Webinar: Security recommendations for science gateways
- Published on Thursday, 30 September 2021 12:00
September 29, 2021
Presented by Mark Krenz, Chief Security Analyst, Center for Applied Cybersecurity Research, Indiana University
Trusted CI has recently published a four-page document targeted at small-team science gateways. It provides a prioritized list of security recommendations to help reduce overall security risk. In this webinar Mark Krenz, from Trusted CI, provides an introduction and overview of the document, along with a discussion of the lessons learned from the last few years of providing security consultations for science gateways.
Resources mentioned during the webinar:
- The Trusted CI recommendations report (4 pages with many links) is linked from here: https://www.trustedci.org/science-gateways (Permanent archive: https://scholarworks.iu.edu/dspace/handle/2022/26780)
- The Trusted CI Cybersecurity Summit (online) starts October 12, 2021, with plenary sessions, trainings, and workshops scheduled over the week: https://www.trustedci.org/2021-cybersecurity-summit (Register by October 4.)
- Signal: Secure texting at https://signal.org/en/
- Open Web Application Security Project https://owasp.org/ and their top 10: https://owasp.org/www-project-top-ten/
- Google Drive Security white paper: https://scholarworks.iu.edu/dspace/handle/2022/26741
- Webinar presentation (August 2021) about the Google Drive security paper is archived here: https://researchsoc.iu.edu/training/webinars.html
- Direct link to the webinar recording: https://www.youtube.com/watch?v=Z-iGIQqrY88 and slides: https://researchsoc.iu.edu/doc/webinar-google-drive-security-challenges-and-solutions.pdf
- Two ways to monitor/update dependencies:
  - Dependabot for updating dependencies: https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/
  - Requires.io keeps your Python projects secure by monitoring their dependencies: https://requires.io/
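As an added example, not taken from the webinar, the Trusted CI report, or the Dependabot post above, here is a minimal `.github/dependabot.yml` that turns on the scheduled dependency checking Dependabot provides for a Python science gateway. The `pip` ecosystem, the root `directory`, the weekly interval and the pull-request limit are assumptions chosen for illustration; adjust them to the gateway's own layout.

```yaml
# .github/dependabot.yml (added example; assumed layout: Python project
# with its requirements file at the repository root)
version: 2
updates:
  # "pip" covers requirements.txt, Pipfile and pyproject-based projects.
  - package-ecosystem: "pip"
    directory: "/"          # assumption: manifest lives at the repo root
    schedule:
      interval: "weekly"    # assumption: weekly is enough for a small team
    # Cap how many update PRs sit open at once so a small team is not flooded.
    open-pull-requests-limit: 5
    # Label the PRs so they are easy to find and triage.
    labels:
      - "dependencies"
```

Commit the file to the default branch and GitHub starts opening version-update pull requests on that schedule; security updates for known-vulnerable versions are raised separately as soon as an advisory is published, independent of the weekly interval. Review and test each PR before merging rather than auto-merging, since an upgrade can change behaviour as well as close a vulnerability.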
- A few comments on endpoint detection and response (EDR) monitors:
  - Some campus information security teams will gladly incorporate your group and your systems into their incident response plan, which is one example of report recommendation "O" (Use institutional resources).
  - NCSA uses Qualys vulnerability management to scan systems weekly, but vulnerability scanning is not an EDR solution.
  - UChicago uses CrowdStrike widely, including on *nix systems in research services. Globus, in particular, runs it on all of its Ubuntu AWS EC2 instances, and did a reasonably thorough assessment before proceeding.