Duke recently experienced a spear phishing attack, a more targeted means of obtaining confidential information in which an attack email is directed at a specific audience. This type of attack can have a high response rate because the emails are carefully crafted to look authentic. The best way to avoid becoming a victim is to be vigilant when responding to emails. Inspect all URL text and links, even if the email appears to come from Duke, looking for misspellings that take the user to an alternate site set up to capture login data. Finally, enroll in multi-factor authentication to mitigate the consequences of a successful attack.
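The link inspection described above can be automated on a mail gateway or in a reporting tool. The following is an added example, not part of the minutes or any Duke tooling: it flags links whose host is a near-miss spelling of a trusted domain and links whose visible URL text points somewhere other than the real target. The trusted-domain set, the 0.8 similarity threshold and the sample message are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"duke.edu"}  # assumption: the organisation's real domain(s)
SAMPLE = (  # constructed message body, not a real phishing email
    '<a href="https://sso.dukee.edu/login">https://www.duke.edu/login</a> or '
    '<a href="https://duke.edu.example.net/reset">reset here</a>, '
    '<a href="https://www.duke.edu/help">OIT help</a>')

def host_of(url):
    # Accept both full URLs and bare "host/path" text
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def classify(host):
    domain = ".".join(host.split(".")[-2:])  # simplification: last two labels
    if domain in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        # near-miss spelling (0.8 is an assumed threshold), or the real
        # name buried inside a longer attacker-controlled host
        if SequenceMatcher(None, domain, good).ratio() >= 0.8 or good in host:
            return "lookalike"
    return "other"

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def inspect_links(html):
    # Returns (href, verdict, text_mismatch) for every link in an HTML body
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        shown = host_of(text) if "." in text and " " not in text else ""
        out.append((href, classify(host_of(href)), bool(shown) and shown != host_of(href)))
    return out
```

Calling `inspect_links(SAMPLE)` marks the first two links as lookalikes, with the first also showing a text/target mismatch, and the third as trusted.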
II. Agenda Items
4:05-4:15 – Paychecks on DukeMobile, Chris Meyer, Richard Outten, Todd Orr (5 minute presentation, 5 minute discussion)
What it is: DukeMobile has developed web-based information and applications for use on the most common mobile platforms. One of the more recent additions to the DukeMobile suite is the ability for faculty and staff to view both their benefit plans and pay statements.
Why it’s relevant: DukeMobile is providing a convenient way for employees to view paychecks and benefit statements without the need for a computer.
New Functionality: The DukeMobile suite has several new features using SAP FIORI platform:
- My Pay and My Benefits: The links are located under the Duke@Work icon. Employees can check pay statements and plan benefit information.
- Grants Balance: The link is located under the Research Admin icon. Principal Investigators and Grant Managers can look up grant balance information.
Future Functionality: Future functionality will include travel expense approval, exempt employee time off tracking and approval, and Buy@Duke.
Questions and Discussion
Question: Can the web browser user interface look as good as the mobile app interface?
Answer: We eventually will replace the web browser user interface with the mobile interface so that we are only supporting one code base, SAP UI5 (see below).
Question: Will the future functionality for travel expenses include workflow, for example, approval of other employees’ expenses?
Answer: It possibly will include workflow functionality but it may be limited.
4:15-4:35 – IT Strategic Plan Update, Julian Lombardi (15 minute presentation/5 minute discussion)
What it is: Under direction of the Provost, Duke is undertaking its first institution-wide strategic planning effort in about ten years.
Strategic planning around the evolution of IT systems and services, both central and distributed, will help inform the larger University planning process.
Why it’s relevant: Following the model successfully used for the last plan, seven focused IT strategic planning groups have been formed to address specific aspects of IT evolution on campus. To maintain a strong faculty voice in planning efforts and ITAC's role in advising on IT matters, each group is chaired by a faculty member and has at least one ITAC faculty member on it, along with staff bringing appropriate expertise to each group. We will review the seven groups and their charges.
Current Efforts: We are in the process of determining the direction of IT within the University over the next 5 years. Seven working groups are in the process of identifying IT specific activities or projects needed, along with prioritization, timelines and estimated costs. Most of the groups have submitted draft recommendations which were shared with ITAC.
The working groups include:
- Living and Learning
- Research Computing Support
- Communications and Infrastructure
- Administrative and Business Systems
- IT Security
- Support Models, Procurement and Licensing
- Online Presence, Web, Mobile
Still to come: Each of the working groups will determine the benefits, beneficiaries, scope, priority, cost and timeline estimates and use-case scenarios for each of their recommendations. Once the working groups have finalized their reports, they’ll be submitted to the IT Steering Group led by John Board to be consolidated into an IT Strategic Plan Draft. The draft will be submitted to Tracy Futhey, CIO, by early March so that it can be included in the planning of the 2016 University Strategic Plan.
4:35-5:10 – HackDuke, Jesse Hu, Yu Zhou Lee (25 minute presentation/10 minute discussion)
What it is: HackDuke is about collaboration, exploring the intersection between technology and social good and giving back. Undergraduate and graduate students from across the country are divided into teams of up to 5 and are challenged to merge technology with social tracks of impact. This year’s tracks were Inequality, Energy & the Environment, Health & Wellness, and Education.
Why it’s relevant: HackDuke is not just about building meaningful projects. It’s an open forum to discuss, share and bring to life ideas that aim to make a positive impact on social issues. The annual event challenges students to think beyond the classroom to make a difference in the lives of others by “Coding for Good.” Jesse and Yu Zhou will provide an overview of HackDuke 2015.
HackDuke 2015: HackDuke, a student-run organization started in 2012, is about ideation, creation, collaboration, innovation, social responsibility and pushing the boundaries of technology use. Seniors Jesse Hu and Yu Zhou presented a short YouTube recap of the recent event ‘HackDuke 2015’ (https://www.youtube.com/watch?v=8kTWjOic4W0). There were over 3,000 applications from around the world (400+ student applications from Duke; all were accepted) to attend the event, with a little over 750 accepted overall. The event took place November 2nd-8th and consisted of 4 days of technical workshops geared toward students of any experience level and ended with a 24-hour hackathon. To hack is to make something out of anything, preferably technology, though it can be about more than just technology, for social good.
During the 24-hour hackathon portion of the event, teams of up to 5 members from Duke and other universities around the world worked together to complete projects that incorporate technology and bring social good. There were four impact tracks that participants could compete in: Inequality, Energy & the Environment, Health & Wellness and Education. The winning team of each track was awarded prize money to donate to a nonprofit of their choice. The entire event was free and included everything needed to complete projects, including all hardware.
Current Initiatives: Current initiatives include rebranding to expand participation of students who do not have a coding background. Other initiatives include planning for the next educational series, reaching out to communities beyond Duke (Durham Youth Home), targeting freshmen at back-to-school meetings, and facilitating trips to other university hackathons. HackDuke wants to continue to diversify from a gender, race and social circle perspective.
Question: How Can Duke Help?
- Dedicated meeting space is needed (20 people, several days a week). Comment: There might be space in The Foundry.
- Cross-departmental outreach is needed to expand participation beyond coders.
- Sponsorship/financial support/industry relationships are welcome.
- Speakers/experts from departments within Duke are welcome.
- Contact Hackers@hackduke.org or reach out on Facebook to provide help.
Questions and Discussion
Question: Do you need a background in coding to participate?
Answer: All Duke students are accepted even if they do not have coding experience. The remaining participants are selected based on a variety of criteria with a heavy emphasis on diversity. Applications are looked at independently from year to year. Participants can be selected one year and not be selected the following year.
Question: When will the 2016 event take place?
Answer: The date probably will be early November and will be dependent on space availability.
Question: If you are participating in a hackathon do you have to have an idea for a project prior to the event?
Answer: Less than a quarter of the participants have an idea coming into a hackathon.
Question: How has HackDuke engaged alumni?
Answer: Some alumni relationships have been established through Facebook and other channels.
Comment: The Development Office might be able to provide help engaging alumni.
Question: What was the winning idea this year?
Comment: There were winners from each track. One of the winning projects used technology to help blind users navigate unfamiliar surroundings.
Question: Who will take over organizing the events in the future since the current organizers are seniors?
Comment: Future leaders of HackDuke will be selected from current members that really want to make an impact.
5:10-5:30 – CSG Update, Richard Biever, John Board, Tracy Futhey, Charley Kneifel, Mark McCahill (15 minute presentation/5 minute discussion)
What it is: The Common Solutions Group works by inviting a small set of research universities to participate regularly in meetings and project work. These universities are the CSG members; they are characterized by strategic technical vision, strong leadership, and the ability and willingness to adopt common solutions on their campuses.
Why it’s relevant: CSG meetings comprise leading technical and senior administrative staff from its members, and they are organized to encourage detailed, interactive discussion of strategic technical and policy issues affecting research-university IT across time. We would like to share our experiences from the most recent meeting.
Winter 2016 CSG Update: The following is a summary of the 3 half-day workshops attended by select OIT staff at the January 13-15 CSG (Common Solutions Group) meeting that was held at Rice University.
Continuous Delivery/Deployment/Improvement/Integration: Cornell shared the strategies they have developed for the continuous delivery of new functionality within their Kuali Financial System. These included simplifying the deployment of code changes and enhancements made by Kuali along with internal code changes and enhancements that are requested from within Cornell. To simplify and shorten the time between deployments, Cornell has invested in automated testing and has automated the deployment process, shortening the time between releases.
In another presentation, Cornell shared the challenges one department faced maintaining old apps. Rather than hire a developer/operations resource to maintain those apps, a Central IT analyst spent 6 months setting up automated processes that simplified the operational tasks to maintain those apps. Central IT also provided an extensive training program to local IT departments so that they would have the knowledge to support the new infrastructure on their own. As a result, they were able to repurpose the Developer/Operations resource to a new position focused on helping researchers. Additional benefits included more timely releases and the ability to quickly roll back changes if necessary.
Mark McCahill presented how Duke is using Docker containers to rebuild our test environment for our central authentication systems (Kerberos/Shibboleth/LDAP/Radius) every 4 hours. This has allowed for quicker deployment of patches and quicker recovery in case of failure.
Cloud Strategy: Continuing the Conversation: A couple of key points were discussed in regard to cloud computing:
- Make sure contract terms specify how quickly you have access to logs. When there are security issues, you want to be able to get to the logs quickly.
- An exit strategy should be designed before contracts are signed.
- Collectively, CSG may have more leverage working with large cloud vendors to make changes to products.
Security and compliance: Several schools shared recent security incidents and shared insights.
- One university deploys phishing attacks directed at its own faculty as a training tool. Faculty are sent to an education site if the attack is successful.
- Begin sharing threat intelligence within the group, perhaps using an automated process.
- One university had their domain redirected to a different site.
NIST SP800-171 Compliance: The new requirements on Controlled Unclassified Information (CUI) that the National Institute of Standards and Technology (NIST) has adopted require organizations to adopt stringent security controls for sensitive research data. Duke University conducts public research only; however, we will soon be required to treat all DOD (Department of Defense) research as classified research data. This topic will be brought before ITAC again when more information is gathered.
Questions and Discussion
Question: Does information contained on research instruments fall into CUI?
Answer: We are still assessing the new requirements. A working group with representation from ITSO, faculty and others will be established to figure out the least intrusive way and least expensive way to meet the requirements.