you are at: Home DII Divisions Commissioner CIO DII Newsletters May 2009 Newsletter

May 2009 Newsletter

 

 

In this months Issue:

Summer Plans

by Tom Murray

Tom

 

Summer Plans. Unfortunately, that does not mean that work and projects will slow down; if anything they will increase, as the state looks to technology to drive business processes more efficiently. Virtually every agency and department has a full plate of projects and ongoing operational requirements that need to be met.

In light of these challenges, several agencies are reaching out to DII to see how we can help. These requests range from desktop and/or server support to project management assistance. More and more our state agency customers are recognizing that DII can bring value to the table, and if not we can point them to the necessary resources.

One of DII’s critical roles is connecting the dots between these various projects and making sure agencies benefits from solutions and lessons learned by other state entities. Later this year our project management team will be upgrading the Plan IT system to a new solution that will better track the state’s IT portfolio and ensure we build the best possible solutions.

We appreciate the support that we get from state agencies and look forward to a productive summer on our shared projects.

Your PC May Be Infected

by Kris Rowley

Virus

Photo by Rodolfo Clix, Brazil

 

Your PC May Be Infected! Click here to clean it!
Have you seen this advertisement or similar pop-up messages? A free PC scan or an offer to clean your computer of supposedly infected files are often attempts by malevolent persons or organizations to install malicious software (malware) such as a Trojan horse, keylogger, or spyware. Such software is referred to as rogue (fake) anti-virus malware.

How can my system get infected?
The primary way rogue anti-virus software gets on your system is the result of you clicking on a malicious link in an advertisement or similar pop-up message. The wording contained in the advertisement is usually something alarming, designed to get your attention and attempt to convince to you scan your PC or clean it immediately with the offered tool. The names of the fake programs sound legitimate, and often, in a further attempt to make the malware appear legitimate, the programs may prompt you to pay for an annual subscription to the service.
Any kind of website could host ads for rogue anti-virus: news sites, sports pages, and social networking sites as well as “riskier” sites such as hacker blogs. Some varieties of rogue anti-virus programs will also get installed on your machine just by you visiting a website with a malicious ad or code, and you might never know you’ve been impacted.

Won’t my valid anti-virus and anti-spyware program protect my computer?
Though good anti-virus and anti-spyware programs will protect against many threats, they cannot protect against all malware threats, especially the newest ones. There are millions of different versions of malware, with hundreds more being created and used every day. It may take a day, a week, or even longer for anti-virus companies to develop and distribute an update to detect and clean the newest malware.

What can rogue anti-virus software do to my computer?
Just about anything, especially if you are using administrative-level access when using your computer. Rogue anti-virus software might perform many activities, including installing files to monitor your computer use or steal credentials, installing backdoor programs, or adding your computer to a botnet. The malware might even use your computer as a vehicle for compromising other systems in your home or workplace network.
Rogue anti-virus software can also modify systems files and registry entries, so that even when you clean off some infected files or registry keys, others might remain or even allow the infections to be restored and active again after your system is rebooted. For example, one recent rogue anti-virus program reportedly installed several malicious Trojan files, and also made over two-dozen different changes to ensure that the malware stayed on the system and stayed running. Often this type of malware blocks access to valid security sites (anti-virus and anti-spyware companies, and operating system and application update sites) so that you won’t be able to patch or clean your system by visiting those valid sites.

What can I do to protect my computer?

