FierceCIO News

Hacker posts Symantec's pcAnywhere code

Caron Carlson — Wed, 08 Feb 2012 18:20:56 -0500

A hacker posted the source code for Symantec's pcAnywhere product Tuesday, following a failed attempt to extort $50,000 from the security company, Reuters reported. The previous day, Symantec publicized an email thread detailing the extortion negotiations, which the company said it participated in as part of a sting operation.

In January, Symantec told customers to stop using pcAnywhere while it prepared patches, and then it issued patches twice toward the end of the month. The phony ransom negotiations may have given Symantec time to try to issue repairs to the program.

"Symantec was prepared for the code to be posted at some point and has developed and distributed a series of patches since January 23rd to protect our users against known vulnerabilities," spokesman Cris Paden said. If users have the up-to-date version of the product, they should not be at any special risk, he added.

The company posted an email string between the hacker, named "YamaTough," and law enforcement agents pretending to work for Symantec. According to the company, the hacker, who said he is based in Mumbai, India, belongs to the Lords of Dharmaraja group, which is affiliated with Anonymous.

The hacker told Reuters that he never planned to take Symantec's money. "We tricked them into offering us a bribe so we could humiliate them," YamaTough told the news organization.

For more:
- see the Reuters article

Multiple monitors makes some multitasking faster, easier

Caron Carlson — Wed, 08 Feb 2012 18:15:37 -0500

If employees in your organization are spending a lot of time toggling back and forth among documents, email, instant messages, calendars and websites, they may need more than one monitor. Adding a second or third display to help workers manage their content is a growing tactic, reports Matt Richtel at The New York Times.

Last year 179 million monitors and 130 million desktop computers were sold, adding up to a greater number of displays per desk, according to Rhoda Alexander, analyst at the research firm IHS iSuppli. Monitors have become cheaper and thinner in the last few years, just as employees have been handed more communications avenues.

Chuck Rossi, an engineer at Facebook who uses three monitors, says that offering more--and larger--displays can be a good recruiting tactic. "Companies will pitch it" to job candidates, he said. "They know real estate is important. It shows they are serious about their engineers."

Between 30 and 40 percent of the employees at corporations buying products from NEC Display use more than one monitor. Whether multiple screens increases productivity depends in part on the nature of an employee's work. Research by the University of Utah (funded by NEC Display) revealed that when people are editing, using two monitors increases productivity.

On the other hand, scanning multiple screens could distract users from focusing on the task at hand, said David E. Meyer, a psychology professor at the University of Michigan. "There is 'thought-killing' going on," Meyer said. "Rome crashed and burned because it got too big. Go past that scale and you're going to wind up like Rome."

For more:
-Matt Richtel's article at The New York Times

FBI insists cloud providers meet strict security requirements

Caron Carlson — Wed, 08 Feb 2012 18:10:01 -0500

Large enterprises continue to have reservations about the security of cloud computing, and apparently the FBI does too. The agency made it clear this week that any cloud providers who want to do business with U.S. law enforcement agencies must abide by its Criminal Justice Information Systems security requirements--which is a very high bar, reports Jaikumar Vijayan at Computerworld.

"The FBI remains committed to using technology in its information-sharing processes, but not at the sacrifice of the security of the information with which it has been entrusted," Stephen Fischer Jr., a spokesman for the FBI's CJIS division, told Computerworld.

As Vijayan notes, the Los Angeles Police Department recently cancelled plans to move to Google Apps, citing lack of compliance with the CJIS requirements. Google claims that the requirements are not compatible with cloud computing, but the FBI's Fischer said they are compatible, although they may be difficult for vendors to meet.

To meet the requirements, providers have to identify all administrators--system, database, security and network--who are given access to criminal justice data, according to Fischer. They also must require fingerprint criminal background checks on those administrators.

"Admittedly, these requirements may be difficult for some cloud-computing vendors due to the sheer numbers and the geographic disbursement of their personnel," he said. "However, these requirements aren't new to vendors serving the criminal justice community and many vendors have successfully met these requirements for years."

