CA Community

Ajusting the Project Portfolio to Survive Turbluent Times

Pradeep Bhanot — Fri, 03 Jul 2009 15:26:00 GMT

Today I came across an article at itpro.co.uk that discusses the severe impact on the airline industry of the current recession. This is a good example of balancing the business portfolio to better address the margin pressure being imposed by the current business climate. British Airways is not alone in this situation; many industries are deferring cash hungry projects with long lead times to value in favor of projects that promise faster returns that are needed now, as that can help carry them through the current economic turbulence. In this case BA cut an ERP project with returns expected in 2011 in order to favor a customer facing in-flight wireless communications project that will provide payback in a much shorter time.

It is interesting to compare the case above to a more optimistic view, featuring Lean IT, expressed in the a recently published paper on preparing for the upturn from this recession, which you can download by clicking here. It does resonate with the ITPro article in that does underline the need for companies to set frivolous projects aside and focus only on those that clearly produce value for customers and shareholders.

The customer centricity and eliminating wasted effort are central elements of Lean thinking which both the paper and article are touch upon and are worth a read.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Happy with Crappy

Steve Romero — Thu, 02 Jul 2009 16:22:00 GMT

I have written a number of posts discussing the rate of IT project failure. According to every study I have seen over the past 10 years, at least half of all IT projects fail. I believe there are many factors that contribute to this trend but during a recent interview with SearchCIO http://bit.ly/3w5S3, Kristen Caretta asked me to choose one. Whenever I am asked this question I always cite the lack of sound Project and Portfolio Management (PPM). I have seen few organizations that have the appropriate decision-making processes and relationships to ensure their IT investments are reasoned and rational.

Sound PPM enables enterprises to determine the optimal mix and sequencing of proposed programs and projects to best achieve the organization's overall goals. PPM enables investments to be expressed in terms of hard economic measures, aligned to business strategy goals, while honoring constraints imposed by management or external real-world factors. Without this capability, I argue many projects are doomed before they begin.

My discussion with Kristen reminded me of a recent visit I had with a CIO who is in the beginning stages of revamping an IT organization for a major insurance provider. We talked about many things in our two hours together, including IT investment governance in his organization. In our conversation, he offered a much simpler explanation for the rate of IT project failures. He contended enterprises are "Happy with crappy." He said so with a mischievous grin and I couldn't help but laugh.

I am sure you have heard that there is an element of truth in every joke, and his clever comment caused me pause. In the past, I have theorized that our inability to correct this disturbing trend was partially due to a complacency born of a belief that technology projects inherently:

Take longer than we plan
Cost more than we anticipate
Don't usually deliver what the user wants - the first time (for a variety of rationalized reasons)

Did his comment provide more insight into my theory? Are we happy with crappy based on our rationalization that technology projects are inherently difficult to estimate and deliver successfully? Let me know what you think.

Steve Romero, IT Governance Evangelist

Share this post: Email it! | bookmark it! | digg it! | reddit!

Economic Crisis and Service Management - Part II

Robert Stroud — Wed, 01 Jul 2009 15:12:00 GMT

Part I can be viewed here.

As I mentioned previously, I spoke last week at a joint Korean itSMF and ISACA conference. This post continues with additional answers I prepared, answering excellent questions raised by the facilitator of the closing panel session.

The second question asked at the panel was an interesting one about inhibitors and accelerators for service management. As many of you know I spend a good amount of time with large IT organizations globally so this allowed me to share some practical advice from a large Bank.

Question 2: How do we drive IT governance through ITSM or IT governance frameworks such as COBIT, VALIT? What are key accelerators and critical inhibitors? How these frameworks fit with IT organization of the future?

When I met recently with the CIO and CTO of a large global Bank, she mentioned that one thing happening today is the rate of change and the fact that more change is being generated by the business rather than IT. She quoted the example of interest rate changes that are controlled by the business and executed automatically by IT as a good example of IT automating Business As Usual (BAU) and collecting the relevant audit check points and approvals. She also mentioned that social media and collaboration is transitioning business - staff are dynamically communicating and searching for resolutions to problems or knowledge for "how to scenarios" using technologies like Twitter and Facebook. Sales is using LinkedIn connections to drive business relationships. Web 2.0 is changing again, accelerating the rate of change and the way that functionality is delivered to our working environment.This is the perfect catalyst for changing the manner that we deliver technology to support the business.
The best accelerator is for IT to acknowledge it is part of the business and for the business to acknowledge that it is dependent on IT. There are few industries or even business processes today where IT is not on the critical path to service delivery. This mandates a phase in enterprise change and that the processes that IT employs are NOT onerous but appropriate based on business risk.
The risk here is that we become so focused on the process and not the risk to the business that we unnecessarily add delays to delivery of service. Thus like the little boy who cried wolf, when the real risk is exposed IT, it will not be believed and we will again fail, further increasing the divide between IT and the business.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Service Definition: What do "My Cousin Vinny" and Song Airlines have in common?

Eric Feldman — Tue, 30 Jun 2009 21:10:00 GMT

Many companies adopting a Service Catalog are faced with a dilemma. How do they define their services? Actually, there are two components to service definition. One is the processes employed to deliver or enable the service. These can be documented in a process modeling application, or made actionable using a tool, such as CA Workflow or CA IT Process Automation Manager. This is the "behind the scenes" part of a service definition.

While this is important from the Service Definition and Lifecycle perspective, I wanted to focus this time on the specific definition that is published in a catalog. If you think about it, most customers and department managers are concerned with what they are choosing from a catalog, not how it will be delivered to them.

Ever shop online? Many online merchants have setup elaborate systems to help you choose a product or service. There are glowing descriptions, photos, videos, customer testimonials, and rating systems. You may even see a service level listed, representing the time frame where the product will be delivered.

On the other hand, do you see an activity diagram detailing how your credit card will be authorized, how the product will be picked from the warehouse, and how shipper routing decisions will be made? You don't. While this information is important from the provider point of view, it is almost irrelevant from the customer's perspective. They certainly care about receiving their product within a specified or reasonable time. How that product arrives is typically of no concern.

To establish a Service Catalog, you must follow a similar mindset. The process behind the service definition is important, but primarily from the IT or service provider perspective. The backend, if you will. It is the technique and style you use to define the service from the customer or end user's point of view that becomes crucial, especially when acceptance or adoption of the Catalog is of concern.

But how does an IT organization actually describe their offerings? The technique is easy to describe from a high level: Keep it informative, yet simple to describe. Think outcomes, not components. And use value added language that is meaningful to the appropriate user community. For example, a storage service could be described as “300 Gb logical volume size using SAS hard drives in a Raid 5 array. This description may be suitable for a technical user audience. For many business users, however, this information is inappropriate. A far more meaningful description may be “Reliable and secure data storage."

The Service Catalog is the publishing vehicle where IT does not just define their offerings. It also communicates their value to the business community.

Which brings us back to the original question. "My Cousin Vinny" and "Song Airlines" both can show us examples of how a Service Catalog was deployed. Each illustrates the parameters I described above, in entirely different ways.

In "My Cousin Vinny" the characters played by Joe Pesci and Marisa Tomei go to a diner and are handed a menu. It says simply "Breakfast," "Lunch," and "Dinner."

Song Airlines was a former division of Delta Airlines that featured an "upscale bistro" menu of food for purchase. It detailed elaborate descriptions of offerings more gourmet than geek. Here is an actual description taken from a Song menu: "Asian Chicken Salad. No, you don't have to eat it with chopsticks: Ginger-marinated chicken *** with romaine, napa cabbage, shredded carrots, water chestnuts and mandarin oranges. Served with chow mein noodles for crunch and a sesame-ginger vinaigrette for kick."