  1. Don’t click on pop-up ads that advertise anti-virus or anti-spyware programs. Even though pop-up ads are used for valid advertising they can also be used for malicious purposes, like getting you to install fake security programs. If you are interested in a security product, search for it and visit its homepage, don’t get to it through a pop-up ad.
  2. Use and regularly update firewalls, anti-virus, and anti-spyware programs. It is very important to use and keep these programs updated regularly so they can protect your computer against the most recent threats. If possible, update them automatically and at least daily.
  3. Properly configure and patch operating systems, browsers, and other software programs. Keep your system and programs updated and patched so that your computer will not be exposed to known vulnerabilities and attacks.
  4. Turn off ActiveX and Scripting, or prompt for their use. ActiveX controls are small programs or animations that are downloaded or embedded in web pages, which will typically enhance functionality and user experience. Many types of malware can infect your computer when you simply visit a compromised site and allow anything to run from the website, such as ads. Turning off ActiveX and Scripting can help protect your computer if you inadvertently browse to or are unwillingly redirected to a malicious site. (You can limit the functionality of your Internet browser through its configuration choices, but be sure to look for a guide if you are unfamiliar with how to limit scripting and active content—see below for resources.)
  5. Keep backups of important files. Sometimes cleaning infections can be very easy; sometimes they can be very difficult. You may find that an infection has affected your computer so much that the operating system and applications need to be reinstalled. In cases like this it is best to have your important data backed up already so you can restore your system without fear of losing your data.
  6. Regularly scan and clean your computer. If your organization already has configured this on your computer, do not disable it. If you need to scan your computer yourself, schedule regular scans in your programs. Also, several trusted anti-virus and anti-spyware vendors offer free scans and cleaning. Access these types of services from reputable companies and from their webpage, not from an unexpected pop-up.

For more information, please visit:
Partial List of Rogue Security Software: http://en.wikipedia.org/wiki/Rogue_software
Free Security Checks: www.staysafeonline.info/content/free-security-check-ups
Pop-ups: www.msisac.org/awareness/news/2008-12.cfm
Web Browser Attacks: www.msisac.org/awareness/news/2008-07.cfm
Malware: www.onguardonline.gov/topics/malware.aspx
Spyware: www.onguardonline.gov/topics/spyware.aspx
Free Check for File Infection: www.virustotal.com/

Domain Name System Security

by David Kreindler

 

"We take for granted that when we type "vermont.gov" into our web browsers, the corresponding address that our computer receives from a DNS server is really the address of the State's web site server. But how do we know for sure? The answer is: currently, in general, we do not."

We all depend on the domain name system (DNS) as the Internet's "address book". Instead of having to memorize the network address of a web site that we want to visit, we use a human-friendly host name and let our computers look up the address that corresponds to the name. So instead of telling our web browser to fetch a page from "206.16.212.90," for example, we simply ask for "vermont.gov." Before the web browser can request the web page, it must translate the host name into an ip address, which it does by querying a DNS server.

The DNS is a distributed, hierarchical directory in which responsibility for individual domains is delegated to authoritative DNS servers. You can think of the DNS as an upside-down tree: root servers know where top-level domains (TLDs), like .com, .org, .gov and .us, are hosted. In turn, the authorities for the TLDs know where second-level domains, like vermont.gov and vt.us are hosted. When a DNS server is queried for the address of vermont.gov, it initiates a sequence of its own queries — called "recursive" queries — beginning at a root server, which provides information about the .gov DNS servers. It then queries a .gov DNS server for information about the vermont.gov DNS servers, and, finally, it queries a vermont.gov DNS server for the address that corresponds to the host name.

DKreindlerGraphics

For efficiency, a DNS server (and most computers) will cache DNS responses that it receives. So the second time somebody asks a DNS server for the address of vermont.gov, instead of repeating the sequence of recursive queries, the DNS server can simply fetch the answer from its cache, make sure the information is up-to-date and then return the cached address.

We take for granted that when we type "vermont.gov" into our web browsers, the corresponding address that our computer receives from a DNS server is really the address of the State's web site server. But how do we know for sure? The answer is: currently, in general, we do not. The domain name system was not designed for security. After all, there is nothing confidential about DNS information. In fact, the whole point of the DNS is to make information publicly available. Unfortunately, confidentiality is just one aspect of security. What has been missing from the DNS is a way of ensuring the integrity of the information.

Even assuming that an authoritative name server has not been compromised — that it is answering queries with correct information — there is a group of vulnerabilities in the DNS protocol that allows for the injection and propagation of incorrect information. This phenomenon is called cache poisoning. Though there are ways of mitigating cache poisoning vulnerabilities, until recently there has been no way for a computer or its user to validate the response received from a DNS server.