For more:
- see Jaikumar Vijayan's article at Computerworld

3 ways for CIOs to become business leaders

Caron Carlson — Wed, 08 Feb 2012 18:05:56 -0500

It's one thing to say that CIOs need to serve as business leaders in today's global enterprise, and it's another thing to offer concrete suggestions on how to do it. Ben Kerschberg, founder of BK Advisory Group, outlines three steps.

The first step is to reconcile the need to standardize IT globally with the need to allow regional divisions to abide by regional rules, Kerschberg writes in a post at Forbes. The CIO has to find efficiencies through consolidation while considering the unique local needs of sales and marketing initiatives.

The second step is to make sure you are at the table when possible mergers and acquisitions are being discussed. Newly combined entities can harbor a hornets' nest of complicated IT environments, and that reality needs to be addressed early on.

"Including the CIO in M&A discussions acknowledges the fact that bringing together two corporations is likely to create highly complex information technology landscapes with disparate structures that must quickly support equally disparate business units," Kerschberg writes. "Failure to properly acknowledge this can have serious repercussions, such as a negative effect on the customer experience and an inability to rearrange the customer base across multiple brands."

The third step is to be an active advocate not only of IT but also of business initiatives. This may not be a painless process, however, as it requires delving into the middle of the corporate hierarchy and learning to communicate in a new language.

"CIOs who talk to business managers about software migrations and database updates will be seen as technicians and not as business leaders," he advises. "But CIOs who manage how IT adds value to the business, by increasing efficiency or driving revenue, will showcase their savvy sense of business."

For more:
- see Ben Kerschberg's post at Forbes

10 tips to keep Anonymous away

Caron Carlson — Wed, 08 Feb 2012 18:01:02 -0500

Distributed denial-of-service attacks seem to have become a dime a dozen, thanks in large part to Anonymous, which last year released simple DDoS tools, including Low Orbit Ion Cannon. Businesses don't have to sit idly by waiting to become the next victim, however, writes InformationWeek's Mathew J. Schwartz, who spells out 10 steps to reduce the impact DDoS attacks can have.

The first two steps are to recognize that pretty much nobody is immune from the DDoS threat and that the attacks are easy and cheap to conduct but hard to combat.

Steps three and four involve preparing for attack by fortifying your network and finding the weak links and bottlenecks. Be sure your infrastructure can scale to deal with traffic spikes. The fifth step is to keep a close eye on the network, which means have clear visibility into the traffic.

Next, take note that not all attacks are going to be the classic Anonymous packet flood. Most DDoS attacks last year involved less than 1 Gbps of bandwidth. What's more, attacks at the application layer can be highly effective but hard to detect. If more than one application is targeted--or if an application and packet flood attack are launched together--it gets even more difficult.

The ninth step is to work closely with your ISP, making sure you know who to deal with at times of attack.

Finally, there may be countermeasures you can take, but be careful not to overstep the law.

For more:
- see Mathew J. Schwartz's article at InformationWeek

What happens when the CIO is also the CFO

Caron Carlson — Sun, 05 Feb 2012 11:11:57 -0500

The chief of the finance department and the chief of the IT department have probably always enjoyed a healthy tension, as the dueling goals of cost-management and innovation vie for dominance. In our pressure-cooker times, however, the tension has been known to get intense, and it can become difficult to fully appreciate the other chief's point of view.

For a little perspective on collectively maximizing the two viewpoints, we can look to Steve Snodgrass, CIO and CFO at Graniterock, a mid-market provider of construction materials in Watsonville, Calif. Graniterock has a quarry that sits on the San Andreas Fault and 20 locations from Oakland to Monterey Bay. I recently spoke with Snodgrass about his disaster recovery initiative (see the Q&A), and I learned that he approaches that--and other IT challenges--with both finance and technology in mind. I asked him how he handles the duality in his job.

"I am torn in two directions and the cognitive dissonance is huge," he told me. "The nice thing about having a finance background is that when I have clarity about the issues, I can translate that to a business benefit. We look at alternative ways of shaving a nickel, but we also try to be innovative."

