What You Need to Know
What You Need to Know About Cybersecurity at NERSC
Welcome to the cybersecurity course for NERSC users. This course is designed to remind you of your basic security responsibilities as a user of NERSC resources, and to provide you with actions you can take to protect your scientific work. NERSC is committed to safeguarding its systems and the valuable research materials stored in them. As a user, you can help to ensure the safety and security of these systems.
The Threat Is Real and Significant
As you know, worms, viruses, bots, and hackers are a fact of life. At NERSC, we face all the threats that any business or home user faces, but there are some unique characteristics of our environment you should know about:
Our Network Supports Global Collaborations
To ensure that our researchers can collaborate effectively, whenever and however they need to, we operate a network that is accessible by users from various institutions in the international community. To safeguard the network, you must take special care to ensure that you follow appropriate NERSC and Department of Energy procedures and policies.
Attackers Target NERSC
Both because of our unique computing resources, and simply because we are a government institution, attackers target NERSC systems. In particular, smart attackers who have time and resources have been known to target our systems.
We Are Held to High Standards.
As a Department of Energy supercomputer center, we are held to a high standard of cybersecurity performance. It is critically important that we perform well, so that we can maintain the open computing environment we believe is central to our mission.
Why Would Anyone Care About My Computer?
Computers on the Internet are subject to attacks. There are thousands of worms and viruses that continuously attack indiscriminately. Furthermore, hackers are often simply after your computer as a stepping stone to launch more attacks against other computers, regardless of the information on the computer. The costs of cleaning up a computer security incident, the potential for lost information, and lost productive work time are significant. Also, because our systems are interconnected, the infiltration of one computer significantly increases the potential for successful attacks against other computers connected to the network. Taking reasonable precautions protects all these people, not just you.
Important Policies Concerning Computer Use at NERSC
The primary policies governing system access at NERSC are found at As a NERSC user, you are responsible for following these policies. Following are a few policies of particular importance
Authorized Computer Use
As a reminder, here are some of the prohibited activities for accessing NERSC system:
- Illegal activities (such as fraud, embezzlement, or theft).
- Viewing, storing, or downloading sexually explicit material.
- Downloading, storing, or sharing illegal copies of material such as music or software protected by copyright or other laws. For instance, the downloading of music without the permission of the copyright holder, whether by ordinary client/server techniques such as a web browser, or by peer-to-peer techniques.
- Using software for which you do not have a legal license (You are responsible for managing your software licenses).
- Engaging in for-profit activities such as selling merchandise on a Web site.
- Gambling (including on-line casino betting).
- Attacking or launching a vulnerability scan against anyone else's computer.
- Harassment of any kind, sexual or otherwise.
In addition to these prohibitions, good network citizenship requires that you:
- Use only information and resources for which you have authorized access.
- Don't read or browse through other people's data, and don't login to any computers or accounts without authorization.
- Don't abuse shared resources, including disk space, CPU time, memory, and network bandwidth.
- Cut back on your use of any resource when asked by a NERSC administrator.
If you have any questions about prohibited activities, please contact NERSC at Security@NERSC.gov or Support@NERSC.gov.
Minimum Security Requirements and Best Practices
Below are some of the important rules to remember:
- Computers, software, and communications systems provided by NERSC are to be used only for DOE-sponsored work (as determined by the PI's DOE Program Manager). Use of NERSC resources to store, manipulate, or remotely access any national security information is prohibited. This includes, but is not limited to, classified information, unclassified controlled nuclear information (UCNI), naval nuclear propulsion information (NNPI), the design or development of nuclear, biological, or chemical weapons or of any weapons of mass destruction. Personally identifiable information (PII) and HIPPA data are also prohibited from NERSC user systems.
- The use of NERSC resources for personal or non-work-related activity is prohibited. NERSC systems are provided to our users without any warranty. NERSC will not be held liable in the event of any system failure or loss of data.
- All passwords used on computer systems must meet the DOE and NERSC requirements. Passwords and usernames must NOT be shared under any circumstances. Users who share their passwords or usernames will have their access to NERSC disabled. Users should not leave clear-text passwords in a location accessible to others or secured in a location for which protection is less than that required for protecting the information that can be accessed using the password.
