
Page 1: CACR Overview

Von Welch, Director
Craig Jackson, Senior Policy Analyst
Susan Sons, Senior Systems Analyst

Naval Surface Warfare Center Crane Division
28 August 2015

Page 2: CACR Overview

Outline

1. Overview and History of CACR
2. CACR Expertise: Risk Management, Policy, Compliance
3. CACR Activities: CTSC, SWAMP, XSIM, Education/Internships
4. CACR Events: Seminar Series, Summits

Page 3: CACR Overview

CACR

Founded by then CIO Michael McRobbie in 2003

“...university-wide research center that would bridge our operational strengths and practical experience with our academic units [and] bridge technical specialties in cybersecurity with business, law and the behavior disciplines.”


Page 4: CACR Overview

Cybersecurity @ IU: CACR’s IU Partner Organizations

• REN-ISAC
• SOIC (Master’s Degree in Cybersecurity)
• University Information Security Office
• University Information Policy Office
• Maurer School of Law
• Kelley School of Business
• IUPUI School of Science
• Pervasive Technology Institute Research Center

Page 5: CACR Overview

IU’s NSA/DHS Designations

Indiana University designated as a National Center of Academic Excellence in Information Assurance / Cyber Defense through academic year 2021.


Page 6: CACR Overview

CACR is External Facing

Base funding from OVPIT, President’s Office, but primarily grant-funded applied research.

Since its origination in 2003, over $16 million in external funding from: Lilly Endowment, Inc., the National Science Foundation, the Department of Energy, the Department of Homeland Security, the National Institutes of Health, and others.

External partners: CMU/PSC, U. of Illinois/NCSA, U. of Wisconsin, U. of Wisconsin-Milwaukee, Morgridge Institute for Research.

Page 7: CACR Overview

Applied Research

CACR’s mission is to advance the state of cybersecurity practice, interdisciplinary research, and understanding in order to serve Indiana University, the state of Indiana, and our national and global communities.

Some guiding principles:

● Stay grounded: CACR takes on operational cybersecurity responsibilities.

● Real-world problem-oriented research in collaboration with funding partners.

● Tackle all aspects of problem: technical, policy, legal, social.

● Draw on Indiana University’s wide range of scholarly expertise in computer science, informatics, accounting and information systems, criminal justice, law, organizational behavior, public policy, and other disciplines.


Page 8: CACR Overview

Cybersecurity Historically

Firewalls, IDS, encryption, logs, passwords, ...

Page 9: CACR Overview

Cybersecurity is an Interdisciplinary Challenge today


http://www.bankinfosecurity.com/

Page 10: CACR Overview

Cybersecurity as a Risk Management Tool

Cybersecurity supports the organization by managing risks to its business mission.

Must understand what is critical to the business mission and apply resources appropriately.

Must balance resources between prevention, detection, and response to risks.

Page 11: CACR Overview

CACR Expertise: Risk Management, Policy, Compliance


Page 12: CACR Overview

Risk Management & Resilience

● Familiarity w/ many frameworks: FISMA / NIST RMF, NIST Framework for Improving Critical Infrastructure Cybersecurity, HIPAA, ISO, MITRE’s resilience work

● Assist organizations in navigating and applying these frameworks; conducting risk assessments; balancing prevention, detection, response, fight-through, and recovery; and evaluating their information security programs

● Experience applying risk management to novel environments and particular missions where one-size-fits-all doesn’t cut it

● We know the pitfalls: effort / resources; failure of orgs and auditors to understand risk acceptance


Page 13: CACR Overview

Policy & Law

Policy: provide leadership, guidance, and a convening function on national and international levels; often bringing people together who otherwise would never talk

Policy: assist organizations in creating, navigating, enforcing, and educating personnel on the detailed policies and laws that both limit and enable our missions

Image credit: Bob Cowles

Page 14: CACR Overview

Compliance

• FISMA and HIPAA
  • Establish NIST-based Risk Management Framework (RMF) at IU
  • Use it to align IU’s central systems with HIPAA & FISMA
  • Assist IU biomedical researchers to tackle HIPAA
  • Develop compliance resources for IU
• Education
  • Provide HIPAA and FISMA training locally and nationally
• Outreach
  • Provide cyber compliance assistance to other academic and research institutions
  • Provide national leadership on compliance issues in research and academia

Page 15: CACR Overview

Key CACR Projects


Page 16: CACR Overview


Image credit: NSF/K. Thompson

Page 17: CACR Overview

TrustedCI.org: Center for Trustworthy Scientific Cyberinfrastructure

Providing leadership and addressing cybersecurity challenges for the NSF community.

