Security 101

Taken from the ISC Diary entry "Security 101: Security basics in 140 characters or [fewer]".

@ChrisJohnRiley: If you can guess where PHPmyAdmin is installed, then so can attackers.
@DavidJBianco: You are already pwn3d. The question is, "What will you do about it?"
@Keldr1n: Don't leave default passwords on the administrative interfaces of your 3rd party web applications.
@Keldr1n: Know your network - and all devices in it - well enough to spot unusual activity.
@Keldr1n: Users are almost always the weakest link. Make it a priority to educate them. Do most of yours even know what phishing is?
@averagesecguy: Security 101: If you don't need it, turn it off.
@bowlesmatt: Passphrases are the new passwords. Make a sentence that is long, hard to guess, and easy to remember. ihatepasswordsseewhatididthere?
@bowlesmatt: Patch your systems and disable any unused services to reduce attack surface.
@bradshoop: Never trust a host you can't trust.
@bradshoop: Computers remember a lot. Even more if you contact security personnel before you reboot.
@bradshoop: Dedicate personnel to prevention AND detection. Preferably the same personnel in rotation to breed familiarity and contempt.
@connellyuni: It's more important to know what you don't know than it is to know what you do know.
@cutaway: Try to avoid saying "We are investigating... why equipment that we have a destruction certificate for was... sold online" to the media.
@cutaway: Assets using secure authentication are directly and adversely impacted by your assets using plain text authentication.
@cutaway: Complacency: 1) Self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies. 2) You will be hacked.
@cutaway: Default SSL Certs for internal management interfaces should be replaced with valid certificates associated with the organization.
@cutaway: Don't be afraid of your incident response plan. Conducting investigations will give your team experience and eventually reduce costs.
@cutaway: How do you "Find Evil" in your organization? Seriously, go "Find Evil" and report back to me.
@cutaway: IT environments are complex systems. They require a System Development Life Cycle to effectively manage AND secure.
@cutaway: If your product allows remote connections somebody WILL write a python/perl/ruby script to connect to it and send whatever THEY want.
@cutaway: Monitor and alert on new accounts and accounts being added to Domain Administrator, SUDO, or root groups.
@cutaway: Product certification does not mean it has been deployed correctly. Review placement, logging, access, input validation, etc...
@cutaway: Service accounts should adhere to corporate password policies and be monitored for modifications including lockout.
@eternalsecurity: Make sure you're protecting the right thing. A belt AND suspenders doesn't help if you're not wearing pants.
@hal_pomeranz: "A backup is not a backup until you do a restore." #sysadminkoan
@hy2jinx: Attack vectors and regulatory requirements change. "That's how we've always done it" is a poor and lazy excuse.
@hy2jinx: Scanner "infos" can turn up bigger issues than you'd guess. Look at overall results, not just singles.
@hy2jinx: Five missing patches across 100 devices does not equal "five vulnerabilities."
@hy2jinx: It's cheaper to consult a security professional from conception than mere days before "go live."
@hy2jinx: Security professionals should be empowered to point the business towards good decisions and reserve the power of "No" for a last resort.
@itinsecurity: In your encryption system, your key is the weakest link. If it isn't, you're doing it wrong.
@itinsecurity: Security is not a box you buy or an app you write. It's an emergent property, a sum greater than its parts.
@jarocki: "Dear User: Millions of $$ of software won't keep you from clicking that link. Only YOU can prevent link clicking."
@jarocki: When it comes to security controls, Trust But Verify... nah, forget the Trust... just Verify.
@jimmyzatl: If you don't log "accepts" in your FW logs for admin protocols you will have no way of knowing when those accounts are abused.
@jimmyzatl: An encryption algorithm that has to be hidden from the public is by definition a weak algorithm...
@ken5m1th: That successful PCI DSS Report On Compliance will not save you from Zombies.
@kentonsmith: When setting up any new system, Step 1: Change default admin password.
@kill9core: Security through obscurity, or the practice of hiding flaws hoping they won't be found, has proven time and time again not to work.
@mattdoterasmus: Just because your security teams work from 9-5, doesn't mean attackers aren't looking the rest of the time.
@omegadefence: The attitude that "it won't or can't happen to us" because "we're too small/big/have nothing to offer" is dangerous.
@omegadefence: The attitude that "I can't do anything about it so I won't even bother with security or reporting" is also dangerous.
@omegadefence: Analyse your logs in detail, it is those with their heads buried in your logs that hold the key to prevent, detect and recover.
@omegadefence: Give only the permissions required to do the normal daily duties, nothing more. Special logons for special occasions.
@omegadefence: Best: using high-speed trend analysis with custom searches as well as automated reporting AND followup.
@rob_bainbridge: Security teams that work in isolation and without transparency will fail. Collaborate with other risk mgmt - audit, ops risk, etc...
@tccroninv: Those that store passwords in plain-text invite catastrophe.
@tliston: "We can't implement strong passwords/two-factor authentication. Our users aren't capable," says more about your competence than theirs.
@tliston: Developers: Never roll your own encryption, authentication or session management schemes. You're not that smart. Trust me.
@tliston: If you don't have written authorization to perform security-type testing in your organization, don't. You're too pretty for prison.
@tliston: If you're not putting as much thought into your outbound firewall rules as you are for your inbound rules, you're doing it wrong.
@tliston: If you're not supporting a legacy Windows OS, for the love of all that is Holy, turn off LANMAN hashes.
@tliston: If you've never tested restoring from your backups, then you don't have backups - you have a crapload of data and hope.
@tliston: If your internal security posture is based on, "our employees wouldn't know how to do that," then you're likely already 0wned.
@tliston: Remember: As an attacker, I exploit misplaced trust. There's nothing mystical or magical about it.
@tliston: Run scans against your network. It's the only way to really know what's out there. I've yet to see a fully accurate network diagram.
@tliston: Sanity check security spending. A $500 lock on a cheap wood door doesn't buy security. It just gives a thief something to laugh at.
@tliston: Security isn't just about preventing compromise. It's about maintaining confidentiality, integrity & availability despite compromise.
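Two of @cutaway's one-liners above, alerting on new accounts and on additions to Domain Admins/sudo/root groups, and watching service accounts for lockouts, describe a detection. The script below is an added example, not code from the ISC Diary entry or from any of the quoted authors. It assumes two constructed input formats: Windows Security events exported as one line of key=value pairs (the event IDs 4720, 4728, 4732, 4756 and 4740 are the real ones) and shadow-utils style useradd/usermod syslog lines; it also assumes service accounts carry an "svc-" name prefix. The sample log lines are made up for the demonstration.

```python
"""Alert on new accounts, privileged-group additions and service-account lockouts.

Added example for the tweets above; not code from the original post. It parses
two constructed line formats:
  * Windows Security events exported as one line of key=value pairs
    (EventID=4720 Computer=DC01 Subject="DOMAIN-user" Target="DOMAIN-user" ...)
  * Linux syslog lines written by useradd/usermod (shadow-utils style)
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Real Windows Security event IDs for the events we care about.
WIN_EVENTS = {
    "4720": "user account created",
    "4728": "member added to security-enabled global group",
    "4732": "member added to security-enabled local group",
    "4756": "member added to security-enabled universal group",
    "4740": "user account locked out",
}
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}

# Groups whose membership changes should always raise an alert (lower-case).
PRIVILEGED_GROUPS = {
    "domain admins", "enterprise admins", "schema admins", "administrators",  # Windows
    "sudo", "wheel", "root",                                                   # Linux
}
SERVICE_PREFIX = "svc-"  # assumption: service accounts follow this naming convention

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LINUX_NEW_RE = re.compile(r"(?P<host>\S+) useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
LINUX_ADD_RE = re.compile(r"(?P<host>\S+) usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")


@dataclass(frozen=True)
class Alert:
    kind: str     # new_account | privileged_group_add | service_lockout
    host: str
    subject: str  # who made the change, "-" when the log does not say
    target: str   # account affected
    group: str    # group involved, "-" if none
    line: str


def _kv(line: str) -> dict[str, str]:
    """Parse key=value and key="quoted value" pairs into a dict."""
    return {k: q or u for k, q, u in KV_RE.findall(line)}


def parse_line(line: str) -> Optional[Alert]:
    """Return an Alert for lines that matter, None for everything else."""
    kv = _kv(line)
    eid = kv.get("EventID")
    if eid in WIN_EVENTS:
        host, subject = kv.get("Computer", "-"), kv.get("Subject", "-")
        if eid == "4720":                      # any new account is worth a look
            return Alert("new_account", host, subject, kv.get("Target", "-"), "-", line)
        if eid in GROUP_ADD_EVENTS:            # only privileged groups page someone
            group = kv.get("Group", "")
            if group.lower() in PRIVILEGED_GROUPS:
                return Alert("privileged_group_add", host, subject, kv.get("Member", "-"), group, line)
            return None
        if eid == "4740":                      # lockout of a service account, not a user
            target = kv.get("Target", "")
            if target.lower().startswith(SERVICE_PREFIX):
                return Alert("service_lockout", host, subject, target, "-", line)
        return None
    m = LINUX_NEW_RE.search(line)
    if m:
        return Alert("new_account", m["host"], "-", m["user"], "-", line)
    m = LINUX_ADD_RE.search(line)
    if m and m["group"].lower() in PRIVILEGED_GROUPS:
        return Alert("privileged_group_add", m["host"], "-", m["user"], m["group"], line)
    return None


def detect(lines: Iterable[str]) -> list[Alert]:
    """Run every line through parse_line and keep the hits, in log order."""
    return [a for a in map(parse_line, lines) if a is not None]


# Constructed sample log for the demonstration; not real data.
SAMPLE_LOG = [
    r'EventID=4720 Computer=DC01 Subject="CORP\helpdesk1" Target="CORP\jdoe"',
    r'EventID=4732 Computer=FS02 Subject="CORP\helpdesk1" Member="CORP\jdoe" Group="Remote Desktop Users"',
    r'EventID=4728 Computer=DC01 Subject="CORP\helpdesk1" Member="CORP\jdoe" Group="Domain Admins"',
    r'EventID=4740 Computer=DC01 Subject="DC01$" Target="svc-backup"',
    r'EventID=4740 Computer=DC01 Subject="DC01$" Target="jdoe"',
    "Sep 12 03:14:07 web01 useradd[2210]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash",
    "Sep 12 03:14:09 web01 usermod[2231]: add 'deploy' to group 'sudo'",
    "Sep 12 03:15:00 web01 usermod[2240]: add 'deploy' to group 'adm'",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.kind}] host={a.host} by={a.subject} target={a.target} group={a.group}")
```

Run as a script it prints five alerts: the two new accounts, the two privileged-group additions (Domain Admins on the DC, sudo on web01) and the svc-backup lockout; the Remote Desktop Users and adm additions and the ordinary user lockout are filtered. PRIVILEGED_GROUPS and SERVICE_PREFIX are the tuning points (for instance, membership of the docker group is effectively root on that host), and in production the lines would come from the event forwarder or SIEM rather than a list.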
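@tccroninv's line about plain-text password storage and @tliston's warning against home-grown authentication have a concrete counterpart in how a credential record should be written. The block below is an added example, not code from the original post; it uses only the Python standard library (PBKDF2-HMAC-SHA256 from hashlib, a random 16-byte salt per record, constant-time comparison from hmac). The record layout pbkdf2_sha256$iterations$salt$hash is an assumption for the demo, not a standard, and a memory-hard KDF such as scrypt or Argon2 from a maintained library is the better choice where it is available.

```python
"""Salted, iterated password hashing with the standard library.

Added example (not from the original post). The stored record is
"pbkdf2_sha256$<iterations>$<base64 salt>$<base64 hash>"; that layout is an
assumption for this demonstration.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes | None = None) -> str:
    """Return a storable record; the salt is random per call unless supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored record.

    Any malformed or foreign record fails closed: a truncated or rewritten
    digest must never verify, so the decoded hash length is checked too.
    """
    try:
        algorithm, iterations_s, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return False
    if algorithm != ALGORITHM or iterations < 1 or len(expected) != KEY_BYTES:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a successful login should re-hash the password at the current cost."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("correct horse battery stapler", record))
    print("rehash needed:", needs_rehash(record))
```

The login path is verify_password followed, on success, by needs_rehash: that is how the work factor gets raised for existing users without a forced reset. Note what is not in the record: the username, the algorithm of a previous scheme, or anything that would let the verifier be talked into a cheaper check.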

AtTask Project Management Software Demo

Christopher Stordalen from the Global Programs and Strategy Alliance hosted a demo of AtTask project management software on Friday, September 9th.  @tTask is a cloud-based Project Management solution.  


Project Management Software Features List - this is a Wikipedia page that lists project management software and main project tracking areas each solution supports.

REASON:  I have found that, while we have an in-house, "home-grown" project management solution that is focused on IT projects, I still use multiple tools and environments to accomplish project management  - Google Sites, Google Documents, Google Calendar, Google Tasks, UThink, OmniPlan, MS Excel, MS Word, etc.  The separation may be by project, but more often by task across projects.  I hear regularly from colleagues that they have the same issue and it "sure would be nice to have a common good project management solution at the University".  

HISTORY: When searching for software that included a full set of tools to support project management processes and tasks, I had a short list of software.  I was really impressed with AtTask because in addition to a full project management feature set, one feature was for connectivity via mobile devices.  I had viewed a demo of this software two years ago when in search of a project management solution.  My desire was to find something for both work within GPS Alliance IT, but that could be used for all project management and that would hopefully allow for use by teams that are comprised of members from both inside and outside GPS Alliance.  

ATTENDEES:  The timeframe was quite short for scheduling the demo - On the Tuesday prior, I scheduled it thinking it would be just me.  On Wednesday, I had the idea of inviting some others, and "some others" turned into inviting all PCMC members.  We ended up with 6 PCMC members attending the ~45 minute presentation.

DREAM:  I revealed my dream to the attendees of the demo that a solution, @tTask or another appropriate solution, could be implemented at the University of Minnesota and that we would become an "@tTask Enterprise".  It could be implemented centrally as a common good service to handle the gamut of projects, allow different access levels across the institution to utilize the system - from upper-level administration viewing reporting across colleges and units, to team members communicating and engaging each other on project tasks and tracking their progress, to project managers being able to see all their staff and all projects that are in the system for which they are responsible.  The University could leverage it in any courses focused on, or that have a component of, project management.

QUESTIONS:  A number of questions could not be answered during the demo.  The questions and answers are below.

- Are there other Universities using AtTask?
Yes, there are several. A few I was able to come up with right away were Juilliard, CUNY, and Macquarie University. There are more if you want to know.

- Are we able to sync documents from other sources?
No, we don't sync with other sources. But, you mentioned Google Docs, within AtTask you can link to an external site such as Google Docs.

- Can you view a list of projects? Not just the projects assigned to myself?
Yes you would just create a custom report/dashboard to view it this way.

- How much time to become acquainted with the tool?
System Admin - 
Project Manager - 3 day training course is a must but results in 
Project Member -
Reporting - 

DEMO NOTES:  A demo attendee submitted these notes.

Includes tasks, issues, docs, notes, (sync with data storage), email notification 

Gantt chart looks very clear/easy; can look at who assigned to each task, milestones etc. Can do resource assignments from within Gantt - person gets email and also has their own view. Based on how many hours you have available to each person. Can match who has time to skills and time for a task. Drag and drop.

Exec Reports - they can log in and look at reports. About 90 dashboards available. Can easily see where you're behind... Can schedule a report to be emailed to certain people. Lots of management options for levels of access.

Has status updates at individual level. Can move what you're working on to different priorities. Can log time. 

Seems to really work for someone on one project at a time. Doesn't seem to be a way for an individual to keep up with their multiple projects separately.  ANSWER - Every user can see an overview of all of their projects.

No academic pricing model. Pricing by User (PM, Team, View Only). 

Training sold separately. Plus subscription model.  

How work with Google Docs/Netfiles?  ANSWER - setup external link.  


PRICING:  I have asked about educational pricing, but haven't received specifics on that as of yet.  Prices below are retail and are per user per year.

Project Manager Enterprise - $650
Project Manager Professional - $395
Team Members - $250
View Only - $150

The difference between the Enterprise and Professional is the Portfolio Management. This would provide you with the ability to see upcoming projects, approval process for projects, and see whether you will have the bandwidth for upcoming projects.

TEST ACCOUNT:  AtTask provided us with a test account that will be available until 9/30/2011.  If we need a little more time, I can make that request.  Please let me know if you are interested and how much time you might need.

Location and Credentials:
https://testdrive2.attask.com

Project Management View
username: christopher.mscott
password: user

You can also find some helpful training tips at https://help.attask.com


Technology -

     My Presentation
  • Suggestions
    • Schedule a day or two each month in each unit to do software updates.
  • Action Items
    • Post Workplan (Gantt Chart) on Knowledge Base
    • Post reports from both Project Management system and Support Request system
    • Work to have both of these move to display via GPS Alliance intranet with data flowing from the databases.
    • Talk to Barbara about the reason system development has not been offered and find out if that has changed.
    • Coffee individually with each Director
Funding
  • Meet with Diane Young about CRM
  • Have Eric Schnell come to Directors meeting to talk about CRM initiative
  • Do we have constituents or relationships we can foster and possibly get funding?
  • Software sales
  • Development for fee for UofM community

Professional Development
  • Work with Barbara Kappler/Molly Portz to design tracking mechanism in Staff Database OR as part of expertise?
Changing the Dynamics
  • GPS Alliance "Cross-Cultural" internship or lunch with colleague
  • How do we get our IT staff more time with Meredith
    • Lunch for all of us
    • Coffee with the Dean
    • Retreat and have Meredith attend/present
    • Staff Meeting (monthly?)

Programming Languages

There are so many languages/environments to develop in, and it is tough to decide where to spend time.  

≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈

In my initial research, I found a good progressive language list suggested to a new programmer.

  1. Python
  2. XHTML (the latest "dialect" of HTML, because you need to be able as a programmer to integrate with the internet)
  3. Turbo Pascal (only because this is the language with the most books/tutorials/articles out there and you learn a very structured and meaningful language)
  4. Java (This produces more powerful code)
  5. Perl (is in use all over)
  6. LISP (just for the satisfaction of mastering it)
  7. C++ (the most powerful and accurate language there is. However you will have to do a lot of debugging, which you will have learnt to master in the previous languages)

After you have mastered these most commonly known programs, you should be able to learn a new one just by learning the syntax in 3-4 days tops.

A response to the list above:

"Check out the courses offered from any reputable institution (read college/university NOT Technical Institute) and you will see that the FIRST language they have you learn is...drum roll please...C++. Why? Because C++ allows you to learn in a gradual manner, building upon the procedural roots and previous lessons, until you are able to do object oriented powerful programs (and some quite academic such as traversing a binary tree using doubly-linked lists - something you could not do in any language that does not have pointers and pointer mathematics). You may never need, itrw, to build a system using binary trees and doubly-linked lists, but once you have mastered them you start to see more possibilities when you are given an assignment from your boss."

≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈

Other languages and environments to consider - Django (Python), PHP, SQL, Lasso, ColdFusion, Ruby on Rails, Visual Basic, DHTML, ASP, C#, Java, Xcode, iOS, Android

≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈≈

For cross-platform, it seems C++ and Java are the best options.  Or focus development on web-based applications.

Staff Database - Staff Expertise/Experience Tracking

Meeting Minutes from 4/5/2011 - 

Attendees: Eric Kroetsch, Mary Katherine O'Brien, Molly Portz, Myself

Purpose: Eric and Mary Katherine are leading the Staff Expertise and Research deliverable team with the mission "To explore existing staff expertise and research strengths". Eric contacted me after Gayle mentioned that we in the Dean's Office / Dean's Office IT have been working on the GPS Alliance staff database. The deliverable team has developed a survey to administer to GPS Alliance staff and didn't want to duplicate effort if we were going to be surveying for similar information on staff expertise/experience in the staff database. GOOD CALL!

---------------------------------------------------------------------------------
Question: What problem are we trying to solve?
Answer:  
  • Collect and share staff expertise in areas of research, work/education, and job function, allowing for formal and informal synergies to develop across all GPS Alliance units.
  • Collect and share relationships with students, staff, faculty, administration around the University. Define in general terms what that relationship is - what GPS Alliance initiative, project, interest to which it may pertain.

-------------------------------------------------------
A word about collecting data...

While defining the requirements/specifics of this initiative, all involved in the project need to continually ask themselves "How will the data get used?"

It can be attractive to gather data because it is interesting, but to be fair to the people being asked to provide the data, the people asked to manage the data, the people asked to support the mechanisms that hold the data, etc., there should be defined, active purposes for the data collected.

"We might use it sometime" is not a good rationale. It can be added later if that is the case.

----------------------------------------------------
Notes:

Staff expertise area - not a snapshot, but an ongoing system for displaying growing expertise.  Harness the collective research capacity (Molly).

Research Expertise > Work/Education Expertise > Job Function Expertise

How do each of us touch others at the University?  Relationship tracking with faculty, staff, students, and in what ways?  how we communicate with them?  how often do we meet with them?

Bios - explanation of experience, life, etc. (new staff focus?)

Educational Experience

Language Experience

Global Experience

Work Experience

Funding

Research

Publishing

Teaching

How do we organize the data in main areas and what goes underneath?
Do the main areas coincide with central themes, pillars?

Basic Bio/Demo
Emergency Contact
Emergency Procedures (contact tree, any automation around emergency situations/scenarios)

Use Strategic Plan Deliverable team survey as a pilot?

--------------------------------------------------------------------
Wireframe:
After the meeting, Molly and I brainstormed a bit about what a page might look like in the Staff database that would be used for displaying staff expertise/experience information.

GPSStaffDatabase_StaffExpertise_Wireframe_v1_7inch.jpg



Example scenarios of use of "Who do you interact with?"

- Molly gets an inquiry from a faculty member or another institution about who works with faculty on custom programs

- Brook says "I interact with students in the same way Beth Insensee does - she with international students, I with domestic.  Why don't we do it together?"  This can be self-determined by staff in GPS Alliance if they have the information to connect with each other.

Adobe Saveable Forms

Problem:
Generating saveable forms that can be emailed once completed by the constituent and either stored by GPS Alliance or forwarded on to a central unit for processing.

The latter includes many financial forms.

Solutions:
  • Traditional non-saveable forms that are written on and faxed back to GPS Alliance or directly to central unit.
  • Web form that sends form contents in an email to a pre-determined email address. 
  • Web form that connects to database, which stores information for processing and manipulation
  • Saveable PDF that will allow forms to be saved by the constituent and emailed to GPS Alliance or central unit (500 extractions - any usage of the data - allowed)
  • Workflow software (currently GPS Alliance is involved in the Workflow Consortium using WorkflowGen) which takes much more work than Adobe products, but allows for web forms to be built, backed by a database, integrated UofM authentication, and routing for all appropriate parties to the form process.


Adobe Licensing for Saveable forms:

http://www.adobe.com/products/eulas/pdfs/Gen_WWCombined-20080205_1329.pdf

15.12 Acrobat Pro and Acrobat Pro Extended Feature. 15.12.1 Definitions.
15.12.1.1 "Deploy" means to deliver or otherwise make available, directly or indirectly, by any means, an Extended Document to one or more recipients.
15.12.1.2 "Extended Document" means a Portable Document Format file manipulated by Acrobat Pro or Acrobat Pro Extended Software to enable the ability to locally save documents with filled-in PDF forms.
15.12.2 If the Software includes Acrobat Pro or Acrobat Pro Extended, the Software includes enabling technology that allows you to enable PDF documents with certain features through the use of a digital credential located within the Software ("Key"). You agree not to access, attempt to access, control, disable, remove, use or distribute the Key for any purpose.
15.12.3 For any unique Extended Document, you may only either (a) Deploy such Extended Document to an unlimited number of unique recipients but shall not extract information from more than five hundred (500) unique instances of such Extended Document or any hardcopy representation of such Extended Document containing filled form fields; or (b) Deploy such Extended Document to no more than five hundred (500) unique recipients without limits on the number of times you may extract information from such Extended Document returned to you filled-in by such Recipients. Notwithstanding anything herein to the contrary, obtaining additional licenses to use Acrobat Pro or Acrobat Pro Extended shall not increase the foregoing limits (that is, the foregoing limits are the aggregate total limits regardless of how many additional licenses to use Acrobat Pro or Acrobat Pro Extended you may have obtained).


Explanation: (from http://acrobatusers.com/forum/forms-acrobat/license-limitations-forms in August 2010)

Standard allows you to create forms but only other Acrobat users can fill them in and save the data, and if your users are all working in Acrobat, there are no limits on how many responses you can process.

If you're using Acrobat Pro and are using Reader-extended forms, then to be specific there are (and can be) no limits on the actions of the user as they're not bound by the Acrobat EULA. An unlimited number of people can open and fill in the form, and an unlimited number of them can submit the data back to you.

However, if the recipient list exceeds 500 people, you are only permitted to extract information from 500 of those replies. If there are fewer than 500 recipients in total (and you must of course know this in advance) they can each keep sending you the same form data over and over again, which means you could end up with thousands of extracted datasets.

In the context of Acrobat, "extract" means either to reload the FDF data into Acrobat to see the fields populated in your copy of the PDF, or to take the data directly and use them without Acrobat (including human or machine reading of printouts, faxes, etc). Anything whereby you get access to what they typed in the fields.

Remember that this is a per-document limit; so if you send out ten different surveys, you could process responses from 5000 users in total (some of whom can overlap) - which is the typical way people will handle things like a PDF form on a website (when your 500th user emails in their data, delete it, upload a new form and start again from zero).

We know the wording of 15.12 is ambiguous, so there is opportunity for interpretation; however to work beyond the 15.12.3 limits on a unique document you would need to purchase the server-based Adobe LiveCycle product.

Workflow - WorkflowGen - Getting Started

Issues:
1.  Had problems installing Visual Studio Pro 2010.  After downloading all four files from the OIT downloads page (https://download.software.umn.edu/download), the instructions say

  "Due to the size of this product, this package has been divided into four files. You will need to download all four files to the same directory. Then click on the file named C5E-00657.zip. This will extract all of the files from the entire package. *You will not need to click on parts 2-4*. You may need WinZip 9.0 or higher." 

Using Windows 7.  Whether I clicked on .zip file as stated or WinZip or 7-zip, the same directory of files appeared, but did not result in either an extraction (or what I expected from an extraction process - actually, it seemed as though the first file was already extracted, but no instructions on how it interacts with the other three files...) or any indication of an installation of any kind.

1:28 - It seems an indication in instructions to double-click the 'auto run' application file in the "C5E-00657" folder/directory would have saved me a lot of time...


Workflow software at the University

I have been a member of the Workflow consortium for 2 years now and am looking forward to GPS's first project going live for the Judd Fellowship applications, and quickly followed by Global Spotlight funding applications, and International Travel Grant applications.

I have been thinking about how GPS units may use this, but I have also grasped on to some thoughts I have had for years about automating central form submission processes and now am formalizing these thoughts. What kind of benefits can we realize centrally at the UofM?  I believe that the Workflow Consortium needs to "shop" the WFG tool to some central units that will affect a large base of users.

Employee Reimbursement 
Purchasing Card documentation
Access Request Forms for PeopleSoft, Data Warehouse, etc.
Vacation and Sick Leave routing 
Childcare and Medical Expense Reimbursement requests
Regents scholarship routing 
Student facing forms (Examples:  student forms on One Stop)



Data Collection for the GPS Strategic Planning Initiatives

After the most recent GPS Directors Meeting, it has become apparent that there is a need for a data collection tool to manage information gathered regarding the initiatives of the 2010 GPS strategic planning effort.

There are numerous areas where this is immediately apparent.  It is still early and I will be gathering requirements and fleshing out a Statement of Work. 

How do we track the overall decisions on how to address the initiatives?

Initial Ideas:
INFORMATION
OIP Staff Expertise (this can be next phase of GPS Staff Database)

EXTERNAL RELATIONSHIP
Contact Info (First Name, Last Name, Title, Institution, Phone, Email, Address)
Location
Category (Funding, Educational, etc.)
Relationship Category (Alumni, NGO, etc.)


STUDENT AND SCHOLAR

FACULTY AND STAFF

Moodle Online Orientations

How to Use Moodle:


ISSUES/PROCESS STAGES:
1.  Notifying participants (UofM and non-UofM) not already added to Learning Abroad Online Orientations Moodle Course

Manual emails to students informing them of URL to visit regarding explanation of and access to online orientations.

2.  Adding participants

Enrollment by central UofM Moodle support:  See the OIT Moodle support instructions for requesting that a bulk list of participants not currently in Moodle be added by OIT Moodle support staff.

Self-Enrollment by participants:  See the instructions for setting up a course to allow participants to self-enroll.  The instructions can be found under the second main heading half-way down the page.

LAC staff can add students one by one.  This happens in the "Assign Roles" function.

3.  Moving presentations into Moodle

See the instructions for uploading presentations.  Use option 2.

4.  Moving presentations with quizzes into Moodle

See the instructions for uploading presentations with quizzes so quiz scores may be tracked in the Moodle Gradebook.  Use option 3.

5.  Monitoring participants' required orientation completion and reminders

This will happen through the Gradebook and logs.  More automated functionality will be in Moodle 2.0 version that will be available Summer 2011.
Reminders will be manual emails that the orientation coordinator must manage.


OUTSTANDING QUESTIONS
1.  If we can have the orientations be an academic course or linked to one, we can operate like we used to in UMConnect and register participants.  How do we go about this?  What academic course could we attach this to?  

06/28/2010- working with Emily Mraz and Sarah Groskreutz to get current appropriate LAC staff assigned as instructors to these courses so we can use them to manage participant registration in Moodle.

ANSWER - can't change/use instructors.  There's no one course or small number of courses that all participants "take".  Moreover, the timing of assigning the courses happens too late for orientation. (via Sarah Groskreutz)

2.  How many LAC orientations should be in Moodle?  

3.  How to deal with different terms of participants?  Groups?  Sections?  New Course?