So, which method are you using to represent your organization's value? Do you use the "My Cousin Vinny" or the "Song Airlines" technique?

Or to ask this question in a different way, are you using relevant value oriented language in your Service Catalog, or do you get by with just a simple two word description such as "request access?"

Share this post: Email it! | bookmark it! | digg it! | reddit!

What Part of DLP Should I Implement First?

David Miller — Mon, 29 Jun 2009 16:18:00 GMT

Data Loss Prevention (DLP) solutions secure a company’s sensitive data and critical digital assets on endpoints (desktops and laptops), the network, message servers, and even stored data. Comprehensive DLP solutions create a dilemma for organizations: what aspect of data loss do they address first? This query may seem commonplace. But because DLP identifies and controls highly sensitive data across the enterprise, this question is very important.

As expected, the answer depends on various characteristics and goals of the firm asking the question. A few considerations:

Do you know of data that you must protect now? If you need to protect something specific – such as product design documents, proprietary models, or your customers’ personal information, you may decide to start using DLP to control the use or transmission of that particular data.
Then, which type of use must you control? There is email, Web, IM, FTP, moving data to removable media, printing data, and many other methods available to your end users that can result in data misuse and leakage. To understand what to protect, you need to evaluate these against existing procedures. If you’ve locked down USB ports, then perhaps you should first protect network-based transmissions or emails at the message server. If the use of removable media is permissible, consider protecting against saving your high-risk data to them.
Do you have high-risk users? These can be executives with insider information, engineers with next-generation product designs, and even outsourced employees. If so, consider using your DLP solution to focus on controlling their activity first, or at least differently than for other users.
Do you need to discover your data risks? If so, that’s ok – and you’re not alone. Here, DLP should be used to identify and discover sensitive data across the enterprise. You must determine what systems to scan – content repositories (such as Microsoft SharePoint), network folders, and/or end-user desktops. This can depend on how your end-users collaborate.
How will you support your DLP system? If you will control use and transmission straight away, be prepared to handle the activity the system will detect. This calls for the highest levels of detection accuracy so that your security and compliance resources will be used efficiently.

Keep in mind – a DLP solution must be able to accommodate expansion beyond your initial deployment.

How have you approached your DLP deployment?

Share this post: Email it! | bookmark it! | digg it! | reddit!

Italy: Prime Minister Subject of Spam?

Rossano Ferraris — Mon, 29 Jun 2009 09:42:00 GMT

Spammers have used the recent political controversy that surrounds the Italian Prime Minister
Silvio Berlusconi to lure and trap Italian speaking people via an email spam (see Figure 1 and
Figure 2). Italian people who love gossip about public people may be particularly susceptible to
this type of email.

Figure 1 - Spammed Email

The English translation is:

“Have you seen what our Prime Minister Silvio Berlusconi is doing? Have you followed his story
with the escort?
Thanks to a journalist of LEGGO, we have got the opportunity to see our Premier together with
his escort girl recently appeared on newspapers. If you want to see them, click on the link below:
hxxp://you[BLOCKED].com/watchv=W3k9pMtrccQ.html

TO SEE THE VIDEO YOU NEED TO INSTALL THE FOLLOWING CODEC…”

If we examine the email closely, we see that the email pretends to come from Youtube.
However, the email really comes from a certain Youtorube.com (see Figure 1 and Figure 2) which
is hosted on a web server located in Florida with IP address 64.71.35.20.

Figure 2 - Email Header

A link in the email will redirect us to a malicious website “youtorube.com” that asks the user to
install a new codec to view the video (Figure 3):

Figure 3 - Host website

The new codec is called “wmpcodec.exe,” and CA AV detects this file as the worm
“Win32/IRCBot.OQ”, and blocks it from running.

Additional Information on Win32/IRCBot.OQ

We managed to follow the communication between the malware file and its IRC server, from
there we found that the bot malware is monitoring keystrokes, passwords, websites visited and
windows opened in the infected system.

Win32/IRCBot.OQ sends a log of computing activities of an infected system in the IRC server. It
makes the activity log visible to the malware author and also to other infected systems.
The IRC channel becomes a log file of activities of all infected machines.

Figure 4 shows how each activity was logged in the IRC channel:

Figure 4 - Communication capture in the IRC channel

It logs usernames and passwords when an infected system accesses a website that contains
'login.php' in the URL.

In addition, it attempts to download other malware to the infected system, which CA detects as
Win32/PolyCrypt!packed.

Thanks to Zarestel Ferrer for his contribution to the description of Win32/IRCBot.OQ malware

Share this post: Email it! | bookmark it! | digg it! | reddit!

Malware finds refuge in school

Aaron Faloon — Mon, 29 Jun 2009 03:37:00 GMT

This week in CA Research Labs as we were receiving new variants of the popular Bancos Trojan we were able to make a successful attempt at tracing one of these variants back to its distribution point.

This distribution point is a web server located in the state of New Jersey in the United States of America. The web server is associated with a local school in the area and is used to host it’s website to the public.

An interesting point to note is that the school is presently closed for maintenance and equally important the school has dismissed for the summer.

Was this timing intentional by the malware authors in order to go undetected by the people involved with monitoring the schools website and network or purely just coincidence?

[Figure 1 - School Website hosted on web server]

[Figure 2 –Bancos Malware stored on compromised web server]

As well as hosting the schools website we can see that the compromised web server is also hosting Bancos malware. Here we can see the malware files that are stored in the directory on the compromised web server. These files are used to resemble legitimate banking applications in order to fool the user into entering their banking information which is then stolen by the attackers.

Anatomy of the Attack

[Figure 3 – Anatomy of the attack]

Step 1 - The Users machine gets infected by one of the Bancos download agents. These agents are detected by CA as Win32/Bancos.ORU and Win32/Bancos.ORV.

Step 2 - The infected machine will now automatically connect to the compromised web server under control of the download agents.

Step 3 - Once connected to the compromised web server the download agents will download Win32/Bancos.ONW onto the user’s machine.

The system is now infected with a Bancos Trojan which can steal sensitive information relating to the users banking habits.

Here we can see the download agents (Win32/Bancos.ORU and Win32/Bancos.ORV) contacting the compromised web server in order to download the Bancos Trojan onto the users system.

[Figure 4 – Contacting the web server and downloading files]

We can see from Figure 4 that an executable (sidebr.exe) and an image file (c1.bmp) are downloaded to the infected user’s machine. Many more files are downloaded to create the Bancos Trojan application. A few of these files can be seen in Figure 2.

CA currently detects the downloaded Bancos Trojan as Win32/Bancos.ONW.

CA also recommends keeping your security software up to date in an attempt to avoid this infection of Bancos Malware taking place on your system.

We have also notified the administrator of the compromised web server regarding this issue.

Please read our blog on Banking Trojans - Tips and Tricks for more information on the Bancos Trojan.

Share this post: Email it! | bookmark it! | digg it! | reddit!

What Makes You Think You Are An ITIL V3 Shop?

Peter Doherty — Sat, 27 Jun 2009 09:23:00 GMT

At CA Expo here in Oz I asked the 200 people in my session who thought they were an ITIL V3 shop and probably 20 or so hands went up sheepishly. Maybe the reason for this is that they have seen what happens to people who put their hands up in response to my questions or maybe they were unsure.