DNS Security (DNSSEC or NSEC) is a set of extensions to the DNS standards and protocol that aims to provide a way for a security-aware DNS server to validate responses that it receives. The extensions utilize public-key cryptography and a chain of trust in much the same way as secure web sites use certificates and "SSL" to encrypt and — more importantly — authenticate themselves to web browsers. A DNSSEC-secured zone utilizes cryptographically "signed" records, which a security-aware DNS server can validate by following a chain of trust up through the DNS hierarchy to a trusted authority.

In August 2008, the federal Office of Management and Budget issued a memo (M-08-23) mandating the deployment of DNSSEC by federal agencies in the .gov domain by the end of 2009. The first step in that deployment, getting the .gov TLD zone signed and established as a trust anchor, was completed in January. Though Vermont is not required by the OMB memo to implement DNSSEC, with the cooperation of the .gov TLD administrators, we have been able to implement DNSSEC for all of the .gov second-level domains that are hosted on the Govnet name servers, including vermont.gov, vt.gov and four others. From now on, any computer user on the Internet with access to a security-aware DNS server will know that when they ask for the address of vermont.gov, the answer they receive will be the answer we intended for them to receive.

Enterprise Resource and Planning

by Mike Morey

ERP 

There are many definitions of what an Enterprise Resource and Planning (ERP) system is and does. Some who use an ERP system focus on the resources side of the system. These could be the people, the physical assets and or funding streams, while others may be more focused on the planning aspects of the system - subject areas like budgeting, delivery time and purchasing. What makes up a company’s ERP system has much more to do with the business they are in than just the acronym ERP. Manufacturers rely on their ERP systems for supply chain and order flow, while financial institutions utilize their ERPs for general ledger and customer service.

We can think of the ERP as a consolidated group of electronic processes that attempt to reduce redundancy between functions and deliver a unified view of all business processes. An ERP system is all about standardization and consistency. Even as the central nervous system for business processes, in their electronic form the ERP can not be expected to solve all processing issues. The ERP still needs to follow the 80 – 20 rule, ok maybe 90 – 10 rule, where 10 percent of the process may just be better suited outside the ERP. It is all about the complexity. Spreadsheets still have their place.

Now the fun begins. How complex is a system that can place an ad in a paper recruiting for a position, interview and track several people for the position, hire the person into the position, coordinate the benefits and pay for this person (these can change with sometimes little rhyme or reason), balance this persons salary against a financial budget, coordinate with third party vendors for health care and finally manage the person through retirement. That is only a piece of a business process. If we have 600 different end-to-end business processes all interacting with one another, then complexity is almost a given. If on top of that the business processes change very often then there is a tremendous amount of effort in coordinating all the ERP process interactions.

The State of Vermont’s ERP system is PeopleSoft and several other systems of this same nature. They are complex, not particularly agile and require a lot of planning themselves. Another important facet of an ERP system is that it contains critical data, both financial and personal, that needs to be available and secure. Often these systems are mandated by law to contain certain controls around how changes are made to them, how often third parties audit them and how other systems will interact with them. If you are interested in more Oracle People-Soft information you only need to go to the oracle website and you will find enough information to keep you busy reading for months. At the end of your reading journey, you may feel more comfortable with what the People-Soft ERP solution is supposed to Accomplish, or if not, at least see the extreme complexity that ERP systems are trying to overcome.

Voice and Data Cabling

by Ruthann Sullivan

DataCabling 

All Voice and Data cabling installation and repairs must be requested through the Department of Information and Innovation Telecommunications office. By “repair” we do not mean that DII is responsible for policing or identifying or removing or otherwise rehabilitating wiring that was abandoned due to renovations, nor are we responsible for cables previously installed by any other entity, or installations that were previously done by some other entity that do not meet industry standards.

