OCIO Newsletter issue 16


OCIO NEWSLETTER Issue 16 • JUL 2014

SPOTLIGHT

TAG and MADG project sharing series (III):

DEC Technology Adoption Grants for Teaching Innovation Series
Angel Lu

In part 3 of this series, we highlight two impressive projects that received funding from the DEC “Technology Adoption Grants for Teaching Innovation” (TAG). The first project, “Technology Application in the Analysis of Group Dynamics and Group Work Skills,” was led by Dr. Sylvia Kwok Lai Yuk-ching from the Department of Applied Social Studies (SS). The second, “Using Mobile Technology to Promote Intelligence, Social and Mobile Learning,” was led by Terence C.H. Cheung from the Department of Information Systems (IS). Both projects demonstrate the positive influence that technology adoption can have on students’ teaching and learning.

INDEX

SPOTLIGHT
1 DEC Technology Adoption Grants for Teaching Innovation Series

FEATURE
3 CityU ITSM (ISO 20000) Project Update
7 Canvas Extended Pilot
9 IET/MATE Hong Kong Underwater Robot Challenge 2014
19 Security Information and Event Management (SIEM) Phase 3 Upgrade: More Than Just Service Monitoring

BRIEF UPDATES
12 Migration of Staff Email System from MS Exchange to MS Office 365 Exchange Online
16 A Quick Glance at Computer Courses that Keep Our Staff and Students Abreast of IT Knowledge
18 Prof. Cranor’s Security Blanket

FYI
11 Safe Mode in Android

IT SECURITY AWARENESS SERIES BY JUCC
14 Information Security Updates

STATISTICS AT A GLANCE
22 Central IT Fast Facts (2013-2014)

GLOSSARY CORNER
23 Heartbleed
24 Heartbleed explained by xkcd (comic)

Improving group dynamics and interaction via recording

It is not a matter of what the gadgets are, but how they are applied, that brings out their effective powers. Dr. Kwok transforms a video handset into an efficacious reflection device to encourage student engagement. In a typical practice session, students are split into groups with assigned roles, either as the social worker or as group members. The role-playing and group performances are recorded with the video handsets. Afterwards, the videos are uploaded to Blackboard and reviewed by all students. In class, iPads come in handy for playback, which facilitates more meaningful and detailed discussion among the groups. As a result, not only does the social worker in the group benefit from the feedback and suggestions aggregated from Blackboard and classmates, but all the other members also learn how to comment on group dynamics and the worker’s skills.

“Videotaping does help me and students provide more detailed and meaningful feedback,” Dr. Kwok noted appreciatively.

Practice makes perfect, especially in the area of social studies, which emphasizes group dynamics and interaction. However, Dr. Kwok aims further than mere practice. During the course, students are encouraged to carry out a real-life project with positive themes. Genuine clients, including primary school children, help create a vivid but practical learning experience. These valuable sessions are, undoubtedly, recorded and shared among all of the students. Thus, the recordings are turned into a collaboration tool for the mutual growth of students.

Collaboration on information sharing and e-portfolios

Technology is ever-changing, at the speed of a lightning bolt, while textbooks usually fall behind the pace due to their constraints. Dr. Cheung takes a proactive approach, employing new ideas from the project in his teaching. Rather than waiting passively, students are motivated to attend at least one industrial seminar during his course to obtain the latest information and share it immediately via Twitter. In return, students from the class of about 140 can acquire new information and tweet what they learnt from seminars promptly. Students are responsible for summarizing and sharing their information as a reflection report on Blackboard. Hence, through exchanging the most up-to-date industry information, students and seminar speakers, instead of instructors, act as the facilitators who construct the knowledge collaboration platform.

“Nowadays, I would like my students to stand up from the C-L-O-U-D (delivery of computing and content over network), as well as the crowds,” remarked Dr. Cheung.

Pragmatism has always been the core value of Dr. Cheung, as well as a requirement for students to follow. Dr. Cheung cultivates his students to see beyond the classroom. Therefore, another indispensable component of the project is to have students take part in authentic projects offered by real companies. Every mark counts during these projects, which fosters pragmatism. In reality, most supervisors are reluctant to give outstanding appraisals to subordinates, so it is challenging for students to obtain their desired grades. The intention of the project is to mold students’ attitudes and abilities for their future careers. Coincidentally, companies can take the chance to survey and select ideal candidates from the apprenticeships, which kills two birds with one stone! Competing for an internship is only the beginning. One of the most significant features of the project is the digital CV, or Smart CV, which retains students’ academic footprint, as well as competition results, internship and working experience, exchange experience, community service, etc. In addition, a one-minute self-introduction clip is logged into the system and opened to the public. Thanks to the widespread reach of the Internet, students enjoy the advantage of establishing their web identities and enhancing their online presence, which is becoming increasingly crucial in this IT era. Thus, potential employers now have an authentic source from which to identify their desired talents, while fresh graduates’ employability can also be improved and targeted.

Students as their own facilitators

Even though the two projects began with different aims, they share the same joy of success in encouraging active participation by students. Upon receiving splendid assessment scores from her students, Dr. Kwok smiled proudly, not because of the magnitude of the scores but because of the recognition from the students. Her future goal is to spend more time commenting on and modifying those recordings so that more students can benefit from the digitalized reflections. Dr. Cheung’s ideas from the project, on the other hand, have been adopted in a compulsory subject in the Department of Information Systems. He also hopes that in the future better social media functions and features will be integrated into the university platform, so that he will not have to keep multiple social media accounts and record participation manually in order to centralize student learning achievements and grade student work conveniently. With the wise application of technology, students no longer take a passive role, but evolve into their own facilitators in the process of effective learning and teaching.

FEATURE

CityU ITSM (ISO 20000) Project Update
Chadwick Leung

Project Background

In 2012, Central IT initiated a self-improvement project to implement an IT Service Management System (ITSMS) and an Information Security Management System (ISMS) following ISO/IEC 20000 and ISO/IEC 27001 respectively. The Paperless Office Service was selected as the first central service to follow these international standards, as it was the most significant mission-critical enterprise system under development at that time. ISO/IEC 20000 is a set of governance structures and best practices to ensure the quality of IT service management. ISO/IEC 27001, on the other hand, defines how information shall be protected. For more details about the ISO 20000 and 27001 standards, readers may refer to the reference material listed under “Further Readings” at the end of this article.

The Paperless Office Service is CityU’s Enterprise Content Management (ECM) system, providing document archives, document management and workflow services within an environmentally friendly and highly secured platform. It is part of the University’s sustainability and work simplification initiatives to reduce paper consumption, improve security, and optimize productivity. Major stakeholders and users of the Paperless Office Service include:

• University Management, to provide vision and strategy for the Paperless Office Service;
• Central IT Management, to oversee project development and ISO standardization;
• Enterprise Document Management Team (EDMT) within our Enterprise Solutions Office (ESU), to implement and maintain the core Paperless Office Service;
• Data Centre Services (DS) Team and Network Services (NS) Team within our Computing Services Centre (CSC), to provide critical service components, such as networking, operating system and database management, which are essential to the operation of the Paperless Office Service;
• Information Security Unit (ISU) within the Office of the Chief Information Officer (OCIO), to act as facilitator for the ISO project;
• The Paperless Office Service’s major users, from our Human Resources Office (HRO) and Finance Office (FO), who provide guidance on the direction of the Paperless Office Service and provide feedback to the team.

Among these stakeholders, members of the EDMT of the ESU and the DS and NS teams of the CSC are the major practitioners.

Implementation of ISO 20000

The initial plan was to implement both the ISO 20000 and ISO 27001 standards at the same time. However, after considering the magnitude of work and the scale of transformation and change needed, the plan was revised to start with ISO 27001 (security management) first, and then continue with ISO 20000 (service management) after completion of the ISO 27001 implementation. Through the hard and dedicated work of all the stakeholders, the Paperless Office Service of the University was successfully assessed and accredited with ISO/IEC 27001 certification by the British Standards Institution (BSI) in May 2013. After a few months spent solidifying our ISMS best practices, the ISO/IEC 20000 project resumed in October 2013. This article shares our experience and describes the current progress of our ISO 20000 implementation, from planning and building to execution.

Critical Success Factors for IT Service Management

While improving overall IT service quality is our main objective, acquiring the ISO 20000 certificate serves as a very tangible goal for all the stakeholders to work towards. Like any other modern organizational function, the right balance of People, Process and Technology is critical in ensuring IT service management excellence:

• People (Roles, Communications, Accountability, Skills, Training)
• Process (Management System, Policies, Standards, Workflows and Integration)
• Technology (Tools, Visibility, Measurement, Automation and Repository)

The following diagram illustrates the project activities within People, Process, and Technology, the 3 keys to success:

Figure 1 Project Timeline



Prior to 2014

Document and Establish ITSMS Manual and Procedures
In 2012, the scope of the ISMS and ITSMS implementation within the Paperless Office Service was defined, and the supporting service components were identified. A gap analysis covering both ISMS and ITSMS maturity was conducted in July 2012 by an external consultant. Based on the result of the gap analysis, an improvement plan was prepared. The consultant also provided a set of ITSMS manual and procedure templates, which we then customized to meet the particular needs and environment of CityU.

ITSM Tool Selection and Setup of iET ITSM
Central IT had been using the “iET Help Desk” platform to handle work requests for many years. To save cost and reduce the learning curve, the “iET Service Desk” was also selected to support the implementation and operation of the various ISO standard processes and record keeping. In addition, the “iET Service Desk” is aligned with the Information Technology Infrastructure Library (ITIL), a standard set of practices for IT service management.

Figure 2 Example of Change Management Flow

First and Second Quarters of 2014

iET ITSM Configuration and Customization

Customizations
Like any other ITSM platform, the iET platform required extensive customization and configuration to meet the specific needs and requirements of CityU. For instance, before the iET process flow engine can be used, the roles, routes and activities of the various processes have to be custom-defined in the tool. Design efforts were made to enable a practical mode of operation that efficiently meets the ISO 20000 requirements.

During the design of the process flows, the data involved in the activities must also be identified, and iET ITSM forms have to be customized so that users can manage these data. For example, the screen capture in Figure 3 shows the look and feel of the customized iET ITSM change request form.

Implementing Processes
There are 13 processes defined in the ISO 20000 standard, including Capacity Management, Change Management, Configuration Management, Release and Deployment Management, and Problem Management, to name a few. A process flow is a sequence of activities carried out by people in different roles during various stages. Using the Change Management process as an example, we first have to define the various flows for different situations, such as Normal Change, Standard Change, and Emergency Change. Figure 2 shows the flow for Normal Change. The design of these various process flows requires the collective work of all affected stakeholders. Once the processes and their related flows are defined, they are implemented within the iET ITSM platform.

Figure 3 Change Management Form


Prepare iET ITSM User and Admin Manual
A detailed “User and Admin Manual” was also prepared to document the customization and configuration done on iET ITSM and to facilitate the adoption of iET ITSM.

Second Gap Analysis
In January 2014, after the implementation of the ISMS, another gap analysis was conducted and the implementation plan was revised. The gap analysis results showed that the maturity levels of most areas were close to the initial targets, with a few targets already reached. Nevertheless, the recommendations showed that some enhancements, documents, changes of practice and improvements were still required in order to meet the ISO 20000 requirements.

ITSMS Orientation
In March 2014, an orientation session was conducted to update Central IT stakeholders on the status and progress of the ITSMS implementation. Findings and recommendations from the second gap analysis, and some main features of the ITSM tool, were reviewed.

Third Quarter of 2014

ITSMS Awareness and iET ITSM User Training
We plan to organize ITSMS awareness training to raise the stakeholders’ understanding of the needs and constitution of a reliable ITSMS and the rationale for such a system. Training on the use of iET ITSM will also be arranged to equip practitioners with the techniques and knowledge essential for evolving the existing service delivery mechanism with new processes and technology.

iET ITSM UAT and Trial Run
To reduce the time users need to become familiar with iET ITSM, it will be released to practitioners for a trial run. Users will gain hands-on experience with the tool before taking part in formal User Acceptance Testing (UAT), and the ISO implementation team will gain a deeper understanding of the acceptance level and be able to address any issues not yet considered.

Fourth Quarter of 2014

ITSM System Operation Commencement
ITSMS operation will formally commence when Process, People and Technology are ready. Performance levels will be monitored through self-assessment. Scoped services will be managed by the developed ITSMS processes, and practitioners will start to follow the established system and procedures, using iET ITSM as a supporting tool. We will need to operate the ITSMS continuously for at least 3 months to accumulate enough records as evidence before the ISO 20000 audit.

First Quarter of 2015

ISO 20000 Internal Audit and External Audit
An internal audit will be conducted to assess ITSMS operation and to verify whether the expected results were achieved through the planned and implemented improvement actions. Once conformity to the standard is confirmed, BSI, as the Certification Body, will conduct a full audit to verify compliance of our ITSMS with the ISO 20000 requirements. The external audit will be performed in stages, including pre-assessment, initial assessment and final assessment.

Upon satisfactory completion of the external audit, an ISO 20000 certificate will be issued for the ITSMS in recognition of the efforts made by all stakeholders.

Further Readings
[1] BS ISO/IEC 20000-1:2011 – Information Technology, Service management – Service Management System – Requirements
[2] BS ISO/IEC 20000-2:2012 – Information Technology, Service management – Service Management System – Code of practice
[3] BS ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements
[4] The ITIL and ISO 20000 Support Portal, http://www.15000.net/
[5] itSMF International, http://www.itsmfi.org/
[6] iET ITSM, http://www.iet-solutions.com/en/products/iet-itsm/



FEATURE

Canvas Extended Pilot
Crusher Wong

City University of Hong Kong (CityU) has a long history of Learning Management System (LMS) adoption, dating back to 1998. To provide faculty and students with the best education technology, enterprise-level LMSs are evaluated and compared on a regular basis. The evaluation exercise in 2013 [1] identified Canvas by Instructure as the preferred LMS to replace Blackboard as the unified LMS for CityU [2]. With the endorsement of senior management, an extended pilot of Canvas is being coordinated for the 2014/2015 academic year.

The report of the LMS Evaluation 2013 was presented with recommendations to the Information Strategy and Governance Committee (ISGC) in February 2014. Members of the committee acknowledged the advantages of Canvas, such as its user-friendly interface, integration with third-party web services and outcomes assessment capabilities, but raised concerns about the speed and capacity of Canvas, as a cloud service hosted in the US, to serve all users at CityU. In response to these concerns, a modified load test was performed using technology provided by Keynote (http://www.keynote.com/), a global leader in Internet and mobile cloud testing and monitoring. The test results showed a consistent and satisfactory average response time [3] (see Figure 1) for a user accessing Canvas from Hong Kong, which proved that auto-provisioning technology could manage server-side resources to cope with high-volume access to the system without noticeable delay. With the technical concerns resolved, preparation of the extended pilot is back on track.

Figure 1: Average Response Time (left-side scale) vs Concurrent Users (right-side scale)


To facilitate courses joining the pilot in Semester A, the official launch of Canvas is scheduled on 1 August 2014/15. While most faculty and students are enjoying their summer holiday, colleagues in Central IT will be busy with the final preparation of Canvas: configuring the data flow from Banner (our Student Information System), tuning the integration with major e-learning services such as Turnitin, and migrating content from Blackboard for pilot courses. The workflow is depicted in Figure 2. At this point, 35 colleagues have pledged to join the pilot individually and one academic unit has agreed to adopt Canvas for all of its courses. If you have courses to teach at CityU in the coming September, please visit our webpage at http://go.cityu.hk/yo0bnt to learn more about Canvas and how you may participate in the pilot. Eventually, over 100 courses and thousands of students are expected to participate in the pilot in Semester A 2014, which will provide a good basis on which to confirm the advantages of Canvas. Feedback will be gathered through online surveys, focus group activities and interviews in November 2014. If the collective user experience is satisfactory, we shall seek endorsement from senior management to replace Blackboard with Canvas as the unified LMS at CityU. At the same time, faculty will be advised to adopt Canvas as much as possible in Semester B 2014/15. If all runs smoothly, over 1,000 courses will be on Canvas in Semester B 2014/15, and all online teaching and learning activities will be migrated from Blackboard to Canvas starting from Summer Term 2015.

Figure 2: Canvas Implementation Plan

Reference
[1] Wong, C. (2013, October). LMS Evaluation 2013-2014. OCIO Newsletter [Issue 13]. Retrieved from http://issuu.com/cityuhkocio/docs/newsletter_issue_13
[2] Wong, C. (2014, April). LMS Evaluation 2013 Findings. OCIO Newsletter [Issue 15]. Retrieved from http://issuu.com/cityuhkocio/docs/newsletter_issue_15
[3] Viewing Load Test Summary Reports. Retrieved June 16, 2014, from http://www.keynote.com/support/tsp_help/testsummary.shtml#445253



FEATURE

IET/MATE Hong Kong Underwater Robot Challenge 2014
L F Yeung (EE)

Background

The IET/MATE Hong Kong Underwater Robot Challenge 2014 was an annual event that encouraged students from Hong Kong and around the Asia-Pacific region to learn and apply science, technology, engineering, and mathematics skills as they developed Remotely Operated Vehicles (ROVs) to complete missions that simulated real-world problems from the ocean workplace. ROVs are tethered underwater robots used in scientific research, ocean exploration, homeland security, the offshore oil and gas industry, and other industries. 2014 marked the 9th time that Hong Kong has organized such an event.

The competition was held on 12 and 13 April 2014, jointly organized with the College of Science and Engineering of the City University of Hong Kong and the Hong Kong University of Science and Technology.

The Mission

The theme for the 2014 competition season was “Exploring the Great Lakes: Shipwrecks, Sinkholes, and Conservation in the Thunder Bay National Marine Sanctuary.” This year’s contest highlighted the role of ROVs in (1) exploring, documenting and identifying an unknown shipwreck recently discovered in sanctuary waters; (2) collecting microbial samples and measuring the conductivity of the groundwater emerging from a sinkhole; and (3) removing trash and debris from the shipwreck and surrounding area. The competition also inspired students to think of themselves as entrepreneurs and form companies that design, manufacture, market, and sell specialised products and services for shipwreck assessment and remediation. This required them to solve problems in innovative ways, think creatively, work as part of a team, and understand all aspects of business operations: important skills required in the 21st century that will make them competitive in today’s global workplace.

Robots from Ranger Group

Training

To get the teams fully prepared, a series of workshops was held before the competition. At the first workshop, each school was given a kit and shown how to build a simple underwater robot. The second workshop was held at the end of January 2014 to introduce the concepts of waterproofing and using electronics underwater. Teams were shown how to build an underwater camera and light, as well as how to control the robot motors; again, they could take away the finished items. At the third and final workshop, each school was given a microcomputer project board and shown how to program it to control the robot’s motors.


Further information http://www.rovcontest.hk/


The Winners

The IET/MATE Hong Kong Underwater Robot Challenge 2014 was one of 22 regional contests held around the world and managed by the Marine Advanced Technology Education (MATE) Center. The contest’s winning teams were invited to compete in MATE’s 13th annual international ROV competition, held on 26-28 June 2014 at the Thunder Bay National Marine Sanctuary facilities in Alpena, Michigan, USA.

The following teams registered for the competition:

From Hong Kong
• Buddhist Wong Fung Ling College
• Chinese International School
• CMA Secondary School
• Ebenezer School
• German Swiss International School
• HKTA Yuen Yuen Institute No 2 Secondary School
• Hong Kong International School
• La Salle College
• ISF Academy
• King George V School
• Kwok Tak Seng Catholic Secondary School
• Po Leung Kuk Ngan Po Ling College
• Renaissance College Hong Kong
• Robotics Service Junior
• St Paul’s Secondary School
• Salesians of Don Bosco Ng Siu Mui Secondary School
• Shau Kei Wan Government Secondary School
• City University of Hong Kong
• Hong Kong University of Science and Technology
• Hong Kong Polytechnic University

From outside Hong Kong
• Concordia International School – Shanghai, China
• Macao Pui Ching Middle School, Macau
• Singapore American School, Singapore
• Sekolah Robot Indonesia, Indonesia
• SMA Negeri 28 Jakarta, Indonesia
• Nanjing Institute of Technology, China
• Universiti Teknologi Malaysia, Malaysia
• Zhejiang Ocean University, China

Participants

With around 35 teams, the Hong Kong regional contest was the largest of the regional contests worldwide. Over 30 Hong Kong and 7 overseas schools and universities participated in the competition. It was noteworthy that one team of visually impaired students successfully completed the mission.

Sponsors The IET/MATE Hong Kong Underwater Robot Challenge 2014 was supported by local sponsors, including Hongkong Electric Company Limited, MTR Corporation, Hong Kong Internet Registration Corporation Limited, CLP Power Hong Kong Limited, Analogue Group of Companies, RS Components, ISF Academy and Oceanway Corporation. Local technology professionals volunteered as judges for the competition, evaluating the students’ ROVs, poster displays, and engineering presentations.

An advanced robot from Explorer Group



Acknowledgement

Special appreciation goes to Professor Robert Li (College of Science and Engineering, CityU), Mr. Paul Hodgson (Oceanway Ltd. Co.), Dr. Robin Bradbeer (IET), and all the volunteers and supporters who contributed to the success of this event.

FYI

Safe Mode in Android
Frankie Wong

Have you had problems with apps crashing on your Android phone? Sometimes an application error may cause your phone to run abnormally. Occasionally, you have to reset the system (restore to factory settings) in order to return the phone to normal. However, this causes your personal data to be lost if you have not made a backup. This is very annoying.

How to boot into Android Safe Mode

For Google Nexus series phones, ensure your device’s screen is on, then:
1. Press and hold the [Power] button.
2. Touch and hold the [Power off] option in the dialog box.
3. Touch [OK] in the following dialog to start Safe Mode.

A robot from the Scout HK group

Figure 1. Boot into Safe Mode


Depending on the brand and model of your Android phone, there are different ways to boot into Safe Mode. If you are using an HTC, Motorola, Sony or Samsung Android phone, you may find the steps at the following link: https://support.norton.com/sp/en/us/home/current/solutions/v59378086_EndUserProfile_en_us If your phone model is not listed above, you may ask your salesperson or search the web.

Characteristics of Safe Mode

Safe Mode has the following characteristics:
• No third-party apps are loaded at startup; only the system apps are loaded.
• A “Safe Mode” label is shown at the bottom-left corner of the screen.
• After booting into Safe Mode, you may uninstall the mischievous apps that cause crashes.
• Safe Mode will not damage any apps or personal data.


In general, malware apps can be removed by uninstalling them. However, some malware apps cannot be uninstalled properly, because they run at startup and cause the system to crash. To solve this problem, we can boot into Safe Mode and uninstall the mischievous apps. The steps are as follows:
1. Boot into Safe Mode
2. Settings -> Applications
3. Select the app you want to uninstall
4. Touch [Uninstall]

If you want to learn more about mobile security, please refer to the “Guideline of Mobile Security” provided by HKCERT.

Reference
Boot into Android Safe Mode: https://support.google.com/nexus/answer/2852139
Guideline of Mobile Security by HKCERT: https://www.hkcert.org/my_url/guideline/13022801

BRIEF UPDATES

Migration of Staff Email System from MS Exchange to MS Office 365 Exchange Online
Maria Chin

Following the successful migration of the University email systems for students and alumni from the on-premises systems to Microsoft Office 365 Exchange Online (“O365”), Microsoft’s cloud solution for educational institutions, in early 2013, the Information Strategy and Governance Committee (ISGC) has endorsed the migration of the University email system for staff from the on-premises Microsoft Exchange system (“Exchange”) to O365.

O365 feature highlights:
• 50 Gigabyte (GB) mailbox quota
• Access email, calendars and contacts from anywhere with PC, Mac and smartphone via web browsers, email clients and apps
• Wipe data from a mobile device to prevent unauthorized access in case of loss
• Full O365 suite including MS SharePoint Online, MS Lync Online and OneDrive
• Find out more at http://office.microsoft.com/en-001/business/what-is-office-365-for-business-FX102997580.aspx

The migration of staff mailboxes from Exchange to O365 will be scheduled department by department, starting from August 2014. The Computing Services Centre (CSC) will contact departments via their Departmental Network Administrators (DNA) to explain the migration steps and to agree on a time for migration. Staff who will be out of the office on the day of migration can connect their mobile devices and off-campus PCs to O365 first, then attend to their office PCs any time after they are back in the office; i.e., there is no rush to connect all PCs and devices to O365 in one go right after the migration. Before the migration, staff should ensure that the email clients and email apps on their PCs and mobile devices (e.g. MS Outlook, iOS and Android) are up to date; otherwise, they may have problems connecting to O365, which runs on the latest version of MS Exchange. The migration normally takes less than two hours, during which the Exchange mailboxes of the staff scheduled for migration will be temporarily inaccessible. After the migration, staff must reconfigure the email clients and email apps on their PCs and mobile devices to connect to O365. There is no change to staff email addresses on O365; i.e., the valid email addresses are EID@cityu.edu.hk, email-alias@cityu.edu.hk, EID@um.cityu.edu.hk, and email-alias@um.cityu.edu.hk. Email sent to any of these addresses will be received in O365.

Sign-in page of Office 365

More information on the Exchange to O365 migration is available at http://www.cityu.edu.hk/csc/deptweb/support/faq/email/o365staff/o365.htm. For staff who are still using the old JSMS staff email system, which was originally planned for migration to the on-premises Exchange, their mailboxes will now be migrated directly to O365. When all staff mailboxes on the on-premises Exchange and JSMS have been migrated to O365, Exchange and JSMS will stop service and be shut down.


IT Security Awareness Series by JUCC

With the aim of enhancing the IT security awareness of the CityU community, KPMG was commissioned by the Joint Universities Computer Centre (JUCC) to prepare a series of articles on IT security, which will be adopted and published here for your reference.

Information Security Updates

I. General Users

Case Study: Stanford University Laptop Theft Calls for Proper Data Backup in Enterprises

A laptop containing over 72,000 pieces of personal data was stolen at Stanford University in June 2008. The authorities led a task force to review the University’s policies and procedures for data protection. Thefts of data storage devices are not exceptional. If a theft takes place in an enterprise, the loss of critical data may create disastrous problems in business operations. Therefore, it is essential to adopt a proper and reliable backup solution in enterprises.

Mobile devices, such as laptops and smartphones, are portable information systems that are often used to store confidential information, such as contact lists, passwords, and personal data. While these devices provide a means for convenient information processing and communication, they also pose a risk of data loss in the event of theft or breach. Below are some good practices to reduce the risk of data loss on your mobile devices.

Dos
• Use a password management tool on start-up of mobile devices.
• Keep your mobile devices in a secure place, especially when not in use.
• Install antivirus software and a personal firewall on your mobile devices.
• Use encryption to lock sensitive data on the mobile devices.
• Regularly back up data from mobile devices (e.g. PDAs) to a PC to prevent damage from PDA-specific viruses and worms.
• Remember to remove any memory cards before returning a rented mobile device.

Don’ts
• Don’t leave a mobile device unattended, even for a moment.
• Don’t download or accept programs and content from unknown or untrusted sources.
• Don’t allow common wireless connections from unknown or untrusted sources on your device.
• Don’t accept unsolicited file transfers from other devices via Bluetooth, SMS, etc.

II. Management

10 Steps to Creating a Campus Security Master Plan

Incorporating construction plans, ensuring equipment interoperability and determining future security personnel needs are just some of the measures campuses should incorporate to improve their overall safety and security.

1. Assemble Your Committee - The first step in building momentum for a physical security program is to create a physical security committee consisting of members in strategic positions of influence, such as administration, IT, operations, safety, security, risk and planning.
2. Determine What Must Be Protected - Understand what concerns, risks or fears may exist on campus and why. The responses are often constructive and enlightening.
3. Think About Your Long-term Needs - The security master plan’s development should also include long-term system compatibility, communication infrastructure, product obsolescence and growing demands on the security staff.
4. Find Out What Works, What Doesn’t - The committee should survey current operational risk mitigation measures and determine their effectiveness.
5. Incorporate Campus Construction Plans - Understand how new buildings, parking lots, garages, walkways and other projects will affect the current physical security master plan.
6. Can Legacy and New Security Technology Mix? - With the convergence of new physical security technologies, the integration of existing security hardware into new security platforms can be a challenge.
7. Determine Security Personnel Needs - Documenting responsibility, service and deliverables will assist in laying the groundwork for the return on investment (ROI) and temper the overall approval process.
8. Upgrade Your Security Operations Centre - The increase in response, consistency and accuracy can make the difference in a variety of situations throughout the campus.
9. Don’t Forget About Your Infrastructures - Critical infrastructures are areas within the campus that rely on the continuous, reliable operation of a complex set of interdependent infrastructures: electric power, gas, transportation, water, communications and more.
10. Regularly Audit and Assess Your Plan - Validate the operation and consistency of the security systems, security processes and protection of assets.

III. IT Professional

Best Practice for Firewalls

Organizations should be as concerned with the origins and kinds of Internet-directed traffic as they are with incoming requests. Below are some good practices through which organizations can improve their risk profile by implementing outbound traffic filtering.

Limit the addresses allowed to send traffic to Internet destinations by configuring policies such as these:
• Only allow source addresses from the IP network numbers you assign to trusted segments behind your firewall(s), including DMZ networks.
• Apply appropriate subnet masks to trusted networks, i.e., masks that are sufficiently long to identify only that fragment of the IP network number that you are using.
• Block broadcasts from traversing the firewall’s interfaces. While most broadcasts will not pass across LAN segments, take measures to ensure this is especially true for Internet-bound packets, or packets destined for any untrusted segment.
• Block outbound traffic from VLAN workgroups or entire network segments that have no business establishing client connections to Internet servers.

Limit the destination ports on Internet-directed traffic in the following ways:
• Allow outbound connections only to those services your security and acceptable use policies allow for client hosts.
• If you operate an HTTP proxy, or a proxy system that performs some form of web URL or content filtering, only allow outbound connections through your firewall from the proxies.
• If you provide DNS internally, or use a split DNS, use internal servers as forwarders for your trusted network, and only allow outbound DNS requests from the DNS servers so configured.
• Unless your firewall is participating in routing, block routing protocols at your firewall. This is important for entities which use a firewall to exchange and negotiate PPP over Ethernet (PPPoE).
• Certain network and security vendors use unique ports for proprietary (and secure) management access. Permit these ports only from hosts used by the administrators of such equipment.
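The two checklists above (source restrictions, then destination-port restrictions) can be expressed as one ordered egress policy. The following is an added example, not JUCC's or CityU's code: a small Python evaluator that applies the checklist to outbound flows. The network numbers, the proxy, resolver and admin host addresses, the vendor management port and the allowed client ports are constructed placeholders, and the sample flows are constructed too.

```python
"""Egress-filter policy modelled on the JUCC firewall checklist (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- constructed policy data: placeholders, not a real campus layout ---
TRUSTED_NETS = [ip_network("10.10.0.0/16"),      # campus LAN (assumed)
                ip_network("192.0.2.0/24")]      # DMZ (assumed)
NO_INTERNET_NETS = [ip_network("10.10.50.0/24")] # e.g. a lab VLAN with no Internet client role
HTTP_PROXIES = {ip_address("192.0.2.10")}        # only the proxy may send web traffic out
DNS_FORWARDERS = {ip_address("10.10.0.53")}      # only internal resolvers may send DNS out
MGMT_ADMIN_HOSTS = {ip_address("10.10.1.5")}     # admins' workstation(s)
VENDOR_MGMT_PORTS = {4434}                       # constructed "proprietary management" port
PROXY_PORTS = {80, 443}
DNS_PORT = 53
ROUTING_PROTOCOL_PORTS = {179, 520, 521}         # BGP, RIP, RIPng
ALLOWED_CLIENT_PORTS = {22, 993}                 # what the acceptable-use policy permits (assumed)
LIMITED_BROADCAST = ip_address("255.255.255.255")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one outbound flow.

    Checks run in the checklist's order: who may originate Internet-bound
    traffic first, then which destination ports are acceptable."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)

    # Source checks
    if not _in_any(src, TRUSTED_NETS):
        return "deny", "source not in a trusted network (spoofed or misrouted)"
    if dst == LIMITED_BROADCAST or dst.is_multicast or \
            any(dst == n.broadcast_address for n in TRUSTED_NETS):
        return "deny", "broadcast/multicast must not cross the firewall"
    if _in_any(src, NO_INTERNET_NETS):
        return "deny", "segment has no business reaching Internet servers"

    # Destination-port checks
    if flow.dport in ROUTING_PROTOCOL_PORTS:
        return "deny", "routing protocols blocked (firewall does not route)"
    if flow.dport in PROXY_PORTS:
        if src in HTTP_PROXIES:
            return "allow", "web traffic from the proxy"
        return "deny", "web traffic must go through the proxy"
    if flow.dport == DNS_PORT:
        if src in DNS_FORWARDERS:
            return "allow", "outbound DNS from internal forwarder"
        return "deny", "outbound DNS only from internal resolvers"
    if flow.dport in VENDOR_MGMT_PORTS:
        if src in MGMT_ADMIN_HOSTS:
            return "allow", "vendor management port from admin host"
        return "deny", "vendor management port restricted to admin hosts"
    if flow.dport in ALLOWED_CLIENT_PORTS:
        return "allow", "service permitted for client hosts"
    return "deny", "destination port not in acceptable-use policy"


def run_samples() -> list[tuple[Flow, str, str]]:
    """Evaluate a few constructed flows; returns (flow, decision, reason) rows."""
    samples = [
        Flow("10.10.0.25", "198.51.100.7", "tcp", 443),   # client bypassing the proxy
        Flow("192.0.2.10", "198.51.100.7", "tcp", 443),   # the proxy itself
        Flow("203.0.113.9", "198.51.100.7", "tcp", 22),   # source we never assigned
        Flow("10.10.0.25", "198.51.100.7", "udp", 53),    # client doing its own DNS
        Flow("10.10.0.53", "198.51.100.7", "udp", 53),    # internal forwarder
        Flow("10.10.50.4", "198.51.100.7", "tcp", 22),    # no-Internet segment
        Flow("10.10.0.25", "255.255.255.255", "udp", 67), # broadcast
        Flow("10.10.0.25", "198.51.100.7", "tcp", 179),   # BGP from a workstation
        Flow("10.10.0.25", "198.51.100.7", "tcp", 22),    # permitted client service
    ]
    return [(f, *evaluate(f)) for f in samples]


if __name__ == "__main__":
    for flow, decision, reason in run_samples():
        print(f"{decision:5} {flow.src:>12} -> {flow.dst}:{flow.dport}  ({reason})")
```

The order of the checks matters: a web request from an ordinary workstation is denied even though port 443 is a service users need, because the policy says web traffic leaves only through the proxy; the same applies to DNS from anything other than the internal forwarders.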

Copyright Statement
All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. A single copy of the materials available through this document may be made, solely for personal, noncommercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document is listed below:
copyright@jucc.edu.hk
Joint Universities Computer Centre Limited (JUCC), Room 223, Run Run Shaw Building, c/o Computer Centre, The University of Hong Kong, Pokfulam Road, Hong Kong


BRIEF UPDATES

A Quick Glance at Computer Courses that Keep Our Staff and Students Abreast of IT Knowledge Joe Lee

In 2013-14, the CSC received more than 3,300 applications from students for 77 classes on 14 distinct computer courses in its Student Computer Literacy Programme, covering Windows 8, computer security, Office 2013, Flash CS6, Photoshop CS6 and others. The following table depicts the planned courses in Semester A, 2014-15.

Computer Courses in Student Computer Literacy Programme 2014-15

Run                Date              Time         Course
Internal Training  20-08-2014 (Wed)  10:00-13:00  Introduction to Photoshop CS6
                   20-08-2014 (Wed)  14:00-17:00  MS Expression Web 4
319                21-08-2014 (Thu)  10:00-13:00  MS Expression Web 4
                   21-08-2014 (Thu)  14:00-17:00  Introduction to PowerPoint 2013
                   22-08-2014 (Fri)  10:00-13:00  Introduction to Word 2013
320                22-08-2014 (Fri)  14:00-17:00  Introduction to Access 2013
                   23-08-2014 (Sat)  10:00-13:00  Introduction to Flash CS6
                   23-08-2014 (Sat)  14:00-17:00  Introduction to Excel 2013
                   25-08-2014 (Mon)  10:00-13:00  Chinese Input Method - Chang Jie
                   25-08-2014 (Mon)  14:00-17:00  Introduction to Photoshop CS6
                   26-08-2014 (Tue)  10:00-13:00  Introduction to Windows 8
                   26-08-2014 (Tue)  14:00-17:00  Introduction to Excel 2013
                   27-08-2014 (Wed)  10:00-13:00  Introduction to Flash CS6
                   27-08-2014 (Wed)  14:00-17:00  How to secure your computer
                   28-08-2014 (Thu)  10:00-13:00  Introduction to Access 2013
                   28-08-2014 (Thu)  14:00-17:00  Advanced Word 2013
                   29-08-2014 (Fri)  10:00-13:00  Advanced PowerPoint 2013
                   29-08-2014 (Fri)  14:00-17:00  Advanced Excel 2013
                   30-08-2014 (Sat)  10:00-13:00  MS Expression Web 4
                   30-08-2014 (Sat)  14:00-17:00  Advanced Photoshop CS6
321                01-09-2014 (Mon)  19:00-22:00  Introduction to Excel 2013
322                02-09-2014 (Tue)  19:00-22:00  Introduction to Photoshop CS6
                   03-09-2014 (Wed)  19:00-22:00  Introduction to Word 2013
                   04-09-2014 (Thu)  19:00-22:00  Introduction to Windows 8
                   05-09-2014 (Fri)  19:00-22:00  MS Expression Web 4
                   06-09-2014 (Sat)  10:00-13:00  Introduction to PowerPoint 2013
                   06-09-2014 (Sat)  14:00-17:00  Chinese Input Method - Chang Jie
                   10-09-2014 (Wed)  19:00-22:00  How to secure your computer
                   11-09-2014 (Thu)  19:00-22:00  Advanced PowerPoint 2013
                   12-09-2014 (Fri)  19:00-22:00  Advanced Photoshop CS6
                   13-09-2014 (Sat)  10:00-13:00  Advanced Excel 2013
                   13-09-2014 (Sat)  14:00-17:00  Advanced Word 2013

(The Run column shows the run label on the row where it appears in the printed table; subsequent rows belong to the same run.)

In 2013-14, the CSC received more than 700 applications from staff for 58 classes on 28 distinct computer courses for staff development, covering Windows 8, Use of Mobile Devices, Computer Security, Office 2010, Illustrator CS6, Dreamweaver CS6, SharePoint 2010 and others. The following table depicts the planned courses in Semester A, 2014-15.

Staff Computer Courses 2014-15

Date                 Time         Course
04/09/14 & 11/09/14  09:30-17:15  Microsoft Access 2013 - Introduction
18/09/14             09:30-17:15  Adobe Dreamweaver CS6 - Introduction
25/09/14 & 3/10/14   09:30-17:15  Microsoft Access 2013 - Advanced
09/10/14             09:30-17:15  Adobe Dreamweaver CS6 - Advanced
16/10/14             09:30-17:15  Microsoft Outlook 2013 and Exchange
23/10/14             09:30-12:30  Effective Use of iPhone & iPad
23/10/14             14:15-17:15  Introduction to Windows 8.11
30/10/14             09:30-17:15  Getting Started with Power Query for Excel
06/11/14             09:30-17:15  Adobe Illustrator CS6 - Introduction
13/11/14             09:30-17:15  Adobe Acrobat
20/11/14             09:30-17:15  Adobe Illustrator CS6 - Advanced
27/11/14             09:30-17:15  Microsoft Word 2013 - Advanced
04/12/14             09:30-12:30  Introduction to Windows 8.11
04/12/14             14:15-17:15  Social Networks and Mobile Security
11/12/14             09:30-17:15  Microsoft Excel 2013 - Introduction
18/12/14             09:30-17:15  Microsoft Outlook 2013 and Exchange
23/12/14             09:30-17:15  Microsoft Excel 2013 - Advanced
30/12/14             09:30-17:15  Microsoft PowerPoint 2013 - Advanced
08/01/15             09:30-12:30  Effective use of Android Mobile & Tablet
08/01/15             14:15-17:15  Introduction to Windows 8.11


BRIEF UPDATES

Prof. Cranor’s Security Blanket Andy Chun

The above is an image of a quilt art work (63.5”x39”) called “Security Blanket” created by Prof. Lorrie Faith Cranor, Associate Professor at CMU and Director of the CyLab Usable Privacy and Security Laboratory (CUPS). The art work was derived from her research on password security. The quilt shows the top 1000 most popular passwords out of the 32 million passwords that were stolen from the RockYou site by hackers and made public. Passwords are like our “security blankets”; unfortunately, Prof. Cranor found that most of them are not really secure. We hope you do not see your password in the quilt!

Prof. Cranor explains her work on the “Security Blanket” in her blog: http://lorrie.cranor.org/blog/2013/08/12/security-blanket/

She also gave an interesting TED talk recently titled “What’s wrong with your pa$$w0rd?”: http://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd



FEATURE

Security Information and Event Management (SIEM) Phase 3 Upgrade: More Than Just Service Monitoring Alex Lam

In 2011, CSC implemented and deployed HP’s ArcSight Express solution (hereafter “Express SIEM solution”) as CityU’s central Security Information and Event Management (SIEM) system. Subsequently, in 2013, the Express SIEM solution was further enhanced with the ArcSight Logger solution, allowing extended retention of access, security and system logs. Since then, several hundred of our central servers as well as network and security devices have been feeding their access and security logs to this Express SIEM solution. This represents a core service that supports daily network and service operational monitoring as well as forensic analysis of security incidents.

With the success of the Express SIEM deployment, we decided to extend the benefits of the SIEM solution by consolidating all central IT systems, with their system and security log files, onto the SIEM platform. To enable this, we upgraded our SIEM solution from Express to the ArcSight Enterprise SIEM solution in early 2014. For more information on the Express SIEM implementation, please refer to our previous articles in this OCIO Newsletter:
• Overview of Security Information and Event Management (SIEM) Part 1: http://issuu.com/cityuhkocio/docs/newsletter_issue_9
• Overview of Security Information and Event Management (SIEM) Part 2: http://issuu.com/cityuhkocio/docs/newsletter_issue_10

In this article, we will discuss the features that were implemented during the 2014 Enterprise SIEM upgrade project.

1. Enhancing overall event processing capacity
As mentioned earlier, the major goal of the SIEM upgrade is to support the processing of events sent from all central IT services. Hence, the new Enterprise SIEM solution must meet the performance requirements of this task. The following areas were enhanced during the SIEM upgrade exercise.

a. Licensed event processing capacity (license limit)
The licensed event processing capacity was expanded from 1000 events per second (EPS) to 5000 EPS. This dramatic increase enables the new SIEM solution to handle the increased event feeds from all central IT systems. In addition, the total number of supported devices increased from 500 to 1500.

b. Upgrade of the server hardware and storage capacity (hardware limit)
Unlike the Express SIEM solution, which was pre-built and ran on a relatively low-end server appliance, the new Enterprise SIEM solution is software-based. This means the systems can be installed and deployed on any supported server hardware platform and scaled up according to performance needs. To maximize processing capacity, we deployed the Enterprise SIEM systems as virtual machines (VMs) supported by high-end servers with sufficient storage capacity. This way, besides changes in VM allocation, we retain the ability to flexibly scale up the processing power of the SIEM solution by enhancing the server hardware (CPU, memory, storage, etc.) or even adding physical servers to the infrastructure that supports the VMs, as needed to cater for future growth.


2. Enjoying the benefits of an enterprise-grade VM environment
One of the major benefits of the Enterprise SIEM solution is its support for VM environments. By installing the Enterprise SIEM solution within the University’s standard VM infrastructure, the new SIEM system can directly enjoy all the benefits of our private cloud, such as:

a. Dynamically scaling the performance and storage capacity of the SIEM systems as needed.

b. Leveraging existing VM backup and restore procedures
VM technology is well known for its support of flexible and efficient backup and restore. The SIEM systems can immediately follow the well-established procedures and use the equipment currently deployed in the VM infrastructure of the University data centre. By adopting standard procedures and using existing backup equipment, SIEM operation is more cost effective and has a lower total cost of ownership (TCO).

c. Improving server redundancy under the VM infrastructure
Although the SIEM system does not support automatic failover to a different ESX/ESXi host, we can still use the manual VM image migration feature to restore or recover to a different ESX/ESXi host in case of hardware failure or problems during major software changes. This provides a “redundancy” solution for the SIEM systems and makes it easy to draw up a disaster recovery plan (DRP).

3. Enhancing the protection and isolation of the raw system and security event resources
The Enterprise SIEM solution provides granular role- and user-based assignment of rights for access to authorized events and security logs. This has the following benefits:
• As sensitive information is stored within our logs, this security feature enhances the protection and isolation of the raw system and security logs, allowing us to follow the “need-to-know” principle of security protection when assigning access privileges.
• A side effect of the access right restriction is a tremendous reduction in the log volume and access time needed to retrieve relevant event logs. This greatly improves the efficiency and effectiveness of security and forensic analysis.

4. Enhancing service dashboard deployment
The SIEM project also created a framework to present the service level and health status of an IT service that depends on other sub-services. This provides a bird’s-eye view of the status of different services using a “traffic light” presentation. With the advance and massive deployment of virtual machine (VM) technology in central IT services, we have enhanced the service dashboard framework to support the redundancy features of VM technology. A sample of the service dashboard is shown as follows.

Figure 1. Sample of a Service Dashboard – Provides an eye-catching view of service status

5. Consolidating the SIEM systems with a standard event processing framework
From our experience in using and customizing the SIEM systems, we found that many event handling procedures are generic and were being defined repeatedly. We have consolidated and defined those commonly used event handling workflows as a standard event handling framework in the new SIEM solution. The use of this standard framework provides consistency and is more effective for different administrators when creating new system or security event handling procedures. The benefits will be even more noticeable when more services are deployed using this standard framework.

Furthermore, having service statuses available, the new SIEM provides a basic service dashboard. Instead of correlating many different monitoring graphs to get service statuses, the new dashboard provides a “bird’s-eye” view of service status with its service level represented as simply as a “Red-Yellow-Green” traffic light. This creative idea provides a pin-pointed, eye-catching and easily understandable service dashboard in a single view.

Summary
This paper described how we extended the benefits of the successful Express SIEM implementation in 2011 to the current Enterprise SIEM in 2014. One of the major goals of the upgrade is to equip the SIEM systems with sufficient processing and storage capacity to handle the event and security processing needs of all central IT services. Although the total event volume has increased, with the fine-tuned roles and responsibilities defined in the new Enterprise SIEM solution, administrators only access events and resources that they are authorized to view. This greatly reduces administrators’ time when working with event logs. In addition, the deployment of a standard event handling framework that captures common workflows improves the consistency and effectiveness of daily event handling as well as security and forensic analysis.

With the above new features and innovative ideas, the new Enterprise SIEM solution is truly a unified, transparent and scalable platform for event and security monitoring for central services. With all the flexibility and creative ideas built into the solution, we have transformed our SIEM solution from just a service monitoring and threat management tool into an important and core component of the University’s enterprise service governance framework.
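The service dashboard described in section 4 above rolls the health of sub-services (and of the redundant VM nodes behind each of them) up into a single Red-Yellow-Green status per service. The following is an added example illustrating that roll-up, not CityU's SIEM dashboard framework or ArcSight code: the service names, node names and up/down statuses are constructed, and the aggregation rule (a service is as unhealthy as its worst own node pool or dependency; a pool with some but not all nodes up is Yellow because it has lost redundancy) is an assumption.

```python
"""Traffic-light service dashboard over a dependency tree (added example)."""
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "GREEN", "YELLOW", "RED"
_RANK = {GREEN: 0, YELLOW: 1, RED: 2}   # higher rank = worse


@dataclass
class Service:
    name: str
    nodes: dict = field(default_factory=dict)        # node name -> True if up (redundant VM pool)
    depends_on: list = field(default_factory=list)   # sub-services this service relies on


def node_status(svc: Service) -> str:
    """Status of the service's own VM pool, ignoring dependencies.

    No nodes: purely composite service, Green on its own.
    All nodes down: Red.  Some down: Yellow (running, but redundancy lost)."""
    if not svc.nodes:
        return GREEN
    up = sum(1 for ok in svc.nodes.values() if ok)
    if up == 0:
        return RED
    if up < len(svc.nodes):
        return YELLOW
    return GREEN


def status(svc: Service, _seen=frozenset()) -> str:
    """Overall traffic light: worst of own pool and every dependency, recursively."""
    if svc.name in _seen:
        raise ValueError(f"dependency cycle at {svc.name}")
    seen = _seen | {svc.name}
    worst = node_status(svc)
    for dep in svc.depends_on:
        dep_status = status(dep, seen)
        if _RANK[dep_status] > _RANK[worst]:
            worst = dep_status
    return worst


def render(svc: Service, indent: int = 0) -> list:
    """Indented text view of a service and its dependency tree."""
    lines = [f"{'  ' * indent}[{status(svc):6}] {svc.name} (own pool: {node_status(svc)})"]
    for dep in svc.depends_on:
        lines.extend(render(dep, indent + 1))
    return lines


def build_sample() -> dict:
    """Constructed sample topology (names and statuses are made up)."""
    ad = Service("Active Directory", {"dc1": True, "dc2": True})
    storage = Service("SAN Storage", {"san1": True})
    exchange = Service("Exchange", {"ex1": True, "ex2": False}, [ad, storage])  # one node lost
    email = Service("Staff Email", depends_on=[exchange])
    db = Service("Canvas DB", {"db1": False}, [storage])                        # database down
    web = Service("Canvas Web Cluster", {"w1": True, "w2": True})
    canvas = Service("Canvas LMS", depends_on=[web, db])
    return {"Staff Email": email, "Canvas LMS": canvas}


def dashboard(roots: dict) -> dict:
    """Top-level view: service name -> traffic-light colour."""
    return {name: status(svc) for name, svc in roots.items()}


if __name__ == "__main__":
    roots = build_sample()
    for name, svc in roots.items():
        print("\n".join(render(svc)))
    print(dashboard(roots))
```

In the sample, Staff Email shows Yellow because Exchange is running on one of its two nodes, while Canvas LMS shows Red because its database pool has no node up, even though the web cluster is healthy. The cycle check in status() guards against a misconfigured dependency graph silently recursing forever.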


STATISTICS AT A GLANCE



GLOSSARY CORNER

IT Security from Wikipedia Andy Chun (ed.)

Heartbleed is a security bug in the OpenSSL cryptography library. OpenSSL is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client. Heartbleed results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, the heartbeat being the basis for the bug’s name. The vulnerability is classified as a buffer over-read, a situation where software allows more data to be read than should be allowed. A fixed version of OpenSSL was released on April 7, 2014, the same day Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers’ private keys and users’ session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug “catastrophic”. Forbes cybersecurity columnist Joseph Steinberg wrote, “Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.” A British Cabinet spokesman recommended that “People should take advice on changing passwords from the websites they use... Most websites have corrected the bug and are best placed to advise what action, if any, people need to take.” On the day of disclosure, the Tor Project advised anyone seeking “strong anonymity or privacy on the Internet” to “stay away from the Internet entirely for the next few days while things settle.” As of May 20, 2014, 1.5% of the 800,000 most popular TLS-enabled websites were still vulnerable to Heartbleed.

This article uses material from Wikipedia. The Author(s) and Editor(s) listed with this article may have significantly modified the content derived from Wikipedia with original content or with content drawn from other sources. The current version of the cited Wikipedia article may differ from the version that existed on the date of access. Text in this article available under the Creative Commons Attribution/ShareAlike License.
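The "missing bounds check" in the glossary entry above is easiest to see next to the check that fixes it. The following is an added example written for this page, not OpenSSL's code: a Python model of heartbeat handling in which a constructed bytes buffer stands in for process memory. The record layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520; the function names and the sample data are assumptions.

```python
"""TLS heartbeat handling: the bounds check whose absence caused Heartbleed (added example)."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2   # HeartbeatMessageType values from RFC 6520
MIN_PADDING = 16                 # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(hb_type: int, payload: bytes, claimed_length: int = None) -> bytes:
    """Encode a heartbeat message.  claimed_length lets a test construct a
    message whose header disagrees with the data actually present."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack(">BH", hb_type, length) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(memory: bytes, offset: int) -> bytes:
    """Vulnerable pattern: trust payload_length from the message and copy that
    many bytes from after the header, without comparing it to the record size.
    `memory` is a constructed buffer standing in for process memory, so the
    copy can run past the record into whatever happens to sit next to it."""
    hb_type, length = struct.unpack(">BH", memory[offset:offset + 3])
    payload = memory[offset + 3:offset + 3 + length]
    return build_heartbeat(HB_RESPONSE, payload)


def respond_checked(memory: bytes, offset: int, record_length: int):
    """Fixed pattern: the claimed payload, plus header and minimum padding, must
    fit inside the length the record layer actually delivered; otherwise the
    message is silently discarded (returns None)."""
    if record_length < 1 + 2 + MIN_PADDING:
        return None
    hb_type, length = struct.unpack(">BH", memory[offset:offset + 3])
    if 1 + 2 + length + MIN_PADDING > record_length:
        return None
    payload = memory[offset + 3:offset + 3 + length]
    return build_heartbeat(HB_RESPONSE, payload)


def payload_of(response: bytes) -> bytes:
    """Extract the echoed payload from a response, honouring its own length field."""
    _, length = struct.unpack(">BH", response[:3])
    return response[3:3 + length]


def demo() -> dict:
    """Constructed scenario: a 2-byte payload whose header claims 30 bytes,
    followed in memory by unrelated data (a made-up session cookie)."""
    neighbour = b"SESSION=abc123;"                                     # constructed
    record = build_heartbeat(HB_REQUEST, b"hi", claimed_length=30)     # 21 bytes on the wire
    memory = record + neighbour
    return {
        "record_length": len(record),
        "unchecked_payload": payload_of(respond_unchecked(memory, 0)),
        "checked_response": respond_checked(memory, 0, len(record)),
    }


if __name__ == "__main__":
    result = demo()
    print("record length on the wire:", result["record_length"])
    print("unchecked handler echoed :", result["unchecked_payload"])
    print("checked handler returned :", result["checked_response"])
```

Running demo() shows the unchecked handler echoing 30 bytes (the 2-byte payload, the padding, and 12 bytes of the neighbouring data) while the checked handler returns None because 1 + 2 + 30 + 16 exceeds the 21-byte record. A well-formed message, where the claimed length matches the data, passes the check and is echoed normally.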


GLOSSARY CORNER

Heartbleed explained by xkcd
Creative Commons comic from xkcd.com. Original webpage: http://xkcd.com/1354/

Editorial Box

OCIO Newsletter Advisory Board
Dr. Andy Chun (OCIO)
Ms. Annie Ip (OCIO)
Mrs. W K Yu (ESU)
Mr. Raymond Poon (CSC)
Mr. Peter Mok (CSC)
Ms. Maria Chin (CSC)

Publishing Team
Ms. Noel Laam (CSC)
Ms. Annie Yu (CSC)
Ms. Joyce Lam (CSC)
Mr. Ng Kar Leong (CSC)
Ms. Kitty Wong (ESU)
Ms. Doris Au (OCIO)

For Enquiry
Phone 3442 6284
Fax 3442 0366
Email csc@cityu.edu.hk

OCIO Newsletter Online
http://issuu.com/cityuhkocio