Word out of the latest Gartner conference is that lots of IT organisations are adopting V3. Now for the record, I think they should. But just because I think they should does not mean that they are. So here in Oz, which is a very mature Service Management market, I get mixed feedback about the adoption of V3. When I asked the same question in the Sydney Expo I told some of the people to put their hands down (see what I meant about putting your hand up in my sessions!). So why did I ask them to put their hands down? For the same reason that I do not think there is the ITIL V3 uptake that the analysts are quoting.

And that reason is that if you are just doing Incident, Problem, Change, don’t kid yourself that you are a V3 shop. It is really good that you are doing those things, don’t get me wrong. It is just that IT is so bad at managing expectations and here is another example:

You need to be doing more than the old Service Support processes.

So are the analysts wrong? And if so where are they getting the data? Or are they asking the wrong questions? I think it is a combination of things. I twitter on Service Management (@ITILNinja) and David Ratcliff of Pink Elephant (@pinkerdavid) asked the question about why are we twittering on advanced topics when most people are still crawling? And he is so right.

There are so many shops out there still implementing the SS processes and here I am talking about Service Portfolio Management. If you are struggling with Incident and Change, SPM is fantasyland. But I want people to start thinking about how good fantasyland could be!

And this is how I think you can define yourself as an ITIL V3 shop – you have started to think and plan to eventually get to Peter’s fantasyland and it is a good place!

You are an ITIL V3 shop if you have started to embrace some of the new processes and are talking about a Service Lifecycle. Sorry, not just talking about it but it is starting to become part of the culture. When you start appointing Service owners and Business Relationship Managers that actually talk to the business, not just other parts of IT.

So if an analyst asks you whether you are a V3 shop or not, forget about the pressure for you to say yes and ask yourself how you stack up against some of my basic criteria and also ask yourself whether your CIO talks about this as well.

As I always like to do – if you think you are a V3 shop, leave a comment and tell me why.

Share this post: Email it! | bookmark it! | digg it! | reddit!

IT Uncommon: The Ties that Bind

Jeff Foucher — Fri, 26 Jun 2009 17:18:00 GMT

I'm pretty amazed at the seemingly endless discussion and un-evolved thinking around "aligning IT with the business." Various machinations have surfaced ("it's about IT being part of the business" or "it's about aligning IT and business") and at least a dozen vendor-driven acronyms have emerged all purporting to put IT & business on the same page. However, I've yet to see a more detailed, behavioral analysis applied to better understanding the underlying human factors which still make this a relevant discourse and one that still appears to keep executives up at night.

As an IT outsider, it seems that this is no different than any other inter-departmental cultural divide hindered by a general misunderstanding of what one party perceives to be of value, exacerbated by disparate metrics and measures, and undermined by intra-departmental silos of dysfunction.

Finding Common Ground

As with any cultural divide, there are fundamental steps which can be taken to ensure that both parties find mutual benefit and success. And of course, technology can help play a part. Hence, a four part plan for IT:

1. Common Goals: As with any business, this is all about IT getting lean and orienting itself around a value/cost/risk axis. Starting with a firm (documented) understanding of business goals and priorities, IT then can establish a customer-centric beacon upon which all activities are then managed, executed and measured. If it's not on the business agenda, it should never get onto the IT agenda.

2. Common Language: In most areas of business, and certainly all areas of the public domain (government, education, healthcare), the value orientation is predicated upon the services being delivered to customers. Even manufacturing ‘output' can be considered a service since without the underlying orchestration of the supply chain, nothing would ever be built. Likewise, IT should start with the ‘language of business' and ground itself in the management of its own IT service portfolio. This requires a full understanding of IT cost, quality & function packaged in terms of the services being delivered or supported.

3. Common Currency: While business is based upon a service orientation, the way the business operates is actually quite different. Accounting principles require a more detailed view beyond just the ‘cost of the service' - for purposes of depreciation, tax, operating margins and capital expense. A service oriented view of IT "cost" is absolutely needed to establish a common language with the business around value, but the currency of business is more rigorous and requires cost accounting principles applied to asset expenses, labor expenses, application costs, license costs, maintenance on hardware, communications, infrastructure. Similarly, IT Financial Management must be able to plan, actualize and optimize its expense base against these same principles and detail -- whether they are IT assets or projects or telecom expenses or software contracts.

4. Common Knowledge: Underpinning all of this is the ability for organizations to create a shared sense of purpose, allowing them to galvanize against common goals with a unified language and currency system. In IT, this is essential to breaking down the long-standing silos of disconnect which have undermined IT for years. ITIL plays an essential role here, by focusing on processes, which quickly afford one function to realize their own role in the context of the broader organization.

Building A Common Culture

In the end, business may or may not care to engage fruitfully in an ‘alignment' discussion with IT. But they are forever connected to IT as their lifeline to innovation and competitive advantage. But by establishing a common framework for success based on shared goals, a language everyone understands, a single currency system and a shared knowledge base, IT leaders can indeed become business leaders and along the way, improve the way the business itself operates by embracing and driving toward a common culture of success.

How has Technology helped you bridge the divide?

Share this post: Email it! | bookmark it! | digg it! | reddit!

“Amp up the ‘folio”: Reasons for Tuning a Project Portfolio

Pradeep Bhanot — Thu, 25 Jun 2009 12:54:00 GMT

Creating a perfect portfolio may be a dream, but striving for one should not be. Lean thinking encourages incremental measures that focus on the customer, improve processes, amplifying good projects and eliminating waste by switching off or deferring non-strategic ones.

What makes one portfolio better than another? One popular view would be of a portfolio that manages to balance risk with return is perfect. A conservative company in a highly regulated market with minimal competition may be happy with a high percentage of its projects focused on customer retention and maintenance of existing services. This approach would protect top line revenue while trimming the bottom line by increasing efficiencies.

For an aggressive business that is in a growth market with a high tolerance for risk may consider an optimal portfolio to be one that supports a handful of ambitious "game changing" initiatives while mitigating essential regulatory exposures. A secondary focus on maintenance and customer retention may be tolerated if there is high demand from an emerging market. This might be the case for a vendor of GPS devices where the vast majority of the revenue from new customers.

Another definition of an optimum portfolio is one that is well aligned to the company's strategy and business climate. The current economic reality is favoring measures that cut or contain costs, a scale back on large cost intensive projects and a focus on projects that offer fast payback to sustain the company through the recession.

In the absence of facts and metrics around business alignment, cost, value and risk factors, balancing a real portfolio becomes an art. PPM solutions provide some clarity by providing a decision making framework for making informed portfolio decisions, which makes the process less subjective and more of a science. When facing a cost cutting requirement from executive management, being able to quickly identify candidate projects based on cost, value or strategic fit can be pretty handy.

A project portfolio can be a pretty dynamic thing. Tuning the portfolio is an exercise that needs to be done at on ongoing manner to keep pace with changes in the market and business climate.

Share this post: Email it! | bookmark it! | digg it! | reddit!

World Economic Crisis and Service Management

Robert Stroud — Wed, 24 Jun 2009 20:30:00 GMT

This week I was in Korea for the joint Korean itSMF and ISACA conference. Understanding the issues surrounding the business climate and the demands on their members' time and finances, these two organizations worked together for a single event instead of their usual independent events. The event was a huge success based on the attendance, attendee comments, press comments and the smiles on the organizers' faces.

I spoke about Governance for your ITSM environment--more on that next week--and I wanted to share with you my prepared comments to the excellent questions raised by the facilitator of the closing panel session.

Questions: As you may know, we are facing a world economic crisis and many leading firms demand to sustain their businesses. What's your perspective on the role of ITSM and IT governance to sustain our business (in terms of efficiency) in this crisis? What can you suggest based on your global experiences, providing recent case examples? Will ITIL-based ITSM solutions or VAL IT enable us to sustain our businesses during this particular period?

