January, 2018 CIO Update
Happy New Year! For this month’s update, I’d like to share some information from our Information Security Office regarding some new vulnerabilities that have created some challenges. I would also like to introduce a new feature, in which over the coming months, I will have each area of Technology Services provide an overview of its function and structure. For some folks, this might be just a reminder, but for those of us who are new here or are not as familiar with other areas, I hope this will be helpful in fostering a better shared understanding of all that Technology Services does to keep VCU running. In addition, there is a note from our Records Management area I’d like to share.
Meltdown and Spectre – What are these bugs and how can they affect you?
In early January, 2018, two security “superbugs” were reported. Accompanied by their own logos and names, the Meltdown and Spectre vulnerabilities made a big splash in the IT security community, and have been dubbed as the worst bugs of the last two decades.
While some of the reports about these bugs exaggerated their effects, these bugs can potentially harm IT systems and jeopardize the security/privacy of sensitive information. Under the hood, both bugs exploit a feature in modern Central Processing Units (CPUs). In order to maximize the speed and improve the efficiency of performing the rapid calculations of instructions required by applications and programs we run on our computers, modern CPUs use a technique called speculative execution to predict and “pre-compute” future instructions based on the current computed instruction. Both bugs are set to exploit speculative execution by invoking the computation of sensitive instructions and measuring the output results, therefore making it possible to access privileged data. Since these bugs affect the actual CPU, fixes can only be applied through programs and applications in one of two ways. First, programs and applications that use the speculative execution technique can decide to stop using this feature; Alternatively, additional checks and balances can be built into programs and applications to prevent the reading of results that are computed through speculative execution.
Both options have the potential to impact performance in modern CPUs. Initially, various cases of performance degradation were reported by security researchers and IT professionals world-wide. Due to the potential harm to sensitive information, it is important for individuals to patch their systems against this bug. Apple and Microsoft have both issued patches for supported macOS / iOS / tvOS and Windows respectively. Google released patches for Android devices, but due to varying manufacturers and carriers update policies, Android devices that will receive patches vary. If you are using an Android device, you should check with your carrier or the manufacturer of your device to obtain the patching status.
Additionally, due to the potential exploitability of these bugs through a web browser, major web browsers such as Google Chrome, Mozilla Firefox, Apple Safari, and Microsoft Internet Explorer / Edge have all released or plan to release patches. For most browsers, these patches will be automatically applied, but will likely require a browser reboot.
Network Services Overview:
Network Services is part of the Technology Services team and is responsible for the wired and wireless data networks and related services. The overall charge of this group is to manage the day-to-day operations of the network while at the same time facilitating growth in order to meet the connectivity needs of today as well as those of tomorrow. Currently, approximately 2,150 network devices (switches, routers, firewalls, etc.) and 3,605 wireless access points are managed by the network team.
Some of the services this group is responsible for include designing, installing, and operating the wired and wireless networks at VCU, Internet connectivity, and all the background hardware and applications needed to make all that work (DNS, DHCP, VPN, network security, load balancer, firewalls, and network traffic analysis). Network Services provides the network layer to support general data access as well as supporting the VCU phone system, IP-based security cameras, access control, building automation, and other critical systems at VCU.
Network Services, which is led by Keith Deane (firstname.lastname@example.org, 804-828-9931), is made up of four distinct but integrated teams.
- Network Engineering, led by Mike Sosnkowski, is responsible for the networks and devices at the data centers including Internet connectivity, VPN, firewalls, DNS, DHCP, and the load balancer. In addition, the wireless and VoIP teams are also part of this group.
- Network Operations, overseen by Kush Patel, has the responsibility of the day-to-day operations of the campus network. This group handles the majority of network trouble tickets, monitoring of the network, conversions to networks such as Mednet and Secnet, engineering resources to support moves, adds, and changes, as well as networking new facilities.
- Network Cabling Installation Services, headed up by Scott Knight, handles all network cable projects from the very smallest to cabling new buildings with hundreds of connections. This group manages our vendor contractor list and is responsible for the cabling standards that are used across the university.
- Project Management and Network Documentation is handled by Bill Jones. End-of-life projects to replace outdated devices as well as architecture and expansion of the fiber plant is in this area.
In addition to their own areas of responsibility, these four teams collaborate on items such as HEETF requests, recommendations to use student tech funding, evaluating new technologies, and overall architecture of the data network.
Now that the Spring semester is well underway, no time is better than the present to do some technology related Spring cleaning. As VCU employees, we are all record custodians and data stewards. This means we are:
- Responsible for ensuring that data and records are:
- retained in accordance with policies: go.vcu.edu/records-management
- preserved when they are of enduring or mandated permanent value
- reported for destruction approval prior to purging
- destroyed within 6 months to 1 year after retention period expires
- Knowledgeable of who the records coordinator is for our department. For a list of coordinators, visit: http://go.vcu.edu/records-ownership
- Actively aiding in the development of procedures that identify our department’s records and where they are stored. For a list of approved data repositories, visit: dms.vcu.edu.
For more information about records management, please visit go.vcu.edu/records-management.
Next month, I will provide an overview of another TS area (and thanks to Keith Deane and his team for providing this month’s inaugural entry). I would also like to thank Dan Han and his team for explaining Spectre and Meltdown as well as thank Barry Lanneau. As always, I am thankful for the work of everyone in TS as well as the work of our colleagues in distributed IT roles at VCU.
Here’s to a great 2018!