The dissonance can be especially apparent, Snodgrass said, when he sees employees suffering because of insufficient IT. For example, Graniterock's locations, which vary considerably in size, are connected to the data center via wide area network. Some locations have slower network speeds than others, and recently employees suffering under slow speeds wanted to increase network bandwidth. Snodgrass said that his finance background flagged that as the wrong solution. ("I call [adding bandwidth] the gift that keeps on giving," he said.) After weighing both finance and IT considerations, he decided to try out a WAN optimization solution instead, and so far it's proving successful.

Snodgrass began heading up IT at Graniterock around 2002, when he was the company's corporate controller. Because he didn't come from an IT background, it isn't so hard for him to recognize when his relatively small operation is less equipped than an outside provider to handle IT responsibilities. Graniterock turned to a hosted ERP solution in 2001, long before anyone was buzzing about the cloud.

I asked how Graniterock's IT pros felt about having to answer to a finance chief once he donned the CIO hat. Luckily, he said, they were too busy to worry about it. "We were on the bleeding edge of several things at that point," he recalled. "We had installed a VoIP system, which we had moved over during Thanksgiving weekend of 2001, and we had massive VoIP issues throughout 2002. We also had residual Y2K issues. Those were whirlwind years." - Caron

Northeastern Illinois University's consolidation journey

Caron Carlson — Fri, 03 Feb 2012 16:43:50 -0500

Northeastern Illinois University had no permanent IT chief for many years before Kim Tracy took the position of executive director of University Technology Services about 6 years ago. As a result, he found a fragmented IT environment with multiple departments with overlapping duties, and it was his job to consolidate the infrastructure, processes and services.

Tracy was charged with improving operations and functions by coming up with a plan to streamline and standardize. The consolidation program had to support the university's existing needs and stand ready to support future ones too. Tracy shares what he learned from the process in a post at CIO Insight.

The first lesson is to look ahead and plan for growth. When implementing an ERP system, Tracy's team upgraded its servers and deployed a new storage system that would be able to handle future demands. Virtualizing servers positioned the university to be able to add new services without having to invest in new gear.

Different back-up and recovery systems supporting different environments presented Tracy with another consolidation opportunity. The consolidation brought immediate benefits, including freeing up one staff member's time for other projects.

Moving IT services to the cloud further relieved the burden on Tracy's staff and gave them more time to improve services for the university's users. He started the journey into the cloud with messaging security.

"Phishing and spear-phishing became onerous problems for the university, and dealing with them consumed much of our IT staff's time and energy. Our first response was to crank up inbound filtering with our previous appliance-based solution; however, this inevitably increased the number of false positives," he writes. "Rather than have 200,000-plus spam messages pounding at my mail gateway everyday-and dealing with the resulting bandwidth issues--I wanted to make this someone else's problem by moving to a cloud solution."

The end result of the consolidation program: Organizational silos broken down; lower costs; improved back-up; improved messaging security.

For more:
- see Kim Tracy's post at CIO Insight

Credit Suisse traders who bypassed controls plead guilty

Caron Carlson — Fri, 03 Feb 2012 16:37:21 -0500

If your instinct tells you that your organization needs to tighten IT controls rather than cave to demands for greater user autonomy, here's a story for you: Two employees at Credit Suisse who were charged with bypassing a mandatory reporting system have pleaded guilty to falsifying data and wire fraud. They admitted to manually inputting fake profit and loss numbers in the bank's record system to hide more than half a billion dollars lost, reports Leo King at ComputerworldUK.

U.S. authorities, including the FBI, spent about four years investigating the case, much of which occurred in the bank's London and New York offices. The guilty pleas came from two traders, who admitted to trying to hide losses related to subprime mortgage-backed securities, King reports. Their manager has been charged as well. The three stand accused of contributing more than $500 million to a $2.52 billion write-down that Credit Suisse took in 2008 during the Wall Street meltdown.

The traders had been under severe pressure to avoid revealing losses after Credit Suisse deployed a system that required traders to deliver "flash" reports of profits and losses in real time. They each face as much as five years in prison.

At least one of the traders and the manager are also being charged in a civil suit by the Securities and Exchange Commission. They "periodically directed the traders to change the bond prices in order to hit daily and monthly profit targets, cover up losses in other trading books, and send a message to senior management about their group's profitability," the SEC said in a statement.

