Taken from ISC Diary entry - "Security 101: Security basics in 140 characters or [fewer]"
|@ChrisJohnRiley||If you can guess where PHPmyAdmin is installed, then so can attackers.|
|@DavidJBianco||You are already pwn3d. The question is, "What will you do about it?"|
|@Keldr1n||Don't leave default passwords on the administrative interfaces of your 3rd party web applications.|
|@Keldr1n||Know your network - and all devices in it - well enough to spot unusual activity.|
|@Keldr1n||Users are almost always the weakest link. Make it a priority to educate them. Do most of yours even know what phishing is?|
|@averagesecguy||Security 101: If you don't need it, turn it off.|
|@bowlesmatt||Passphrases are the new passwords. Make a sentence that is long, hard to guess, and easy to remember. ihatepasswordsseewhatididthere?|
|@bowlesmatt||Patch your systems and disable any unused services to reduce attack surface.|
|@bradshoop||Never trust a host you can't trust.|
|@bradshoop||Computers remember a lot. Even more if you contact security personnel before you reboot.|
|@bradshoop||Dedicate personnel to prevention AND detection. Preferably the same personnel in rotation to breed familiarity and contempt.|
|@connellyuni||It's more important to know what you don't know than it is to know what you do know.|
|@cutaway||Try to avoid saying "We are investigating... why equipment that we have a destruction certificate for was... sold online" to the media.|
|@cutaway||Assets using secure authentication are directly and adversely impacted by your assets using plain text authentication.|
|@cutaway||Complacency: 1) Self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies. 2) You will be hacked.|
|@cutaway||Default SSL Certs for internal management interfaces should be replaced with valid certificates associated with the organization.|
|@cutaway||Don't be afraid of your incident response plan. Conducting investigations will give your team experience and eventually reduce costs.|
|@cutaway||How do you "Find Evil" in your organization? Seriously, go "Find Evil" and report back to me.|
|@cutaway||IT environments are complex systems. They require a System Development Life Cycle to effectively manage AND secure.|
|@cutaway||If your product allows remote connections somebody WILL write a python/perl/ruby script to connect to it and send whatever THEY want.|
|@cutaway||Monitor and alert to new accounts and accounts being added to Domain Administrator, SUDO, or root groups.|
|@cutaway||Product certification does not mean it has been deployed correctly. Review placement, logging, access, input validation, etc...|
|@cutaway||Service accounts should adhere to corporate password policies and be monitored for modifications including lockout.|
|@eternalsecurity||Make sure you're protecting the right thing. A belt AND suspenders doesn't help if you're not wearing pants.|
|@hal_pomeranz||"A backup is not a backup until you do a restore." #sysadminkoan|
|@hy2jinx||Attack vectors and regulatory requirements change. "That's how we've always done it" is a poor and lazy excuse.|
|@hy2jinx||Scanner "infos" can turn up bigger issues than you'd guess. Look at overall results, not just singles.|
|@hy2jinx||Five missing patches across 100 devices does not equal "five vulnerabilities."|
|@hy2jinx||It's cheaper to consult a security professional from conception than mere days before "go live."|
|@hy2jinx||Security professionals should be empowered to point the business towards good decisions and reserve the power of "No" for a last resort.|
|@itinsecurity||In your encryption system, your key is the weakest link. If it isn't, you're doing it wrong.|
|@itinsecurity||Security is not a box you buy or an app you write. It's an emergent property, a sum greater than its parts.|
|@jarocki||"Dear User: Millions of $$ of software won't keep you from clicking that link. Only YOU can prevent link clicking."|
|@jarocki||When it comes to security controls, Trust But Verify... nah, forget the Trust... just Verify.|
|@jimmyzatl||If you don't log "accepts" in your FW logs for admin protocols you will have no way of knowing when those accounts are abused.|
|@jimmyzatl||An encryption algorithm that has to be hid from the public is by definition a weak algorithm...|
|@ken5m1th||That successful PCI DSS Report On Compliance will not save you from Zombies.|
|@kentonsmith||When setting up any new system, Step 1: Change default admin password.|
|@kill9core||Security through obscurity, or the practice of hiding flaws hoping they won't be found, has proven time and time again not to work.|
|@mattdoterasmus||Just because your security teams work from 9-5, doesn't mean attackers aren't looking the rest of the time.|
|@omegadefence||The attitude that "it won't or can't happen to us" because "we're too small/big/have nothing to offer" is dangerous.|
|@omegadefence||The attitude that "I can't do anything about it so I won't even bother with security or reporting" is also dangerous.|
|@omegadefence||Analyse your logs in detail, it is those with their heads buried in your logs that hold the key to prevent, detect and recover.|
|@omegadefence||Give only the permissions required to do the normal daily duties, nothing more. Special logons for special occasions.|
|@omegadefence||Best: using high-speed trend analysis with custom searches as well as automated reporting AND followup.|
|@rob_bainbridge||Security teams that work in isolation and without transparency will fail. Collaborate with other risk mgmt - audit, ops risk, etc...|
|@tccroninv||Those that store passwords in plain-text invite catastrophe.|
|@tliston||"We can't implement strong passwords/two-factor authentication. Our users aren't capable," says more about your competence than theirs.|
|@tliston||Developers: Never roll your own encryption, authentication or session management schemes. You're not that smart. Trust me.|
|@tliston||If you don't have written authorization to perform security-type testing in your organization, don't. You're too pretty for prison.|
|@tliston||If you're not putting as much thought into your outbound firewall rules as you are for your inbound rules, you're doing it wrong.|
|@tliston||If you're not supporting a legacy Windows OS, for the love of all that is Holy, turn off LANMAN hashes.|
|@tliston||If you've never tested restoring from your backups, then you don't have backups - you have a crapload of data and hope.|
|@tliston||If your internal security posture is based on,"our employees wouldn't know how to do that," then you're likely already 0wned.|
|@tliston||Remember: As an attacker, I exploit misplaced trust. There's nothing mystical or magical about it.|
|@tliston||Run scans against your network. It's the only way to really know what's out there. I've yet to see a fully accurate network diagram.|
|@tliston||Sanity check security spending. A $500 lock on a cheap wood door doesn't buy security. It just gives a thief something to laugh at.|
|@tliston||Security isn't just about preventing compromise. It's about maintaining confidentiality, integrity & availability despite compromise.|
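Two of the tips above are concrete enough to turn into detection logic: @cutaway's "monitor and alert to new accounts and accounts being added to Domain Administrator, SUDO, or root groups" and @jimmyzatl's point that without logged "accepts" for admin protocols you cannot tell when an admin account is abused. The script below is an added example, not part of the ISC Diary entry or any of the quoted tweets. It scans a constructed log sample in Linux auth.log format (the `useradd`/`usermod` message formats are the real shadow-utils ones) plus iptables LOG lines written with an assumed `ADMIN-ACCEPT:` log prefix, and returns an alert for each new account, each UID 0 account, each addition to a privileged group, and each accepted connection to an administrative port from outside an assumed jump-host subnet.

```python
import ipaddress
import re

# --- Constructed sample input (not from the original page) -------------------
# Linux shadow-utils messages as they appear in auth.log, plus iptables LOG
# lines with an assumed "ADMIN-ACCEPT:" prefix on the rules that accept
# traffic to administrative ports. 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
Sep  9 10:01:12 web01 useradd[2311]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash
Sep  9 10:02:40 web01 usermod[2318]: add 'deploy' to group 'sudo'
Sep  9 10:02:40 web01 usermod[2318]: add 'deploy' to shadow group 'sudo'
Sep  9 10:05:03 web01 usermod[2330]: add 'alice' to group 'developers'
Sep  9 10:06:19 web01 useradd[2400]: new user: name=sysadm, UID=0, GID=0, home=/root, shell=/bin/bash
Sep  9 10:10:01 fw01 kernel: ADMIN-ACCEPT: IN=eth0 OUT=eth1 SRC=10.20.0.15 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=22 SYN
Sep  9 10:11:47 fw01 kernel: ADMIN-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=40112 DPT=3389 SYN
"""

# Groups whose membership is root-equivalent on most Linux hosts.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "admin", "adm"}
# SSH, RDP, VNC: ports whose accepted connections should always be logged.
ADMIN_PORTS = {22, 3389, 5900}
# Assumed: only the jump-host subnet is expected to reach admin ports.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# useradd logs "new user: name=<name>, UID=<uid>, GID=..." on account creation.
NEW_USER_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)"
)
# usermod logs the group and the shadow group separately; treat both as one.
GROUP_ADD_RE = re.compile(
    r"usermod\[\d+\]: add '(?P<name>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'"
)
# iptables LOG target fields: SRC and DST are adjacent, DPT follows later.
FW_ACCEPT_RE = re.compile(
    r"ADMIN-ACCEPT: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def is_trusted_admin_source(ip):
    """True if the source address lies inside an allowlisted admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def scan_log(text):
    """Return a list of (alert_kind, subject, detail) tuples worth paging on."""
    alerts = []
    seen_group_adds = set()
    for line in text.splitlines():
        m = NEW_USER_RE.search(line)
        if m:
            uid = int(m["uid"])
            # A second UID 0 account is a classic persistence indicator.
            kind = "uid_zero_account" if uid == 0 else "new_account"
            alerts.append((kind, m["name"], uid))
            continue

        m = GROUP_ADD_RE.search(line)
        if m:
            if m["group"] not in PRIVILEGED_GROUPS:
                continue
            key = (m["name"], m["group"])
            if key in seen_group_adds:  # de-duplicate the shadow-group line
                continue
            seen_group_adds.add(key)
            alerts.append(("privileged_group_add", m["name"], m["group"]))
            continue

        m = FW_ACCEPT_RE.search(line)
        if m and int(m["dpt"]) in ADMIN_PORTS and not is_trusted_admin_source(m["src"]):
            alerts.append(("admin_port_from_untrusted", m["src"], int(m["dpt"])))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

On the sample input this yields four alerts: the `deploy` account creation, its addition to `sudo` (reported once despite two `usermod` lines), the `sysadm` account created with UID 0, and the RDP accept from 203.0.113.7; the SSH accept from the trusted jump-host range is logged but not alerted on, which is exactly the audit trail @jimmyzatl's tip asks for.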
Christopher Stordalen from the Global Programs and Strategy Alliance hosted a demo of AtTask project management software on Friday, September 9th. @tTask is a cloud-based Project Management solution.
Project Management Software Features List - this is a Wikipedia page that lists project management software and main project tracking areas each solution supports.
REASON: I have found that, while we have an in-house, "home-grown" project management solution that is focused on IT projects, I still use multiple tools and environments to accomplish project management - Google Sites, Google Documents, Google Calendar, Google Tasks, UThink, OmniPlan, MS Excel, MS Word, etc. The separation may be by project, but more often by task across projects. I hear regularly from colleagues that they have the same issue and it "sure would be nice to have a common good project management solution at the University".
HISTORY: When searching for software that included a full set of tools to support project management processes and tasks, I had a short list of software. I was really impressed with AtTask because in addition to a full project management feature set, one feature was for connectivity via mobile devices. I had viewed a demo of this software two years ago when in search of a project management solution. My desire was to find something for both work within GPS Alliance IT, but that could be used for all project management and that would hopefully allow for use by teams that are comprised of members from both inside and outside GPS Alliance.
ATTENDEES: The timeframe was quite short for scheduling the demo - on the Tuesday prior, I scheduled it thinking it would be just me. On Wednesday, I had the idea of inviting some others, and "some others" turned into inviting all PCMC members. We ended up with 6 PCMC members attending the ~45 minute presentation.
DREAM: I revealed my dream to the attendees of the demo that a solution, @tTask or another appropriate solution, could be implemented at the University of Minnesota and that we would become an "@tTask Enterprise". It could be implemented centrally as a common good service to handle the gamut of projects, allow different access levels across the institution to utilize the system - from upper-level administration viewing reporting across colleges and units, to team members communicating and engaging each other on project tasks and tracking their progress, to project managers being able to see all their staff and all projects that are in the system for which they are responsible. The University could leverage it in any courses focused on, or that have a component of, project management.
QUESTIONS: A number of questions could not be answered during the demo. The questions and answers are below.
- Are there other Universities using AtTask?
Yes, there are several. A few I was able to come up with right away were Juilliard, CUNY, and Macquarie University. There are more if you want to know.
- Are we able to sync documents from other sources?
No, we don't sync with other sources. But, you mentioned Google Docs, within AtTask you can link to an external site such as Google Docs.
- Can you view a list of projects? Not just the projects assigned to myself?
Yes you would just create a custom report/dashboard to view it this way.
- How much time to become acquainted with the tool?
System Admin -
Project Manager - 3 day training course is a must but results in
Project Member -
DEMO NOTES: A demo attendee submitted these notes.
Based on how many hours you have available to each person. Can match who has time to skills and time for a task. Drag and drop.
PRICING: I have asked about educational pricing, but haven't received specifics on that as of yet. Prices below are retail and are per user per year.
Project Manager Enterprise - $650
Project Manager Professional - $395
Team Members - $250
View Only - $150
The difference between the Enterprise and Professional is the Portfolio Management. This would provide you with the ability to see upcoming projects, approval process for projects, and see whether you will have the bandwidth for upcoming projects.
TEST ACCOUNT: AtTask provided us with a test account that will be available until 9/30/2011. If we need a little more time, I can make that request. Please let me know if you are interested and how much time you might need.
Location and Credentials:
Project Management View
You can also find some helpful training tips at https://help.attask.com
My Presentation -
There are so many languages/environments to develop in, and it is tough to decide where to spend time.
In my initial research, I found a good progressive language list suggested to a new programmer.
For cross-platform, it seems C++ and Java are the best options. Or focus development on web-based applications.
Meeting Minutes from 4/5/2011 -
Attendees: Eric Kroetsch, Mary Katherine O'Brien, Molly Portz, Myself
Purpose: Eric and Mary Katherine are leading the Staff Expertise and Research deliverable team with the mission "To explore existing staff expertise and research strengths". Eric contacted me when Gayle had mentioned we in Dean's Office/Dean's Office IT have been working on the GPS Alliance staff database. The deliverable team has developed a survey to administer to GPS Alliance staff and didn't want to duplicate effort if we were going to be surveying for similar information for staff expertise/experience in the staff database. GOOD CALL!
Question: What problem are we trying to solve?
A word about collecting data...
While defining the requirements/specifics of this initiative, all involved in the project need to continually ask themselves "How will the data get used?"
It can be attractive to gather data because it is interesting, but to be fair to the people being asked to provide the data, the people asked to manage the data, the people asked to support the mechanisms that hold the data, etc., there should be defined, active purposes for the data collected.
"We might use it sometime" is not a good rationale. It can be added later if that is the case.
Staff expertise area - not a snapshot, but an ongoing system for displaying growing expertise. Harness the collective research capacity (Molly).
Research Expertise > Work/Education Expertise > Job Function Expertise
How do each of us touch others at the University? Relationship tracking with faculty, staff, students, and in what ways? how we communicate with them? how often do we meet with them?
Bios - explanation of experience, life, etc. (new staff focus?)
How do we organize the data in main areas and what goes underneath?
Do the main areas coincide with central themes, pillars?
Emergency Procedures (contact tree, any automation around emergency situations/scenarios)
Use Strategic Plan Deliverable team survey as a pilot?
After the meeting, Molly and I brainstormed a bit about what a page might look like in the Staff database that would be used for displaying staff expertise/experience information.
Example scenarios of use of "Who do you interact with?"
- Molly gets an inquiry from a faculty member or another institution about who works with faculty on custom programs
- Brook says "I interact with students in the same way Beth Insensee does - she with international students, I with domestic. Why don't we do it together?" This can be self-determined by staff in GPS Alliance if they have the information to connect with each other.
Generating saveable forms that can be emailed once completed by the constituent and either stored by GPS Alliance or forwarded on to a central unit for processing.
The latter includes many financial forms.
Adobe Licensing for Saveable forms:
15.12 Acrobat Pro and Acrobat Pro Extended Feature. 15.12.1 Definitions.
15.12.1.1 "Deploy" means to deliver or otherwise make available, directly or indirectly, by any means, an Extended Document to one or more recipients.
15.12.1.2 "Extended Document" means a Portable Document Format file manipulated by Acrobat Pro or Acrobat Pro Extended Software to enable the ability to locally save documents with filled-in PDF forms.
15.12.2 If the Software includes Acrobat Pro or Acrobat Pro Extended, the Software includes enabling technology that allows you to enable PDF documents with certain features through the use of a digital credential located within the Software ("Key"). You agree not to access, attempt to access, control, disable, remove, use or distribute the Key for any purpose.
15.12.3 For any unique Extended Document, you may only either (a) Deploy such Extended Document to an unlimited number of unique recipients but shall not extract information from more than five hundred (500) unique instances of such Extended Document or any hardcopy representation of such Extended Document containing filled form fields; or (b) Deploy such Extended Document to no more than five hundred (500) unique recipients without limits on the number of times you may extract information from such Extended Document returned to you filled-in by such Recipients. Notwithstanding anything herein to the contrary, obtaining additional licenses to use Acrobat Pro or Acrobat Pro Extended shall not increase the foregoing limits (that is, the foregoing limits are the aggregate total limits regardless of how many additional licenses to use Acrobat Pro or Acrobat Pro Extended you may have obtained).
Explanation: (from http://acrobatusers.com/forum/forms-acrobat/license-limitations-forms in August 2010)
Standard allows you to create forms but only other Acrobat users can fill them in and save the data, and if your users are all working in Acrobat, there are no limits on how many responses you can process.
If you're using Acrobat Pro and are using Reader-extended forms, then to be specific there are (and can be) no limits on the actions of the user as they're not bound by the Acrobat EULA. An unlimited number of people can open and fill in the form, and an unlimited number of them can submit the data back to you.
However, if the recipient list exceeds 500 people, you are only permitted to extract information from 500 of those replies. If there are fewer than 500 recipients in total (and you must of course know this in advance) they can each keep sending you the same form data over and over again, which means you could end up with thousands of extracted datasets.
In the context of Acrobat, "extract" means either to reload the FDF data into Acrobat to see the fields populated in your copy of the PDF, or to take the data directly and use them without Acrobat (including human or machine reading of printouts, faxes, etc). Anything whereby you get access to what they typed in the fields.
Remember that this is a per-document limit; so if you send out ten different surveys, you could process responses from 5000 users in total (some of whom can overlap) - which is the typical way people will handle things like a PDF form on a website (when your 500th user emails in their data, delete it, upload a new form and start again from zero).
We know the wording of 15.12 is ambiguous, so there is opportunity for interpretation; however to work beyond the 15.12.3 limits on a unique document you would need to purchase the server-based Adobe LiveCycle product.
1. Had problems installing Visual Studio Pro 2010. After downloading all four files from the OIT downloads page (https://download.software.umn.edu/download), the instructions say
"Due to the size of this product, this package has been divided into four files. You will need to download all four files to the same directory. Then click on the file named C5E-00657.zip. This will extract all of the files from the entire package. *You will not need to click on parts 2-4*. You may need WinZip 9.0 or higher."
Using Windows 7. Whether I clicked on the .zip file as stated or used WinZip or 7-zip, the same directory of files appeared, but it did not result in either an extraction (or what I expected from an extraction process - actually, it seemed as though the first file was already extracted, but there were no instructions on how it interacts with the other three files...) or any indication of an installation of any kind.
1:28 - It seems an indication in instructions to double-click the 'auto run' application file in the "C5E-00657" folder/directory would have saved me a lot of time...
I have been a member of the Workflow consortium for 2 years now and am looking forward to GPS's first project going live for the Judd Fellowship applications, and quickly followed by Global Spotlight funding applications, and International Travel Grant applications.
I have been thinking about how GPS units may use this, but I have also grasped on to some thoughts I have had for years about automating central form submission processes and now am formalizing these thoughts. What kind of benefits can we realize centrally at the UofM? I believe that the Workflow Consortium needs to "shop" the WFG tool to some central units that will affect a large base of users.
Purchasing Card documentation
Access Request Forms for PeopleSoft, Data Warehouse, etc.
After the most recent GPS Directors Meeting, it has become apparent that there is a need for a data collection tool to manage information gathered regarding the initiatives of the 2010 GPS strategic planning effort.
There are numerous areas where this is immediately apparent. It is still early and I will be gathering requirements and fleshing out a Statement of Work.
How do we track the overall decisions on how to address the initiatives?
OIP Staff Expertise (this can be next phase of GPS Staff Database)
Contact Info (First Name, Last Name, Title, Institution, Phone, Email, Address)
Category (Funding, Educational, etc.)
Relationship Category (Alumni, NGO, etc.)
STUDENT AND SCHOLAR
FACULTY AND STAFF
How to Use Moodle:
1. Notifying participants (UofM and non-UofM) not already added to Learning Abroad Online Orientations Moodle Course
Manual emails to students informing them of URL to visit regarding explanation of and access to online orientations.
2. Adding participants
Enrollment by central UofM Moodle support: CLICK HERE for instructions on requesting a bulk list of participants not currently in Moodle be added by OIT Moodle support staff.
Self-Enrollment by participants: CLICK HERE for instructions on setting up a course to allow participants to self-enroll. The instructions can be found under the second main heading half-way down the page.
LAC staff can add students one by one. This happens in the "Assign Roles" function.
3. Moving presentations into Moodle
CLICK HERE to link to the instructions for uploading presentations. Use option 2.
4. Moving presentations with quizzes into Moodle
CLICK HERE to link to the instructions for uploading presentations with quizzes so quiz scores may be tracked in the Moodle Gradebook. Use option 3.
5. Monitoring participants' required orientation completion and reminders
This will happen through the Gradebook and logs. More automated functionality will be in Moodle 2.0 version that will be available Summer 2011.
Reminders will be manual emails that the orientation coordinator must manage.
1. If we can have the orientations be an academic course or linked to one, we can operate like we used to in UMConnect and register participants. How do we go about this? What academic course could we attach this to?
06/28/2010- working with Emily Mraz and Sarah Groskreutz to get current appropriate LAC staff assigned as instructors to these courses so we can use them to manage participant registration in Moodle.
ANSWER - can't change/use instructors. There's no one course or small number of courses that all participants "take". Moreover, the timing of assigning the courses happens too late for orientation. (via Sarah Groskreutz)
2. How many LAC orientations should be in Moodle?
3. How to deal with different terms of participants? Groups? Sections? New Course?