DII Telecom will insure that the State and industry wiring standards are followed going forward and insure coordination within the Department requesting the work. We will also work closely with BGS when projects require low voltage activities. We can partner with your Department to find the right resources to assist in those efforts when suspected by Information Technology representatives or identified by Electrical Inspectors. The responsibility for the cost to install or deinstall older installations rests with the department or agency where the work was done unless other agreements with landlords or BGS have been made.

The State employs two Telecommunications Specialists who perform technical work involving the installation and maintenance of telecommunication systems and cable plants throughout state government facilities. Their work includes installations, repairs, modifications and disconnections of telephone systems, individual Centrex and business lines and high speed circuits. They foster common carrier and vendor partnerships involving maintenance of equipment, installation of voice & data circuits and are usually the onsite representative in the resolution of disputes over non-performance with vendors.

In addition to the Telecommunications Specialists, the State has seven contractors, five in Vermont and two from out of State, who can be engaged for small to large construction or renovation projects. For more information on these companies see the following website: http://dii.vermont.gov/DII_Divisions/Customer/Install_Repair/Voice_and_Data_Cabling_Systems

Five Systems That Will Change the World

by Ron Petty

FiveSystems 

Okay, maybe not “the world”, but at least they will improve some of the services that DII provides to its’ customers.

As you may be aware, DII recently joined forces with the IT staffs of BGS, Libraries, DHR, and Finance. In addition to adding some valuable members to our happy family, we’ve also been able to incorporate some valuable Enterprise- level systems. Some of those systems, in addition to other projects that DII is already working on, are outlined below:

Citrix – BGS and Finance both currently use Citrix, as do other departments throughout the state. DII has plans to create an Enterprise-level Citrix farm that can be utilized by other departments who previously did not have this as an option. You can learn more about Citrix here: http://www.citrix.com/

McAfee ePolicy Orchestrator (for Desktops) – McAfee ePO is used by several departments across the state, so landing on McAfee as a desktop solution for DII and our customers seems like a good choice. DII is currently in the project planning phases of creating an Enterprise-level ePO solution for its Desktop environment. You can learn more about McAfee ePolicy Orchestrator here: http://www.mcafee.com/us/enterprise/products/security_compliance_management/epolicy_orchestrator.html

Alloy Software (Asset Management) – As DII’s customer base continues to expand, so does its’ need to better manage its’ rapidly growing number of assets. Alloy Software, also used by BGS, provides us the ability to centrally manage our Enterprise infrastructure. You can learn more about Alloy Software here: http://www.alloy-software.com/

SharePoint – Microsoft Sharepoint is a server system that is part of the 2007 Microsoft Office System. Sharepoint contains many features that DII customers can utilize, such as content publishing, content and document management, busi- ness intelligence, business process and forms, and much more. You can learn more about Sharepoint here: http://www.microsoft.com/sharepoint/prodinfo/what.mspx

Enterprise Vault – If you’re like me, you often get messages about running out of email space on Exchange. And while we try to keep our mailboxes cleaned up, there are inevitably times when it simply fills up. Enterprise Vault takes messages out of your Exchange mailbox, moves them to a database, and gives you a link to click to retrieve them. This keeps your mailbox size down, which in turn, also keeps Exchange running smoothly. You can learn more about Enterprise Vault here: http://www.enterprisevault.com/

Employee Bio - Tavis Morse

by Peter Jaquith

TavisMorse 

In this month’s BIO we are introducing Tavis Morse from the DII / HR PeopleSoft group to you. Please take this opportunity to get to know a little more about Tavis.

Tavis has been a member of the DII / HR team since July 2008 and currently works as a PeopleSoft Systems Administrator. One year ago, Tavis was working as an Exchange Systems Administrator with AHS in Waterbury, where he had worked for his first three years with the State. He says he was looking for an opportunity to challenge himself and learn some new skills. He saw just this opportunity arise within DII and decided to jump onboard.