- Passwords must be changed:
- At least every six months.
- Immediately after giving your password to someone else.
- As soon as possible, but at least within one business day after a password has been compromised or after you suspect that a password has been compromised.
- On direction from NERSC staff.
- Your password will be disabled if you have three login failures while entering your password on a NERSC machine.
- Users must ensure that appropriate physical security measures are taken to protect their computers and any portable media from unauthorized access, manipulation, or theft.
Stolen Credentials Are a Significant Threat
The most common security incidents at NERSC are account compromises which are the result of credential theft. Unfortunately, SSH credential theft is a very common occurrence on the Internet today and, with the thousands of accounts on NERSC systems, our exposure to this threat is very high.
SSH credential theft occurs when an unauthorized person (attacker) obtains and uses valid SSH account credentials (username and password) for unauthorized access to a computer. The attacker typically obtains the valid credentials by keystroke logging a previously compromised computer. Once the attacker has gained access to the computer she may perform any number of malicious activities including hosting malicious files, attacking other computers, installing rootkits, or destroying data.
In the example below, a NERSC user is unknowingly using a previously hacked computer. It may be their own computer or it may belong to another institution. In any case, an attacker has installed a keystroke logger and is able to capture everything the user types. When the user authenticates to a NERSC computer system, the attacker is able to steal her credentials. The attacker then logs into the NERSC computer at a later time and can do so from anywhere in the world.
Once the attacker has access to a NERSC system, even as a regular user, they will try a variety of tricks to escalate their privileges and attack other users and systems. For example, they can explore the knownhosts file and test the stolen credential on other systems. If they are able to gain root access, they can install a trojaned SSH daemon to steal credentials from other users. As shown below, once a foothold like this is established, the problem can quickly spread throughout NERSC as well as other institutions with whom we collaborate.
The best way to mitigate this threat is to make sure the systems you login to NERSC from are secure and well maintained. Follow the recommendations throughout this tutorial. Make sure patches are applied diligently. Use antivirus and personal firewall software. If it's a laptop, never leave it unattended in a public space. If others have access to the computer make sure they understand their responsibilities as well.
Encrypting SSH Keys
One very important way of protecting your SSH credentials is with the use of public/private key pairs instead of a regular username and password. This allows you to authenticate yourself without transmitting any password over the network.
To take advantage of this, you simply generate a key pair with the ssh-keygen command and copy the public key to any systems onto which you wish to login. Typically, the public key goes into the file ~/.ssh/authorized_keys.
The linchpin to this mechanism is the private key. The private key must be protected with encryption. Otherwise, it becomes easy pray for credential thieves. ssh-keygen allows you to set a passphrase with which the private key will be encrypted. However, you can bypass this without entering a passphrase leaving the private key unencrypted. This of course, is not recommended and is specifically banned on NERSC systems.
With very few exceptions, all private SSH keys on NERSC systems must be encrypted. There are a few cases where unencrypted SSH private keys are necessary and allowed. However, other steps must be taken to mitigate the risk. The details of this are here(link to policy page).
Using SSH Agent
One way of reducing the number of times you need to type your password is through the use of tools like ssh-agent and the agent forwarding mechanism built into SSH. ssh-agent maintains an unencrypted copy of your private key in memory while you're logged in. This means that whenever you use ssh on that system you won't need to type your passphrase to decrypt your private key as long as ssh-agent is running.
Furthermore, the -A option to ssh allows the forwarding of access to a local ssh-agent. As the diagram shows, this allows you to login among several NERSC systems without repeatedly typing your passphrase and without the need for unencrypted private keys.
- Emails or web links that ask for passwords, Social Security Numbers, credit card numbers or other information. (known as "phishing" scams).
- Email attachments that install "trojan horse" programs onto your computer.
- Scam emails that ask you to send money (usually with some offer of significant return on investment.)
- Unexpected CDs or floppy disks given or sent to you that contain programs designed to infiltrate your computer.