At the moment, the global focus is clearly on cost reduction. Unfortunately much of this is based on simply cutting people, deferring investments, wholesale removal of a service or introduction of service delays. Instead, focus needs to be on real immediate savings and this needs to be linked to business demands.
Frameworks, including ITIL or COBIT, give us the opportunity to deliver efficiencies but only where they are delivered through automation of process with a focus on the reduction in complexity - these must be linked to the demand side and the organization's strategy.
We must balance supply and demand.

One of the real opportunities here is to expose the business to the operational services that are being delivered and the costs associated with their delivery, proactively providing information on how to reduce these costs.
The Service Catalog is an good example of this - where the business consumes services expressed in business terms with business based service levels. IT has to opportunity to associate costs with the various service levels.
These services must be reviewed on a regular basis with efficiencies reviewed with the business - not just evaluated by IT.

One example of this is a power company in the U.S. that is using COBIT for Governance and setting controls for risks and exposures. It also is linking IT strategy to the business strategy. This organization uses ITIL for Service Management, uses PMBOK for project management and currently is implementing the Investment Management domain within VALIT.

The company has implemented a Service Catalog that defines business services. It has implemented self help for issue resolution, and the service catalog allows users to consume services acknowledging cost and all investments are linked to business strategy.

This organization has been dictated a 10% overall cost reduction
Immediately the investments could be prioritized for relevance to the new strategy of cost reduction. Projects were all reviewed and by slowing down several and completely removing two, a 15% saving was made.
Operations wrote to all users of services that leveraged consumption-based third parties and advised them of the opportunity to cut costs.
IT identified that by accelerating the VOIP initiative they could save 3% from the total IT budget in the first partial year of operation after all costs. Because of the near-term cost-savings, this project was accelerated.
Self-service Catalog automation increased and provided another 2% saving.
Overall the 11% of real savings were delivered.

What do you think?

Share this post: Email it! | bookmark it! | digg it! | reddit!

Verified Identity Pass Goes Kaput - Where is the Data Now?

Merritt Maxim — Wed, 24 Jun 2009 16:15:00 GMT

On Monday, Verified Identity Pass announced that it will cease operation of its Clear program at 18 airports throughout the U.S. To the estimated 250,000 frequent fliers who had signed up for Clear Pass program and shelled out $200 annually for the privilege, this news was sudden and unexpected.

The Clear program was one of three registered traveler programs that enabled travelers to obtain priority at airport security. In light of the extra waits often encountered at airport security following the new post-9/11 rules, these registered programs seemed attractive. With Verified Identity Pass' announcement, the viability of such services is now in doubt.

The initial news on getting refunds back is not promising. Disregarding the financial impact of not getting a refund, there is a much more important identity question to ask, "What happens to the biometric data of the registered travelers?"

Biometrics are the one credential that cannot be revoked. Passwords can be changed, users can be removed from directories, smart cards can be locked, and certificates can expire, but your fingers, eyes and face are with you. And while most biometric systems only store a digital interpretation of this data, the point is that Clear possesses some unique data about 250,000 people and the future of that data is in some doubt. The FlyClear website has this short statement

"Applicant and Member data is currently secured in accordance with the Transportation Security Administration's Security, Privacy and Compliance Standards. Verified Identity Pass, Inc. will continue to secure such information and will take appropriate steps to delete the information."

On the surface, this sounds good, but given that the company is having financial difficulties, what assurances do we have that their systems are safe from attack and that personal data will not be compromised now? If the data is going to be deleted, what assurances are there that the data will be destroyed completely?

I don't mean to be an alarmist and all data may be handled correctly, but this business failure raises some important policy questions about ownership and protection of personal biometric data by third parties.

This will be an interesting case to monitor going forward.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Security Management in a Hybrid Application Deployment World

Matthew Gardiner — Tue, 23 Jun 2009 19:20:00 GMT

A recent Wall Street Journal article discussed the challenges and opportunities around the emerging business model of software vendors offering both "online applications" (SaaS) in addition to the traditional mode of providing software as on-premise applications. I am not going to wade into the merits of one approach of the other here, other than to say that some applications are well-suited to SaaS and will be provided as a service - many already are. The question I want to ask and partially answer is, where does this leave enterprises with security management? The fact that applications and their associated data are outsourced certainly doesn't mean that organizations also can outsource ultimate responsibility for the security of these applications. Who do you think will get blamed if there is a data leak?

If IT security organizations think that they have a heterogeneous IT security management challenge now, just wait until more of their applications are provided via SaaS - and thus delivered via the Internet and hosted who knows where. What enterprises are going to need is an approach to security management that automates the management of security without regard to whether the applications are deployed via the traditional on-premise mode or via the SaaS mode (what I call the hybrid application deployment world). In addition they will need an approach to security management which is nearly instantly re-configurable so that what is outsourced one-day can be in-sourced the next, and vice versa. While there is no perfect solution yet to this hybrid security management challenge, many of the problems are well understood and at least partially solved in the world of identity and access management, Web access management, federation, and Web services security as well as through the use of associated standards such as SAML , XACML, and SPML. Vendors, like CA, have been providing solutions to the management challenges of cross-domain, Web security management for many years now. It is only natural that CA, and vendors like us, will do so for this hybrid application deployment world as well.

One certainty is that the Web security industry needs to work together at many levels such as technology to policy, interoperability to privacy, and other areas to make this all work from a security management point of view. And that is exactly what we are doing. For two very timely proof points, take a look at the SaaS interoperability demonstration that is on tap at July's Burton Catalyst Conference. For another proof point on how the industry is working together to make security work in this model, take a look at the newly launched industry consortium, the Kantara Initiative.

While the particular business viability of one application deployment mode over another is still pretty foggy right now, it isn't foggy that security will need to be managed in a hybrid mode for as far as one can see ... and solutions to this problem have and will primarily come out of the Web security management software world.

Share this post: Email it! | bookmark it! | digg it! | reddit!

The Challenges of CMDB Federation without a Standard

Marvin Waschke — Tue, 23 Jun 2009 15:50:00 GMT

There are many difficulties involved in CMDB federation that the CMDBf specification helps address.

When you set out to integrate a CMDB product with another data source, such as another CMDB or a specialized device monitor, there are several steps that you must take and with each step there are choices to make.

Perhaps the most important architectural choice is the level on which to federate. You can choose to federate on a database to database level. That involves a detailed knowledge of the schema of both the target and the source system, and the federation is likely to break if the schema of either system changes. Because the schema is intimately tied to the internal operation of the applications, schema changes occur frequently when either the data source or target changes. Often, schemas are not designed with federation in mind and so data that is not relevant to federation may appear as columns in the same tables as federation data. This can complicate transactions and cause the federation to break when an unrelated feature in the federation source changes. In addition, exchanging schema information can become a thorny intellectual property problem, especially when the source and target are from rival vendors.

Due to the difficulties of database to database integration, APIs are often used instead. Using this strategy two products communicate by each calling the published APIs instead of reading or updating a database. These APIs are usually designed and published to support integration. Consequently, they do not require intimate knowledge of the products that support them and they tend to change less often than database schemas that often change to support new features and efficiencies. And finally, APIs are better documented than schemas.