For more:
- see Leo King's article at ComputerworldUK

What lies ahead for CRM in 2012

Caron Carlson — Fri, 03 Feb 2012 16:29:19 -0500

We've heard a lot about mobile CRM and social CRM over the past year, but 2012 is widely expected to witness greater integration of the stalwart enterprise software system into more aspects of the business. Jennifer Lonoff Schiff at CIO magazine presents a variety of anticipated CRM-related developments in the year ahead from CRM experts.

Peter Coffee, vice president and head of platform research at Salesforce.com: CRM in the cloud is expected to continue to expand as companies seek more information from external sources. It is more cost-effective to allow cloud-based systems to gather external data than purchase on-premise gear to do a similar function. "Old CRM was people inside the company talking about [customers]...information that's most important in a CRM system originates outside [company] walls, in conversations on social networks and in other external sources."
Mitch Lieberman, vice president, market strategy for Sword Ciboodle: The success of CRM is increasingly dependent on application usability, making an accessible, understandable interface is vital. "Users are picky about their workspace, now more than ever represented by the screen in front of them. Data needs to be available through one UI, in context."
Pamela O'Hara, president of BatchBook: CRM will play a growing role in how businesses interact with customers. "Businesses that use CRM effectively will benefit from pulling all the loose strings together in one place and developing a stronger bond with each customer."
Paul Turner, senior director of product marketing at NetSuite: Integration between CRM and other critical systems, such as ERP, will become more important and may lead to more efficient processes--although sticking disparate systems together could lead to problems. "Organizations want integrated lead-to-cash processes, an integrated view of the customer, and more comprehensive cross-functional reporting--and vendors will try and adapt their offerings to meet this demand...Look for systems that are designed from the ground up to work as a single solution to get the maximum benefits."
Clint Oram, co-founder, CTO and vice president of product strategy for SugarCRM: Technical features, such as interfaces and delivery models are becoming more important to users. "That will give CRM applications designed for ease of integration and user self-customizability an advantage, and will leave vendors whose products come in a single flavor of SaaS [software as a service] scrambling to expand customer options, often through cumbersome workarounds...In 2012, CRM systems will be bought in terms of the strength of the mobile component. Vendors with strong mobile components will gain a significant advantage over those that lack it, and many vendors will play catch-up around native clients and security."

For more:
- see Jennifer Lonoff Schiff's article at CIO

VeriSign breach disclosure stirs both outrage and appreciation

Caron Carlson — Fri, 03 Feb 2012 16:18:47 -0500

VeriSign was hacked several times in 2010 and undisclosed data was stolen off its network, Reuters reported Thursday. After the news broke, VeriSign said that it did not believe the attacks breached the servers supporting its DNS network. Reaction around the web was split between those outraged that the company didn't disclose the breach sooner, and those appreciative that they disclosed it at all.

Reuters uncovered the breach in a review of quarterly Securities and Exchange Commission reports filed in October. "Given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information," VeriSign wrote in its quarterly filing. "In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future."

The vaguely worded disclosure adds that network administrators didn't tell top executives about the breach until September 2011.

If the DNS network servers had been breached, stolen data could help hackers send Internet users to fake websites. "Oh my God," Stewart Baker, former assistant secretary of the Department of Homeland Security, said to Reuters. "That could allow people to imitate almost any company on the Net."

The long stretch of time between the attacks sometime in 2010 and VeriSign's reporting them in October, 2011 raised the ire of a number industry observers, including Keith Wagstaff at Time.

"We're talking about the breach of a company that, in its own marketing materials, boasts that 'more than half (56%) of the world's DNS hosts rely on the Verisign .net and .com infrastructure.' The fact that a company this big and this central to the Internet would wait so long to reveal it had been attacked is unacceptable," Wagstaff wrote.

Some security experts say that it could have been useful if VeriSign had taken measures to help users protect themselves and their data in the wake of the attacks. "It's always a cat and mouse game between fraudsters and security experts," said Catalin Cosi, chief security researcher at BitDefender Labs. "In this particular scenario, advising users into installing state-of-the-art anti-phishing solutions, adjusting anti-malware engines into not skipping files that are signed with a valid certificate and even basic education could have been quite helpful immediately after the attack."

