PSC Cybersecurity Group Uses Technology, User Savvy,to Guard Supercomputing Resources Nationwide
Luckily, the woman was smart.
When a waiter brought her a phone, saying her credit card company was calling her, she smelled a rat. The caller, claiming to be from her credit card company, asked for her card number “to verify her information.”
She refused, which was good. The call was from a scammer. He knew her location, because he’d read the Yelp review she’d posted of the restaurant earlier that day mentioning she’d be having lunch there. Far removed from the workings of a high- performance computing center and network? Possibly, but it does illustrate an important point. The creativity of scammers, hackers and crackers is boundless, and whether you’re protecting a personal credit account or a $20-million supercomputer, you need to be on your guard. Humans will always be the weakest link in any security system.
“I’ve not previously heard of a scam using this technique to try to obtain information from a victim like that,” says Jim Marsteller, PSC security officer. “But we’re probably going to see more of that sort of thing. Being aware of and understanding how all these pieces of information can be connected and how that information can potentially be used is the best strategy for avoiding making ourselves vulnerable.”
With Shane Filus, PSC information security engineer, Marsteller runs PSC’s Cybersecurity Group, protecting the Pittsburgh center’s systems and the larger National Science Foundation XSEDE network of computing centers from unauthorized users. Marsteller is co-lead for Cybersecurity and Incidence Response among XSEDE resources across the country, with Brandy Butler at the National Center for Supercomputing Applications at the University of Illinois. He’s also co-principal investigator for the Center for Trustworthy Scientific Infrastructure, an NSF-funded effort to help researchers protect their projects and data.
FACING THE THREATS
The threat is real. Some foreign governments use cyberespionage to try to steal government, industrial and research data. “Hacktivists” may try to access, steal or corrupt data generated by scientists whose results they dislike. And organized crime has gone digital, by compromising networking and computational resources for Bitcoin mining and spam generation and delivery, as well as other unauthorized uses.
Paired with the threat posed by these bad guys is a mission that says the good guys—the scientists trying to understand the Universe and answer important practical questions—do what they do best when they can share and use information openly. “In a business environment, Information Technology access controls are more restrictive,” Marsteller says. “You know who your customers are and have greater control over the infrastructure. Our field, on the other hand, is one of the most challenging just from the aspect that we’re open, we really want to foster collaboration.” Balancing the need for access with the need for cybersecurity is a big priority in any academic research enterprise. To achieve that goal, the PSC group employs some of the most sophisticated tools available—and measures as simple as user education.
TOOLS OF THE TRADE
Defense against cyberintruders requires a lot of system monitoring. Such intrusion detection takes two forms: signature based and heuristic based. “In signature-based detection, we know that a certain type of unauthorized activity has identifiable characteristics,” Marsteller says. “For example, it uses a certain type of protocol and communicates on port ‘X.’ As the system monitors network traffic … it can then flag these signatures and say, ‘This is malicious.’” Heuristic-based detection, on the other hand, tries to identify patterns of unusual activity that stand out from normal use of a system. It then notifies administrators, who can examine the activity in more detail. Signature-based detection helps guard against known types of cyber-attack; heuristic-based detection helps catch attacks that haven’t been seen before.
But users’ good practice is the first and best line of defense, they both agree. “User education is the best way to prevent intrusions,” Filus says. The great majority of security incidents the group deals with stem from compromised user accounts. Users’ cybersecurity “hygiene,” and common sense, is therefore a key approach to keeping interlopers out. (“Cybersecurity Top 8 Dos and Don’ts”)
“The more we can do to make them more aware and to get them to understand how critical they are in this whole security ecosystem, the better,” Marsteller adds.
Cybersecurity Top 8 Dos and Don’ts
Don’t
use children’s birthdays, nicknames, the word “password,” and the like for passwords: Did you really need to hear that again?
Do
understand the level of threat: Your bank account needs greater protection than your Gmail account. So does your XSEDE account. Give the higher-value accounts unique, and more sophisticated, passwords.
Don’t
share: laptops, accounts, passwords.
Do
use a password management tool: It lets you generate random passwords that are much harder to crack and helps to securely (and easily) manage the many accounts we have today.
Don’t
trust random software, particularly if it’s free: Is it sharing your data with the world? And do you really need it on your work computer?
Do
find a “cybersecurity buddy”: Whether it’s an IT caseworker or just a savvy coworker, it helps to have a second pair of eyes look at that link before you click on it.
Don’t
trust unexpected emails, particularly those warning you of security risks: Is the address after “@” different from the company’s Web address? Are there obvious grammar errors?
Do
trust your first reaction: Often we see the risk, then rationalize ourselves into ignoring it.