Cyber Security In High-Performance Computing Environment
September 20, 2015

Some HPC centers do not rely on users to protect their passwords. Instead, they implement a One Time Password (OTP) scheme in which users are given a small calculator-like device that generates a random key for logging in to the system. This is inconvenient for users, who have to carry the device with them at all times, and it adds to the operating cost of HPC systems. Centers that do not use OTP often limit failed access attempts to three or four and then restrict access to the account for one or two hours, to minimize brute-force attempts to crack user passwords on the system. Other safeguards HPC centers deploy include running only the necessary applications with administrative privileges that open TCP/IP ports to the external network. Even if there is a need to open an Apache or database port, connections to these ports are restricted to certain user groups or hosts using Iptables.
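The lockout rule described above, as an added example rather than code from any HPC center: three failures lock the account for one hour, and the lock holds even when the correct password is then supplied. The class name, the 15-minute counting window and the sample events are assumptions made for illustration.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # the article's "three or four" attempts
LOCKOUT = timedelta(hours=1)     # the article's "one or two hours"
WINDOW = timedelta(minutes=15)   # assumption: only failures this close together are counted


class LockoutPolicy:
    """Tracks failed logins per account and enforces a timed lock."""

    def __init__(self):
        self.failures = {}       # account -> timestamps of recent failures
        self.locked_until = {}   # account -> time at which the lock expires

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'granted' or 'denied' for one login attempt."""
        until = self.locked_until.get(account)
        if until and now < until:
            return "locked"                      # a correct password is refused too
        self.locked_until.pop(account, None)     # any earlier lock has expired
        if password_ok:
            self.failures.pop(account, None)     # success resets the counter
            return "granted"
        recent = [t for t in self.failures.get(account, []) if now - t <= WINDOW]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT
            self.failures.pop(account, None)
        return "denied"


def replay(events):
    """Run (minute_offset, account, password_ok) events through a fresh policy."""
    start = datetime(2015, 9, 20, 8, 0)
    policy = LockoutPolicy()
    return [policy.attempt(acct, ok, start + timedelta(minutes=m)) for m, acct, ok in events]


# Constructed sample: three bad guesses against 'alice', the right password tried
# during the lock and again after it has expired; 'bob' is unaffected throughout.
SAMPLE = [(0, "alice", False), (1, "alice", False), (2, "alice", False),
          (3, "alice", True), (4, "bob", True), (63, "alice", True)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```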

The HPC environment also has a few privileged accounts for system administrators and user support staff. These accounts have access to all the resources on the system, in the sense that their users can read, write, or delete the contents of any account. The holders of these accounts therefore need to take extra caution on all the devices and networks they use. They should access their privileged accounts from remote machines or untrusted networks only after activating a virtual private network (VPN).

Other forms of attack are a little more sophisticated: hackers mount a man-in-the-middle attack by making a hacker-controlled system appear to have credentials similar to those of the system users are trying to access, tricking users into giving away their credentials. In other words, the hackers are trying to hijack the endpoints. Experienced hackers also try to cover their trails and continue their exploit by installing rootkits, modifying the RPM package repository, and turning off or manipulating the monitoring software and log files. Sophisticated hackers are usually capable of obfuscating their activities and disabling monitoring tools. In such situations system administrators have to rely on secondary effects, such as unusual network bandwidth or unusual CPU load, to detect the intrusion. It is possible for a sophisticated attack to remain undetected for months.

Phishing is another common way hackers obtain user credentials, by enticing users to visit hacker-controlled machines. Users of popular social networking web sites are usually susceptible to this kind of attack, and if they happen to use the same password for their HPC accounts, they are inviting the hackers over from the social networking sites to the HPC systems. Social networking sites are usually good targets for hackers because they give access to the user's contacts and friends, which lets the hackers continue their exploit. Intercepted e-mails are another source of compromise.

Safeguarding the resource

  1. Always run Iptables (firewalls) on the machines with public network connections.
  2. Check the operating system logs periodically, or have them checked by an application that reports any anomalies in user behavior such as logins, source host, network bandwidth, resource usage, time and frequency of login etc.
  3. Enforce a choice of passwords that contain a certain number of characters and a combination of alphanumeric characters as well as special characters.
  4. Force password change once a year even though most users don’t like to change passwords often.
  5. Inactivate expired accounts, unused accounts and accounts of employees when they leave the organization.
  6. Turn on Host based authentication if possible. This is almost impossible for HPC systems as the users can be on any host at any time.
  7. Advise users not to store private keys, such as ssh private keys for passwordless logins, on HPC resources, because hackers who obtain elevated privileges can use them to access other machines.
  8. Allow only authorized machines with known MAC addresses in a network that issues DHCP IP addresses. This is also all but impossible in today’s world, where people use all kinds of mobile devices such as smart phones to access the resources.
  9. Use software, such as grid-ftp, that uses PKI encryption based on public and private keys.
  10. Allow only encrypted protocols such as ssh, sftp or https to access the system.
  11. Activate tools such as SELinux that control access through predefined roles. Most HPC centers do not activate it, however, because it disrupts the normal operation of Linux clusters and makes it harder to debug applications that don’t work as expected.
  12. When running a web-based application, add campus Shibboleth-based authentication. This will serve at least as a spam filter and can curtail denial-of-service-like attacks.
  13. Enforce resource quota such as total storage capacity or compute time when applicable.
  14. Issue one time password generating devices if possible.
  15. Do not allow any HIPAA-compliant research on HPC clusters with lots of users. Isolate any HIPAA-type research within restricted networks.
  16. Allow research with sensitive data only within restricted networks.
  17. Prevent any mobile devices from going back and forth between open networks and restricted networks.
  18. Compartmentalize networks so that it is easy to quarantine the compromised part of the network. This is also helpful with zero-day vulnerabilities, because the developers are still working on possible patches to fix them.
  19. It is not usually necessary to upgrade the OS to the latest version, because it takes a while for the community to test for various flaws. Upgrade the OS only if necessary.
  20. Appoint well-trained staff with operating system and Internet knowledge with awareness of threat conditions and cyber forensic skills.
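Item 2 of the list, checking logs for anomalies in logins, source host, and time and frequency of login, can be automated along the following lines. This is an added example, not part of the original article; it assumes OpenSSH-style syslog lines, and the log content, the two-hour slack and the three-failure threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# OpenSSH-style syslog lines; host names, users and addresses are constructed samples.
LINE = re.compile(r"^(\w{3}\s+\d+) (\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
                  r"(Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+)")
BASELINE = """\
Sep 14 09:02:11 login1 sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 50111 ssh2
Sep 15 10:15:40 login1 sshd[1388]: Accepted publickey for alice from 192.0.2.10 port 50230 ssh2
Sep 15 14:47:03 login1 sshd[1422]: Accepted password for bob from 198.51.100.23 port 41877 ssh2
"""
NEW = """\
Sep 20 03:12:45 login1 sshd[2211]: Accepted password for alice from 203.0.113.7 port 51122 ssh2
Sep 20 11:01:10 login1 sshd[2305]: Failed password for bob from 203.0.113.99 port 40001 ssh2
Sep 20 11:01:14 login1 sshd[2305]: Failed password for bob from 203.0.113.99 port 40001 ssh2
Sep 20 11:01:19 login1 sshd[2305]: Failed password for bob from 203.0.113.99 port 40001 ssh2
Sep 20 15:20:00 login1 sshd[2350]: Accepted password for bob from 198.51.100.23 port 42100 ssh2
"""

def parse(text):
    """Yield (day, hour, outcome, user, source) for each sshd authentication line."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        day, hour, outcome, user, src = m.groups()
        yield day, int(hour), outcome, user, src

def build_profile(text):
    """Known source hosts and login hours per user, from accepted logins only."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for _, hour, outcome, user, src in parse(text):
        if outcome == "Accepted":
            hosts[user].add(src)
            hours[user].add(hour)
    return hosts, hours

def find_anomalies(text, hosts, hours, slack=2, max_failures=3):
    """Return sorted (user, reason, detail) findings for a new batch of log lines."""
    findings, failures = set(), defaultdict(int)
    for day, hour, outcome, user, src in parse(text):
        if outcome == "Failed":
            failures[(user, src, day)] += 1
            continue
        if src not in hosts.get(user, ()):
            findings.add((user, "new-source-host", src))
        # Circular distance on the clock, so 23:00 and 01:00 are two hours apart.
        gaps = [min(abs(hour - h), 24 - abs(hour - h)) for h in hours.get(user, ())]
        if gaps and min(gaps) > slack:
            findings.add((user, "unusual-hour", f"{hour:02d}:00"))
    for (user, src, day), n in failures.items():
        if n >= max_failures:
            findings.add((user, "repeated-failures", f"{n} from {src} on {day}"))
    return sorted(findings)
```

The profile is built from a period believed to be clean; `find_anomalies(NEW, *build_profile(BASELINE))` then reports only what deviates from it.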

Cloud and Virtual Environment
Since cloud and virtualization technology became popular in an age of universal awareness of cyber security, the developers of this technology have been under heavy scrutiny to make it harder to compromise. In the private cloud environment the resource owners usually have elevated privileges, such as the root password and the ability to open or close ports to the public network. The host providers usually don’t have much control over the activities of the virtual host and virtual network, but they do have control over the hosted machines and hosted network. The cloud administrators have sufficient privileges even to examine the virtual instances running on a host machine. In a cloud environment, virtual networking and virtual instances place different users in their own isolated networks, and a compromise of one virtual instance is isolated to the resources owned by that group. In a way, security is a little better in a cloud environment than in an HPC cluster, where all the nodes have an identical setup. It is also easy to discard a compromised image in a cloud environment and build and deploy a new one. Also, it is not necessary to provide a public Internet connection to all virtual instances in a private cloud-computing environment.

Security in a public cloud environment is less well defined than in a private cloud environment, and depends on the service level agreement (SLA). The data has already been moved to a public resource where employees of the service provider may have access to it, and if the data is unencrypted, it may be intercepted during the transfer process. Also, access to the data is not guaranteed at all times.

Firewalls at the campus border
A commonly used practice in the university environment is network filtering (firewalls) at the campus border, as the first line of defense starts there. Campus network administrators continuously monitor high-volume and high-frequency traffic for abuse and periodically block network traffic from those IP addresses until the authenticity of the network behavior has been investigated (blacklisting/whitelisting). Network administrators can also block traffic specific to a certain communication protocol and ports if there are known vulnerabilities, until mitigation steps have been taken.

Another commonly adopted approach is to block all inbound traffic to a group of compute resources or devices as a matter of policy and punch holes in the filter only for the resources that need both inbound and outbound traffic. Where possible, private subnets are connected to the Internet using network address translation (NAT), which involves rewriting the source and destination IP addresses as a packet traverses the firewall. This process, called IP masquerading, is used to hide an entire private subnet from the Internet. In this way the private subnet can access the public network, but not vice versa.
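A small model of the behaviour described above, added here as an illustration and not taken from the article: outbound packets get their source rewritten and are tracked, replies are rewritten back, and anything else inbound is dropped unless a hole was punched for it. The class, the addresses and the single ssh hole are assumptions; a real firewall does this in the kernel's connection-tracking table.

```python
import ipaddress

# All addresses are assumptions for illustration (RFC 1918 and documentation ranges).
PRIVATE_NET = ipaddress.ip_network("10.20.0.0/16")  # subnet hidden behind the firewall
PUBLIC_IP = "192.0.2.1"                             # the firewall's Internet-facing address
HOLES = {22: ("10.20.0.5", 22)}                     # one punched hole: ssh to a login node


class MasqueradingFirewall:
    """Default-deny inbound filter with source NAT for the private subnet."""

    def __init__(self):
        self.conntrack = {}   # public port -> (private ip, private port, remote ip, remote port)
        self.next_port = 40000

    def outbound(self, src, sport, dst, dport):
        """Rewrite the source of a packet leaving the private subnet."""
        if ipaddress.ip_address(src) not in PRIVATE_NET:
            return None
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.conntrack[pub_port] = (src, sport, dst, dport)
        return (PUBLIC_IP, pub_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Return the packet as delivered inside, or None when it is dropped."""
        if dst != PUBLIC_IP:
            return None                              # private addresses are unreachable from outside
        entry = self.conntrack.get(dport)
        if entry and entry[2:] == (src, sport):      # reply to a connection opened from inside
            return (src, sport, entry[0], entry[1])
        if dport in HOLES:                           # explicitly allowed inbound service
            return (src, sport, *HOLES[dport])
        return None                                  # everything else: default deny


def demo():
    """Push constructed packets through the firewall and return what each one becomes."""
    fw = MasqueradingFirewall()
    sent = fw.outbound("10.20.3.7", 51000, "198.51.100.80", 443)
    reply = fw.inbound("198.51.100.80", 443, sent[0], sent[1])
    unsolicited = fw.inbound("203.0.113.9", 6000, PUBLIC_IP, sent[1])
    direct = fw.inbound("203.0.113.9", 6000, "10.20.3.7", 51000)
    ssh = fw.inbound("203.0.113.9", 6001, PUBLIC_IP, 22)
    return sent, reply, unsolicited, direct, ssh
```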

Implementing intrusion detection systems (IDS) also results in many false-positive alerts, because application developers do not follow any strict guidelines and behavior that is anomalous in one organization may be within the acceptable limits of another. For this reason many HPC centers do not rely on IDS.


© HPC Today 2024 - All rights reserved.