Looking at the breach news from another angle, Bob Sullivan and MSNBC wrote that VeriSign's disclosure to the SEC demonstrates that companies are beginning to comply with new reporting guidelines, and that is a positive step.

"In October of last year, the SEC issued guidelines that called out public firms for under-disclosing security leaks and hinted strongly that fines would come when firms failed to report successful hacker attacks," Sullivan noted. "The VeriSign quarterly report was issued soon after, and it's easy to imagine the disclosure is more routine than anyone would like to admit."

For more:
- see the Reuters article
- see Keith Wagstaff's post at Time
- see Bob Sullivan's post at MSNBC

Best city for data centers is Sioux Falls, S.D.

Caron Carlson — Fri, 03 Feb 2012 16:02:51 -0500

Financial services companies looking to build a data center might want to consider Sioux Falls, S.D., reports Beth Bacheldor at ITworld. The mid-sized city is cold in the winter, relatively inexpensive and relatively secure, making it the top place to locate a data center, according to a study by The Boyd Company, a consulting firm in Princeton, N.J.

The Midwest dominated the study's recommendations. Behind, Sioux Falls came Tulsa, Okla., Ames, Iowa, Council Bluffs, Iowa, Bloomington, Ind., Albuquerque, N.M., San Antonio, Omaha, Neb., Colorado Springs, Colo. and Denton, Texas. As John Boyd, principal at The Boyd Co., notes, Google (NASDAQ: GOOG) recently announced data center activity in Council Bluffs, and Microsoft (NASDAQ: MSFT) did in San Antonio.

Land is cheaper in the middle of the country than on the either coast, energy costs are competitive and quality of life is perceived as good. The cost of running a data center is most expensive in New York, at an estimated $23.67 million per year. In Sioux Falls, the operating cost is $11.9 million per year.

What's more, the recommended cities are seen as less prone to natural disasters like hurricanes and earthquakes, and they may be less likely than huge population centers to be targets of terrorism.

For more:
- see Beth Bacheldor's article at ITworld

Help desks get help at Peugeot, De Beers and University of Georgia

Caron Carlson — Wed, 01 Feb 2012 16:49:26 -0500

The help desk generally has not been a hotbed of innovation and efficiency in the enterprise. It isn't uncommon for large businesses to hold on to outdated, complicated ticket-tracking systems that offer little insight on performance. But that is beginning to change, writes Computerworld's John Brandon, who takes a look at help desk evolutions at Peugeot, De Beers, and the University of Georgia.

Help desks have the potential to shed insight on an organization's recurring problems, says Jarod Greene, analyst with Gartner. What's more, the help desk goes a long way in shaping an IT group's perceived value. If the help desk looks old and tired, it doesn't reflect well on the entire IT department.

The help desk for the Netherlands unit of French auto manufacturer Peugeot supports 160 users at the headquarters and 179 dealerships around Europe. With 26 staff members, it manages to process approximately 3,750 tickets annually. In 2010, the group was able to resolve nearly 90 percent of support issues in an average of 2.4 days, but help desk manager Richard Nolting wanted to do better.

Peugeot was also looking for greater flexibility in the system and a more personal communication style. Nolting wanted users to be able to write their own personalized ticked, and he wanted technicians to be able to communicate with IT staff via SMS. A system from Kayako Studio was deployed, simplifying the query process and tracking all tickets. New tools allowed agents to enter user profiles when they create tickets and view all emails relating to support.

In the past year, Nolting's team reduced support resolution time from an average of 2.4 days to 1.8 days. The tracking features in the new system played an important role.

"Only well-documented processes can be transformed into structured workflows. So if the data is not captured in ticketing tools, it will be hard to find and re-use should the [same] issues ever arise again," says Gartner's Greene. Tools like Kayako "keep out-of-band conversations from going into the garbage, and let IT operations groups and administrative teams better understand work patterns in support of processes."

For more:
- see John Brandon's article at Computerworld

CFO has a role to play in ERP rollouts

Caron Carlson — Wed, 01 Feb 2012 16:44:43 -0500

When an ERP implementation goes south, the good news is that the CIO shouldn't have to handle it alone--the chief finance officer has a role to play as well. If the CFO plays an active role earlier on in the project, there may be less chance for failure, reports Fred O'Connor at Computerworld.