API to API integrations are a distinct improvement, but they still have problems. For example, they still are subject to breaking if either party changes their API with a product change. Sometimes, good engineering rules are followed and the APIs are backward compatible so that existing integrations do not break, but this is not guaranteed. In addition, as new features are incorporated into products, new APIs are often added and integrations must change in order to take advantage of new capabilities. There is often little incentive to vendors to roll new features into existing APIs, which is often much more difficult than inventing a new API. This means that new releases always threaten the federation and adds an element of unreliability. Not only is there danger of downtime and recoding costs, remediation for the unreliability also incurs more cost in the form of extended testing and more elaborate transition plans with new releases.

Most seriously, the APIs for every MDR and federating CMDB are all different. That means each integration project has to be designed and engineered individually. Not only is development of this form of federation expensive, each integration must be supported individually by engineers specially trained on the specific federation, which eliminates economies of scale in support.

In a word, API to API federation is expensive to the supplier of the federation and inconvenient to the user of the federation.

The CMDBf is a public specification for API to API integration and addresses two of the substantial problems involved with that type of federation. First, it puts everyone on the same API. Second, by placing changes to the specification in the hands of an organization like the DMTF, the change process is stabilized and the specification undergoes industry-wide scrutiny before it changes. Like code reviews in software development, this scrutiny can eliminate a large share of the problems with federation breakage.

When the specification becomes widely accepted, basically the same integration can be repeated and supported over and over again. The process of building a federation between an MDR and a CMDB requires a thorough understanding of the APIs of both the MDR and the CMDB. Typically, the developer is only familiar with one of the two and has to fight a learning curve to master the unknown API. Then the federation must be designed, implemented and tested at considerable expense. If standard APIs are used, which apply to both MDRs and federating CMDBs, the expense and risk is not eliminated, but they are both reduced. The learning curve is diminished because the developer is experienced in the standard API, and much of the code will be identical to that used in previous CMDBf-based projects. Although specialized data may be unfamiliar and require some special processing, that is a small part of the entire undertaking. The bulk of the work and risk is eliminated by using the standard interface.

It is hard to over-estimate the importance of these basic improvements that come from standardization. There are other improvements that can be made to CMDB integration, but they all depend upon a well-defined and standardized API.

This is not the whole CMDBf story, but it is an important part. I'll be blogging more on this.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Malware using the _OLD_ New Executable file format

Zarestel Ferrer — Tue, 23 Jun 2009 05:20:00 GMT

It is surprising to see 16-bit Windows-based malware now that we have 64-bit technology.
Recently we encountered a malware that uses the 16-bit New Executable file format and we detect it as Win16/Tanglinko.A.

[Figure 1 – IDA Pro Analysis of the file format]

As you can see in Figure 1, IDA Pro identified the File Format to be “New Executable (NE) Windows”, the Application type as “Console GUI Executable DLL 16 bit” and the file’s Expected Windows Version as “3.0”. Currently the version for new Windows Operating systems such as Windows Vista is 6.0 and Windows 7 is 6.1 so you can see how old the file format is!

Does this mean the malware is old just because it uses an old file type? Not at all, this is new malware. However, malware authors just can’t leave the past behind and use old tricks when developing new malware. Here is the Virus Total scan result of 21st June, 2009.

[Figure 2 – Malware dropping files with directory names]

Now, what does this malware do? Apart from its file format, nothing fancy really. However, it is just as annoying as any other average malware that we encounter at present. It disables the clipboard, which means a user cannot perform a Copy/Paste operation, and terminates some Windows applications if they have any of the following strings in their Window title.

• Run
• Search Results
• Select Files and Folders
• System Configuration Utility
• Folder Options
• Display Properties
• Registry Editor
• Command Prompt
• C:\Windows\System32

In case your system has been infected and you want to manually remove the infection, a simple search, using Process Explorer, for the malware file (usually is SYSTIM32.EXE) can help you identify the malware. Please make sure you terminate the NTVDM.EXE containing SYSTIM32.exe, terminating the wrong process may give you unwanted results.

[Figure 3 – Malware Search]

As you can see it runs under NTVDM.EXE (NT Virtual DOS Machine), which is a Win16 subsystem process under NT-based Windows Operating Systems.

To be on the safe side always keep your CA security software updated.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Recap of Three Interop Panels on Virtualization and Automation

Stephen Elliot — Mon, 22 Jun 2009 12:24:00 GMT

I participated in three panels at the recent Interop in Las Vegas. These were:

1) The Impact of IT Virtualization on Applications and Networks, moderated by Jim Metzler. Additional executive panelists were from F5 and Cisco.

2) Technologies that Data Center Managers Can't Live Without, moderated by Forrester analyst Doug Washburn. Additional executive panelists were from APC/ Schneider Electric and Perot Systems.

3) Virtualization Management Futures: the Final Frontier?, moderated by Barb Goldworm of Focus. Additional executive panelists were from VMware, Microsoft, and BMC.

The first two panels had about 80-100 attendees, while the third had about 40 or so who have network related titles at the manager level or above. Following are the key points of interest and discussion from each session.

The Impact of IT Virtualization on Applications and Networks

Management is going to be a key requirement for network teams and NOCs to understand. The importance of end-to-end service availability and visibility into both the physical and virtual infrastructures are critical to success in emerging next generation data centers.
The emergence of automation is a critical requirement, which many IT organizations are adopting, often in incremental steps.
Virtualization is accelerating the need for automation; existing management processes can be incorporated into ITIL v2 and ITILv3; process standardization is a key requirement for automation.
"Old school" management technologies will not scale with the pace that virtualization brings to IT organizations in areas such as provisioning. Key management technologies that enable both physical and virtual management scalability include patented root cause analytics, models-based management, and automated thresholding. Scalability of virtualization application infrastructures will become a common theme for IT organizations over next 5-10 years.
The discussion of the idea of internal private clouds and external public clouds continues to garner IT's attention; however, management of the cloud continues to require attention to deliver SLA visibility.
Virtualization is impacting most aspects of IT from application deployment to networking. Many teams are experiencing VM sprawl as VMs propagate the "IT silos"; management is a key requirement for on-going virtualization success.
End-to-end service availability and granular performance visibility between the application and network flows are increasingly a requirement for problem identification and resolution.
Element or platform management solutions are a good start, but not enough for IT organizations to provide the required visibility and end-to-end service visibility.

There is no doubt that IT organizations are facing new dynamic requirements that virtualization is forcing onto networks, storage, and server infrastructures. Automation and technologies such as root cause analytics, models-based management, automation, and process encapsulation will be critical to the success, and business alignment of IT in the future. To learn more about how CA is helping clients adjust to these new demands on performance visibility, please go to www.ca.com/virtualization.

Technologies that Data Center Managers Can't Live Without

This panel had several interesting key points of discussion, with audience members a mix of data center facilities management and IT operations. The critical points were:

Physical data center planning is more important now than ever before; the idea of KW/sq foot is no longer a reliable benchmark metric as hardware density and performance improves.
The average temperature in the data center will likely continue to go up as hardware resiliency improves.
It is increasingly critical that power and cooling metrics be imported into management systems to drive improved automated actions. This is important as facilities managers and IT operations teams learn to collaborate over time.
Automation is increasingly a key part of data center transformations; IT organizations are adopting technologies that utilize automation to increase efficiencies and cost savings opportunities.
Process standardization, power and cooling, capacity planning, virtualization, enterprise management, automation, and tighter business-to-IT alignment are now requirements for data center transformation projects.
End-to-end service level management is a key concern for customers, across physical and virtual infrastructures. It requires granular performance metrics across the domains; increasingly the value will come from the analysis of the data.