Tavis is an alumni of Lyndon State College from which he graduated in 1990 with a Bachelor’s degree in Communications. He currently resides in Plainfield, VT with his wife Lisa, three daughters Kassandra (12), Madeline (11), Galadriel (10) and his son Aiden, who is 4. He very much enjoys gardening and hiking with his family and living under the shadow of Spruce Peak, a frequent destination for family hikes. The arrival of spring brings sugaring season to Vermont and the Morse family actively participates in this “sweet” springtime activity. But, the next project at the Morse home is to expand capacity to raise an additional 20 chickens. They are more than just egg layers as they have become great family pets too.

On a personal note, Tavis enjoys mountain biking and he recently began learning to play the fiddle. Yes, a man of many trades, system developer, chicken farmer and now musician! You may find Tavis frequenting Sarducci’s or other Italian eateries as he says he loves a good Italian meal. Tavis does not ascribe to any particular style of music. He instead says he simply enjoys listening to anything new that he hasn’t heard before.

When asked about a favorite book he cites The Diamond Age by Neal Stephenson for a technological look into the futuristic and complex world of nanotechnology.

Tavis is playing a key role in the HR/PeopleSoft upgrade project. He brings his valuable expertise and diverse interests to our group.

Welcome to the DII team Tavis!

Change, Change, Change

by Christine Hetzel, PMP

PMCorner 

Ever feel like you are pulling teeth trying to convince employees to adopt new business processes? Ever wonder why you seem to be having the same conversation, over and over again with various team members? Let’s face it, change is hard for everyone.

For those of us that are involved in and support technology projects, we all realize that technology is the easy part. The hard part always has been and always will be changing the way that people do and see their work. In part, this is because we always assume that the organization as a whole will automatically adopt the changes necessary to implement the change. The reality is that organizations or departments don’t change; the individuals within these organizations either embrace or reject the change. Although we are speaking specifically about change at work, the principles are the same in our professional or personal lives.

In an effort to increase the success of technology projects, the Enterprise Project Management Office (EPMO) at DII has embraced the Prosci (c) Change Management ADKAR Methodology (not to be confused with Configuration Management).

Awareness
of the need for change
Desire
to participate and support the change
Knowledge
on how to change
Ability
to implement required skills and behaviors
Reinforcement
to sustain the change

Let’s use the example of providing your department with a new database to replace a manual process. As implementers of technology, if we make the mistake of providing Knowledge to employees, in the form of software training without taking the time to build their Awareness of why this change needs to take place (i.e., more limited staff so the work needs to be completed faster), or to help them identify why they Desire to adopt the new process, this implementation will fail. Frequently employees will continue to utilize the manual processes and ignore the new database, or if forced will utilize both the manual and automated process. They haven’t internalized that this database can help them in their work and therefore, gained no efficiencies from this implementation.

In world of constant change that we live in, Prosci (c) is a wonderful resource. Check out their website: http://www.prosci.com/

Suggested books:
Change Management, the people side of change by Jeffrey M Hiatt and Timothy J Creasey
ADKAR, a model for change in business, government and our community by Jeffrey M. Hiatt

For more information about Change Management, feel free to contact me at the EPMO Office at your convenience, 828-1143.

“Change is inevitable - except from a vending machine.”  Robert C. Gallagher

Understanding Business Processes

by Rick Daniell

Puzzle 

When a Business Analyst embarks upon a new project, the very first mission at hand needs to be “understanding the business processes”. This period of information gathering and processing can significantly increase the chances of success and the quality of the end result. It does not matter if it is a new computer application, a system enhancement or a business process improvement; the first key is to understand the situation.

According to Ben Graham, who has been in the Business Analysis profession for well over 25 years, there are seven keys to understanding business processes.
1. Determine what documents, forms, reports and databases are utilized by the process.
2. Determine where the work is being done.
3. Determine who is doing the work.
4. Assess when and where most of the process time occurs.
5. Determine where decisions are made.
6. Identify where the process controls are.
7. Establish what steps are “value-added”.

This initial effort may seem like it is slowing the process down, but the investment is well worth the rewards.

I think the simple quote from W.Edwards Deming sums it - “You should not ask questions without knowledge.”