NSF and IT Security

George O. Strawn

NSF CIO

Outline

• Confessions of a CIO

• Otoh

• NSF matters

• IT security progress at NSF

• IT security progress in the Community

• The future of IT security

Confessions of a CIO

• To a scientist, there are more interesting things in the world than IT security

• Until I became a CIO, I also had little interest in the subject

• I was surprised to find out how much can be done for IT security with today’s tools (ie, we’re not using the tools we have)

• I worry about unfunded mandates, too

But …

• It’s not interesting doing no science on a shut-down-for-scrubbing facility

• Attending to IT security requires a culture change for most people and organizations

• You have to learn what are the elements of a IT security program

• Full cost accounting would show that lost productivity and remediation can exceed the cost of a security program

NSF Matters• NSF makes $5B+ of assistance awards

annually, many to faculty and students at US colleges and universities

• Assistance awards are outside the FARs; they used to be viewed as gifts to HE; now they are viewed as highly orchestrated purchases of research capability

• NSF awardees are bound by terms and conditions, which tend to say what is required, but not how to do it

More NSF context

• NSF support can be approximately divided into $3B for research; $1B for education; and $1B for research tools

• Of the $1B support for research tools, 36 projects are designated as MREFC-class facilities (called large facilities below)

• Most of our large facilities look to the CIO like networked computers with strange I/O devices attached.

• We are focusing on large facility IT security

IT Security at NSF

• Management committed to IT security as a strategic priority

• The staff created and implemented of a comprehensive IT security program

• We have received sustained levels of investment (~10% of IT budget)

• We have performance goals and measures

Security Management at NSF

• Roles and responsibilities (CIO & SISO)

• Policies and procedures (SWG)

• FISMA, including system inventory and Certification & Accreditation (C&A)

• Plan of action and milestones (POAM)

• Security reviews and assessments (contingency planning, DR, Coop)

• Security awareness and training

Security Technology at NSF

• Connectivity standards (and deconn)• External and internal networks• Laptop scanning• Firewall architecture• Vulnerability scans and penetration tests• Anti-virus protection• Patch management• Intrusion detection

Thinking about ITsec

• Consider both risk (possible damage) and vulnerability (possible danger)

• Design security into systems

• Keep hackers out: proactive security

• Detect computer incidents

• Report and remediate: reactive security

Keeping them out

• Firewall(s): shut down all possible ports and open necessary ports by special rules

• Passwords: use strong passwords and change them; consider OTP

• Encrypt wireless net traffic

• Run the latest virus scans constantly

• Patch, patch, patch known vulnerabilities

• Attack your own system

Detection/Reaction

• Intrusion Detection services

• Intrusion Detection techniques

• CIRT (computer incident response team)

• Report to Fed CIRC (federal computer incident report center)

Progress in the Community

• FacSec subgroup of NSF Security Working Group (SWG)

• Large Facility Security Workshop(s)

• Educause Security Task Force/Internet2

• HE moving towards – Separating authentication and authorization– Using stronger authentication– Sharing/bridging authentication

The future of IT security

• Culture changes slowly: management attention and/or incidents can speed it up

• Investment is required

• Next generation IT security products and services may be better

• Next generation hackers will be worse

• Good luck to us all!