One of the main tasks of the Information Technology Infrastructure Library (ITIL) implementation process is choosing an ITIL automation tool. Hence, while embarking on the IT service management (ITSM) automation journey, we should not rush into implementing a tool, even if the supplier claims that the tool has pre-built ITIL processes. First and foremost, we need to identify the existing gaps and the maturity levels in the 3 major domains, namely people, process and technology. The priority of these 3 domains should also be people, process and technology, respectively. Second, we need to ask specific questions for each of these 3 domains.
In recent years, board-level supervision in information technology matters has become a key IT governance topic. It is often assumed that national corporate governance codes can guide board members to design and potentially improve their IT governance practices. At the Antwerp Management School (AMS), we conducted a study to understand what IT governance-related guidelines are included in national corporate governance codes.
We selected 15 national corporate governance codes to study. These codes were selected based on income level and geographic dispersion across different continents. Surprisingly, we found that most national corporate governance codes do not include key IT governance topics. There is hardly any IT governance information incorporated in the codes at all. The only exception we found was the South African corporate governance code, King III, which contains an entire chapter on IT governance-related guidelines. We also note that the committee responsible for drafting the South African corporate governance code recently finalized King IV, in which IT-related matters assume an even more prominent role. Based on our findings, we conclude that:
There are far more ways to apply encryption incorrectly than there are ways to apply it correctly. Sadly, many people think they already know everything they need to know about encryption because they have read a few articles online. Recently, I published an article in which I discuss methods for assessing your HTTPS posture. While I was specifically focused on internal systems where you have some degree of control or are obligated to inform those who do have the degree of control, it is also extremely important not to overlook the necessity of performing the same type of assessment against vendor solutions.
If you work in technology and have a working Internet connection, chances are good that you heard of (best case) or experienced firsthand (worst case) the ransomware variant making the rounds yesterday that most are referring to as a new Petya variant. It is fast, it is sophisticated and it has left a trail of global chaos in its wake as it impacted everything from national electrical grids to banks to shipping and logistics.
While this attack would be noteworthy on its own, it is particularly so coming as it does on the heels of the WannaCry attack just a few weeks ago. The reason that this fact is both relevant and noteworthy is that it leverages one of the same transmission vectors that WannaCry did: specifically, the EternalBlue Server Message Block (SMB) exploit (i.e., CVE-2017-0144)—an SMB issue addressed by MS17-010.
There is a certain satisfaction that comes from turning the tables on a seemingly unbeatable adversary. Luke Skywalker exploited a design flaw to destroy the Death Star. Rocky Balboa exploited Ivan Drago’s arrogance to win a boxing round. Sarah Connor exploited a reprogrammed Arnold Schwarzenegger to beat the T-1000 in Terminator 2.
In cyber security, the hacker community often seems as evil as Darth Vader, as cold as Ivan Drago and as relentless as the Terminator. It would be nice if there were a way to turn the tables and beat hackers at their own game.