This panel really took a deep look at how the IT organization and related technologies are changing. While there is a chasm between IT operations and facilities management teams today, the general agreement was that the most effective and efficient organizations will bring these two groups together to drive impactful business decisions. As energy costs continue to be a key concerns for the CIO, collaboration across the data center can drive further cost reductions, and beyond that impact business strategies that drive new lines of business.

Virtualization Management Futures: the Final Frontier?

This session featured a dynamic discussion among panelists from CA, BMC, Microsoft, and VMware. The group addressed may of the leading topics of the day, including automation, partnerships, virtualization, and management. Some of the key points of this discussion included:

Vendors should continue to improve third party integrations; emerging standards will help but are not the "holy grail" of integrated management requirements.
Virtualization is another architecture that must be managed and will become part of the data center fabric with critical applications residing on it.
Management and automation are ways that IT organizations can extend the value of virtualization deployments; the consideration of management and automation prior to rollout is delivering improved cost savings and an application service perspective.
Customers want an integrated view of both their physical and virtual infrastructures to reduce costs and drive more management efficiencies.
Process standardization is a key requirement for virtualization deployments as ITIL moves towards the broader definition of standards in version 3.
Virtualization and the idea of a cloud are interconnected; management from the application perspective will be a critical business differentiator and a key consideration for customers as it relates to tiered service level agreements and performance visibility.
The real focus of management should be the service layer, whereby the consolidation, analysis, and automated actions taken by management solutions deliver insight to the service layer.
Technology is getting more complex driving up the need for end-to-end service management; virtualization does not solve traditional management challenges, it asks for more focus on management and automation.

The general take away was that management at the element level (i.e. hypervisor platform providers) and the end-to-end service level (i.e., CA solutions) are what customers require to deliver business outcomes. IT is increasingly critical that customers recognize the need for both types of solutions. Integrations betweens the element and service management solutions will be important, with a driving need to have an integrated console /solutions that do both physical and virtual analysis and present the data at the service level. In the future, it won't matter if the application is on virtual or physical infrastructure; what matters will be how IT and LOB managers manage the infrastructures to optimize their business goals.

Share this post: Email it! | bookmark it! | digg it! | reddit!

IT is not on the Menu

Eric Feldman — Fri, 19 Jun 2009 17:38:00 GMT

I know of a company that has a very large user community. Most of the entry pathway to IT was via telephone. While there also were a significant number of email requests for services, their process required a help desk analyst to call the requestor back.

The company knew that a Service Catalog would enable a massive reduction in the number of phone calls to or from IT. This alone would help them down their path to Lean IT and a reduction in costly manual touch points.

There was another issue. Besides a minimal amount of IT process automation, the company offers unlimited IT support, for unlimited cost. Support and IT offerings were so widespread, that people were even phoning the help desk to open issues about their personal IPods and cell phones. As a service organization, there was a perception that it was their job to fix anything. Hence, it was often difficult denying these requests for services that would not be supported in most other organizations.

The IT department realized that offering unlimited support for anything the user wanted was an unsustainable model.

Yet they had a challenge. How could they reduce the need to provide unlimited support for personal items or systems outside of their domain, without the appearance of saying "no?"

How many of you find this situation familiar?

This is where a Service Catalog is of value, by changing perceptions and "reframing the conversation" around what IT does offer, not what it does not.

There are parallels to this concept found within virtually any other industry. An airline will not fly you to any city. They have routes and schedules -- not that they actually meet those schedules. A movie theatre does not show whatever film you desire at the moment. They have movie times and distribution agreements for only the latest releases. And you cannot go into a restaurant and order anything you like. It must be on the menu.

When IT or another provider organization within the enterprise, establishes a Service Catalog, they create a publishing vehicle. This enables them to define their offerings in descriptive terms, with associated costs, service levels, deliverables, and metrics for performance. A Service Catalog enables IT to illustrate the value of its offerings.

And by listing only what services are offered from IT, you can naturally provide a reduction in non-supported service requests, without the need to say "no." How?

Think about the next time you go out to eat. You do not go to a pizzeria and order Chinese food. You do not typically enter a seafood restaurant and order a cheeseburger. Why not?

It is not on the menu.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Death to the Penguin!

Reg Harbeck — Fri, 19 Jun 2009 12:12:00 GMT

If the title of this blog entry got your attention, I hope it also gets the attention of everyone that has been saying "death to the mainframe" for the past three decades.

After all, given the number of people who have been trying to portray the mainframe's invisibility as some sort of demise over the years, it seems like that's actually a good indicator of something that works - so well that nobody notices it. Just like that old saying, "housework is something nobody notices unless you don't do it."

So, now, Linux, that friendly operating system with the penguin mascot (named "Tux" as it turns out), has arrived on the invisible platform. Actually, it's been there for nearly a decade - but, as I mentioned in my blog entry from March 12, 2009, its progress has also been somewhat invisible.

As Wikipedia reminds us, IBM first announced mainframe Linux in 2000.

And, ever since then, everyone's been waiting and watching and trying to figure out what has happened to this penguin on its journey into the world of mainframe.

Well, someone has finally found the answer - and it's good news!

According to a Press Release that CA issued this past Wednesday, the folks at TheInfoPro have done a survey of large mainframe shops that have or are getting mainframe Linux, in order to find out what people are doing (see http://ca.com/mainframe/linuxresearch). The answer? They're growing it, and moving both new and existing (especially distributed) applications to it, in order to take advantage of the significant strengths (virtualization, security, scalability...) and cost savings available on the mainframe.

Since CA has a large and growing stable of products for managing mainframe Linux (see ca.com/mainframe/linux), this is good news for CA and the rest of the mainframe world, as it affirms the choice to join this penguin on its sojourn.

So, what about the death of the penguin? Just as with the mainframe, nothing could be further from the truth. It's just been too busy taking root under the surface (if I may mix metaphors), and taking on many of the same production qualities that we've come to take for granted on the mainframe.

Something tells me we'll be hearing plenty more about this before long.

What do you think? Are you or your organization using or considering Linux on the mainframe? What do you have in mind for it?

Share this post: Email it! | bookmark it! | digg it! | reddit!

Why CA Supports the Kantara Initiative

Matthew Gardiner — Wed, 17 Jun 2009 20:53:00 GMT

Over the past year or so, I have been CA's representative involved in the structuring and birth of the Kantara Initiative. Now that the Kantara Initative is officially launched, I thought it made sense to blog about why CA believes the creation of the Kantara Initiative is so important. In no particular order, here are my thoughts on "why Kantara."

The challenges around identity go beyond just technology. Over the years the industry has done a pretty good job inventing technologies and establishing standards to address identity challenges (too well really), only to discover that the real challenges to identity and security on the Internet are around softer issues like privacy and trust. The Kantara Initiative will focus on this in a way that is neutral to the underlying technologies.
Along the same lines, to date technologists have invented many technologies/standards that are at least somewhat overlapping and certainly not interoperable (example SAML, Information Cards, OpenID) which complicates matters for both deploying organizations and end-users. The Kantara Initiative will focus on this. The identity community cannot afford to create new, incompatible silos of identity on the Internet.
Certification of interoperability of vendor implementations is critical to eased deployments in the real world. Inventing new technologies/standards without sustained vendor certification testing is a recipe for slow and painful adoption. The Kantara Initiative will focus on this.
Creating and promoting identity technologies and best practices is a global challenge and opportunity. Technology invention is only part of what is needed for adoption. Thus the Kantara Initiative will focus on both bringing the global community in on the debate as well as be the focus of the related communication and promotion.
Combining open participation with a serious and well-funded organization is unique. Traditionally you could have one or the other of these, but not both. We have typically seen many organizations where "all are welcome," but it is hard to get things done since everyone is a volunteer with day jobs. Or organizations which are well-funded but are correspondingly exclusive based on the need to pay - so that staff and expert consultants can be hired. The Kantara Initiative is covering both bases partially based on its unique bicameral governance model.