Despite a long and well-documented history of troubled ERP rollouts to learn from, the complex software systems remain a daunting challenge for enterprises. Analysts say that a variety of ERP vendors make unrealistic claims, and companies often aren't exactly sure what they're looking for anyway.

"It's like the company and the vendor have been speaking two different languages, and then things go wildly off track," said China Martens, analyst with Forrester Research. "Sometimes ERP vendors oversold it and are promising things it can't do. Other times the company hasn't been very clear on what it's trying to do."

This is a good time for CFOs to come in and help resolve the problems. Not only can they make definitive statements about the project's impact on revenue and operations, but they also can offer an enterprise-wide point of view regarding long-term needs. An ERP system should be able to scale to meet future financial goals, and a CFO can offer much-needed perspective.

CFOs may be attracted to new ERP deployment strategies developed in response to competitive pressure from cloud computing solutions, Martens said. Some vendors are touting packages that cover an entire deployment for a set fee. "They try to package something up that is the software, the services, the training and commitment to implementation and try to hit various mast ends," she said. "The idea is that everyone sits down, you map things out and there is a fixed price."

While this may sound alluring, customers have to be wary of where the vendor is cutting costs. In some cases, Martens said she has seen vendors scale back on services in order to offer a fixed price deployment.

For more:
- see Fred O'Connor's article at Computerworld

Not asking risky questions is risky business

Caron Carlson — Wed, 01 Feb 2012 16:37:46 -0500

Asking risky questions can lead to discomfort or even embarrassment, and the business culture has conditioned people to avoid those outcomes. However, by sidestepping such questions, risk is increased, warns Michael Santarcangelo in a post at CSO magazine.

"In the security industry, we often avoid asking risky questions. In the process, we increase our risk by missing out on opportunities to learn, to change our perspective and to build a series of shared experiences necessary for continued success," Santarcangelo writes.

Three possible outcomes are likely to result from asking a lot of questions: First, you learn something; second, your perspective changes; and third, you end up with more questions arising out of your new knowledge. No matter what, you increase communication, which in itself reduces risk.

Asking risky questions comes with the added benefit of relieving everyone else who had the same questions but were too afraid to ask.

For more:
- see Michael Santarcangelo's post at CSO

Enterprise architecture at Chubb Insurance

Caron Carlson — Wed, 01 Feb 2012 16:33:16 -0500

Chubb Insurance has spent about 10 years moving toward a comprehensive enterprise architecture, which allows it to address rapidly changing dynamics in markets and technologies. While the process is not yet complete, it shows the value that EA offers, particularly in an organization with a number of business units that are used to operating somewhat on their own, writes Madeline Weiss, director of the Advanced Practices Council at the Society for Information Management.

Chubb's EA reflects the federated structure of its business. A team of five enterprise architects, who report to a chief architect, work with lines of business architects to establish overall strategy and standards. The lines of business architects report to both the chief architect and the CIO of the corresponding line of business.

"Although this structure is harder to manage, its key advantage is that the lines of business CIOs and their IT staff are members of their business teams," Weiss writes in a post at CIOUpdate. "Given the trust between lines of business CIOs and their businesses, there was little resistance to the EA concept."

The architectural model, built on The Open Group Architecture Framework, is made up of five parts: architecture strategy, architecture definition, architecture governance, lines of business project implementation and enterprise shared assets and solutions.

Chubb's chief architect, Patrick Sullivan, says that establishing the proper culture goes a long way in eliminating the interference that typically arises from politics and personalities. "It's all about minimizing the processes, adding value and helping people understand basic architectural principles," he said. "We don't take a 'field of dreams' approach to architecture. Our programs are all business-oriented and attached to real value and real projects. Once leaders understand this, we get their support."

As a result of the EA initiative, in 2010 Chubb saved $600,000 by redistributing unused software site licenses. Time-to-market decisions can be made faster because of the effective processes and standards that have been put in place. Business unit CIOs are better able to convey the value of IT investments to non-IT business colleagues.

For more:
- see Madeline Weiss's article at CIOUpdate