ITIL Practitioner: Core Competencies, Guiding Principles and Service Strategy Importance

In my previous post, I wrote a beginner's article on ITIL Practitioner. There I covered how the ITIL Practitioner certification fits into the overall ITIL framework, briefly touched on the examination format for the ITIL Practitioner course, described the benefits you and your company gain if you choose to take the certification and, most importantly, tried to answer the question “should you go for ITIL Practitioner certification or not”.

Now, in this post, I will delve a bit deeper into other, equally important aspects of the ITIL Practitioner course:

  • What are the core competencies of ITIL Practitioner
  • Various guiding principles of ITIL Practitioner
  • And to answer the question from the previous post: “Why is service strategy considered the core of the ITIL and ITSM framework?”

Let’s start!
Core competencies of ITIL Practitioner:
Core competencies are the engine behind the ITIL framework. All the processes, steps, functions and techniques in the ITIL universe revolve around them.

These three core competencies are as follows:

  • Critical competency
  • Guiding Approach
  • CSI or Continual Service Improvement

Critical Competency covers the critical requirements that any team member, professional or organization must possess to succeed in service-based projects. These competencies are categorized into three sections:

  • Communication
  • Organizational change management
  • Measurement and Metrics

I personally like to refer to them as CMO [for ease of memorization].

As expected, communication refers to every individual in your team/project being able to articulate their needs, wants and requests clearly and concisely, and to interpret the sender's message accurately. It also covers the project manager's or project owner's duty to ensure that communications to all stakeholders and customers, internal or external, are handled properly, documented for future reference and lead to overall service satisfaction.

Measurement and Metrics deals with the obvious concept that what you can't measure, you can't improve. Without measurement you cannot accurately gauge whether your service is providing the expected benefits, whether your project is on track, or whether the service that is consuming resources is performing its intended job.

For example, an internet search engine service might be able to return more than 1000 results for the most basic of queries. But whether those results are relevant to the user or not will decide the fate of your internet search engine company.

In the above case, the search engine service is doing its job by returning more than 1000 results to choose from, but if none of them is what the user is looking for, it is a failure.

And you will never know this if you can't measure effectiveness, efficiency, user satisfaction and so on.

Hence, measurement against defined metrics is a very important competency to have in ITIL.

Organizational change management describes an organizational structure that handles change management for the service you provide. Let us continue with the internet search engine example.

Once you have identified, through Measurement and Metrics, that your service is not returning relevant results for your users, you will obviously engage your engineering team to work on an improved service design.

The new service design will require changes to the existing search engine code, infrastructure and possibly configuration as well. Not all changes can be, should be or will be approved. Right? We all know that.

So there needs to be a change management board for your organization [or project] that discusses the merits and demerits of all proposed changes, prioritizes them by business benefit and cost involved, and finally gives the go-ahead or not.

This is what organizational change management is all about.

No service management project or organization can succeed without these three competencies sorted out. And that is where your role as an ITIL practitioner becomes important.

Guiding Principles of ITIL Practitioner
Now that your project and organization have entrusted you to get service management right, put the core competencies in place and get the parts moving, as a thorough professional and an ITIL practitioner you will do this well, because you have the knowledge required.

But what should guide you in situations not covered by the ITIL Practitioner guide? What should decide your way forward when you encounter roadblocks and resistance to change? And what values should you hold before you explain the need for these improvements to stakeholders?

The mantras that guide you in difficult, uncertain or morally charged situations are known as the “Nine Guiding Principles of ITIL Practitioner”.

I personally believe that even if you lose your ITIL Practitioner guide [which I hope you don't, because it is not cheap] or forget the technical knowledge, as long as your guiding principles are correct you will never falter on your journey.

Those principles are as follows:

  • Focus on Value: Always try to look beyond materialistic gains. Look for long-term value. Will it help the organization in the long run? Will it solve genuine problems? Will your customers/users thank you for it?
  • Design for experience: Always ask your designers to put themselves in the user's shoes and use the service as the user would. Then check whether the current service is actually helpful to them. This eliminates many ideas that look good in a presentation but fail miserably when released to the market.
  • Start where you are: There can be multiple interpretations of this statement, but in simple terms it says: do not forget who you are, where you come from and what your current ground reality is. If you are clear about these things, more often than not you will make correct plans.
  • Work Holistically: Always remember that your work and your service not only solve a problem but also interact with many other components in the ecosystem, whether technical, mechanical, emotional or cultural. So work holistically. An internet search engine may provide accurate results, but in a country where those results are banned or offend the audience's religious faith, it can seriously backfire on you and your organization.
  • Progress Iteratively: Always break the problem into smaller pieces and achieve one or two steps at a time. This lets you get user feedback and improve your service at low cost, rather than building the whole service and then finding out there is no market for it.
  • Observe directly: What if you rely on intermediaries for feedback, user reactions or problem data, and later find out that the “source” misunderstood the feedback, leading you to build something that was not required at all? Or worse, the “source” had a vested interest and now your service is out of the market. So don't take the risk. Focus on getting the data directly.
  • Be Transparent: Good or bad, whatever the situation, it should be clearly communicated to your stakeholders. All decisions, along with their rationale, should be explained to the audience. Take care not to divulge unintended information to the unintended audience; still, there should be transparency. For example, you receive feedback that in the Middle East your service is gaining negative publicity because of search results rendered on a particular topic despite a government directive against it. In such a case you are expected to inform your stakeholders about the situation and your plan to tackle it, and to inform end users about the upcoming change. You need to explain the exact problem and its implications to business users, but you need not keep the same level of detail when communicating with market users. So use your filtering mechanism, but ensure that transparency is maintained.
  • Collaborate: Nobody has the answer or solution to everything. So get the best people for their competencies; sometimes more minds give better results. So mix and collaborate. Simple!
  • Keep it simple: Keep things simple and do not overcomplicate them to show off proficiency.

And finally, Continual Service Improvement covers the goal of constantly finding ways to improve your service through measurement and metrics, via communication and organizational change management.

So these are the three competencies of an ITIL practitioner along with the nine guiding principles.

Why is service strategy the core of ITIL Practitioner?
You will be amazed by the answer!

It keeps in line with the 9th guiding principle of ITIL.

And that principle was: Keep it simple!

And this is the reason I did not answer this question until now.

The answer is:
Service strategy deals with knowing what service you [as a company] are going to create through this project and why. It covers the plans to be executed to develop the service, how to market it, how to provision it, and what business benefits it will drive for users and for the organization.

Once you have that clear, all your plans, processes and techniques need to be aligned with that goal; otherwise there is no point in creating an internet search engine service that gives wrong results to the user, even if it works very fast.

And this is why service strategy is the core of ITIL Practitioner: you need to make it clear to the team you are going to work with!

Abhinav Gupta

Blog Author

PMP, has 12+ years of experience in the information technology sector and has worked with companies like Infosys and Microsoft in various capacities. He started his career as a manual tester for a world-renowned software product and grew to become an automation champion in both functional and UI testing. He has worked with healthcare units providing software solutions to companies in North America and with search engine groups to enhance their user experience and provide more bang for the buck to their customers.

Join the Discussion

Your email address will not be published. Required fields are marked *

Suggested Blogs

Introduction to Hacking Web Applications

A web application is a program or software that runs on a web browser to perform specific tasks.  Any web application has several layers – web server, the content of the application that is hosted on the web server and the backend interface layer that integrates with other applications. Web application architecture is scalable and has components which have high availability.Hacking is the process of the appropriating the web application from its actual user by tinkering in various ways.  The web application hacker needs to have deep knowledge of the web application architecture to successfully hack it. To be a master, the hacker needs to practice, learn and also tinker with the application.Web application hacking requires tenacity, focus, attention to detail, observation and interfacing. There are many types of web application hacking, and many defense mechanisms available to counter and to protect the application from being hacked.Core defense mechanismsThere are four categories in which we can protect the web application:User access handling to the application data and functionalityUser input handling  Suitable defensive and offensive measures to frustrate the hackerApplication configuration to get the alert in case of unauthorized accessUser AccessA web application provides different roles for user access depending on the business requirement and use cases.  A classic example is a digital banking scenario, where the customer wants to access the banking functions to get the balance from his account or transfer the cash to someone else. Another example is a scenario where a Linux administrator wants to provide privileges and rights to authorized users.The web application uses the below security mechanisms:AuthenticationSession managementAccess controlAuthentication is identifying a user to whom the credentials belong. This can be done using is a user name and password.  
Additional authentication can be done through the user’s mobile number or biometrics.Session management is the process of the user being signed in throughout, while using the web application.  Every time the user logs in to use the application, it is recorded as a session. Sessions can vary depending on the use case and application.Access control is a process of protecting the HTTP requests in Web application. This is the last layer of defense in the user access.User InputAll the user inputs in the web application are always untrusted. A web application should have defense mechanisms in place to prevent the user from writing malicious code or breaking the website.  We can handle the user input validation at various levels based on the need of the business.Input handling to reject all words related to hacking- this is a process of blacklisting them which the web server will check and confirm. These are called Semantic Checks.Also creating a set of rules to accept the user inputs – for example, only numbers that are safe for Bank account access can be used. 
This is called Safe Data Handling.We need to have multi-step validation where every component is checked for user inputs in the web application.We can have boundary validation to check all the external interfaces with the applications.Handling HackersTo get more sensitive alerts in the web application we need to have followingAudit logs recordsIP address blockingIntrusion Detection systemsFirewallsWe need to have application configuration with the key alert that has to be notified immediately when any hacker gets into the web application.Web application technologiesThe top web technologies that developers are using for web development are as below:HTMLCSSProgramming LanguagesJavaScript Coffee Script Python Ruby PHP GO Objective C SWIFT JavaFrameworks Node.JS Ruby on Rails Django Ionic Phonegap Bootstrap Foundation Wordpress Drupal .NET Angular JS Ember JS Backbone JSLibraries J Query UnderscoreDatabase MongoDB Redis Postgres SQL MySQL Oracle SQL ServerData Formats JSON XML CSVProtocols HTTP DDP RESTDigital Technologies for Web ApplicationsWeb Assembly – similar to JavaScript Movement UI Design Chabot’s Artificial Intelligence Dynamic Web Applications – PWA Blockchain Single Page Applications Web Server Software Computerized Transformation AMP Wins VR and AR Symfony LaravelBypassing client-side controlsThe process of sending data from server to client is very common in web applications.  The reverse is also true when client sends the data to the server. It is normal for software developers to assume that the client will not modify the data.  Avoiding the storage of data within the user session can help in security and also increase performance. Modifying the data stored in the client side is easy in comparison to the server side by the hacker.Two ways exist for bypassing: Application relies on client-side data to restrict the user input. So, restricting the client side controls the security. 
Application gathers data that is entered by user, the client implements methods to control the previous data.For both the options, the following are the techniques to by-pass client side controls: HTML form features Client Side Scripts Thick Client technologiesAuthentication and AuthorizationWeb applications have both authentication and authorization as key concepts supporting the web applications.Authentication refers to any verification process that checks whether a human or automated system is who or what it claims to be. Authentication is the process of verifying the identity of the individual. A unique identifier is added for the web application like Password, Login or username.  We can use OpenID, OAUTH, and SAML. The entire Authentication depends on the HTTP/HTTPS implementation.Authorization is a process in which we have controls to allow or restrict resources. It is entirely dependent on business use cases and it varies end to end.  For strengthening the authorization we should implement logging for all privileged actions. Invalid sessions should be made to log out. So we need to have strict controls on both the concepts to prevent hacking of web applications.XSS – Cross site scriptingThis is a type of injection in which malicious scripts are injected to trusted websites.  A hacker uses a web application to send malicious code. This is in the form of browser-side script. The end user has no way to know that a hacker has entered into the web application and he continues to execute the script. Script can access cookies, session tokens and all other sensitive information and even have the capability to rewrite the entire HTML page content.Types of XSS Stored XSS Reflected XSS DOM based XSSAll these can occur in Client XSS or Server XSS.Bypassing blacklists and whitelistsBlacklist refers to the practice of not allowing certain addresses and blocking them based on the need and requirement. 
They can be IP address, Networks and URLs.Whitelist indicates that a server would only allow through requests that contain a URL on an accepted list, and other requests will fail.Whitelist are harder to bypass as they are default controls in the web application.  The concept is that it redirects to the internal URL. We can bypass a blacklist byFooling it with redirects Tricking with DNS IPV6 address usage Switching out the encoding Hex Encoding Octal Encoding Dword Encoding URL Encoding Mixed EncodingCSRF – Cross site request forgeryCSRF is an attack that forces an end user to execute unwanted actions on a web application which is already authenticated. The hacker can send a link via an email and chat, and may trick the users of a web application into executing actions. In case the attack is on an administrator account the entire web application can be compromised. Unvalidated redirects These are possible when a web application accepts untrusted input. This can cause the web application to redirect the request to a URL containing untrusted inputs. Through the modification of the Untrusted URL input to a malicious site, the hacker launches a phishing attack and steals the user credentials.These redirects using credentials can also give the hacker the privilege functions which normally they cannot access.We need to have the user provide a short name, ID or token which is mapped server-side to a full target URL and this gives protection to the entire process.SQL injectionSQL injection is a process of injecting the malicious SQL query via the input data from the client to the web application.SQL injection can modify, read, and delete the sensitive information from the Databases. 
Has the ability to issue commands to the operating system Administration controls on the operations of the database Done through simple SQL commandsFile upload vulnerabilitiesWeb applications have these functionalities and features of uploading files.These files can be text, pictures, audio, video and other formats.We need to be careful while uploading files.A hacker can send a remote form Data POST request with mime type and execute the code.With this, the files upload will be controlled by the hacker.Attacking the application serverThe various formats of the attacks on the application server are listed below:Cross-Site Scripting (XSS)SQL Injection (SQLi)File upload  Local File Inclusion (LFI)Distributed Denial of Service (DDoS)Web application hacker’s toolkitThe hacker’s toolkit is as given below:Intercepting Web proxy – Modifies all HTTP messaging between browser and web applicationWeb application scanner -  For the hacker to get the entire information about the web application.A few of the tools which belong to the above two categories:Kali LinuxAngry IP ScannerCain & AbelEttercapBurp SuiteJohn the RipperMetaspoiltWeb application hacker’s methodologyConclusion:In this article, we have covered the entire hijacking web application concepts end to end. We have discussed the concepts of web applications and covered topics such as - Core defense mechanisms, Web application technologies, Bypassing client-side controls, Authentication and authorization, XSS – Cross site scripting, Bypassing blacklists and whitelists, CSRF – Cross site request forgery, Unvalidated redirects, SQL injection, File upload vulnerabilities, Attacking the application server, Web application hacker’s toolkit, and Web application hacker’s methodology.
9552
Introduction to Hacking Web Applications

A web application is a program or software that ru... Read More

Introduction to Session Hijacking Exploitation

In this article we talk about session hijacking and how it is exploited. You will learn what session management is and what it is used for, the common ways session tokens are stolen, and how the key methods of session hijacking let an attacker take over a session. You will also see how session hijacking differs from session fixation and session spoofing, what an attacker does after a successful hijack, and finally how session hijacking can be prevented.

Introduction to session management

HTTP is the protocol that browsers and web sites use to exchange data, and it is stateless: each request/response pair is handled on its own, and the server has no built-in memory of the previous request from the same client. A session is the server's way of tying a sequence of HTTP requests together as belonging to one user. The server issues a session identifier (the session token) after the first request and the browser sends it back with every later request, so transactions can be attributed to the same user. Session management is therefore the layer that sits between authentication and access control in a web application: the token is the proof that a request belongs to an already authenticated user.

There are two common ways of carrying the session token:

- Cookies (the Set-Cookie response header and the Cookie request header)
- URL rewriting (the token embedded in the query string or path)

They can be used alone or together. A simple use case is tracking the number of unique visitors to a site.

Introduction to session hijacking and cookies

Session hijacking is an attack in which an attacker takes over a user's live session. A session is live from the moment we log in to a service; the classic example is logging in to a banking application to make a financial transaction. Because the token is usually carried in a cookie, session hijacking is also called cookie hijacking or cookie side-jacking. The more an attacker knows about how our sessions are created and transported, the more precise the attack can be. Session hijacking is common against browser sessions and web applications.

Session hijacking workflow (figure)

Common ways of hacking session tokens

A session token can be compromised in the following ways:

Predictable session token
- Session IDs must be unpredictable, whether they are generated by the web application or by code in the browser.
- Session tokens should be random and non-descriptive, so that an attacker cannot infer their structure or guess the next value.
- Short session keys should not be used; a short key has too little entropy to resist guessing.

Session sniffing
- The attacker uses a packet sniffer to capture a valid session ID from network traffic.
- With the captured ID the attacker gains unauthorized access to the web server as that user.

Client-side attacks (XSS, malicious JavaScript, trojans)
- The attacker steals the session ID with malicious code or programs running on the client.
- Cross-site scripting is the most common way to steal a session token, typically with injected JavaScript that reads document.cookie.

Man-in-the-middle attack
- The attacker intercepts the communication between two systems.
- The attacker can split the original TCP connection into two new ones: client to attacker, and attacker to server.
- Acting as a proxy, the attacker can read, modify or edit the data, including the session token.

Man-in-the-browser attack
- Very similar to the man-in-the-middle attack, but the interception happens inside the victim's browser.
- A trojan horse is used to intercept and manipulate traffic between the browser and the application.

Key methods of session hijacking

There are five key methods of session hijacking:

- Session fixation
- Session side-jacking
- Cross-site scripting
- Malware
- Brute force

Session fixation
The attacker already knows the session ID before the victim logs in, because the attacker chose it. The attacker sends the victim a link or a crafted login page that carries that fixed session ID (for example in a hidden form field or in the URL), then waits for the victim to log in with it. If the application keeps the same ID across login, the attacker's copy of the ID is now an authenticated session.

Session side-jacking
The attacker uses packet sniffing to read the network traffic between the two parties and steals the session cookie from it. Most such attacks happen on unsecured Wi-Fi hotspots. Even if the site uses SSL/TLS, an attacker on the same network can still succeed whenever the cookie is sent over plain HTTP, for example when the cookie lacks the Secure flag or the site mixes HTTP and HTTPS pages. A man-in-the-middle position is the classic setting for session side-jacking.

Cross-site scripting
- The attacker gets script to run in the victim's browser that sends a copy of the cookie to the attacker.
- To the user the script looks trustworthy because it appears to come from the legitimate server.
- The script is usually client-side JavaScript; the browser executes it in the context of the application and hands the session token to the attacker.
- Types: reflected XSS, stored XSS, DOM-based XSS.

Malware
- Unwanted programs that steal the browser's cookie files.
- Runs without the user's knowledge to read file or memory contents on the user's computer.
- Browsers keep cookies in a local store often called the cookie jar; malware reads it directly.

Brute force
- The attacker uses a key-generation algorithm to produce candidate session IDs.
- If the IDs are sequential or otherwise patterned, the algorithm quickly reaches a valid one.
- The less entropy a token has, the smaller the space the attacker has to search, and the sooner an active session is found and taken over.
- Short or predictable session identifiers offer no protection; the defence is long, random session keys.

Exploiting the session hijack vulnerability

Four categories of vulnerability are exploited for session hijacking:

XSS vulnerabilities
- Client-side scripts are injected into a page the application serves.
- The embedded JavaScript runs in the victim's browser and leaks the token to the attacker.

Session side-jacking vulnerabilities
- Packet sniffers capture the token from traffic; a man-in-the-middle position is the typical example.

Session fixation vulnerabilities
- Usually delivered through a fake web site or link carrying the attacker's session ID.
- The user assumes it is a genuine link and clicks it.

Malware installation vulnerabilities
- The attacker delivers malicious code that disrupts the application, the network or the communication.
- The attacker then gains access to the applications.

Overall, the attacker exploits session hijacking through these vulnerabilities, destabilising the system and gaining unauthorized access. The user is unaware of any change and assumes the session is genuine, while the attacker gains control of the user's data through these vulnerabilities.

Difference between session hijacking, session fixation and session spoofing

Session hijacking
- Goal: unauthorized access to an active user session
- Method: sniffing network traffic, or otherwise stealing the token
- Activity: performed against a user who is currently logged in and already authenticated

Session fixation
- Goal: unauthorized access to an active user session
- Method: the inverted technique: the attacker plants a pre-defined session ID in the user's browser before login
- Activity: the attacker already knows the session ID and waits for it to become authenticated

Session spoofing
- Goal: steal or modify data by impersonating the user
- Method: fake email, fake web site or spoofed IP address
- Activity: the attacker uses stolen or counterfeit session tokens to start a new session as the user, who may not be aware of the attack

What can attackers do after successful session hijacking?

The attacker can perform any action the user could perform with their credentials. That can mean access to multiple web applications, from financial systems and customer records to line-of-business systems potentially holding valuable intellectual property. In a single sign-on (SSO) environment the hijacked cookie identifies the user to every application behind the SSO, so one stolen token can open all of them. A few examples:

- Log in to bank accounts and transfer money
- Use the access for online shopping
- Access sensitive data and sell it on the dark web
- Demand a ransom from the user in exchange for the data

Prevention of session hijacking

On the client side, keeping software updated and running endpoint security are key for the user, and requiring biometric authentication for each user session limits what a stolen token is worth.

On the server side: use end-to-end encryption between browser and web server (HTTPS/TLS) for every page, not only the login page, and mark the session cookie Secure so it is never sent over plain HTTP. Keep the session value only in the session cookie and mark it HttpOnly so page scripts cannot read it. Regenerate the session ID on login, and log the user off automatically after a period of inactivity. Generate long, random session IDs on the server. Use session ID monitors to spot anomalies, such as the same ID presented from two different clients. A VPN protects the token on untrusted networks. Delete the session cookie on both the server and the user's computer at logout. Comparing HTTP header order across the requests of one session is a further precaution: a change suggests that a different client is now presenting the token.

Conclusion

In this article we covered the key concepts of session hijacking and the ways an attacker carries it out. We discussed the methods attackers use to gain unauthorized access, including the vulnerabilities they exploit, the concepts of session spoofing and session fixation, the activities an attacker can perform after taking control of a user session, and finally how to prevent session hijacking.
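The predictable-token and brute-force sections above come down to one number: how many candidates an attacker must try. The following added example (not code from the original article) models that with a constructed weak generator, WeakSessionIds, a constructed SessionStore that serves as the attacker's validity oracle, and new_strong_id, which issues tokens from Python's secrets module the way a server should. All three names, and the timestamps, are assumptions made for illustration.

```python
"""Why session tokens must be long and unpredictable.

Added example, not code from the original article. WeakSessionIds is a
constructed stand-in for the sequential, time-seeded IDs the article warns
about; no real framework is being imitated. new_strong_id is what a server
should issue instead.
"""
import math
import secrets


class WeakSessionIds:
    """Constructed weak generator: counter + epoch seconds, hex-encoded.

    It looks random to a casual eye, but an attacker who has seen one token
    knows the next counter value and only has to guess the login second."""

    def __init__(self, start: int = 0x1000) -> None:
        self._counter = start

    def new_id(self, now: int) -> str:
        self._counter += 1
        return f"{self._counter:08x}{now:08x}"


class SessionStore:
    """Minimal server-side store, so the brute-forcer has an oracle to test guesses against."""

    def __init__(self) -> None:
        self._live: set[str] = set()

    def add(self, sid: str) -> None:
        self._live.add(sid)

    def exists(self, sid: str) -> bool:
        return sid in self._live


def brute_force_weak_id(observed: str, window_start: int, window_end: int, store: SessionStore):
    """Enumerate every token the weak generator could have issued right after
    `observed` within a time window. Returns (token_found_or_None, attempts)."""
    next_counter = int(observed[:8], 16) + 1      # counter is visible in the token
    attempts = 0
    for second in range(window_start, window_end + 1):
        attempts += 1
        candidate = f"{next_counter:08x}{second:08x}"
        if store.exists(candidate):               # a live session answers the guess
            return candidate, attempts
    return None, attempts


def new_strong_id(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG, URL-safe; cannot be derived from earlier tokens."""
    return secrets.token_urlsafe(nbytes)


def search_space_bits(weak_window_seconds: int) -> tuple[float, float]:
    """Effective entropy the attacker faces: log2 of the candidates to try."""
    weak = math.log2(weak_window_seconds)         # counter known, only the second varies
    strong = 32 * 8                               # every byte of a 32-byte token is random
    return weak, strong


def weak_token_demo(window_seconds: int = 60) -> dict:
    """Attacker logs in, reads its own token, then guesses the next user's token."""
    gen, store = WeakSessionIds(), SessionStore()
    t0 = 1_700_000_000                            # constructed timestamp
    attacker_token = gen.new_id(now=t0)           # attacker observes its own cookie
    store.add(attacker_token)
    victim_token = gen.new_id(now=t0 + 17)        # victim logs in 17 s later
    store.add(victim_token)
    found, attempts = brute_force_weak_id(attacker_token, t0, t0 + window_seconds - 1, store)
    weak_bits, strong_bits = search_space_bits(window_seconds)
    return {
        "victim_token": victim_token,
        "found": found,
        "attempts": attempts,
        "weak_bits": weak_bits,
        "strong_bits": strong_bits,
        "strong_sample": new_strong_id(),
    }


if __name__ == "__main__":
    print(weak_token_demo())
```

The weak scheme collapses to under six bits of effective entropy for a one-minute window, which is why the article's advice is long random keys: against a 256-bit token the same oracle-driven search is hopeless.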
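The session fixation method and the server-side prevention list above are easiest to understand when they run. This added example (not code from the original article) uses a hypothetical in-memory SessionManager: with hardened=False it adopts client-supplied IDs and keeps the same ID across login, which is exactly what fixation needs; with hardened=True it issues only its own IDs and regenerates the ID at login. Both modes log idle sessions off automatically. set_cookie_header shows the cookie flags that keep the token away from page scripts and plaintext HTTP. The class and function names and the timestamps are assumptions for illustration.

```python
"""Session fixation against a weak and a hardened session layer.

Added example, not from the original article. SessionManager is a hypothetical
minimal model of what a web framework's session layer does; the attack and the
fix are shown against that model, not against any real product.
"""
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional


@dataclass
class Session:
    user: Optional[str] = None
    last_seen: float = 0.0


class SessionManager:
    """hardened=False reproduces the two mistakes fixation relies on: adopting a
    client-supplied ID and keeping the same ID across login. hardened=True does
    neither. The idle timeout (auto log-off) applies in both modes."""

    def __init__(self, hardened: bool, idle_timeout: float = 900.0) -> None:
        self.hardened = hardened
        self.idle_timeout = idle_timeout
        self._sessions: dict[str, Session] = {}

    def _lookup(self, sid: Optional[str], now: float) -> Optional[Session]:
        sess = self._sessions.get(sid) if sid else None
        if sess is not None and now - sess.last_seen > self.idle_timeout:
            del self._sessions[sid]                 # automatic log-off after inactivity
            return None
        return sess

    def start(self, requested_sid: Optional[str], now: float) -> str:
        """Called on every request with the ID from the cookie (or None)."""
        sess = self._lookup(requested_sid, now)
        if sess is None:
            if requested_sid and not self.hardened:
                sid = requested_sid                 # VULNERABLE: adopts an unknown, client-chosen ID
            else:
                sid = secrets.token_urlsafe(32)     # hardened: only server-issued IDs exist
            sess = self._sessions[sid] = Session()
        else:
            sid = requested_sid
        sess.last_seen = now
        return sid

    def login(self, sid: str, user: str, now: float) -> str:
        """On successful authentication a hardened server issues a brand-new ID,
        so any ID planted before login stops being valid."""
        sess = self._sessions.pop(sid)
        sess.user, sess.last_seen = user, now
        if self.hardened:
            sid = secrets.token_urlsafe(32)         # regenerate: planted IDs die here
        self._sessions[sid] = sess
        return sid

    def who(self, sid: str, now: float) -> Optional[str]:
        sess = self._lookup(sid, now)
        return sess.user if sess else None


def set_cookie_header(sid: str, hardened: bool) -> str:
    """Build the Set-Cookie value. The hardened variant keeps the token away from
    JavaScript (HttpOnly), off plaintext HTTP (Secure) and out of cross-site
    requests (SameSite=Strict)."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["path"] = "/"
    if hardened:
        c["sid"]["httponly"] = True
        c["sid"]["secure"] = True
        c["sid"]["samesite"] = "Strict"
    return c["sid"].OutputString()


def fixation_attack(hardened: bool) -> bool:
    """True if the attacker ends up holding the victim's authenticated session."""
    server = SessionManager(hardened)
    t = 1_700_000_000.0                             # constructed timestamp
    # 1. Attacker obtains an ID: one it invents (adopted by the weak server) or,
    #    against the hardened server, a genuine pre-authentication ID it is issued.
    planted = server.start("ATTACKER-CHOSEN-ID", now=t)
    # 2. Victim is made to use that ID (link carrying it, hidden form field,
    #    cookie injected via XSS) and logs in with it.
    victim_sid = server.start(planted, now=t + 30)
    victim_sid = server.login(victim_sid, "alice", now=t + 31)
    # 3. Attacker replays the planted ID.
    return server.who(planted, now=t + 60) == "alice"


def idle_timeout_logs_off(hardened: bool = True) -> bool:
    """The session answers within the idle window and is gone after it."""
    server = SessionManager(hardened, idle_timeout=900)
    sid = server.login(server.start(None, now=0.0), "alice", now=0.0)
    return server.who(sid, now=100.0) == "alice" and server.who(sid, now=2000.0) is None


if __name__ == "__main__":
    print("weak server hijacked:", fixation_attack(hardened=False))
    print("hardened server hijacked:", fixation_attack(hardened=True))
    print(set_cookie_header(secrets.token_urlsafe(32), hardened=True))
```

Note that refusing unknown IDs is not enough on its own: against the hardened server the attacker still receives a valid pre-login ID and can plant that one. It is the regeneration at login that breaks the attack, which is why the two controls belong together.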
ITIL Service Lifecycle And The Stages Of Successful Implementation

In today's fast, digitized world, almost every business around you depends on quicker and more precise functioning, and digital functions can be found in every aspect of a company's trade, helping it achieve detailed output. The end of 2018 was expected to see almost a 30 percent increase in the use of information technology functions in large, medium and small-scale industries, which is what makes ITIL relevant.

ITIL, or the Information Technology Infrastructure Library, is the application of IT service management to business so that the business becomes far more manageable. In 2018 ITIL has become an indispensable part of the commercial world, with almost every kind of trade and transaction depending on information technology in one way or another. The main aim of ITIL is quality output delivered with precision, and using ITIL in the running of a business saves much of the company's cost. ITIL has its own course through which you can become an IT specialist. As an ITIL expert, you take responsibility for organizations that still depend on manual ways of working, implementing the entire digital way of operating: transactions, interactions, client-to-business support platforms and more.

As Kaimur Karu, currently associated with ITSM at Axelos, says, “The ultimate priority should be on delivering results. Everything else is just a means to an end.”

Five stages of ITIL

With the concept and aim of ITIL understood, we come to the steps. ITIL has five stages:

Service Strategy: The first stage of ITIL consists of instruction on how to lay the foundation for IT services in a non-IT or semi-IT scenario. Organizations are told exactly which kind of implementation will give them an edge over their competitors, and IT departments use practical methods to show the importance of IT to the business.

Service Design: After the successful inception of ITIL, the second stage focuses on designing the whole concept so that it delivers the greatest benefit and the most significant output. Efficient designs let you address all customer queries and ensure the highest level of customer satisfaction.

Service Transition: Implementing ITIL brings a drastic change that could in turn affect productivity. This stage therefore plans the systematic, phased transition from non-IT or semi-IT deployment, so that the change is evenly distributed and both the business and its customers get accustomed to the new order.

Service Operation: After all the changes have been implemented, the next stage is to monitor whether the new order functions successfully. The ITIL function ensures that it runs smoothly and efficiently, without fear of loss or of the whole system crashing, and provides hassle-free interaction between customer and business.

Continual Service Improvement: The job does not end with the stages above. The ITIL expert must keep monitoring for any error or discrepancy arising in the system and is also responsible for the updates and improvements that innovation brings every day.

Concepts of ITIL

Analyzing the concepts of ITIL is crucial to the stages of deployment in a real-time scenario. The concepts that govern ITIL are:

- ITIL provides efficient service to every client or organization that seeks its help, without financial risk or loss.
- The ITIL expert provides a set of capabilities and resources that are used for successful implementation of the program.
- The provider of the IT service also provides value, in the form of utility (removing obstacles so that everything functions properly) and warranty (reliability and longevity of performance).
- A process is the structured set of activities through which the whole function is implemented; its objectives are specific, measurable outputs, judged against customer satisfaction. Before implementing ITIL you therefore need to be very sure of the function you need and of the results you want from the implementation.

Board member of the DevOps Institute Jayne Groll says of the most effective chain of ITIL: "DevOps does not in and of itself have a single body of knowledge, so it does support agile, lean and IT service management."

Case study of a successful implementation

A reputed energy company, with head offices in over 100 countries across six continents, is one example of a successful ITIL implementation: it switched to a globally centralized management system through ITIL. Starting in 2004, it carefully implemented a plan for overall, centralized communication, to avoid the cumbersome process of collecting data and output from so many headquarters around the world. Initially 430 centers were consolidated into just four mega-centers, with an annual target of shrinking the distribution by a further 25 percent each year until administration was fully centralized. Within three years, significant improvement in communication and functioning was observed, saving up to 25 percent of costs and increasing efficiency.