I will certainly blog more about the Kantara Initiative as it develops and starts making an impact, but if any of these points hit home for you, please consider participating and/or joining the Kantara Initative yourself.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Another Organization Using Service Catalog as a Key Component of Lean IT Service Management

Robert Stroud — Wed, 17 Jun 2009 07:43:00 GMT

The last few weeks meeting with organizations in New Zealand, Australia, India, France, Denmark, UK and the U.S. reinforced that the current economic climate is forcing IT organizations to get lean.

Lean for IT does not mean slim and trim; lean in IT is about maximizing IT value while minimizing cost. For lean IT service management it requires focusing on the components that matter to the business to ensure that IT can deliver what the business needs at the right time and optimize service supply and demand.

In my June 8 blog I discussed a conversation I had in India with a CIO and his approach to "leaning up" his IT organization by using a service catalog. Not surprising, I am finding this approach is being applied by other organizations globally.

While attending the CA Expo in France earlier this month, another CIO commented that his business is now demanding to see a list of the services that IT can deliver with business related service levels and costs. Users (or consumers as I like to call them) of IT-enabled business services are becoming more IT savvy. Just think about the growth in sales of goods and services over the internet such as books, airline tickets or satellite television. Consumers are now very used to identification, negotiation, ordering and tracking goods and services electronically with the expressed service level agreement and cost clearly outlined. In business this is achieved using a business service catalog. The business expectations are set, the business is engaged and understands the implications of its choice, and the decisions for cost reduction are transferred to the business rather than IT. This helps ensure IT support is directly aligned to business need - helping optimize service supply and demand.

Share this post: Email it! | bookmark it! | digg it! | reddit!

No "One size fits all"

Steve Romero — Tue, 16 Jun 2009 17:32:00 GMT

Are you looking for "the" solution to a specific problem in IT? Are you looking for a single solution for all of your problems in IT? Do you seek the "one" best practice that will make things better? Do you want that silver-bullet?

Don't look here, because I can't give it to you.

I have said this, time and time again. And there have been occasions when it was not well received at all. In fact, you might be wondering why you should even continue reading this post. You likely know plenty of sources to which you can turn that are more than willing to give you "the" answer.

I have been working as CA's IT Governance Evangelist for more than 2½ years now. I have had the honor to present and speak to thousands of people around the world. In those interactions I have been asked over and over, "Steve, here is our situation, what do we do?" My answer (though it makes my stomach hurt each and every time I say it) is always the same, "It depends." Even in those cases where there is a single solution, the approach, starting point, sequence and implementation roadmap will vary greatly from instance to instance.

I am certain this is not what they want to hear. Some are openly frustrated by my response. A few dismiss me outright and turn quickly towards others who will be delighted to tell them exactly what to do. Thankfully, most folks let me explain.

I am sure I don't need to convince you that the world of IT is incredibly complex. This intricate atmosphere creates multifaceted challenges, problems, issues and opportunities. The circumstances and variables are countless. Given this complexity, how can there be any single or simple answer? In fact, it will be a series and sequence of integrated solutions that will simplify and unify their complex IT environments, ultimately reduce its complexity, and make it far more manageable.

I tell everyone they have some homework to do before they can adequately answer their question. I provide them a laundry list of things they need to understand:

Business problem or opportunity and related risks
Industry and business sector
Current capacity and capability
Strengths and weaknesses
Culture and organizational constructs
Governance and decision-making mechanisms
Policies, Standards, Processes and Procedures

In addition to understanding the elements I list above, they then need investigate:

Disciplines and frameworks
Approaches and Best Practices
Standards and conventions
Solutions, systems and tools
External resources and potential Partners
Mountains of research

Confronted with these lists (and please, I entice you to add to them) they will find they have a sometimes overwhelming myriad of choices and alternatives. This approach requires acute understanding, in-depth analysis, accurate interpretation and courageous decision. Most importantly, it requires time. If you don't have sufficient and adequate time then you must understand, mitigate and potentially accept the risk of not taking the time.

I was inspired to broach this subject because in addition to being asked what to do, I have had the luxury of immersing myself in research and interacting with countless brilliant and astute people in my profession. I enjoy their ideas, insights and theories. At the same time, I am bothered by some of their conclusions. I have witnessed a propensity if not an obligation to accompany investigation with one-size-fits-all recommendation. Why? Go back to the first paragraph of this post. Too many of us want "the" answer. We want the solution to be singular, simple, and even easy. As I have said countless times, if it was easy, we would already be doing it.

I urge caution in those instances when specific recommendations follow research. I will give said researchers the benefit of the doubt that these recommendations are based on their devoted and fervent desire to help others succeed. It is quite reasonable to accept the notion that following the singular recommendation is better than doing nothing. Enterprises are likely subscribing to the 80/20 rule, which is many cases is adequate. My hope is that those adopting this approach are doing so due to reasoned and rational necessity as opposed to expediency or worse, recklessness. I also hope they luckily if not accidentally select a recommendation that is "coincidently" appropriate for them.

Whatever the case may be, I will continue my quest to evangelize IT Governance and resist the urge to downplay its complexity. I will try to persuade folks there is power and promise in the discipline when it is applied thoughtfully and appropriately. I will try to convince them to take the time to do the right things, and to do them right. I will inform them that their approaches and paths to success will vary greatly from their contemporaries as well as their counterparts. I will tell them it is a journey that requires audacity, courage, perseverance and resilience. I will continue to insist there are no easy answers, and I will warn everyone to question any "one size fits all" recommendation or solution.

One last note, I drafted this post on my flight to Boston to attend MIT's CISR Executive Summer Session. This is my third trip to MIT and I don't want to give you the impression my time with these incredible minds (led by Peter Weill and Jeanne Ross - both heroes of mine) inspired this post, quite the contrary. I have never seen them oversimplify the answers to the incredibly complex question of how enterprises derive value from technology. MIT CISR has been addressing that question for 35 years and they are the first to admit, there are no easy answers.

Steve Romero, IT Governance Evangelist

Share this post: Email it! | bookmark it! | digg it! | reddit!

Gartner MQ for IT PPM Published

Pradeep Bhanot — Tue, 16 Jun 2009 17:02:00 GMT

In the latest Magic Quadrant for IT Project and Portfolio Management report, Gartner has raised the bar for the PPM market by Increasing the emphasis on the integrations to support broader use cases such as IT Planning and Control, Application Portfolio Management and use with ERP systems. CA was placed in the Leaders Quadrant. The full report is available at http://mediaproducts.gartner.com/reprints/ca/article3/article3.html This report has encouraged CA to further evolve its capabilities for enabling true service portfolio management through improved interoperability of PPM and IT Service Management. About the Magic Quadrant The Magic Quadrant is copyrighted 2 June 2009 by Gartner, Inc. and is reused with permission.

The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Fake Microsoft Updates coming back?

Rossano Ferraris — Tue, 16 Jun 2009 09:22:00 GMT

It’s been awhile since I saw a fake update email which looked like it came from Microsoft security laboratories. Some people complained to me about a strange email that asked the user to update their machines because of a recent outbreak of the well-known Conficker worm (see Figure 1 and Figure 2).

