needs.

  • Effectively guide user expectations surrounding security of the software.

  • Handle vulnerability remediation.

  • Use tooling and smart architecture to make the software development process itself easier and more reliable, not only increasing security, but reducing the costs of security and development in general.

Compliance 101: HIPAA, FISMA, NIST 800-171 and GDPR

Instructors: Anurag Shankar (Indiana University/CACR), Susan Ramsey (NCAR) and Scott Russell (Indiana University/CACR)

The regulatory burden flowing downstream from the funding agencies is growing ever stronger as a worsening cyber climate forces the government to introduce new privacy and security regulations in response. Ignorance is no longer an option for R&D organizations, including those that lack the necessary expertise and resources to acquire it. This training session is designed especially for them and others newly initiated but is likely to be useful generally. It demystifies HIPAA, FISMA, and NIST 800-171, US regulations that affect research, and GDPR, the new EU privacy regulation. It also offers guidance on ways to tackle the various compliance regimes through practical risk management.

Topics Covered:

  • HIPAA, FISMA, and CUI Requirements (NIST 800-171). An introduction to the regulations, including scope, data types covered, and common misperceptions.
  • GDPR. The new EU privacy regulation requiring data controllers and processors worldwide to protect the privacy of data for subjects in the EU.
  • The NIST Risk Management Framework and NIST 800-53. A dive into cybersecurity standards.
  • Managing Risk. Effective risk management by leveraging standards and practical tools.

 

Security Log Analysis Training

 Instructor: Mark Krenz (Indiana University/Trusted CI)

The goal of security log analysis is to more efficiently leverage log collection in order to identify threats and anomalies in your organization. This half-day training will help you tie together various log and data sources to provide a more rounded, coherent picture of a potential security event. It will also help you understand log analysis as a life cycle (collection, event management, analysis, response) that continues to become more efficient over time. Interactive demonstrations will cover both automated and manual analysis using multiple log sources, with examples from real security incidents.

 

 

Trusted CI, the NSF Cybersecurity Center of Excellence, is supported by the National Science Foundation under Grant ACI-1547272. The views expressed do not necessarily reflect the views of the National Science Foundation or any other organization.