These scams are designed to look as legitimate as possible, often using the names of well-known companies or organizations and compelling "stories" in their deception. Here are some general guidelines to avoid being caught like a "phish".
- Don't open attachments you aren't expecting! If you have any doubt, don't click! If in doubt, send your inquiry to Security@NERSC.gov or call 800 66-NERSC.
- Knowing the sender of an email is not proof that the email is legitimate. The name of the sender is often forged into the email. If you get unexpected email from someone you know and the content seems out of character, contact them to see if it is real.
- If you get a warning about a new virus that doesn't come from a trusted NERSC source, don't forward it --- it's almost certainly a hoax. Report the incident to Security@NERSC.gov or call 800 66-NERSC.
- Don't fall for phishing! NERSC will never ask you for your password via email or on the phone --- neither will any other reputable company. Always look at the URL of the link in the email, make sure it directs you to the site you expect.
- Don't use "free" CDs or other media, including USB memory sticks, unless you are sure they came from a legitimate source. Remember, many computers 'autorun' CDs, so even putting CD into the computer can spread an infection.
- Be cautious when using computers other than your own. Every machine you enter your password on is a possible means by which your password will be stolen. Be especially aware of using shared-use computers in places like university computer labs, cyber cafes, conferences, and hotels. If you have any doubt, change your password when you return or refrain from entering it on untrusted systems.
Some examples of sophisticated social engineering techniques that have been directed at DOE labs include:
- CDs sent by mail that contained the DOE logo and promised information about DOE Policies and Procedures --- and actually contained sophisticated malicious code.
- PDF files that appeared to come from site publications offering the chance to be featured in a site newsletter. They actually exploited an Acrobat vulnerability.
- Attempts to gain password information by contacting employees by email or by phone and pretending to be local help desk personnel.
If you ever suspect that you have been targeted by an attack like this, immediately report it to Security@NERSC.gov or call 800 66-NERSC. Err on the side of caution. If you're ever in doubt about the authenticity of anything you receive and you can't just safely delete it, then ask for help.
Managing Private Information
NERSC takes seriously the responsibility to protect the information it is entrusted with. However, there are certain kinds of information That must not be stored on NERSC user systems because its' protection would require costly and burdensome security controls. This data includes:
- Classified Information: Information to which access is restricted by law or regulation to those holding a formal security clearance.
- Personally Identifiable Information: Including Social Security Numbers, bank account, or credit card information.
- Health Information: Including that which is protected by HIPAA (Health Insurance Portability and Accountability Act).
- Information protected by contract: Information agreed to be protected as part of a CRADA, non-disclosure agreement, or WFO agreement, or proprietary contractual information.
- Prudent to Protect Information: Other information that should not be exposed to the general public, such as specific information that relates to the physical or cyber security of NERSC, or to the operation of key safety or financial systems.
If you believe a computer you are using has been infected or hacked, it is a requirement that you report it as quickly as possible. If you have a local system administrator who manages your computer, contact them immediately. Ensure they also do one of the following: Email Security@NERSC.gov or call 800 66-NERSC.
NERSC is susceptible to natural disasters, a serious earthquake being one of the most threatening. While this training cannot comprehensively cover issues relating to disaster recovery, a few reminders are useful:
- Backups, especially offsite backups, are critical to recovery after a disaster. NERSC does not do offsite backups of user data. It is your responsibility to ensure that critical data is stored at a location other than NERSC.
- After a major disaster, it's likely you won't be able to quickly access the NERSC systems. Plan ahead for record retrieval.
- Have a plan for communications within your workgroup that establishes how you will communicate with your collaborators after a disaster and gather phone numbers and cell phone numbers, know how to text message using your cell phone, and assume that some or all of the communication channels you normally rely on, including email, will be unavailable.
Resources for Assistance and Education
You have completed the NERSC cyber security tutorial.
Below is a recap of the online resources that spell out the NERSC cybersecurity policies and procedures for accessing computational and storage systems.
- General Computer Policy: NERSC Computer Use Policies Form.
- NERSC System Access: Connecting to NERSC.
Thanks for taking this opportunity to review your cybersecurity responsibilities.