IT Service Management blog posts

Introduction to Hacking Web Applications

Introduction

A web application is software that runs on a web server and is used through a web browser. It has several layers: the web server, the application content hosted on that server, and a back-end interface layer that integrates with other applications. The architecture is built to scale, with components designed for high availability.

Hacking a web application means interacting with it in ways its designers did not intend, in order to reach data or functionality that should be withheld from the attacker. A web application hacker needs a deep understanding of the application's architecture to succeed, and mastery comes from practice, study and experimentation with the application. The work demands tenacity, focus, attention to detail and careful observation of how the application responds. There are many kinds of web application attack, and many defence mechanisms to counter them and protect the application.

Core defense mechanisms

An application's defences fall into four categories:

- Handling user access to the application's data and functionality
- Handling user input
- Handling attackers, with defensive and offensive measures that detect and frustrate them
- Managing the application configuration so that unauthorized activity raises an alert

User access

A web application defines different user roles according to business requirements and use cases. A classic example is digital banking, where a customer can query the balance of their own account or transfer money to someone else, but must not touch anyone else's account. Another example is a Linux administrator granting rights and privileges only to authorized users.

The application enforces user access with three mechanisms:

- Authentication
- Session management
- Access control

Authentication establishes that a user is who they claim to be, normally with a username and password.
Additional factors, such as a one-time code sent to the user's mobile number or a biometric check, can strengthen it.

Session management keeps the user signed in across the many HTTP requests that make up a visit. When a user logs in, the application creates a session and issues a token that identifies it on subsequent requests; how long sessions last and what they hold depends on the application and its use case.

Access control decides, for each HTTP request, whether the authenticated user is permitted to perform the requested action on the requested data. It is the last layer of defence in user access, and it fails whenever the application trusts the session alone without checking what that session is entitled to.

User input

All input received from the user is untrusted, and the application needs defences that stop malicious input from injecting code or breaking the site. Input can be validated at several levels, depending on what the business needs:

- Reject known bad: a blacklist of strings associated with attacks (SQL keywords, "<script" and the like) that the server refuses. This is the weakest approach, because attackers routinely find encodings and variants the list does not cover.
- Semantic checks: validating that well-formed input makes sense in context, for example that the account number supplied actually belongs to the logged-in customer.
- Accept known good: an allowlist describing what valid input looks like. For example, a bank account number field accepts only a string of digits of the expected length and nothing else.
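The three approaches are easiest to compare in code. The following is an added example written for this page, not code from the original article: a blacklist check and the kind of single-pass sanitiser that usually accompanies it, an allowlist check for a ten-digit account number, and a semantic check on top of it. The account numbers, their owners and the blacklisted words are constructed for the example.

```python
import re

# Constructed sample data: which account numbers belong to which logged-in user.
ACCOUNT_OWNERS = {
    "1234567890": "alice",
    "9876543210": "bob",
}

# "Reject known bad": a blacklist of fragments that look like attacks.
BLACKLIST = ("select", "union", "drop", "<script")


def reject_known_bad(value: str) -> bool:
    """Blacklist check. True means the input is accepted.
    Weak by construction: anything the list does not name (for example an
    <img> tag with an onerror handler) walks straight through."""
    lowered = value.lower()
    return not any(bad in lowered for bad in BLACKLIST)


def strip_script_tags_once(value: str) -> str:
    """A single-pass sanitiser of the kind blacklist filters often use.
    Nesting one tag inside another survives the removal: the outer fragments
    join up into exactly the tag the filter meant to remove."""
    return re.sub(r"(?i)<script>", "", value)


# "Accept known good": an account number is exactly ten ASCII digits, nothing else.
ACCOUNT_NUMBER = re.compile(r"[0-9]{10}")


def accept_known_good(value: str) -> bool:
    """Allowlist check: the whole string must match the permitted shape."""
    return ACCOUNT_NUMBER.fullmatch(value) is not None


def semantic_check(value: str, current_user: str) -> bool:
    """A well-formed account number is still refused unless it belongs to the
    user making the request; this is the check that keeps customers out of
    each other's accounts."""
    return accept_known_good(value) and ACCOUNT_OWNERS.get(value) == current_user
```

Run against a few inputs, the blacklist passes `<img src=x onerror=alert(1)>` untouched, the sanitiser turns `<scr<script>ipt>alert(1)</script>` into a working script tag, while the allowlist rejects everything that is not ten digits and the semantic check rejects another customer's valid number.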
Safe data handling goes further: instead of inspecting input, the application processes it through interfaces that cannot be subverted by it, for example parameterized database queries rather than queries built by string concatenation.

Validation should be multi-step: every component that receives input checks it, rather than relying on a single check at the entry point. Boundary validation applies the same idea at each trust boundary, not only at the interface between the user and the application but also where the application talks to databases, back-end services and other external interfaces.

Handling hackers

To detect and respond to attacks, the application and its environment need:

- Audit log records
- IP address blocking
- Intrusion detection systems
- Firewalls

The application should also be configured to raise an immediate alert when an attacker is detected inside it, rather than silently logging the event.

Web application technologies

The technologies developers most commonly use to build web applications include:

- Markup and styling: HTML, CSS
- Programming languages: JavaScript, CoffeeScript, Python, Ruby, PHP, Go, Objective-C, Swift, Java
- Frameworks: Node.js, Ruby on Rails, Django, Ionic, PhoneGap, Bootstrap, Foundation, WordPress, Drupal, .NET, AngularJS, Ember.js, Backbone.js, Symfony, Laravel
- Libraries: jQuery, Underscore
- Databases: MongoDB, Redis, PostgreSQL, MySQL, Oracle, SQL Server
- Data formats: JSON, XML, CSV
- Protocols: HTTP, DDP, REST

Digital technologies shaping web applications include WebAssembly (a compilation target that runs alongside JavaScript), motion UI design, chatbots, artificial intelligence, progressive web applications (PWA), blockchain, single-page applications, web server software, digital transformation, Accelerated Mobile Pages (AMP), and virtual and augmented reality.

Bypassing client-side controls

Web applications constantly send data from the server to the client and receive it back. Developers often assume that data they sent to the client will come back unmodified, and they often push state to the client (in hidden fields, cookies or URL parameters) to avoid storing it in the server-side session, which simplifies the application and improves performance. But anything held on the client is far easier for an attacker to modify than anything held on the server.

Client-side controls are bypassed in two situations. In the first, the application transmits data via the client and relies on it coming back unchanged, so the client effectively controls the security decision.
In the second, the application gathers data entered by the user, and the client implements measures (length limits, script-based validation, disabled form elements) intended to control what that data can be. In both cases the techniques for bypassing the controls are the same: tampering with HTML form features, disabling or modifying client-side scripts, and intercepting or reverse-engineering thick-client components. An intercepting proxy sees and can alter every request after the browser's checks have run, so a control that exists only on the client is worthless as a security mechanism; the server must re-validate everything.

Authentication and authorization

Authentication and authorization are the two key concepts supporting access to a web application.

Authentication is any verification process that checks whether a human or automated system is who or what it claims to be. The application identifies the user by credentials such as a username (login) and password, and may delegate the check to an identity provider using OpenID, OAuth or SAML. Because credentials travel over the network, the whole mechanism depends on the HTTP/HTTPS implementation: they must be sent only over HTTPS.

Authorization is the set of controls that allow or restrict access to resources once identity is known. It is entirely driven by business use cases and varies from application to application. To strengthen it, log every privileged action and terminate (log out) sessions that are no longer valid. Strict controls on both concepts are needed to keep the application from being compromised.

XSS - Cross-site scripting

Cross-site scripting is an injection attack in which malicious scripts are injected into an otherwise trusted website. The attacker uses the web application to deliver malicious code, in the form of browser-side script, to other users. The victim's browser has no way to know that the script did not come from the site, and executes it. The script can read cookies, session tokens and any other sensitive information the browser holds for that site, and can rewrite the entire content of the HTML page.

Types of XSS:

- Stored XSS
- Reflected XSS
- DOM-based XSS

Each of these can be either Server XSS (the vulnerable code runs on the server) or Client XSS (the vulnerable code is client-side JavaScript).

Bypassing blacklists and whitelists

A blacklist is a list of addresses that the application refuses to contact or accept, defined according to need.
Blacklisted entries can be IP addresses, networks or URLs. A whitelist (allowlist) works the other way round: the server only lets through requests whose URL is on the accepted list, and every other request fails.

Allowlists are much harder to bypass, because anything not explicitly listed is rejected by default. With either kind of filter the attacker's goal is to make the application reach an internal URL or address it was supposed to refuse. A blacklist can be bypassed by:

- Fooling it with redirects: the submitted URL is allowed, but the host it points to redirects to the internal target
- Tricking it with DNS: a name the attacker controls resolves to an internal address
- Using IPv6 addresses the list does not cover
- Switching the encoding of the address: hex, octal, dword (the address as a single 32-bit integer), URL encoding, or a mix of these

CSRF - Cross-site request forgery

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. The attacker sends a link by email or chat, or embeds the request in a page they control, and tricks the user's browser into sending it; because the browser attaches the user's session cookie, the application treats the forged request as legitimate. If the victim is an administrator, the entire application can be compromised.

Unvalidated redirects

These arise when a web application accepts untrusted input and uses it to redirect the request to a URL taken from that input. By changing the URL parameter to point at a site they control, the attacker launches a phishing attack from a link that starts on the trusted domain and steals the user's credentials. An unvalidated forward can likewise route a request to privileged functionality the user could not normally reach. The protection is never to accept a full URL from the user: have the user supply a short name, ID or token that is mapped server-side to the full target URL.

SQL injection

SQL injection is the injection of malicious SQL, via data submitted from the client, into a query the web application builds. A successful injection can read, modify and delete sensitive information in the database.
Depending on the database and its configuration it can also:

- Issue commands to the underlying operating system
- Take administrative control of the database server's operations
- Do all of this through ordinary SQL statements

File upload vulnerabilities

Many web applications let users upload files: text, pictures, audio, video and other formats. Upload handling needs care. An attacker can craft a multipart/form-data POST request with a forged MIME type; if the server trusts the client-supplied type, stores the file under a name the attacker chose, and serves it from a location where it will be executed, the attacker's code runs on the server and the upload feature is under their control.

Attacking the application server

The main classes of attack against the application server are:

- Cross-Site Scripting (XSS)
- SQL Injection (SQLi)
- File upload
- Local File Inclusion (LFI)
- Distributed Denial of Service (DDoS)

Web application hacker's toolkit

The toolkit has two core tool types:

- Intercepting web proxy, which lets the tester view and modify all HTTP messages between the browser and the web application
- Web application scanner, which maps the application and automatically probes it for vulnerabilities

Some of the tools commonly used alongside these:

- Kali Linux
- Angry IP Scanner
- Cain & Abel
- Ettercap
- Burp Suite
- John the Ripper
- Metasploit

Web application hacker's methodology

Conclusion

In this article we have covered the concepts of hacking web applications end to end: core defence mechanisms, web application technologies, bypassing client-side controls, authentication and authorization, XSS, bypassing blacklists and whitelists, CSRF, unvalidated redirects, SQL injection, file upload vulnerabilities, attacking the application server, the web application hacker's toolkit and the web application hacker's methodology.
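The alternative address encodings listed under "Bypassing blacklists and whitelists" are easiest to appreciate in code. The following is an added example written for this page, not code from the original article: a naive substring blacklist, a decoder for the hex, octal, dword and shortened IPv4 spellings that inet_aton-style resolvers accept, a check that normalizes any such literal before classifying it, and an allowlist check. The allowed hostnames and the blocked fragments are hypothetical. DNS names are not resolved here, so the redirect and DNS tricks from the same list still have to be handled by resolving the name and re-checking the resolved address.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this application is permitted to fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

# Hypothetical blacklist fragments of the kind a naive filter matches against the raw URL.
BLOCKED_FRAGMENTS = ("localhost", "127.0.0.1", "10.", "192.168.")


def host_blacklist_permits(url: str) -> bool:
    """The weak control: substring matching on the URL text. True means 'allowed'."""
    lowered = url.lower()
    return not any(fragment in lowered for fragment in BLOCKED_FRAGMENTS)


def parse_ipv4_literal(host: str):
    """Decode every IPv4 spelling that inet_aton-style resolvers accept:
    hex (0x7f000001), octal (017700000001 or 0177.0.0.1), dword (2130706433)
    and shortened forms (127.1). Returns an IPv4Address, or None if the host
    is not such a literal (a DNS name, or an out-of-range part)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    numbers = []
    for part in parts:
        try:
            if part.lower().startswith("0x"):
                numbers.append(int(part[2:], 16))
            elif len(part) > 1 and part.startswith("0"):
                numbers.append(int(part, 8))
            else:
                numbers.append(int(part, 10))
        except ValueError:
            return None
    value = 0
    for n in numbers[:-1]:              # leading parts are one byte each
        if not 0 <= n <= 255:
            return None
        value = (value << 8) | n
    tail_bits = 8 * (5 - len(numbers))  # the final part fills the remaining bytes
    if not 0 <= numbers[-1] < (1 << tail_bits):
        return None
    return ipaddress.IPv4Address((value << tail_bits) | numbers[-1])


def is_internal_target(url: str) -> bool:
    """True if the URL's host is an IP literal, in any encoding, that points at
    loopback, private, link-local or unspecified space. DNS names return False
    here; they must be resolved and the resolved address checked the same way."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return True                     # malformed authority: treat as hostile
    if not host:
        return True
    ip = parse_ipv4_literal(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)   # IPv6 literals such as ::1
        except ValueError:
            return False                      # a DNS name, not a literal
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                   # ::ffff:127.0.0.1 is really 127.0.0.1
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def allowlist_permits(url: str) -> bool:
    """The stronger control: only an explicitly allowed hostname over https passes;
    IP literals in any encoding never do, because they are not on the list."""
    try:
        parsed = urlsplit(url)
    except ValueError:
        return False
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS
```

`http://2130706433/`, `http://0x7f000001/` and `http://0177.0.0.1/` all pass the substring blacklist and all decode to 127.0.0.1, which the normalizing check rejects; the allowlist rejects them without needing to understand the encoding at all.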
Anand

Introduction to Session Hijacking Exploitation

In this article we will be talking about session hijacking and exploitation. You will learn about session management and its applications, the common ways session tokens are compromised, and how the key methods of session hijacking let an attacker take over a session. You will also learn the differences between session hijacking, session fixation and session spoofing, and what attackers do after a successful hijack. Finally, we look at how session hijacking can be prevented.

Introduction to session management

HTTP is the protocol that browsers and websites use to communicate and exchange data, and it is stateless: each request/response pair is handled on its own, and the server has no built-in memory of the previous request from the same client. Session management is the mechanism the application layers on top of HTTP to tie a sequence of requests to the same user, so that transactions spanning many requests can be treated as belonging to that user. It is the glue between authentication (the user proves who they are once) and access control (every later request is checked against that identity), both of which web applications rely on.

There are two primary ways to carry the session identifier:

- Cookies
- URL rewriting (the identifier is embedded in every link)

They can be used on their own or together. Even sites without logins use sessions, for example to count unique visitors.

Introduction to session hijacking and cookies

Session hijacking is an attack on a live user session. A session is live from the moment we log in to a service; a typical target is the session of a banking application in which the user is performing financial transactions. Because the session is usually identified by a cookie, the attack is also called cookie hijacking or cookie side-jacking. The more accurate the information the attacker has about our sessions, the more precise the attack.
Session hijacking is common against browser sessions and web applications.

Session hijacking workflow

Common ways of compromising session tokens

A session token can be compromised in the following ways:

Predictable session token
- Session IDs must be unpredictable, whether they are generated by the application or by the framework.
- A token should carry no meaning (no usernames, timestamps or counters) that would let an attacker recognize its structure and derive other users' tokens.
- Short session keys are easy to guess and should be avoided.

Session sniffing
- The attacker uses a packet sniffer to capture a valid session ID from network traffic.
- With that ID the attacker gains unauthorized access to the web server as the victim.

Client-side attacks (XSS, malicious JavaScript, Trojans)
- The attacker steals the session ID with malicious code or programs running on the client.
- Cross-site scripting is the most common route: injected JavaScript reads the session cookie and sends it to the attacker.

Man-in-the-middle attack
- The attacker intercepts the communication between two systems.
- The original TCP connection is split into two: client to attacker, and attacker to server.
- The attacker acts as a proxy and can read, modify or edit the data in transit.

Man-in-the-browser attack
- Very similar to the man-in-the-middle attack, but the interception point is a Trojan horse inside the victim's browser.
- Data is manipulated between the browser and the application, so transport encryption does not help.

Key methods of session hijacking

There are five key methods:

- Session fixation
- Session side-jacking
- Cross-site scripting
- Malware
- Brute force

Session fixation

The attacker already knows a session ID, because the attacker chose it. The attacker sends the victim a link (for example by email) that contains the session ID, or a crafted login page with the fixed session ID in a hidden field, and waits for the victim to log in. Once the victim authenticates, the known ID becomes an authenticated session the attacker can use.

Session side-jacking

The attacker sniffs the network traffic between two parties and steals the session cookie. Most of these attacks happen on unsecured Wi-Fi hotspots.
Even when a website uses SSL/TLS, if only the login page is encrypted, or the cookie is issued without the Secure flag, the cookie still travels in clear text on later requests and can be captured; a man-in-the-middle position is the classic way to do this.

Cross-site scripting
- The attacker gets code to run in the user's browser that sends a copy of the cookie to the attacker.
- To the user it appears trustworthy, because it is served from the legitimate site.
- The code is typically client-side script, such as JavaScript, executed by the browser; it can run arbitrary code in the page and hands the attacker what is needed for session hijacking.
- Types: reflected XSS, stored XSS, DOM-based XSS

Malware
- Unwanted programs that steal the browser's cookie files.
- They run without the user's knowledge and read files or memory contents on the user's computer or the server.
- The target is the browser's local cookie storage, known as the cookie jar.

Brute force
- The attacker uses the ID generation algorithm, or guesses it, to derive valid session IDs.
- If the algorithm produces sequential or otherwise low-entropy keys, the attacker can enumerate them and walk into a user's active session.
- Low entropy is what brute force exploits; the defence is long, random session identifiers, not short or predictable ones.

Exploiting the session hijack vulnerability

Four categories of vulnerability are exploited for session hijacking:

XSS vulnerabilities
- Client-side scripts are injected
- JavaScript is embedded in the page
- The resulting faulty page carries out the attack

Session side-jacking vulnerabilities
- Packet sniffers are used to attack
- Example: man-in-the-middle attack

Session fixation vulnerabilities
- Mainly carried out through fake websites or links
- The user assumes the link is genuine and clicks it

Malware installation vulnerabilities
- The attacker sends malicious code to disrupt the application, the network or the communication
- The attacker gains access to the applications

Overall, the attacker exploits session hijacking through these vulnerabilities, destabilizing the system and gaining unauthorized access.
The user is unaware of any change and assumes the session is genuine, while the attacker gains control of the data through these vulnerabilities.

Difference between session hijacking, session fixation and session spoofing

Goal
- Session hijacking: gain unauthorized access to an active user session
- Session fixation: gain unauthorized access to an active user session
- Session spoofing: steal or modify data

Method
- Session hijacking: sniffing network traffic
- Session fixation: the inverse technique; access is obtained through a pre-defined session cookie planted in the user's browser
- Session spoofing: fake emails, fake websites or forged IP addresses

Activity
- Session hijacking: performed against a user who is currently logged in and already authenticated
- Session fixation: the attacker already knows the session ID used to gain unauthorized access
- Session spoofing: attackers use stolen or counterfeit session tokens to initiate a new session and impersonate the original user, who may not be aware of the attack

What can attackers do after a successful session hijacking?

The attacker can perform any action the user could perform with their credentials. That can mean access to multiple web applications, from financial systems and customer records to line-of-business systems holding valuable intellectual property, and in single sign-on (SSO) environments one hijacked session cookie identifies the user to every connected application. A few examples:

- Log into bank accounts and transfer money
- Use the access for online shopping
- Obtain sensitive data and sell it on the dark web
- Demand a ransom from the user in exchange for the data

Prevention of session hijacking

Session hijacking can be countered with measures on both the client and the server side. On the user's side, keeping software up to date and using endpoint security are key. Requiring re-authentication (for example biometric or other strong authentication) before sensitive actions within a session limits what a hijacked session can do.
- Encrypt the whole session between browser and web server with HTTPS (SSL/TLS), not just the login page.
- Keep session state on the server; the cookie should hold only the session identifier.
- Log the user off automatically when the session ends or has been idle for too long.
- Monitor session IDs for reuse from different clients.
- Use a VPN on untrusted networks so that traffic cannot be sniffed.
- Have the web server generate long, random session cookies.
- Delete the session cookie on the server and on the user's computer at logout.
- Bind the session to characteristics of the client, such as the order and content of its HTTP headers, so that a token presented by a different client is rejected.

Conclusion

In this article we have covered the key concepts of session hijacking and the ways an attacker carries it out. We discussed the methods attackers use to gain unauthorized access, including the vulnerabilities they exploit, and clarified session spoofing and session fixation. We looked at what an attacker can do after taking control of a user's session, and finally at how session hijacking can be prevented.
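The prevention list above comes together in a small server-side session store. This is an added example written for this page, not code from the original article: it generates unpredictable IDs (against brute force), rotates the ID at login (against session fixation), expires idle sessions, and emits a cookie with the Secure, HttpOnly and SameSite attributes (against side-jacking, XSS theft and CSRF). The timeout value and cookie name are arbitrary choices, and the clock is injectable so the behaviour can be checked deterministically.

```python
import secrets
import time
from typing import Dict, Optional

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG: guessing is hopeless
IDLE_TIMEOUT_SECONDS = 15 * 60   # arbitrary choice for the example
COOKIE_NAME = "session"          # arbitrary choice for the example


def predictable_session_id(counter: int) -> str:
    """What NOT to do: a sequential ID. One observed value reveals its neighbours,
    which is exactly what the brute-force method described above exploits."""
    return f"sess-{counter:08d}"


def random_session_id() -> str:
    """URL-safe base64 of 32 random bytes (43 characters): no structure, no meaning."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def session_cookie(session_id: str) -> str:
    """Set-Cookie value. Secure keeps the cookie off plain HTTP (side-jacking on open
    Wi-Fi), HttpOnly keeps it out of reach of injected JavaScript (XSS), and
    SameSite=Lax stops most cross-site requests from carrying it (CSRF)."""
    return f"{COOKIE_NAME}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


class SessionStore:
    """Server-side store: the cookie carries only the opaque ID, all state stays here."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_SECONDS) -> None:
        self._sessions: Dict[str, dict] = {}
        self.idle_timeout = idle_timeout

    @staticmethod
    def _clock(now: Optional[float]) -> float:
        return time.time() if now is None else now   # injectable for deterministic tests

    def create(self, now: Optional[float] = None) -> str:
        """Anonymous (pre-login) session, for example for a shopping basket."""
        session_id = random_session_id()
        self._sessions[session_id] = {"user": None, "last_seen": self._clock(now)}
        return session_id

    def login(self, session_id: str, user: str, now: Optional[float] = None) -> str:
        """Authenticate and ROTATE the session ID. Dropping the pre-login ID is the
        defence against session fixation: an ID the attacker planted in a link or
        hidden field never turns into an authenticated session."""
        self._sessions.pop(session_id, None)
        fresh_id = random_session_id()
        self._sessions[fresh_id] = {"user": user, "last_seen": self._clock(now)}
        return fresh_id

    def user_for(self, session_id: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a presented ID to its user, logging off sessions idle past the timeout."""
        now = self._clock(now)
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[session_id]          # automatic log-off
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, session_id: str) -> None:
        """Delete the session on the server; the client's copy of the cookie is then useless."""
        self._sessions.pop(session_id, None)


def fixation_attempt(store: SessionStore) -> tuple:
    """Replay the fixation scenario: the attacker obtains an ID and gets the victim to
    log in with it. Returns (user behind the planted ID, user behind the victim's real ID)."""
    planted = store.create(now=1000.0)                     # attacker's pre-chosen ID
    victim_id = store.login(planted, "alice", now=1001.0)  # victim authenticates using it
    return store.user_for(planted, now=1002.0), store.user_for(victim_id, now=1002.0)
```

After the victim logs in, the planted ID resolves to nothing and only the freshly issued ID, which the attacker never saw, is tied to alice; an ID left idle beyond the timeout or explicitly logged out resolves to nothing as well.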

What Is Ethical Hacking?

The internet brought with it the third revolution, one that has interconnected the world like never before. There are currently about 5 billion internet users in the world, and the number grows every day. From education to healthcare to communications to transport, the internet has permeated every industry to make our lives easier and more convenient. But is the internet manna from heaven? Sadly not. Along with immense opportunity and innovation it has brought threats: breaches, fraud and attacks, and foremost among them the threat from hackers. Hackers are sophisticated criminals who can breach cyber security systems and cause loss of money, credibility and trust. In 2017 alone, hacking cost consumers $172 billion, and it is predicted that by the end of 2020 the average cost of a data breach will be about $150 million. Apart from the money lost, a company that proves vulnerable to cyber-attacks also loses face with its customers, who come to see it as unreliable. That is why more and more organizations are investing in sophisticated cyber security to protect their data and reputation from hackers. But how does one know whether the security in place is foolproof and not susceptible to attack? This is where ethical hackers come in. An ethical hacker is a security professional who assesses a system for vulnerabilities that could be exploited in a malicious attack. Ethical hackers break and build security for an organization, and they have become an indispensable resource in the security market. From e-commerce websites to banks, organizations of all kinds are investing in ethical hackers who can assess their defences and put a security system in place. So how does one become an ethical (white hat) hacker, and what is the career path in this role?
Understanding ethical hacking

Ethical hacking is a legitimate, structured form of hacking performed to expose vulnerabilities in software, web applications or networks that an unauthorized person could reach and exploit. It helps secure both your personal IT assets and an organization's. Attackers have many threat vectors for getting access to a website, software or network; ethical hackers are trained to identify these and fix them before malicious hackers discover them. In organizations they often carry the title of security analyst, security consultant or security architect.

Some of the tasks of an ethical hacker include:

- Detecting loopholes in a database that an unauthorized person could exploit
- Finding vulnerabilities in networks that an attacker could exploit
- Educating employees on how to identify and handle phishing mails
- Establishing proper security controls on all devices
- Securing web applications and websites
- Securing the organization's network
- Regularly patching infrastructure devices such as routers, switches, firewalls and servers
- Establishing perimeter security to protect the organizational network
- Ensuring user and access-based controls are set up and implemented
- Input validation on websites

What ethical hackers do

In essence, an ethical hacker uses the same tools and techniques a malicious (black hat) hacker would use to breach a system.
The only difference is that what an ethical hacker does is legitimate, ethical and done with the consent of the organization, quite contrary to a malicious hacker who breaches a system's security without consent. An ethical hacker's job involves identifying loopholes and developing and discussing their assessment methods and findings with the various IT teams and higher management. Ethical hackers perform vulnerability assessments on the network, software and servers. Later they fix those weaknesses so that no unauthorized user can compromise the system's integrity.

What qualifications does one need to become an Ethical Hacker?

A Computer Science or Information Technology degree is not required to become an ethical hacker. There are many professionals who come from a non-technical background and go on to become excellent ethical hackers. What you need is expertise in the latest hacking tools and techniques that you can use to test the system and identify its loopholes.

Some of the defensive approaches ethical hackers use to protect organizations include:

- Regular patching of infrastructure devices like routers, switches, firewalls and servers
- Establishing perimeter security to protect the organizational network
- Ensuring user- and access-based controls are set up and implemented
- Input validation on websites
- And many more

History of Ethical Hacking

The term 'hacker' was coined in 1960 at the Massachusetts Institute of Technology, where some great minds were trying to redevelop mainframe systems using FORTRAN programming. With the dawn of the digital age, hacking became one of the top methods of conducting cyber-attacks. Nation-sponsored attacks are a new form of cyber terrorism that can bring countries to their knees. One of the biggest examples is Stuxnet, a virus attack on the nuclear program of Iran, which according to Wikipedia was carried out jointly by the USA and Israel.
Some of the other victims of hacking are organizations such as:

- Adobe hack: 2013
- Yahoo hack: 2013
- eBay hack: 2014
- Sony hack: 2014
- Marriott hack: 2018
- Dubsmash hack: 2019

Evolution of the Ethical Hacking role

Ethical hackers play an important role in securing us in this era and can be said to be the unsung heroes of the IT industry. Organizations have greatly expanded their investments in cyber security after realizing that a breach could cost them more than their turnover. The digital demand in today's world has ensured that the responsibilities of, and the need for, ethical hackers are on the rise.

How does Hacking become Ethical?

Hacking can be legal or illegal depending on the intention of the act. If hackers use their knowledge to provide security and protection to an organization, it becomes legal or ethical. When a hacker has the user's consent to check the security of their system by breaching it, it is ethical hacking. However, if the security of a system is breached without the user's consent to perform a malicious act such as stealing passwords, sending spam, damaging or stealing data, making unlawful transactions etc., then that makes it a cybercrime.

Recent Hacking Attacks

What do hackers do?

- Perform a data breach
- Get details of the server
- Get sensitive details from a database
- Crash a website

Some of the more prominent data breach attacks in recent years include:

In 2015, Barack Obama, Joe Biden, Jeff Bezos, Warren Buffett, Bill Gates, Mike Bloomberg, Elon Musk, Kanye West and others were victims of hacking.

Myerscough College, in Billsborrow, Lancashire, was attacked on its results day. This compelled the staff to email each student about their grades individually. Even their online enrolment system was affected by the attack.

The WannaCry ransomware was used to derail thousands of computer systems, including those of government organizations and private organizations.
Ashley Madison is a website with the slogan 'Life Is Short, Have an Affair.' This website was attacked in July 2015, which resulted in the personal data of 37 million users being leaked on public websites. The results were catastrophic and it ruined the reputations and marriages of many.

In June 2015, the records of 21.5 million people, including social security numbers, dates of birth, addresses, fingerprints and security-clearance-related information, were stolen from the United States Office of Personnel Management (OPM). Most of the victims were employees of the United States government. This attack was also considered serious due to the leak of private information about officials.

The attackers used asymmetric cryptography, in which they encrypted the complete system using a public key and stored the private key on their own server. The owner of the system was blackmailed into paying money in exchange for the private key to decrypt that system.

According to McAfee, "Rise in Cyber Attacks Amid Covid-19 Resulted in 375 Threats Per Minute in Q1 2020".

What is a Vulnerability?

A vulnerability is a loophole in the system which allows an unauthorized user to gain access to the system. A vulnerability is often the result of a misconfiguration of the logic implemented for the operation or security of the system. Any weakness in a system that can be used to exploit the organization's property is called a vulnerability. A flaw in the system makes it vulnerable to attacks. A small configuration error can become a high-severity vulnerability. Generally, vulnerabilities are categorized according to severity and frequency of occurrence.
These are:

- Critical
- High
- Medium
- Low

Below are some of the different types of vulnerability:

- Database default credentials are used
- The server is not properly patched
- Session timeout is not properly configured
- The server executes data entered in an input field as a command
- Handling of data is not properly implemented

What types of Systems do Hackers target?

Hackers often want to hack those computers or networks from which they know they will surely get valuable or sensitive information. Government and private organizations that store large amounts of sensitive data are especially vulnerable to hacking. Individual hacking is also on the rise, where hackers attack individuals to steal money or passwords. In the times we live in, knowledge of hacking and security is a must for every individual and organization to protect themselves. Ethical hackers are the modern-day vigilantes who protect and serve organizations and individuals by fixing the security issues of systems and keeping them safe from attacks.
The ITIL Framework and Its Processes

You’ve got ITIL® questions. We’ve got ITIL answers. Recently, a group of learners due to complete their engineering degrees in computer science caught up with John Dell, one of our expert ITSM trainers and authors, seeking advice on careers in ITSM. This blog is an account of the conversation, which will serve ITIL aspirants well.

The learners opined that they were not very keen on programming and would like to explore what other options exist in the IT sector. They were about to graduate and were not sure there was much opportunity outside programming in IT. John clarified that, firstly, the IT sector does not revolve only around software development. The IT industry is vast and presents plenty of opportunity. He suggested they start by carrying out a quick SWOT analysis for themselves.

The majority of the learners cited that communication, good analytical and testing skills and leadership skills were their strengths; incidentally, coding and design were not particular strengths for this group. The group recognized that IT support and the IT service industry would open up several opportunities, while programming and core software development were not areas that appealed to them. Based on this basic SWOT analysis, John suggested that the students consider jobs related to service management, and jumped into what ITIL is all about and how it could propel their careers.

IT Management mainly involves Software Development & Management, IT Infrastructure Management, and IT Service Management. The ITIL Framework refers to a set of best practices, guidelines and methodologies designed by industry experts to align their IT services with customer and business strategic goals. So, this framework provides uniform and consistent guidelines to all IT industries to define their IT Service Management processes.

Why is there a need for a consistent framework?
When asked whether each IT company could come up with its own framework and design for IT service management, John answered that they actually can. He further elaborated with an illustration. Company A provides support to Company X and Company B provides support to Company Y. Here, A and B are service providers and X and Y are service consumers. They have not adhered to any service management framework. Both service providers, A and B, have unknowingly made many mistakes and faced lots of challenges in providing support to their consumers, X and Y. After a couple of years, once the project is completed, A and B have not exchanged notes, nor learnt from each other's mistakes. Six months down the line, B commits the same mistakes that A earlier had, and vice versa.

In such a scenario, would service consumers X and Y ever come back to A and B again? Not likely. When mistakes repeat, service consumers or customers will not be happy and may not return with the project again. To avoid such a scenario, what such companies could do is connect with each other and share lessons. Such an initiative would avoid many bottlenecks and arrest many recurring challenges.

John explained that companies, understanding the importance of a consistent process, have embraced lessons from the industry and continually improve their processes for a better customer experience. While it may not be feasible to connect with every other company and collect their lessons and best practices in real time, notwithstanding that companies may or may not share that information, there is a need for a common forum or entity to collect best practices and lessons across the IT industry and formulate a framework. Such a framework formulated for the IT service industry is called the ITIL framework.

Why is this framework called ITIL?

ITIL stands for Information Technology Infrastructure Library.
When asked why it was referred to as a ‘Library’, John explained that it is a set of practices for Information Technology Service Management (ITSM) that focuses on aligning IT services with the needs of the business. As it is a set of best practices and lessons from the service industry, it is referred to as a “library”.

Significance of ITIL in the Service Industry

John went on to explain that there were plenty of reasons for the ITIL framework:

- The ITIL framework helps to align IT solutions with business strategic goals
- It helps to set realistic, achievable and predictable service goals
- It ensures efficient service delivery and improves customer satisfaction
- It reduces costs through improved utilization of resources
- It defines consistent IT roles and improves communication through standardized terminology
- It improves planning and continual improvement through regular measurement and monitoring

What is meant by continual improvement?

John addressed the question with a use case. Company A is the service provider and Company X is the service consumer. Company A and Company X are in a legal contractual agreement. Company A agrees to provide N services to Company X for the next 2 years. One of the agreed services is to resolve all high priority incidents within 4 hours. After a year of experience, Company A (service provider) becomes very proficient at resolving incidents within 2 hours, and this has been verified as well. Now, Company A (service provider) submits a proposal to Company X (service consumer) to improve the high priority incident resolution time to 2 hours instead of 4 hours. The contractual document is amended. Company X (service consumer) agrees to pay an additional amount to Company A (service provider) for the improvement of the service. This is a good example of continual improvement. Continual improvement of a service will always increase the customer satisfaction index, says John.
History of ITIL

In 1989, the UK Government’s Central Computer and Telecommunications Agency (CCTA) developed the first version of ITIL to unite IT systems in an efficient and cost-effective way. Collecting best practices from all government agencies and private sector companies across Europe, the CCTA came up with an initial standard framework.

ITIL soon grew to a 30-volume catalogue, providing a collection of all IT best practices that focused on and catered for client and business needs. In 2000, the CCTA changed into the OGC (Office of Government Commerce, UK). The same year, Microsoft also adopted ITIL as the foundation for developing their Microsoft Operations Framework (MOF). This version was focused on making ITIL more accessible and arranged the 30-volume framework into nine related categories.

In 2007, ITIL was expanded and reorganized as an IT service management lifecycle, known as ITIL Version 3 (ITIL V3). This version covers the initial conception, development, transition, operations and improvement of a service. ITIL V3 views the activity of managing services as a lifecycle, which is a shift in focus from the individualized process/function view of the previous version. The service lifecycle concept has further evolved since.

In 2011, AXELOS released a revision of ITIL that resolved errors and inconsistencies with V3. This is the updated version of the 2007 edition, referred to as ITIL V3 updated. In this version, the ITIL service lifecycle contains 5 stages:

- ITIL Service Strategy
- ITIL Service Design
- ITIL Service Transition
- ITIL Service Operation
- ITIL Continual Service Improvement

This forms the basis for all ITIL best practices across the globe. Since 2013, ITIL has been owned by AXELOS Ltd, a joint venture between Capita Plc and the British Government’s Cabinet Office. In 2019, due to the Industry 4.0 revolution, the current version of ITIL was launched.
V4 has more practical guidance on how to use ITIL in an organization which is embracing a digital journey. This makes it easier for organizations to align ITIL with DevOps, Agile and Lean work methods. With V4, ITIL adopted more of a holistic philosophy towards service management, making it broader and more inclusive for the modern IT environment. Having developed a good understanding of the evolution of ITIL, the students learnt how the best practices which originated from a few European companies were continuously improved and revised to become a globally accepted service management framework.

How ITIL works

The students now wanted to go deeper and asked how ITIL could help an organization achieve its strategic goals. John explained that following ITIL practices helps organizations achieve their strategic goals by:

- Ensuring the quality of IT services meets the service consumer’s expectations and needs
- Ensuring the service consumer can use IT services whenever and wherever they are needed
- Ensuring organizations can improve customer satisfaction by building and maintaining positive business relationships
- Ensuring that organizations maximize value for money from their service providers
- Allowing organizations to benchmark their IT services and maximize ROI
- Allowing organizations to demonstrate and quantify the actual value of the services they provide
- Allowing organizations to forecast, influence and respond to demand for IT services in a cost-effective manner, depending on fluctuating demand situations
- Allowing organizations to minimize IT service disruption

Stages of ITIL and the purpose of each stage

By now, the students were very keen and eager to know about the different lifecycle stages defined in ITIL V3 and their purpose. John went on to explain that ITIL has five stages.
The following explains each stage and its purpose:

1. Service Strategy: The Service Strategy stage provides guidance on how to design, develop and implement IT Service Management. This is the core of the service lifecycle. This phase mainly focuses on understanding and defining the market. It also defines the needs of the customers.
2. Service Design: In the Service Design stage, strategies generated in the Service Strategy stage are turned into action. Services and processes are designed, and plans are implemented to achieve better service management.
3. Service Transition: The Service Transition stage ensures that new changes and modifications are efficiently incorporated into the service lifecycle without disrupting the other existing services or processes. It is carried out in a well-coordinated manner using cost-effective measures and resources. Through service transition, the design that was built is tested and implemented in the lifecycle in a productive manner.
4. Service Operation: The Service Operation stage provides guidance on day-to-day business operations. The goal is for the IT department to keep things running smoothly, reliably, efficiently and cost-effectively. The activities and processes in this phase ensure that services are delivered to customers at the agreed service level with minimal interruptions and disruptions. Service Operation focuses on providing value to both the service consumer and the service provider.
5. Continual Service Improvement: The Continual Service Improvement stage focuses on improving the current service for the service consumers. Continual Service Improvement focuses on progressive monitoring and controlling of services.
Key performance indicators must be in place to determine whether the service is running optimally, and the service owner must ensure that the service complies with the strategic targets linked to the IT service.

John went on to explain that the outcomes of Continual Service Improvement become the inputs for Service Strategy. Identified improvements will help to revise the strategic goals and targets. Explaining what was meant by a Key Performance Indicator, John defined it as a quantifiable measurement for measuring any strategic goal. This is generally agreed between the service consumer and the service provider in the legal contract, he added.

The difference between ITIL® V3 and ITIL® 4

Digging deeper into the difference between ITIL V3 and ITIL 4, John explained that ITIL 4 was the latest version. The two may need to be prioritized depending on the case, he pointed out.

1. ITIL V3: It defines a lifecycle approach. ITIL 4: It defines a Service Value System-based approach.
2. ITIL V3: This version does not talk about the four-dimension model. ITIL 4: This version emphasises the importance of the four dimensions for holistic service management.
3. ITIL V3: With its 26 service lifecycle processes, functions and other guidance, it arguably also describes how the components and activities in the organization work together. ITIL 4: ITIL 4 and the Service Value System take a more holistic approach, providing organizations with a flexible operating model that supports different work approaches. ITIL 4 presents 34 practices as "sets of organizational resources designed for performing work or accomplishing an objective".
4. ITIL V3: There are no guiding principles under ITIL V3. ITIL 4: The ITIL 4 guiding principles are universal recommendations that can guide organizations in many situations, such as "work holistically" and "keep it simple and practical".
5. ITIL V3: ITIL V3 covers governance under Service Strategy. ITIL 4: The governance component of the ITIL 4 Service Value System is about directing and controlling the organization.

What are the different certifications available in ITIL?

Explaining the available certifications in ITIL, John elaborated using the following levels to help the students understand the different certifications under ITIL (Source: Axelos).

1. ITIL 4 Foundation Level: The ITIL 4 Foundation certification is designed as an introduction to ITIL 4 and enables candidates to look at IT service management through an end-to-end operating model for the creation, delivery and continual improvement of tech-enabled products and services.
2. ITIL 4 Managing Professional: The Managing Professional (MP) stream provides practical and technical knowledge about how to run successful IT-enabled services, teams and workflows.
3. ITIL 4 Strategic Leader: ITIL 4 Strategic Leader demonstrates that you have a clear understanding of how IT influences and directs business strategy.
4. Master Level: To achieve the ITIL Master certification, you must be able to explain and justify how you have personally selected and applied a range of knowledge, principles, methods and techniques from the ITIL Framework and supporting management techniques to achieve desired business outcomes in one or more practical assignments.

Getting started

Concluding, John summarized that to get started, all one needs to do is talk to professionals to understand how the work they do contributes to creating value for customers. If everybody thinks about what they do in these terms, then the next step will be much easier.
The IT world we live in is becoming more and more service based by the day, and there is great opportunity. Industry leaders have seen ITIL in action and have bought into it. Most major global corporations run their services on ITIL®, and IT professionals with ITIL skills are in great demand.
The Business Benefits of Following ITIL Best Practices

Information Technology Infrastructure Library®, or ITIL® as it is widely known, is the accepted best practice framework in IT Service Management (ITSM). Around the world, organizations have adopted it as an effective tool to transform the management of IT services and to achieve business growth. IT Service Management is leveraged extensively to create competitive advantages. IT is no longer a cost center; it has come to be regarded as an important business driver which offers tremendous opportunities for value creation.

Today, it is hard to come across any service not enabled by IT, and with businesses facing tremendous disruptions, IT services comprise the most significant and perhaps the largest component. With digital transformation rapidly changing the global business and economic landscapes, corporations are striving to remain competitive and relevant. How a service is delivered and managed can determine who will survive and who will not. Creating value through services, for customers and for themselves, is what organizations are striving for. Many enterprises are embracing the opportunities offered by digital transformation. These organizations realize that such transformations must be in sync with the need for stability, predictability, operational agility and organizational velocity. Therefore, improving and expanding capabilities in IT Service Management is the name of the game!

Overview of the ITIL4 framework

ITIL4 is a major upgrade from the previous version, ITIL V3. In keeping with the changing business environment, ITSM is also evolving as organizations adopt newer ways of working. Cross-functional teams are becoming commonplace and there is increased integration of IT with other organizational capabilities. ITIL4 provides a new operating model, one that is flexible as well as practical and that can help organizations on their digital transformation journey.
In the new framework, ITIL best practices are integrated with new ways of working such as Agile and DevOps. The key elements of ITIL4 are the four dimensions, the guiding principles, the move from processes to practices, and the ITIL Service Value System. In this article, we will discuss each of these in detail.

Benefits of ITIL4

Adoption of ITIL4 can bring a lot of benefits to organizations and practitioners alike. In the new version, the framework accords strategic importance to ITSM by placing it in the wider context of customer experience and value co-creation. The main benefits of ITIL4 are:

Holistic Approach to Service Management

Understanding how all the parts of the organization (ITSM, development, operations, business relationships and governance) work together in an integrated way is key to a holistic approach to value creation. This provides end-to-end visibility and appropriate controls, which is essential to the achievement of organizational agility, faster time to market, quality, optimized costs and reduced risk through continual improvement and innovation.

Focus on co-creating business value

While the focus of ITIL V3 was on IT service lifecycles (development, deployment, improving and retiring), ITIL4 has a focus across the entire organization. The four dimensions that are essential to creating value for all stakeholders, including customers, are as follows:

Organization and People

This dimension is essentially about the people aspect of ITSM. The organizational culture needs to support its objectives, and the right level of staff capacity, competencies and skill sets is required for value co-creation to take place.
Organizational structure (horizontal or vertical), roles and responsibilities, adequate governance and effective communication are some other key considerations to focus on under this dimension.

(Figure: ITIL4 shows how every dimension is affected by multiple factors)

Information and technology

This aspect applies to both service management and to the services being managed. This dimension includes information created, managed and used in the course of service provision and consumption. The technology part considers components like storage, networks, databases etc. that make up the service, as well as technology that supports service management at the enterprise level.

Partners and suppliers

Value is increasingly achieved through co-creation. Partners and suppliers play a vital role in the design, development, delivery and continual improvement of services. The breadth and depth to which organizations integrate suppliers into their value chains depends on many factors like in-house capabilities, sourcing strategy, relationships, cost etc.

Value streams and processes

It is critical that the different parts of the organization work in an integrated and coordinated way to create value. ITIL4 introduces the service value chain, an operating model which helps map how a value stream (the delivery process of a service) flows across various activities from demand to supply. Organizations should map a value stream for every product or service to provide a complete, end-to-end picture of how value is created.

Improved Business and IT alignment

With a flexible operating model in the form of the Service Value System (SVS), the framework offers opportunities for better alignment of business and IT, whereby IT works in tandem with the business to realize organizational goals. This not only improves quality of service but also leads to higher customer satisfaction by reducing risks and cutting down time to market.
Key concepts of ITIL V4

Value Co-creation

ITIL4 defines a service as: “A means of enabling value co-creation by facilitating outcomes that customers want to achieve, without the customer having to manage specific costs and risks.”

This definition marks a shift from the old definition as it outlines ‘value co-creation’. What this means is that the service provider and service consumers must work together to create value. In ITIL V3, value was described as something the service provider created for customers. The service provider collaborates with customers to understand what constitutes value for customers rather than creating products and services in a vacuum.

There are also two types of key stakeholders defined within ITIL4:

Service Provider

When provisioning services, an organization takes on the role of the service provider. The provider can be external to the consumer’s organization, or they can both be part of the same organization.

Service Consumer

When receiving services, an organization takes on the role of the service consumer. Service consumer is a generic role that is used to simplify the definition and description of the structure of service relationships. Just as there can be different provider roles, consumers are also divided into different roles or categories, namely:

- Customer: a person who defines the requirements for a service and takes responsibility for the outcomes of service consumption
- User: a person who uses the service
- Sponsor: a person who authorizes budget for the service

In some instances, the same person may serve in several roles. In other cases, different people may assume the various roles. As a service provider organization, it is important to understand who fills each of these roles and what each of them wants and expects from the service provider.
Products

A product is a configuration of an organization’s resources designed to offer value for a consumer. A service provider may offer a product or a portfolio of products that have the potential to co-create value for multiple customer segments. A service provider can thus create one or more service offerings.

(Figure: Products are a configuration of an organization’s resources. Source: AXELOS)

Service Value System and Management Practices

The ITIL4 Service Value System (SVS) describes how all the components and activities of the organization work together as a system to enable value creation. A system can be defined as an interconnected network or as a set of things working together as parts of a mechanism. An organization is a system. The service provider, as a system, receives demand from multiple sources and converts it into value by creating and offering services for customers.

(Figure: ITIL Foundation: ITIL4 Edition (2019). Source: AXELOS)

The Service Value System (SVS) is a different way of looking at the organization. The SVS is interconnected. It has individual parts, but they are all part of the same mechanism, working together. This includes how organizations get things done (Service Value Chain), how decisions are made (Guiding Principles), how they improve (Continual Improvement), how they ensure they are doing what they profess to be doing (Governance), and how they process work (Practices). Successful organizations exploit opportunities and respond to demand by delivering high-quality products and services in a fast and efficient way. They stand out for their agility, and they do it by breaking down silos.

Now, let us break down those components and discuss how each contributes to making the Service Value System successful.

Guiding Principles

Guiding principles guide an organization in all circumstances. These should form the basis for decision making in the organization.
The guiding principles provide a comprehensive and holistic vision of how a service or service management organization should manage and execute its work. The seven guiding principles are:

- Focus on value
- Start where you are
- Progress iteratively with feedback
- Collaborate and promote visibility
- Think and work holistically
- Keep it simple and practical
- Optimize and automate

Governance

Governance is the means by which an organization is directed and controlled by defining policies and rules.

Service value chain

The service value chain is an operating model which outlines the key activities required to respond to demand and facilitate value realization through the creation and management of products and services.

(Figure: Service Value Chain in ITIL4. Source: Axelos)

The service value chain outlines six value chain activities:

- Plan
- Engage
- Design and transition
- Obtain or build
- Deliver and support
- Improve

Typically, a service provider will engage with external stakeholders, plan work, and deliver and support live products and services.

Practice

ITIL4 moved away from processes towards more expanded ‘practices’ and defines them as ‘a set of organizational resources designed for performing work or accomplishing an objective’. They are both practical and flexible, and each practice supports multiple SVC activities and aids the flexibility of the entire service value chain. These practices are leveraged in order to cater to various aspects like time to market, responding to demand, and resource allocation and scaling. ITIL4 has 34 practices, as follows:

General Management Practices

14 general management practices have been identified. These are generally practised across the organization and are adopted for use in ITSM as well.

Service Management Practices

17 service management practices have been developed for specific areas of IT service management and the ITSM industry as a whole.
Technical Management Practices There are three technical management practices which come from technology management domains for service management. They have been adopted in such a way that expand their applicability in IT services domain as well. Namely, these are: (1) deployment management, (2) infrastructure and platform management, and (3) software development and management. The 34 practices of ITIL4 have been summarized in the following table: General Management practices(14)Service Management Practices(17)Technical Management Practices(3)Architecture management Availability managementDeployment managementContinual improvement Business analysisInfrastructure and platform managementInformation Security managementCapacity and performance managementSoftware development and ManagementKnowledge managementChange ControlMeasurement and reportingIncident managementOrganizational change managementIT asset managementPortfolio managementMonitoring and event managementProject managementProject managementRelationship managementRelease managementRisk managementService catalogue managementService financial managementService configuration managementStrategy managementService continuity managementSupplier managementService designWorkforce and talent managementService deskService level managementService request managementService validation and testing34 practices of ITIL. Source: Axelos.Implementing ITIL4 in your organization – Best Practices Implementing ITIL4 in your organization, is all about the ABC of an organization - attitude, behavior, and culture. It is these three ABCs that will determine the success or otherwise of ITIL implementation.  A culture that accords highest importance to holistic service delivery and value co-creation, naturally evokes right attitude and behavior from all sections of the organization. 
With that said, the following are some of the key factors to be considered: Start where you are An objective evaluation of the current situation needs to be carried out before initiating a transformation. This gives us a perspective of our current capabilities, things that are working well and things that are not, what we can do and what we can’t, the processes that are currently being used, the prevailing organizational culture etc. So, the current baseline is the best starting point. Organizational Vision For organization wide adoption, it is important that there is a common big picture, an organizational vision which everyone, understands, aligns, and is committed to. Everyone should be able to know what the organizational goals are they are working for, how do their role fit into the larger scheme of things and what role does IT play in the achievement of the business strategy. Therefore, the following factors, among others, need to be looked at: The People The Practices  The product and technology The culture, service, and attitude The organization, communication, and relationships  Build capability and evaluate progress: Having a clear vision helps in building what matters the most to the organization. It helps draw a roadmap. Capability building in ITSM should include having defined practices, effective tools for ITSM and as also for collaboration, competency building for the staff, putting the right governance structures in place etc. Measuring and evaluating progress at key milestones is important to know if we are headed in the right direction and, if the changes that are being introduced bring value or not. Concluding thoughtsITSM has evolved well with times and ITIL has kept pace. The new version is both practical and flexible and takes ITSM to the next level of maturity by embracing a holistic view of service management and aligning itself with newer ways of working like Agile, DevOps and lean. 
The new version, which has received a lot of contribution from members of the ITSM community and industry practitioners, has made ITIL more relevant than ever before.

ITSM Gets Agile With ITIL® V4

The influx of new technologies has initiated a steep growth in the demand for a more modern, structured IT service management (ITSM) framework. Emerging technologies like blockchain, artificial intelligence, the internet of things (IoT), and many more are shaping the Fourth Industrial Revolution. A report by CompTIA projects that the global information technology industry will grow at a rate of 3.7% in 2020, and that IT jobs are at risk as companies move toward automation. However, with multi-faceted certifications like ITIL®, IT teams will be better equipped to handle more responsibilities across the IT industry.

What is ITIL®?
ITIL® (Information Technology Infrastructure Library) is a common framework that standardizes global best practices in IT. It is used globally by millions of practitioners and is relied upon by 90% of the Financial Times Stock Exchange 500 to optimize their IT operations. The framework equips a service provider with a clear capability model, aligning it to the business strategy and customer needs. Yet, with shifting work practices, the silo model of ITIL® has been challenging its practitioners to evolve. With its new version, ITIL® V4, some of these problem areas are addressed.

Carefully curated with the help of 12 lead architects, 61 authors, and hundreds of IT practitioners, the latest additions incorporate a range of approaches, from DevOps and Agile to SRE (Site Reliability Engineering). So what exactly sets ITIL® 4 apart?

Defining ITIL® V4 with agility
Traditionally, ITSM focused on continual service improvement (CSI) by collecting feedback and coming up with improvements in a project plan that spans anywhere between 6 and 12 months. However, with the advent of digital transformation, this approach has become obsolete. With such a delayed turnaround time for improvements, customer retention becomes difficult, and the overall pace is hampered as well.

The introduction of agility to this model ensures shorter project cycles and constant iterations to meet customers' or end users' expectations. Running 4-week sprints becomes a regular process, with mini-projects being stacked alongside and then passed to the Scrum Masters. Not only does this streamline the feedback mechanism to ensure continuous improvement, but it also helps in tracking the success and optimal usage of resources. It is as simple as this: instead of doing something for 6 months, finding where it failed and then reworking those aspects, with an agile methodology one can continuously rework what is wrong while also progressing with the project and enhancing what is right. A perfect example of this is user testing and the MVP (minimum viable product) in the case of IT services. Agile also allows the setting of short-term goals aligned to current business needs. With the entire team aligned to the end result and making improvements on the go, overall productivity is also increased.

Breaking down silos
ITIL® 4 focuses on creating a shift in the ITSM mindset, both culturally and in working methodologies, by breaking down barriers and silo working. It helps in fostering a collaborative work environment right from the top and nurtures a holistic approach to work. By documenting processes formally and keeping track of consistency and progress, the dependencies involved in each process become transparent. Each team works to its strengths and supports the others in their shortcomings, creating a collaborative environment. When such structures are implemented at the top level, they are bound to trickle down to the remaining parts of the organization.

Benefits of ITIL® V4
ITIL® V4 has been primarily built on four dimensions of service management: people, products, partners, and processes. While the processes were largely overlooked by the previous versions, ITIL® V4 embraces the core values of other frameworks like Lean, Agile and DevOps, making it more flexible and beneficial to niche IT services. With the support of ITIL® V4, ITSM is more structured around development processes, and its adoption of agile methodologies creates space and autonomy in work within a consistent framework. Change is imperative for the growth of any organization, and ITIL® 4 helps them navigate it. Shifting gears from process-led delivery to value-driven delivery, ITIL® 4 ensures faster quality and quick growth for people and organizations.