NSF and IT Security
George O. Strawn
NSF CIO
Outline
• Confessions of a CIO
• Otoh
• NSF matters
• IT security progress at NSF
• IT security progress in the Community
• The future of IT security
Confessions of a CIO
• To a scientist, there are more interesting things in the world than IT security
• Until I became a CIO, I also had little interest in the subject
• I was surprised to find out how much can be done for IT security with today’s tools (i.e., we’re not using the tools we have)
• I worry about unfunded mandates, too
But …
• There is nothing interesting about doing no science on a facility that has been shut down for scrubbing
• Attending to IT security requires a culture change for most people and organizations
• You have to learn what the elements of an IT security program are
• Full cost accounting would show that lost productivity and remediation can exceed the cost of a security program
NSF Matters
• NSF makes $5B+ of assistance awards annually, many to faculty and students at US colleges and universities
• Assistance awards are outside the FARs; they used to be viewed as gifts to HE; now they are viewed as highly orchestrated purchases of research capability
• NSF awardees are bound by terms and conditions, which tend to say what is required, but not how to do it
More NSF context
• NSF support can be approximately divided into $3B for research; $1B for education; and $1B for research tools
• Of the $1B support for research tools, 36 projects are designated as MREFC-class facilities (called large facilities below)
• Most of our large facilities look to the CIO like networked computers with strange I/O devices attached.
• We are focusing on large facility IT security
IT Security at NSF
• Management committed to IT security as a strategic priority
• The staff created and implemented a comprehensive IT security program
• We have received sustained levels of investment (~10% of IT budget)
• We have performance goals and measures
Security Management at NSF
• Roles and responsibilities (CIO & SISO)
• Policies and procedures (SWG)
• FISMA, including system inventory and Certification & Accreditation (C&A)
• Plan of action and milestones (POAM)
• Security reviews and assessments (contingency planning, DR, COOP)
• Security awareness and training
Security Technology at NSF
• Connectivity standards (and deconn)
• External and internal networks
• Laptop scanning
• Firewall architecture
• Vulnerability scans and penetration tests
• Anti-virus protection
• Patch management
• Intrusion detection
Thinking about ITsec
• Consider both risk (possible damage) and vulnerability (possible danger)
• Design security into systems
• Keep hackers out: proactive security
• Detect computer incidents
• Report and remediate: reactive security
Keeping them out
• Firewall(s): shut down all possible ports and open necessary ports by special rules
• Passwords: use strong passwords and change them; consider OTP
• Encrypt wireless net traffic
• Run the latest virus scans constantly
• Patch, patch, patch known vulnerabilities
• Attack your own system
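The first bullet above describes a default-deny firewall: close every port, then open only the necessary ones by explicit rules. The following is an added illustration, not code from the slides or from NSF: a small policy evaluator that denies any packet unless an explicit allow rule matches, plus a configuration check that flags allow rules nobody signed off on. The rules, approved exposures, and sample packets are constructed for the example (addresses are RFC 5737 documentation ranges).

```python
"""Default-deny packet policy, added as an illustration (assumed model, not NSF's)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    src: str     # source IPv4 address as text


@dataclass(frozen=True)
class AllowRule:
    proto: str
    dport: int
    src_net: str = "0.0.0.0/0"   # default: any source address

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.dport == pkt.dport
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net))


class DefaultDenyFirewall:
    """Everything is dropped unless an explicit AllowRule matches."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return "allow"
        return "deny"   # no rule matched: the default policy applies


def unapproved_rules(rules, approved):
    """Config check: each allow rule must map to a (proto, port) the organisation approved."""
    return [r for r in rules if (r.proto, r.dport) not in approved]


# Constructed sample policy: HTTPS to anyone, SSH only from an admin network.
APPROVED_EXPOSURES = {("tcp", 443), ("tcp", 22)}
RULES = [
    AllowRule("tcp", 443),                  # public HTTPS
    AllowRule("tcp", 22, "192.0.2.0/24"),   # SSH restricted to the admin network
    AllowRule("tcp", 23),                   # stray telnet rule the audit should catch
]
FIREWALL = DefaultDenyFirewall(RULES)

if __name__ == "__main__":
    samples = [
        Packet("tcp", 443, "198.51.100.7"),   # allowed: HTTPS from anywhere
        Packet("tcp", 22, "203.0.113.5"),     # denied: SSH from outside the admin net
        Packet("tcp", 22, "192.0.2.10"),      # allowed: SSH from the admin net
        Packet("tcp", 3389, "203.0.113.5"),   # denied: no rule for RDP at all
    ]
    for pkt in samples:
        print(pkt, "->", FIREWALL.decide(pkt))
    print("unapproved rules:", unapproved_rules(RULES, APPROVED_EXPOSURES))
```

The evaluator never needs a "deny" rule: the absence of a matching allow rule is the deny. The audit function is the operational half of the slide's advice, since an open port is only "necessary" if someone approved it, and a rule list tends to accumulate entries long after the reason for them is gone.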
Detection/Reaction
• Intrusion Detection services
• Intrusion Detection techniques
• CIRT (computer incident response team)
• Report to Fed CIRC (federal computer incident report center)
Progress in the Community
• FacSec subgroup of NSF Security Working Group (SWG)
• Large Facility Security Workshop(s)
• Educause Security Task Force/Internet2
• HE moving towards:
– Separating authentication and authorization
– Using stronger authentication
– Sharing/bridging authentication
The future of IT security
• Culture changes slowly: management attention and/or incidents can speed it up
• Investment is required
• Next generation IT security products and services may be better
• Next generation hackers will be worse
• Good luck to us all!