Page 18: CACR Overview

CTSC’s Accomplishments

● Engaged with >20 NSF science projects to provide cybersecurity leadership.
● Organized 2013-15 NSF Cybersecurity Summits for Large Facilities and CI.
● Developed and provided training & best practices.
● Developed Cybersecurity Program Guide for NSF CI.
● Authoring cybersecurity chapter for NSF Large Facilities Manual.

Page 19: CACR Overview

Software Assurance Marketplace (SWAMP)

We rely increasingly on our software stacks, both the ones we write and others.

Open nature leads to large attack surfaces.

Software integrity is critical.

Funded by DHS:
• Morgridge Institute for Research (lead)
• University of Illinois Urbana-Champaign
• University of Wisconsin – Madison
• Indiana University

Page 20: CACR Overview


Explosion of Software

Plus cars, medical devices, Internet of Things….

Page 21: CACR Overview

And where are all those programmers?


Page 22: CACR Overview

A Framework for Software Assurance

[Figure: A Framework for Software Assurance. Diagram components: Package, Tool, Platform, Perform Assessment, Results, Parse Results, Parsed Results, Result Viewer, View Results. Counts shown on the figure: Package, current 396 & bring your own; Tool, current 8; Result Viewer, current 2; Platform, current 9; 700+ cores.]

Page 23: CACR Overview

eXtreme Scale Identity Management for Science (XSIM)

Traditional computing: users all managed by the data center.

Modern science has large multi-site collaborations.

Funded by DOE/ASCR

Image credit: Ian Bird/CERN

Page 24: CACR Overview

Science collaboratory identity management

• Based on interviews with 18 sites and projects.
• Simple model for describing collaboratory IdM.
• Identified factors that inhibit and encourage delegation from the computing center to the collaboration.

Page 25: CACR Overview

Security Matters

A trusted voice for the general public.

Real-world, practical cybersecurity guidance videos.

http://www.securitymatters.iu.edu/


Page 26: CACR Overview

Internships

● Working with students from multiple disciplines: law/policy, computer science, engineering

● Students work alongside CACR Senior Analysts on policy issues, selecting and implementing security controls, providing training, and assessing the security needs of novel technologies and implementations.

● Big attractants: exposure to unusual technologies and environments, opportunities for professional development rather than getting penned in on rote tasks.


Page 27: CACR Overview

CACR 2015-16 Seminar Series

Every other Thursday at noon in Law 335.

Free and open to the public. Lunch provided.


9/3/15 Stacy Prowell, ORNL

10/1/15 Sadia Afroz, U. Berkeley

10/15/15 Bart Miller, U. Wisconsin

11/5/15 Abhi Shelat, U. Virginia

12/10/15 Kathryn Seigfried-Spellar, Purdue U.

1/21/16 Lujo Bauer, CMU

2/4/16 Serge Egelman, U. Berkeley

2/18/16 Matt Bishop, U. Cal-Davis

3/24/16 LeAnn Miller, Sandia

4/7/16 Yang Wang, Syracuse U.

4/21/16 Adam Slagell, U. Illinois/NCSA

Page 28: CACR Overview

CACR Cybersecurity Summit

2014 Summit
● Featured two senior Homeland Security officials responsible for cyber operations and R&D.

2015 Summit Coming Soon!
● September 15, 2015
● Hine Hall, IUPUI, Indianapolis
● Featuring Ron Ross, NIST

Page 29: CACR Overview

2015 CACR Summit Agenda

• Morning Keynote Address:
  • Ron Ross, NIST
• Morning Panel: Enterprise Risk Management
  • Merri Beth Lavagnino, Indiana University
  • Ron Ross, NIST
  • Hans Vargas, Indiana Office of Technology and IN-ISAC
• Lunch Keynote Address:
  • Harvey Rishikof, Crowell & Moring
• Afternoon Panel: Privacy, Promises and Shortcomings of Technology

Page 30: CACR Overview

2015 CACR Summit Agenda

Cybercrime and Fraud Track
• Speaker/Topic: Stephen Reynolds & Nick Merker, Ice Miller
  • “Preventing, Insuring and Surviving Fund Transfer Fraud”
• Speaker/Topic: Mark Villinski, Kaspersky Lab North America
  • “The Explosion of Cybercrime - The 5 Ways IT May be an Accomplice”

Privacy Track
• Speaker/Topic: Nate Anderson, Sears Holding Company
  • “Privacy Lessons from the Field”

Governance, Risk Management & Compliance Track
• Speaker/Topic: Jeff Foresman, Rook Security
  • “Compliance vs. Security – How to Build a Secure Compliance Program”
• Speaker/Topic: Scot Ganow, Esq., CIPP/US, Faruki, Ireland & Cox P.L.L.
  • “Getting in Shape for Breach Season”

Page 31: CACR Overview

2015 CACR Summit

• Registration: https://uits.iu.edu/cybersecurity-summit

• Additional Information: Contact CACR at [email protected]