Figure 1 - Fake Email (part 1)

Figure 2 - Fake Email (part 2)

Let’s take a look at the body of this email, which is very well written and uses persuasive language. The lure in the message is a Microsoft removal tool that will scan and clean the user’s machine.
However, I notice a phrase that says “you are advised to disable your already existing antivirus software.” My spam email reveals itself when I move my mouse pointer over the link “click here to download the removal tool” and I discover that the URL redirects the browser to a Russian server (windowsupdate.microsoft.com.ssl3.pop3.ru), which hosts the remtool_conf.exe.

If we look at the header, we see the following:

Figure 3 - Email Header

The email comes from a certain Microsoft[dot]ssl[dot]com whose IP address is 38.100.66.185. This IP address originates from a server which is located in Texas and is not a Microsoft server.

During the analysis, I download and install remtool_conf.exe:

Figure 4 - Removal Tool License

Then I click on “Accept” and the tool - which seems to belong to Symantec - starts to scan my machine:

Figure 5 - Removal Tool Software

The fake software scans the entire machine, and establishes a hidden connection to the host makemymoneys.com (Figure 6) from which it attempts to download and install the malicious file winupdate.exe, which is detected by CA Security products as “DelfInject CX.”

Figure 6 - makemymoneys.com host hidden connection

CA Security products detect the fake removal tool as “FakeScan A” warning against it and have the ability to remove it.

Although there has been a decrease in the number of fake Microsoft update emails, the current fake emails are more sophisticated and use a very high profile social engineering technique to lure and trap people. The CA Research team advises users to be aware of these types of spam message and to update their anti-malware products on a daily basis.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Koobface Re-Activated!

Ricardo Robielos III — Tue, 16 Jun 2009 05:17:00 GMT

Social networking sites are extremely popular these days and, not surprisingly, the latest variant of Win32/Koobface is still taking advantage of this popularity by using these sites as an attack vector.

A variant of Koobface is currently active (as of this posting), sending massive spam messages in several social networking sites such as FaceBook.com, MySpace.com, Friendster.com, Hi5.com, Bebo.com, Fubar.com, MyYearbook.com and Tagged.com.

This variant connects to the malicious server "UPR15MAY.COM" to get the information details for its spam messages to be sent to contacts of affected users who access any of the above mentioned social networking sites, with sample messages sent shown below:

For FaceBook.com:

[Sample Facebook Post]

[Sample Facebook Message]

For Facebook, this malware connects to "upr15may.com/fb" to generate the spam details to be sent.

For MySpace.com:

[Sample MySpace Message]

For MySpace, this malware connects to "upr15may.com/ms" to generate the spam details to be sent.

For Friendster.com:

[Sample Friendster Message]

For Friendster, this malware connects to "upr15may.com/fr" to generate the spam details to be sent.

For Hi5.com:

[Sample Hi5 Message]

For Hi5, this malware connects to "upr15may.com/hi" to generate the spam details to be sent.

For Bebo.com:

[Sample BeBo Message]

For Bebo, this malware connects to "upr15may.com/be” to generate the spam details to be sent.

For Fubar.com:

[Sample Fubar Message]

For Fubar, this malware connects to "upr15may.com/fu" to generate the spam details to be sent.

For MyYearBook.com:

[Sample MyYearbook Message]

For MyYearbook, this malware connects to "upr15may.com/yb" to generate the spam details to be sent.

For Tagged.com:

[Sample Tagged Message]

For Tagged, this malware connects to "upr15may.com/tg" to generate the spam details to be sent.

We did a simple curl POST command to the malicious server to obtain a list of spam messages that this worm may generate, giving us the following details:

Title/Subject: (Any of the following)

:)
;)
HA-HA-HA!!
L.O.L.
lol
OMFG!!!
W.O.W.
WOW

Text/Body: (Any of the following)

A--ha-ha, i saw yoour ass in the internet!! lol
Be more careful next time and get caught again!
Can anyone get busted, or is it just you?
Dammn! Haaven’t you seeen our secrett caamera?
Enjoy your first acting experience in our movie.
Got yoou! Ha--ha, now watcch and crry!
Hey ddude, yoou’re on candiid cammera!
I caan’t beelieve you diddn’t see the ssecret cammera!
Laaugh at oother people?? LLook at yoursself!
Man, you're great! See yourself naked, lol XD
Oh, what a shame, your ass is on our tape.
Prrivate viideo wwith yyou. funnny
YYou're so ppretty ggood on thhis vvideo.

… Or see the other list here

Malicious redirected Links: (Any of the following, please do not visit this sites)

hxxp://28680.yoyo.pl/extrimevideo/
hxxp://anilkapoor.net/amaizingdemonstration/
hxxp://baldom.yoyo.pl/privatevids/
hxxp://budget.user.kz/uncensoredvideo/
hxxp://canibals.ic.cz/coolclips/
hxxp://kuzmi4.110mb.com/uncensoredmovie/
hxxp://lambord.ic.cz/publicmovie/
hxxp://mediawork.ru/uncensoredmovie/
hxxp://punks.110mb.com/publicdvd/
hxxp://quicksilverr.110mb.com/freefilm/
hxxp://topwoman.intway.info/publictube/
hxxp://uc2qasimabad.com/freeclips/
hxxp://www.tangoballet.com/uncensoredvids/
hxxp://yarentextil.com/funnyfilm/
hxxp://zbanglabd.com/uncensoredshow/
hxxp://zidacilbin.tym.cz/privatefilm/
hxxp://zkouskafora.ic.cz/funnyfilm/
hxxp://zoghetaze.com/amaizingmovie/

… Or see the other list here

The spam messages contain a malicious link that accesses a Java Script. (See figure below. We detect this Java Script as a JS/Redirector variant)

This JavaScript redirects web browsers to a fake Video site ("YuoTube" misspelled) to download a file "setup.exe", which is also a variant of Win32/Koobface. This other variant may also download other malicious files such as Rogue Antivirus programs.

We advise users to avoid opening these spam messages when visiting their favorite social networking site and to always keep their CA Antivirus Product up-to-date with the latest signature files.

Share this post: Email it! | bookmark it! | digg it! | reddit!

CA20090615-02: CA Service Desk Tomcat Cross Site Scripting Vulnerability

Ken Williams — Tue, 16 Jun 2009 02:30:00 GMT

On June 15th, 2009, CA published a security notice to address a vulnerability in CA Service Desk.

Title: CA20090615-02: CA Service Desk Tomcat Cross Site Scripting Vulnerability

CA Advisory Reference: CA20090615-02

CA Advisory Date: 2009-06-15

Impact: A remote attacker can inject arbitrary web script or HTML.

Summary: The release of Tomcat as included with CA Service Desk r11.2 is potentially susceptible to a cross-site scripting vulnerability. CA has issued a technical document that describes remediation procedures.

Mitigating Factors: None

Severity: CA has given this vulnerability a Medium risk rating.

Affected Products:
CA Service Desk r11.2

Affected Platforms:
Windows, Unix

Status and Recommendation:
Follow the instructions in technical document TEC489643.

How to determine if the installation is affected:
Customers can use the instructions in technical document TEC489643 to determine if an installation may be affected.

Workaround:
None

References (URLs may wrap):
CA Support:
https://support.ca.com/
CA20090615-02: Security Notice for CA Service Desk
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209500
Solution Document Reference APARs:
TEC489643
CA Security Response Blog posting:
CA20090615-02: CA Service Desk Tomcat Cross Site Scripting Vulnerability
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15.aspx
CVE References:
CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at https://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

The opinions and statements on this site are my own and do not necessarily reflect the opinions or policies of CA.

Share this post: Email it! | bookmark it! | digg it! | reddit!