<p><strong>InformationWeek Stories by Tim Wilson</strong><br />http://www.informationweek.com | InformationWeek | en-us | Copyright 2012, UBM LLC.</p>
<hr />
<p><strong>How Cybercriminals Choose Their Targets</strong><br />2012-09-17T08:00:00Z | Attackers look for companies with poor defenses and a lack of security skills, so no business, not even an SMB, is immune.<br />http://www.informationweek.com/news/240007409?cid=RSSfeed_IWK_Authors</p>
<p>Whom do hackers want to hack? This might be one of the most misunderstood questions in IT security, and misperceptions here often lead businesses to make poor decisions about their defenses.</p>
<p>Logic tells us that cybercriminals are like Willie Sutton--they go where the money is. Banks and other financial companies, as well as businesses with lots of credit card data, would be the prime targets, right? 
And the bigger they are, the better targets they make. </p> <P> This same logic is often applied to attacks on end users. If you're going to target a user, make it a high-level executive, a wealthy individual, or an IT administrator who has access privileges to many different systems. Go for the users with the keys to the safe.</p> <P> All of these assumptions are perfectly logical. But they're also all wrong.</p> <P> Most cybercriminals just aren't all that selective. True, banks handle lots of transactions, but any company with money is a good target, and a company that sells snack foods or construction equipment may have far fewer defenses.</p> <P> Similarly, the perception that cybercriminals target only big companies is a myth. Large companies have more money, but they also have big security teams and high-priced defenses. Small and midsize companies have fewer security skills and little in the way of security budgets, which makes them natural targets for cybercriminals who don't want to work too hard. As you'll see in this special issue of <i>InformationWeek SMB</i>, smaller businesses frequently overlook core security practices that leave their data--and their finances--at risk.</p> <P> <strong>People Of Interest</strong></p> <P> There are similar myths on the end user side. While it may be logical to provide extra protection for CEOs and password administrators, the notion that highly placed employees are the only people spear phishers and other targeted attackers go after is mistaken. Sophisticated cybercriminals know they don't have to crack the CEO's passwords to get access to valuable data. Line-level employees, contractors, even employees' relatives can be part of the target base. These guys aren't choosy, as long as the target is a step closer to the information they seek.</p> <P> Cybercriminals are looking for low-hanging fruit. Their targets are companies with poor defenses, a lack of security skills, and vulnerable end users. 
They're looking for unlocked doors and open windows. The path of least resistance will always be the one most beaten down by bad guys.</p>
<p>There are many other reasons a cybercriminal might target your company and your employees, but the message is the same: No business, no individual is immune. Whether you're Sony or a mom-and-pop shop, you may be a target today. How you respond to that threat could make the difference between being safe and being breached.</p>
<hr />
<p><strong>More Sony Problems Reported; Company Launches ID Theft Service</strong><br />2011-05-26T04:44:00Z | Debix gets the call to help thousands of PlayStation Network users affected by breach.<br />http://www.informationweek.com/news/229700071?cid=RSSfeed_IWK_Authors</p>
<p>Amid further reports of compromises, Sony said yesterday that it has launched an identity theft protection offering for users who might have been affected by the breach of its PlayStation Network earlier this month.</p>
<p>Sony has brought in Debix to provide the AllClear ID PLUS identity theft protection program, which will be offered to PlayStation Network and Qriocity customers who are concerned about the exposure of their personal data in the hack of the network earlier this month.</p>
<p>"AllClear ID PLUS is a premium identity protection service that uses advanced technology to deliver alerts to help protect you from identity theft," Sony told users in a blog post. "The service also provides identity theft insurance coverage and hands-on help from expert fraud investigators." Users who have been on the PlayStation Network since April 20 will be eligible for a free year of the service.</p>
<p>Sony on Tuesday reported yet another security breach, saying 8,500 user accounts had been compromised.</p>
<p>The breach, which occurred through Sony Music Entertainment Greece, affected artist websites where fans can sign up for newsletters. The sites were taken down immediately, the company said. The compromised records contained email addresses, phone numbers, user names, and passwords.</p>
<p>The sites, which were hosted by a third party, will be relaunched after a security review, the company said.</p>
<p>The news of the hack in Greece follows the report of vulnerabilities found on the Sony website in Japan.</p>
<p><em>Read the rest of this article on <a href="http://www.darkreading.com/authentication/167901072/security/privacy/229700005/more-sony-problems-reported-company-launches-id-theft-service.html">Dark Reading</a>.</em></p>
<hr />
<p><strong>Despite Reports, Sony Says PlayStation Network Was Not Hacked Again</strong><br />2011-05-18T15:49:00Z | Password reset issues cause network downtime, but no new hacks occurred, company says.<br />http://www.informationweek.com/news/229502476?cid=RSSfeed_IWK_Authors</p>
<p>Reports that Sony has suffered yet another hack are greatly exaggerated, the gaming company said today.</p>
<p>A report on <a href="http://sony.nyleveia.com/2011/05/17/warning-all-psn-users-your-accounts-are-still-not-safe">Nyleveia.com</a> earlier today stated that new vulnerabilities had been discovered on the Sony PlayStation Network and that user account data was at risk.</p>
<p>Several news outlets followed the initial story with reports that the PlayStation Network, which was down for almost three weeks following a series of three hacks, had been compromised again.</p>
<p>In several updates, however, Nyleveia reported that the exploit was a new discovery and that its reports were intended as a warning to users that they should reset their passwords.</p>
<p>"If the current downtime for the web based forms results in the exploit being patched, then our job is done and the potential theft of countless user accounts has been nipped in the bud as early as humanly possible," the site says.</p>
<p>Sony conceded that it did block PSN login access to a number of users on its site, and the PSN password reset site was also taken offline for a period of hours. "Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being," the company said.</p>
<p>In a later statement on its <a href="http://blog.us.playstation.com/2011/05/18/update-on-psn-password-reset-process/">company blog</a>, Sony said that the systems had been restored and no new hacks had occurred.</p>
<p><em>Read the rest of this article on <a href="http://www.darkreading.com/security/privacy/229502465/despite-reports-sony-says-playstation-network-was-not-hacked-again.html">Dark Reading</a>.</em></p>
<hr />
<p><strong>Botnets Come Roaring Back In New Year</strong><br />2011-01-29T00:00:00Z | As Rustock and Waledac begin pumping spam again, botnet experts say the bad guys will be up to their old tricks -- with some new twists -- in 2011.<br />http://www.informationweek.com/news/229001005?cid=RSSfeed_IWK_Authors</p>
<p>After a brief hiatus at the end of 2010, botnets are back. And they might have a few new tricks up their sleeves.</p>
<p>Security research lab NetWitness earlier this month reported increased activity on the Rustock botnet, while Websense flagged a new spam push from the well-known Waledac network. These spikes come less than a month after many research labs reported a downturn in spam activity in the final quarter of last year.</p>
<p>As the new year rolls out, security experts expect that botnet operators will be back in full force.</p>
<p>Joe Stewart, director of malware research at SecureWorks, says he doesn't expect to see new attacks but rather incremental development and improvement on what's already out there. "The politically motivated attackers have started some new trends, such as opt-in botnets [and] JavaScript cross-site bots. I expect these tools to become easier to use, more effective, and more resilient in 2011," he says.</p>
<p>In its blog, anti-malware technology vendor Dasient predicts 2011 will bring "a large botnet cyberwar" that will be won by Zeus, the Trojan toolkit that became botnet operators' favorite mode of attack in 2010.</p>
<p>"2011 will likely be the year that large botnets will start more aggressively competing to sustain their growth, and users will get caught in the middle," Dasient says. 
Zeus has proved its ability to grow larger than other botnets and is also one of the most profitable botnets targeting financial institutions, the company says, adding that Zeus will hold its ground against other botnets that try to attack it.</p> <P> As botnets become more common, many operators will simply steal infected PCs from other operators rather than build their own networks, says Dasient CTO Neil Daswani. This infighting started last year, when operators began distributing malware that actually patches vulnerabilities in the PCs it infects, making it more difficult for other botnet operators to use those flaws to infect the same PCs.</p> <P> "Once the user's machine is caught in a battle between botnets, it may begin to experience slowness and unreliability that botnets have generally been able to hide in the past," Daswani says.</p> <P> <strong>Social Attacks</strong></p> <P> Another emerging trend is the use of social networks for botnet command and control, says Christopher Elisan, a senior research analyst at Damballa, which makes technology for defending against botnets and other advanced threats. In the past, operators did their command and control using IRC or other channels that were relatively easy to bring down, "but you can't take down a social network," Elisan says.</p> <P> The recent surge in politically motivated distributed denial-of-service attacks, such as those in support of WikiLeaks, will likely gather momentum in 2011. Some of those attacks are built on the opt-in-style approach, which lets users who support a cause set their PCs to participate. This botnet-building method can be difficult to defend against because the attacks emanate from devices and software not previously associated with botnets.</p> <P> DDoS attacks also change the way botnets are used, Elisan says. 
While the operator of a large botnet typically parcels out portions of the network to support a number of spam campaigns, a DDoS attack might use all of the botnet's nodes at once. When the largest networks are used for this type of focused attack, they can be nearly impossible to defend against--a sobering thought for large businesses that will likely be the next targets.</p>
<p>On the other end of the spectrum, attackers are increasingly using smaller botnets to avoid detection and infect specific targets. "We've seen botnets as small as 10 computers," Elisan says. "The smaller it is, the less footprint it makes and the harder it is to detect."</p>
<p>Some small botnets might be given node names and addresses designed to look like everyday network designations, enabling them to hide in plain view of network administrators who don't know what to look for, he notes.</p>
<p>While small botnets might be useful for covert data gathering, larger ones will continue to be used for broader attacks, such as spam campaigns and DDoS exploits. But are there uses for botnets that haven't yet been conceived?</p>
<p>Daswani is convinced that there will be at least one new botnet application this year. There's already some use of botnets for keystroke logging, he says, and more audio and Web logging is expected.</p>
<hr />
<p><strong>Security Researcher Wins Prestigious MacArthur "Genius" Grant</strong><br />2010-10-02T00:00:00Z | Dawn Song, head of the Berkeley lab that developed BitBlaze, will get $500,000 for more research.<br />http://www.informationweek.com/news/227600050?cid=RSSfeed_IWK_Authors</p>
<p>A security researcher was among 23 individuals who received the prestigious MacArthur "genius" Fellow awards yesterday.</p>
<p>The award winners, who each receive $500,000 to spend over five years of research in a promising field, come from all disciplines, ranging from economics to science. The award is given by the John D. and Catherine T. MacArthur Foundation.</p>
<P> Dawn Song, 35, an associate professor in the Department of Electrical Engineering and Computer Sciences at the University of California-Berkeley, is being recognized for her innovative work on protecting computer systems from malware. <P> The MacArthur Foundation cited Song's approach of identifying security breaches by identifying underlying patterns of computer system behavior that can be applied across whole classes of security vulnerability, rather than focusing on specific errors in programming logic. <P> "The call was out of the blue and such a pleasant surprise," said Song, about learning the news. In an interview with the MacArthur Foundation, she discussed the potential impact of the award on her ability to pursue unconventional research. <P> "To me, life is about creating something truly beautiful, and in order to do that, often it involves taking a path that is less traveled," she said. "The MacArthur fellowship will allow me to take that path to explore new territory that other people have not walked." <P> One of Song's project topics is analogous to biological defenses against infection. Much like our human immune system is constantly on the lookout for invaders, the BitBlaze program developed by Song's lab scans and analyzes binaries of vulnerable software and malicious code, and automatically identifies the root cause of attacks to generate defenses. <P> Song's lab is now working on the next generation of BitBlaze, making it more scalable and powerful than its predecessor. Her group is also exploring how to extend this technology to other areas, such as networked medical devices and systems. <P> Another area Song plans to pursue is better protection of users' privacy when they go online. "A lot of sensitive data about people are being collected on the Internet, such as users who use online social networks or cloud-based services," Song said. 
"A big question is how we can protect users' privacy without hindering their ability to use these services."</p>
<p>Song's work in security and privacy issues has already garnered her quite a bit of attention, earning her a National Science Foundation CAREER Award for young faculty, an MIT Technology Review Award for being among the world's top young innovators, a Guggenheim fellowship, an Alfred P. Sloan Research Fellowship, and the IBM Faculty Award, among many others.</p>
<p>Before coming to UC Berkeley, Song was an assistant professor at Carnegie Mellon University. She obtained her Bachelor's degree in physics from Tsinghua University in China in 1996, her Master's in computer science from Carnegie Mellon University in 1999, and her Ph.D. in computer science from UC Berkeley in 2002.</p>
<hr />
<p><strong>New Approaches To Government IT</strong><br />2010-07-03T00:01:00Z | The job of CIO in government has become more challenging and more visible. InformationWeek Government recently hosted the Government IT Leadership Forum, where more than a dozen CIOs and CTOs shared their strategies. Here are highlights from the event.<br />http://www.informationweek.com/news/225702117?cid=RSSfeed_IWK_Authors</p>
<p><em>The job of CIO in federal government has become more challenging and more visible. Uncle Sam's top IT decision makers are looking to secure systems, improve project performance, and deliver new services in an era of open government. On June 15, InformationWeek hosted the Government IT Leadership Forum in Washington, where more than a dozen CIOs and CTOs shared their strategies on these and other priorities. Here are highlights from the event.</em></p>
<p><strong>Tackling The Tough Issues Head On</strong></p>
<p><em>Federal CIO Vivek Kundra gave the opening keynote at</em> InformationWeek<em>'s Government IT Leadership Forum. Following is an excerpt from his speech.</em></p>
<p>People can go online using consumer technologies, and they're able to conduct their day-to-day activities in a manner that's almost frictionless. Yet when it comes to dealing with their government, we tend to take them back a decade or two or three. This gap in technology, unfortunately, is a result of the federal government focusing in the wrong areas in terms of the investments that we've been making.</p>
<p>Part of what we're trying to do in the Obama administration is bring the Darwinian pressure that's apparent and present in the consumer space to federal government. How do we innovate? How do we deploy technology? How do we make sure that it doesn't take years in terms of rolling out some of these innovations?</p>
<p>We've begun that journey. There are a number of success stories across federal government where great work is happening. We just announced a simple move by the Department of Treasury, essentially going paperless, saving hundreds of millions of dollars over the next five years. More importantly, it's also going to prevent fraud on an ongoing basis.</p>
<p>Across the federal government, what we've seen, as a function of heavy investments, is that people have tried to address this problem over the last 50 years. There have been OMB memos and legislation. It's not because of a lack of investments. We've spent as a federal government over $500 billion [on IT] over the last decade, yet too many times we end up with large-scale IT failures.</p>
<p>For far too long, what ends up happening is we throw good money after bad money. When IT managers across the federal government begin to make investments, one of the challenges is that long procurement cycles and complexity lead managers to oversize the IT project. Once that project is oversized, new stakeholders are brought in, which leads to exponential complexity in terms of requirements and definition.</p>
<p><em>[Photo: Federal CIO Vivek Kundra. Time to get tough on agencies and contractors that don't deliver results, Kundra says. Photo by Wordbiz, Flickr.com]</em></p>
<p>Then, when the project isn't working well, you end up having more oversight, which ends up generating more paperwork, and more research is expended on overhead rather than solving the root cause of the problem itself. We've seen this across the board, and what we've tried to do is convene the brightest minds across the country. The president in January invited top CEOs across the private sector to a summit in the White House to talk about how the government can apply some of the best practices in the private sector. A number of themes emerged; key was to simplify, making sure that we have smaller time frames for deliverables.</p>
<p>As I've been looking at federal IT investments across the board, we've found investments where people have spent five to seven years essentially blueprinting, and what you end up with are architectural documents that nobody really implements. 
There's also a challenge when it comes to human capital, as far as making sure we've got the right talent in federal government to make sure that these complex agreements and contracts are actually managed well.</p>
<p>We decided to take this issue head-on from an execution perspective. When I came in, one of the first things I received was a document that contained over $27 billion of IT investments that were over budget or behind schedule. We decided to say, "We can't manage this when we look at these investments once a year."</p>
<p><strong>Public Feedback</strong></p>
<p>That's one of the reasons we decided to make sure that we were being transparent and open about how these investments are performing. We launched the IT Dashboard, and a lot of the CIOs I see in this room have your faces right next to [your] IT projects. 
What's been really useful is we've actually gotten the American people engaged, and they're giving us feedback on these investments and how they're performing.</p> <P> That was step one, sort of the first brick in a foundation that we're trying to lay, but that's not sufficient. We moved forward and said, "We need to make sure that we've got essentially an office of analytics within OMB that's looking at these investments." We launched the TechStat sessions in January.</p> <P> We recognized that there are a number of problems across federal government where we haven't been tough enough in making sure that we're holding ourselves and contractors accountable for results. So these TechStat sessions have unearthed a number of issues that we're addressing. We've seen the ability to take on IT investments like at Veterans Affairs, where they went after 45 IT projects, halted those that weren't performing, and terminated 12 of them.</p> <P> <strong>New Areas Of Focus</strong></p> <P> Across the board, what we're trying to do as we look forward is make sure that we address some of these persistent issues. As part of the 2012 budget process, there are three major areas that we've focused on.</p> <P> No. 1 is around infrastructure. The president has committed to a net-net, zero-growth policy when it comes to data center infrastructure. That policy is going to be reflected in the 2012 budget and ongoing years. 
And there's a shift toward cloud computing to make sure that we're deploying technology faster and cheaper, and that we're thinking through all the elements around security, privacy, data portability, and interoperability.</p>
<p><strong>IT Dashboard</strong></p>
<ul>
<li>Launched in May 2009 as a way of exposing the status of federal IT projects</li>
<li>Provides data on 7,000 IT investments, including 800 deemed 'major'</li>
<li>Highlights projects in need of attention or of significant concern</li>
</ul>
<p>The second area we're focused on is IT project management. Projects that are behind schedule or over budget--CIOs are directed to review those projects before they're submitted for the 2012 budget process.</p>
<p>Third is cybersecurity. The State Department spent over $133 million over six years to generate paperwork reports. Unfortunately, that doesn't make the State Department more secure. What makes us more secure is real-time security monitoring--continuous monitoring--and acting on data. That's why agencies are directed as part of the budgeting process to make sure that their budget reflects presidential priority in terms of investing in tools, not in paperwork reports.</p>
<p>So those three key areas are going to be central to our federal IT strategy. We want to be able to close this technology gap because our society and the public expect that their federal government will be as user friendly as their experiences in their day-to-day lives.</p>
<hr />
<p><strong>NASA Looks To Optimize Its Innovations</strong></p>
<p><em>NASA's new CTO for IT, Chris Kemp, wants to more fully exploit the myriad technology innovations created by the space agency's researchers, scientists, and technologists. 
Two months into the new position, Kemp shared his strategy for channeling that innovation in new ways.</em></p> <P> NASA CIO Linda Cureton announced Kemp's appointment to CTO for IT, a newly created position, in May. Kemp is responsible for NASA's enterprise architecture division and for introducing new and emerging technologies. He's also charged with forming a council of CTOs from NASA field centers and mission teams that will foster innovation across NASA. Kemp was previously CIO of NASA's Ames Research Center in northern California. Before that, he worked for Escapia, a Web company, and Classmates.com.</p> <P> Speaking at <i>InformationWeek</i>'s Government IT Leadership Forum, Kemp said one of his goals in his new job is to connect the previously "disconnected pockets of innovation" at NASA, which spends close to $2 billion annually on IT and technology development.</p> <P> NASA's 10 field centers must look for opportunities to establish ties with tech companies in their area, he said. Ames Research Center, for one, is near the offices of Google, Microsoft, and Yahoo. "It's a unique opportunity we should take advantage of," he said.</p> <P> Kemp has experience creating such industry partnerships. As director of strategic business development at Ames, prior to serving as CIO there, he struck collaboration agreements with Google and Microsoft, resulting in NASA's high-resolution imagery of the moon, Mars, and other planets and stars being made available on the Web through Google Earth and Microsoft's WorldWide Telescope.</p> <P> NASA must also find ways to accommodate a new "unconstrained" generation of employees who are mobile, always connected, and avid users of social media and crowdsourcing applications, Kemp said. 
"The challenge here is that the culture at NASA and a lot of other agencies isn't ready for this," he said.</p> <P> <strong>Cloudy Future</strong></p> <P> At Ames, Kemp was project leader for a cloud computing pilot project, called Nebula, that's being expanded to Goddard Space Flight Center in Maryland. Nebula's hardware and software are housed in a mobile shipping container with a capacity of 16 petabytes of data storage and 12,000 CPU cores.</p> <P> The Nebula project, however, caused political, budget, and personnel disruptions within NASA, and "it wasn't pleasant," Kemp said. His point is that disruptive technologies are just that--disruptive. It goes with the territory for CTOs, he said. Kemp favors "elegant" technologies over complex systems with many moving parts.</p> <P> It's important for CIOs and CTOs to understand the "as is" state of IT infrastructure in assessing where emerging technologies will fit, Kemp said. "This is all driving toward a repeatable process for evaluating the current state of NASA's IT infrastructure and articulating our future road map," he added. That process involves the development of technology prototypes, followed by case studies, and then, where appropriate, investment.</p> <P> Kemp plans to use metrics to gauge the effectiveness of IT pilot projects at NASA. He advocates completing pilots within three to four months and considers "failure" to be part of the process. "The idea is to fail fast," he said. "Movement is key."</p> <P> <em>-- John Foley (jpfoley@techweb.com)</em></p> <P> <hr noshade /></p> <P> <strong>Progress In Intelligence Sharing</strong></p> <P> <em>"I wish we knew what we know." That aphorism, attributed to the late Lewis Platt, former CEO of Hewlett-Packard, sums up the conclusions of a Senate Select Committee on Intelligence report, which found that the U.S. intelligence community had more than enough information to keep a would-be bomber from boarding a Detroit-bound commercial airliner last Dec. 
25</em>.</p> <P> Intelligence sharing has been a priority of the U.S. government since 9/11, another occasion when the intelligence community failed to connect the dots, but technology, policy, and cultural barriers remain. Can the intelligence community evolve from a need-to-know culture--which has kept intelligence information in silos for generations--to a need-to-share approach?</p> <P> IT leaders at three government agencies--the Department of Homeland Security, the Defense Intelligence Agency, and the CIA--offered signs of progress at <i>InformationWeek</i>'s Government IT Leadership Forum, but they agreed that much remains to be done. Improving information sharing has been "a long slog," said Margie Graves, deputy CIO of DHS and formerly with the Transportation Security Administration.</p> <P> Created after 9/11, DHS comprises 22 organizations, including TSA, Citizenship and Immigration Services, and Customs and Border Protection. Graves helped write the original DHS business plan for IT consolidation, five years ahead of the current government-wide data center consolidation initiative. DHS is consolidating 24 data centers into two and uniting 12 e-mail systems, with a goal of creating more manageable services and reducing costs.</p> <P> From an intelligence perspective, however, consolidation is akin to creating larger haystacks, and it doesn't fundamentally address the problem of finding needles. For that, DHS has taken the lead in promoting the National Information Exchange Model, an XML-based data modeling and schema framework for information sharing among government agencies.</p> <P> Originally spearheaded by the Department of Justice, NIEM is now being led by DHS with participation from DOJ, the FBI, and the Office of the Director of National Intelligence. 
Ten agencies are participating and another seven are under review.</p> <P> NIEM is a starting point for shared metadata and data models that will enable intelligence agencies to map one database to another. Graves said NIEM has helped DHS create a "person-centric" view that standardizes the attributes of an individual, including name, date of birth, and place of birth. "Now Customs and Border Patrol officers at a border crossing can look at a federated query that pulls from 13 separate data sets," Graves explained. Work is under way on a similar federated query that will let Citizenship and Immigration employees pull together information from 11 data sets.</p> <P> <strong>Access Management</strong></p> <P> Across the 16-agency intelligence community, obstacles to information sharing remain entrenched. Identity access management, a requirement for verifying users and authorizing access to restricted resources, continues to be one big challenge.</p> <P> Keeping information from falling into the wrong hands has been a cornerstone of the intelligence community's need-to-know culture. The downside is that information remains in silos, making it impossible to connect the dots. Following the Intelligence Reform and Terrorism Prevention Act of 2004, it became obvious that without access management, the Defense Intelligence Agency would never be able to interoperate with its partners in the intelligence community, said Casey Henson, the DIA's CTO.</p> <P> There's been progress on the IT front. In recent years, the DIA, National Reconnaissance Office, and National Security Agency have built and now share a security management system and an identity access management system. The systems can publish and consume Web services, so other agencies will be able to take advantage by adapting their architectures. 
"It's the three of us using it today, but within the next 12 to 18 months we'll probably double that and we could triple it within [another] six to 10 months," Henson said.</p> <P> The technical barriers are the easiest to remove. A need-to-know culture keeps agencies focused on their own agendas.</p> <P> "Every agency says, 'I have unique needs.' Then their IT providers say, 'I will give you the 100% solution for that need, but you have to give us all this money to create a unique solution,'" said Don Burke, the "doyen" of Intellipedia, an intelligence-community-wide wiki launched by the Office of the Director of National Intelligence in 2006. Intellipedia is an example of the kind of "systems of common concern" the intelligence community must encourage and support, Burke said.</p> <P> <strong>More To Do</strong></p> <P> Siloed thinking is changing, if slowly, at DHS. As recently as three years ago, DHS component organizations would focus on promoting their own system as a focal point for intelligence sharing, but the conversation has turned to adopting frameworks and architectures that enable everybody to participate. "Getting to the point where we can talk about standards and interoperability and changing the architecture is a major step forward," Graves said.</p> <P> In an example of what data sharing can do, the arrest of the Times Square bomber could be tied, in part, to a suspicious activity reporting initiative that now reaches across DHS agencies, Graves said.</p> <P> The Office of the Director of National Intelligence is trying to promote cross-agency collaboration, too. For more than 18 months, it has been convening monthly meetings of the 16 intelligence agency CIOs.</p> <P> Yet every terrorist incident serves as a reminder of the urgent need to do more. 
The fallout of the failed Christmas Day bombing and damning Senate report was the resignation in May of Dennis Blair, director of national intelligence.</p> <P> In nominating retired Air Force general and DIA veteran James Clapper to fill that post, President Obama emphasized the need to analyze and share intelligence more effectively, and to act on it. Said Obama: "Our intelligence community needs to work as one integrated team that produces quality, timely and accurate intelligence."</p> <P> <em>-- Doug Henschen (dhenschen@techweb.com)</em></p> <P> <hr noshade /></p> <P> <strong>FISMA Meets Continuous Monitoring</strong></p> <P> <em>Federal agencies are fed up with the FISMA compliance process, complaining that it's outdated and expensive.</em></p> <P> They have a point. Compliance with FISMA--the Federal Information Security Management Act--means collecting loads of data on systems and devices and submitting lengthy reports to auditors. At <i>InformationWeek</i>'s Government IT Leadership Forum, federal CIO Vivek Kundra outlined a plan to move away from paper-based FISMA compliance and invest in continuous-monitoring technology.</p> <P> I can't help wondering, though, if the "choice" between FISMA compliance and continuous monitoring is a false one, having seen time and again that compliance efforts can force a wholesale shift toward better security. At the same time, no security environment--compliant or not--is safe without some form of continuous monitoring.</p> <P> During a forum session on cybersecurity, Ron Ross, project leader for the National Institute of Standards and Technology's FISMA implementation project, emphasized that the newest guidelines will include continuous monitoring as a core component.</p> <P> "Continuous monitoring isn't a strategy. It's a tactic," Ross said. 
"It's part of a risk management framework."</p> <P> Other risk management steps include selecting the right set of controls and making sure those controls are implemented correctly, he said. "In order to make continuous monitoring effective in what it's intended to do, you've got to be monitoring the right stuff," Ross added. "And the stuff you put in has to be effective. Those controls really are what provide the strength to withstand cyberattacks."</p> <P> What Ross is saying is that a new emphasis on monitoring shouldn't be seen as an abandonment of the compliance effort, or as an either/or choice in IT security. Any effective strategy for agencies will have to include both FISMA compliance and continuous monitoring, even if one occasionally takes priority over the other.</p> <P> <em>-- Tim Wilson (wilson@darkreading.com)</em></p> <P> <hr noshade /></p> <P> <strong>Project Management Push</strong></p> <P> <em>The Obama administration is increasing pressure on CIOs in federal government to improve IT performance. Its approach--including the IT Dashboard and hands-on project reviews--is leading to changes in the way projects get managed.</em></p> <P> The IT Dashboard puts "community pressure" on CIOs and other agency officials, said Education Department CIO Danny Harris, during a session titled "Feet-To-The-Fire Project Management" at <i>InformationWeek</i>'s Government IT Leadership Forum.</p> <P> Agencies have long had internal IT investment review boards and vetted their budgets with the Office of Management and Budget, but IT project management wasn't out in the open as it is now. Federal CIO Vivek Kundra launched the Web-based IT Dashboard in June 2009, exposing the ongoing performance of federal IT projects. Kundra's office is also running metrics-driven TechStat sessions where the federal CIO and agency CIOs talk through troubled projects. 
And, beginning with fiscal 2012, CIOs are required to review projects that are behind schedule or over budget before they're submitted to the budget process.</p> <P> Such efforts are forcing changes in the way IT projects are viewed. If an initiative is deemed "a dog," the decision must be made to end it and re-allocate those resources, Harris said. The IT Dashboard has made CIOs accountable to agency secretaries, and secretaries to the public. "It doesn't get any more powerful than that," said Harris.</p> <P> Agency CIOs such as Roger Baker of Veterans Affairs and Jerry Williams of Housing and Urban Development are now taking the concept further with agency-specific IT dashboards. CIOs are also attending one another's TechStat sessions and sharing best practices.</p> <P> Kundra indicates more can be done, pointing to areas "where we haven't been tough enough" in holding agencies and contractors accountable for results.</p> <P> <em>-- J. Nicholas Hoover (nhoover@techweb.com)</em></p>2010-05-22T00:00:00ZSymantec To Buy VeriSign's Authentication Business For $1.28 Billion VeriSign will refocus business on Internet infrastructure, naming services http://www.informationweek.com/news/225000008?cid=RSSfeed_IWK_AuthorsVeriSign, one of the best-known names in computer security, today took a step away from the security business by selling its authentication services business to Symantec for $1.28 billion. <P> VeriSign's authentication business, which includes the Secure Sockets Layer (SSL) encryption certification services, a managed Public Key Infrastructure (PKI) platform, and the company's ownership stake in VeriSign Japan, contributed approximately $101.9 million to VeriSign's revenues last quarter -- about 39 percent of the company's business. <P> Symantec's acquisition follows the $300 million purchase of encryption pioneer PGP and the $70 million purchase of GuardianEdge, which were announced simultaneously just three weeks ago. 
<P> "The security space is consolidating in a way that favors larger players that offer lots of products and services in an integrated package," said Mark McLaughlin, president and CEO of VeriSign, in an investor teleconference this afternoon. "If you want to succeed in this market, you have to have a broad range of services, as Symantec does." <P> "For 15 years, VeriSign has pioneered the SSL and related authentication services business," said Jim Bidzos, VeriSign founder and executive chairman. "Today Symantec is the best company to drive this business forward." <P> The agreement provides that Symantec will acquire the assets of VeriSign's Authentication Services business, including its ownership stake in VeriSign Japan, as well as certain brands and trademarks, such as VeriSign's "check mark" logo. <P> Symantec has indicated that it expects to offer positions to most of VeriSign's authentication employees to support the business. VeriSign has agreed to support the business after the transaction's close by providing transitional services to Symantec. Following the close of the transaction, VeriSign expects to eliminate some positions that will not move to Symantec and that will not be required for its future operations. The boards of both VeriSign and Symantec have unanimously approved this transaction, which is not subject to financing contingencies or shareholder approval. The transaction is expected to close in 60 to 90 days or upon receipt of regulatory approval. Following the close of this transaction, VeriSign's remaining business will consist of its Naming Services business, which contributed approximately $162 million, or 61 percent, of the company's revenues in the quarter ended March 31, 2010. <P> "We will continue to focus on the growth strategies we've previously articulated for our domain name and infrastructure availability businesses," McLaughlin said. 
"These include leveraging our existing infrastructure capabilities for new services, expanding internationally, and pursuing new top-level domain opportunities." <P> "Trust and identity are key to the future of securing and managing information," Symantec said in its announcement. "VeriSign is the leading provider of digital authentication services, enabling trusted interactions within and across businesses, consumers, applications, and processes. With identity security, Symantec solutions can enable information access control, enhanced data security, and better enforcement of compliance policies." <P>2010-03-25T17:04:00ZCEOs Paying Attention To Security, Study SaysCIO is the person most frequently held responsible for data protection, Ponemon survey sayshttp://www.informationweek.com/news/224200408?cid=RSSfeed_IWK_AuthorsTop-level executives are beginning to grasp the importance of security, according to a study published today. <P> Eighty-one percent of C-level executives think that investing in a security strategy can greatly reduce or mitigate the risk of data loss or theft, according to the survey of 115 C-level executives in the U.K. conducted by Ponemon Institute and sponsored by IBM. <P> "In the face of growing security threats, business leaders are finally recognizing that a strong data protection strategy plays a critical role to their bottom line," says Dr. Larry Ponemon, chairman and founder of Ponemon Institute. "Today, C-level executives believe the cost savings from investing in a data protection program is substantially higher than the estimated value of recovering from a breach." <P> Seventy-seven percent of C-level executives reported that their organizations have experienced a data breach at some point, while all respondents disclosed that they have had their data attacked in the past 12 months. 
Seventy-six percent think that reducing potential security flaws within business-critical applications is the most important aspect of their data protection programs. <P> C-level executives believe good data protection practices can support important organizational goals, such as compliance, reputation management, and customer trust. Only a small percentage of the CEOs surveyed, just 18 percent, are very confident that their organizations will not suffer a data breach within the next year. <P> Executives in the study estimated the average data breach cost per compromised record at about $250. CEOs estimated that cost to be closer to $300 per compromised record. <P> Three-quarters of respondents reported that one person is considered to be in charge of data protection for their organizations. That person is considered by most to be the CIO -- especially by the CEO. <P> More than half (51 percent) of C-level executives believe the purpose of data protection programs is to increase brand or marketplace image. <P> "We are witnessing C-level executives implement security strategies at a much higher rate than ever before," said Daniel Sabbah, general manager of IBM Rational. 2009-11-23T20:44:00ZEmployees Willing To Steal Data; Companies On The AlertSeparate studies offer a scary glimpse into the minds of employees, management http://www.informationweek.com/news/221901507?cid=RSSfeed_IWK_AuthorsEmployees know it's illegal to steal company data, but they're prepared to do it anyway. Companies know their employees are a chief threat to their data, but most aren't doing much about it. <P> These are the takeaways from two separate studies published today by security vendors Cyber-Ark and Actimize. Taken together, the studies paint a sobering picture of the state of trust and security within the corporate walls. 
<P> In its study, Cyber-Ark surveyed some 600 workers in the financial districts of New York and London and found that most workers are not shy about taking work home -- and keeping it for their own use. <P> Eighty-five percent of the respondents to the Cyber-Ark survey said they know it is illegal to download company data for personal use, but 41 percent said they already have taken sensitive data with them to a new position. About a third of respondents said they would share sensitive information with friends or family in order to help them land a job. <P> Almost half of the respondents (48 percent) admitted if they were fired tomorrow they would take company information with them, Cyber-Ark says. Thirty-nine percent of people would download company/competitive information if they got wind that their job were at risk. A quarter of workers said the recession has made them feel less loyal toward their employers. <P> Of those who plan to take competitive or sensitive corporate data, 64 percent said they would do so "just in case" the data might prove useful or advantageous in the future. Twenty-seven percent said they would use the data to negotiate their new position, while 20 percent plan to use it as a tool in their new job. <P> Customer and contact lists were the top priority for employees to steal, registering 29 percent of the respondents. Plans and proposals were next (18 percent), with product information bringing up the rear (11 percent). Thirteen percent of savvy thieves said they would take access and password codes so they could get into the network once they've left the company and continue downloading information and accessing data. <P> According to the second study, which was compiled by security vendor Actimize, most companies know about the threat from employees and are worried about it. 
<P> Eighty-two percent of those surveyed, approximately a quarter more than in 2007, see the threat of employee fraud growing, and 78 percent see the employee fraud problem increasing due to the slower economy. <P> The Actimize study, which was conducted by third-party firm Infosurv, found more than 69 percent of respondents view full-time employees as the highest risk segment -- seven to 14 times more risky than part-time, offshore, outsourced, or temporary employees. <P> The respondents to the Actimize survey, who all came from the financial services industry, are increasingly alarmed with employee sabotage, Actimize said. Seventy-two percent of respondents stated they are moderately to extremely concerned that laid-off or disgruntled employees will plant malicious software scripts or destroy company property. <P> Eighty-four percent of the financial respondents said the industry is likely to experience a rogue trading loss of more than $100 million in the next 12 months, as it did last year at Societe Generale. <P> While fears of insider threat run high, however, many companies appear to be at a loss as to what to do about it. Sixty-seven percent of those surveyed think a half or less of employee fraud cases are actually caught. When ranking top ways they uncover employee fraud, 34 percent admitted they discovered the fraud "accidentally." <P> More than three-quarters of respondents said the nature of employee fraud is becoming more sophisticated, yet less than 30 percent use the latest generation of tools to protect against employee fraud, Actimize said. This is actually a significant improvement from 2007, when only 8 percent used the latest generation of technologies to combat employee fraud. <P> Fifty-eight percent of respondents rated the financial industry's ability to detect employee fraud as "poor" or "somewhat acceptable," which is also a noticeable improvement from 2007. 
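<P> The Cyber-Ark finding that some leavers intend to keep using their credentials after they go, and the Actimize finding that most fraud is caught late or by accident, point to one routine check a security team can automate: reconcile the HR leaver feed against the directory and the authentication logs, and raise three kinds of finding (leaver accounts still enabled, logins by leavers after their last day, and logins by accounts HR has never heard of). The Python below is an added example, not code from either survey or vendor; the roster, directory export and log lines are constructed, and the syslog-like key=value log format, the field names and the one-day grace period are assumptions.</P>

```python
"""Reconcile the HR leaver feed, the directory, and authentication logs.

Added example, not code from either survey or vendor on this page. All data
below is constructed; the log format, field names and one-day grace period
are assumptions about what a typical shop would have.
"""
import re
from datetime import datetime, timedelta

# Constructed HR feed: username -> last working day (None = still employed).
HR_ROSTER = {
    "asmith": None,
    "bjones": datetime(2009, 11, 6),
    "cnguyen": datetime(2009, 11, 13),
    "dpatel": None,
}

# Constructed directory export: username -> account still enabled?
DIRECTORY = {
    "asmith": True,
    "bjones": True,      # leaver whose account was never disabled
    "cnguyen": False,    # leaver whose account was disabled properly
    "dpatel": True,
}

# Constructed authentication log in an assumed syslog-like key=value format.
AUTH_LOG = """\
2009-11-05T09:12:44 vpn01 login user=bjones result=success src=203.0.113.10
2009-11-09T23:41:02 vpn01 login user=bjones result=success src=198.51.100.7
2009-11-10T08:03:19 fileshare login user=asmith result=success src=10.0.0.12
2009-11-16T02:15:55 vpn01 login user=cnguyen result=failure src=198.51.100.9
2009-11-17T11:00:01 vpn01 login user=dpatel result=success src=10.0.0.40
2009-11-18T07:30:00 vpn01 login user=eunknown result=success src=10.0.0.50
this line is noise and is skipped by the parser
"""

# Date the report is run "as of" (constructed).
AS_OF = datetime(2009, 11, 20)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Return one dict per recognised log line; unrecognised lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(event)
    return events


def stale_enabled_accounts(roster, directory, as_of):
    """Leavers whose last day has passed but whose account is still enabled."""
    return sorted(
        user for user, last_day in roster.items()
        if last_day is not None and last_day <= as_of and directory.get(user, False)
    )


def post_departure_activity(events, roster, grace=timedelta(days=1)):
    """Logins (successful or not) by known leavers after last day + grace.

    The grace period lets activity on the last working day itself through;
    failed attempts are kept because a leaver guessing at a changed password
    is still worth a look.
    """
    findings = []
    for e in events:
        last_day = roster.get(e["user"])
        if last_day is None:          # current employee, or unknown to HR
            continue
        if e["ts"] > last_day + grace:
            findings.append({
                "user": e["user"], "ts": e["ts"], "host": e["host"],
                "src": e["src"], "result": e["result"],
                "days_after": (e["ts"] - last_day).days,
            })
    return findings


def orphan_logins(events, roster):
    """Successful logins by usernames HR has no record of at all."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["user"] not in roster})


def leaver_report(log_text, roster, directory, as_of):
    """Run all three checks and return the findings in one dict."""
    events = parse_auth_log(log_text)
    return {
        "stale_enabled": stale_enabled_accounts(roster, directory, as_of),
        "post_departure": post_departure_activity(events, roster),
        "orphans": orphan_logins(events, roster),
    }


if __name__ == "__main__":
    for key, value in leaver_report(AUTH_LOG, HR_ROSTER, DIRECTORY, AS_OF).items():
        print(key, value)
```

<P> On the constructed data the report flags bjones twice (account still enabled, and a VPN login three days after the last day), cnguyen once (a failed attempt after departure against a properly disabled account), and eunknown as an account the HR feed cannot vouch for. The HR feed is treated as the authority on who has left; the directory and the logs are checked against it rather than the other way round, because the directory is exactly the thing that goes stale when offboarding is missed.</P>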
<P> "As the research shows, regardless of the direction the economy takes in the near future, financial institutions are expected to be increasingly concerned about the threat of criminal employee behavior," said Paul Henninger, head of the financial crimes product group at Actimize. "Luckily, there is evidence that the industry is improving its ability to investigate and catch employee fraud." 2006-01-27T00:00:00ZSun's Founders Recall The Early DaysThe Computer History Museum recently hosted the four Sun founders, who shared memories of the first few months of the company's success. CEO Scott McNealy would answer Sun's five sales phone lines all day, then head back to the warehouse to build machines and write purchase orders.http://www.informationweek.com/news/177104511?cid=RSSfeed_IWK_Authors <P> They haven't appeared together in public for years, so it was a real treat last month when the Computer History Museum played host to the Fab Four--the four founders of Sun Microsystems, that is: Vinod Khosla, Bill Joy, Andy Bechtolsheim, and Scott McNealy (left to right, above).</P> <P> The four were in good humor, and they had a few new memories to share. Joy, for example, revealed that Sun has tried to acquire Apple Computer three times over the years, once through an outright acquisition and twice through mergers. Joy said he gets along well with Apple CEO Steve Jobs and considers it "a personal disappointment" that the companies never built a stronger relationship.</P> <P> McNealy was less complimentary about Apple, comparing the iPod to the invention of the answering machine.</P> <P> "I guarantee you it will be hard to sell an iPod five or seven years from now, when every cell phone can access your entire music library wherever you are," McNealy said.</P> <P> In contrast, McNealy had kind words for Joy, who was an open-source pioneer, inventing the process of community software development. 
"He has never gotten credit for it," McNealy said.</P> <P> The four remembered the first few months of Sun's success, when McNealy would answer Sun's five sales phone lines all day, then head back to the warehouse to build machines and write purchase orders. </P> <P> Sun's fortunes are obviously not as rosy today, but Joy said the industry's move toward open systems--combined with hardware guru Bechtolsheim's return to the company--could help it turn a corner. "It gives me a lot of hope," Joy said.</P> <P> McNealy reportedly turned red a couple of times during questions about the current state of Sun's business. "We made some mistakes during the bubble, but we also put some cash in the bank," he said.2006-01-27T00:00:00ZReady for Some Football?Here's our take on the Top 11 dumbest things to do at your CIO's SuperBowl party.http://www.informationweek.com/news/178601887?cid=RSSfeed_IWK_Authors<P>11 Dumbest Things to do at your CIO's Super Bowl Party<br> <img src="http://i.cmpnet.com/nc/1702/graphics/1702lastmilea.gif" align="center"> 11) Use your laptop to redirect the satellite TV signal to old reruns of Maude</P> <P> 10) Mention that the CIO's high-tech projector looks like the one the IT department bought during last year's technology refresh</P> <P> 9) Wrap the cocktail wieners with old pieces of DLT tape</P> <P> 8) Show security video of the CIO and his new "assistant" as half-time entertainment</P> <P> 7) After a great play, say, "If only our software worked that well!"</P> <P> 6) Change the channel, then tell the CIO he'll have to get management approval to change it back </P> <P> 5) Rip out your new blade server rig and install it in the CIO's kitchen to heat the nacho cheese dip </P> <P> 4) Suggest that everybody try converting players' jersey numbers to hex, binary and octal code</P> <P> 3) Yell out, "Hey, the data center called and asked how to turn off the fire sprinklers!"</P> <P> 2) Shave the NFL logo into the hair of the CIO's pet poodle</P> <P> 1) 
Invite your local Hell's Angels chapter along for the free food</P> <P> <em>Special thanks to our color commentators--Stephen Cole, Cheryl Fritsch, Steve Harvey, Eric Huemoeller, Gregory Mamayek, David Mohrman, R.L. Noble and Douglas Rockney--for their suggestions from the back of the playbook. You folks really know how to get sacked.</em></P> <img src="http://i.cmpnet.com/nc/1702/graphics/1702lastmileb.gif"> <P> &raquo;Nissan won the hearts of computer gamers--though probably not the highway patrol--last month when it unveiled the Nissan Urge, a concept car that includes a built-in Xbox 360 on the driver's side. And we thought cell phones and PDAs were distracting. Imagine trying to get around the guy who's about to graduate to the next level of Project Gotham Racing 3. To be fair, Nissan says the game won't work unless the car is in park--but we're guessing gamers will soon devise a workaround.</P><img src="http://i.cmpnet.com/nc/1702/graphics/1702lastmilec.gif" align="left"> <P> &raquo;So you think your data center has everything? Bet you don't have a pet! Dogs and cats are too hairy, and they wouldn't like the frigid temperatures in your server room anyway. Birds leave seeds (or worse) on your keyboard. Fish could get things wet ... unless you build your own! Engineers at Japan's National Maritime Research Institute have developed prototypes of several "fish robots" that can liven up your workspace. <a href="http://www.nmri.go.jp/eng/khirata/fish/index_e.html" target="new">You'll find the plans here</a>. Build one today--they're quiet and very well-behaved.</P> <P> <span class="blue12bold">LOL</span></P> <P> Have an IT-related chuckle you want to share? 
Spotted some strange tech? Want to contribute to the latest Top 11 List? <a href="http://www.networkcomputing.com/lastmile/">Drop on by the Last Mile Repository!</a></P>2005-08-12T00:00:00ZCritics Say Open-Source Ratings Don't Measure UpCarnegie Mellon and partners have a template for evaluating the business readiness of open-source applications. But be wary of making any decisions based solely on it.http://www.informationweek.com/news/168601718?cid=RSSfeed_IWK_Authors<P>You've been eyeing that open-source software for months now, but you're reluctant to make your move. It looks viable, and the price certainly is right, but is it mature enough for your organization? A new benchmarking group aims to help you decide.</P> <P>Carnegie Mellon University, Intel and open-source software certifier SpikeSource earlier this month launched Business Readiness Ratings, a proposed standard template for evaluating open-source applications. The three sponsors have defined a set of parameters and metrics for measuring the maturity of just about any open-source software, ostensibly making it easier for businesses to decide whether they should bet the farm on the emerging applications. The ratings are designed to operate in open-source fashion, gathering feedback from developers over the Internet about each application's performance against the established metrics, then posting that feedback as a guide to others. Essentially, it's a report card template, and each developer who evaluates the software gets to grade the application.</P> <P> As IT professionals, we applaud the sponsors for their efforts to help enterprises navigate the increasingly bewildering sea of open-source applications available for download. As hardware and software reviewers, however, we caution enterprises against making any decisions solely on the BRR.</P> <P> For one thing, technology testing--and we've learned this the hard way--is not a one-size-fits-all proposition. 
Some software is too complex for small businesses, but works brilliantly in a well-staffed and highly skilled enterprise IT environment. Other applications don't deliver enough functionality for a large corporation, but are very effective in a mom-and-pop shop. The concept of "business readiness" is totally dependent on the size and nature of the business, and users should be wary of any evaluation process that attempts to apply a single rating to all open-source apps in all business environments.

Second, some BRR metrics are subjective. At Network Computing, we strive to keep our testing processes objective--if it can't be measured empirically in the lab, we often reject it as a criterion for evaluation. But the BRR employs criteria, such as "end user UI experience," that will clearly be a matter of opinion. True, the applications will be reviewed by a number of developers, but technology decisions should be based on hard data, not on popular vote.

We see the BRR as a potentially useful data point for open-source software evaluation, but probably not much more than that. It might help you decide whether and when you want to test an emerging app, but it can't replace the value of doing the testing in your enterprise.

2005-04-08: Understanding IT Pricing
When it comes time to make purchases out of their discretionary budgets, many IT people consult only one or two sources before choosing a supplier. But with just a few extra minutes of online research, significant savings could be yours.
http://www.informationweek.com/news/161500856?cid=RSSfeed_IWK_Authors

You're in the middle of a project when you realize you're missing a crucial component: a network device, a client machine, a piece of software or some other IT commodity. It's well within your discretionary budget--you could easily buy it without going through the purchasing department or getting sign-off from a dozen executives. But you don't want to overpay for the thing, either.
So what are you gonna do?

In the past, you went to your local computer store or reseller--and paid whatever it asked. Today, there is a growing and often bewildering list of IT retail sources and shopping Web sites, all promising the lowest price. Comparison sites, online catalogs, electronic auctions, value-added resellers, even the manufacturers themselves--they line up in your Google search like snake oil salesmen at a state fair, each hawking the best products at the lowest price. So what are you gonna do now?

If you're like most IT professionals, you probably have a favorite source or two. According to Nielsen//NetRatings, which tracks Web site activity, two sites most frequented by IT decision-makers are CDW and Newegg.com, both popular computer-catalog stores. In a recent straw poll of Network Computing readers, 55 percent of respondents said they compare prices from three or fewer suppliers before making a commodity purchase. Even in today's world of screaming Web sites, most IT people still do the better part of their business with just a few primary suppliers.

Company Roll Call
• Buy.com (http://www.buy.com)
• PriceGrabber (http://www.pricegrabber.com)
• Shopping.com (http://www.shopping.com)
• Shopzilla (http://www.shopzilla.com)
• Tiger Direct (http://www.tigerdirect.com)
• eBay (http://www.ebay.com)
• PriceWatch (http://www.pricewatch.com)

"For computer hardware, we usually go directly to the hardware vendor," says John Millonig, a systems consultant at CHS, a Fortune 500 company specializing in foods, grains and petroleum products. "We use a specific VAR [value-added reseller] for the majority of our other purchases." CHS does make small purchases online at CDW and locally at Office Depot and Comp USA. Most enterprises shop locally when they want to avoid shipping time, but buyers agree that the lowest prices are generally found online.

This limited-vendor buying strategy is common in IT, because people are afraid to buy from sources they don't know. Many are also befuddled by the plethora of technology purchasing and price comparison sites on the Web, which may well include fly-by-night shops operated out of somebody's basement. Better to be safe.

But the "safe" bet these days isn't always the most cost-effective. In fact, our research shows that IT departments could be paying 25 percent to 50 percent less for commonly purchased items by doing some simple Web research before making a choice. And we're not talking about buying knockoffs, used equipment or plug-compatibles, either.

What's more, buying from a previously unknown vendor doesn't have to be like sending a check into a black hole. There are many sites that can help vet retail vendors, providing reviews, feedback and customer satisfaction ratings. Although you might feel uncomfortable at the prospect of buying from an unfamiliar online seller who might not provide quality goods--or any goods at all--these "seller ratings" can tell you a lot about a potential supplier.
If you follow a few simple steps, you can save your company serious money--without risking your job in the process.

To show you what we mean, we've shopped for a few of the most commonly bought items in IT, just to give you an idea of the range of prices and customer ratings you can find on the Web. This "minireview" is far from scientific or complete, but it provides a snapshot of the vehicles available for comparing prices, as well as a sense for how much your enterprise can save.

Needle in a Haystack

We were blown away by the number and diversity of sites on the Web that advertise the best price for a given IT commodity. Some of them are well-known; others appear to be little more than local garage sales. Some offer detailed feature comparisons of functionally similar products from multiple vendors; others give only a single, one-line product listing in each category.

There was simply no way to research all the sites, so we settled on six. Three of them--PriceGrabber.com, Shopzilla.com and Shopping.com--were cited in our interviews with IT professionals, price-comparison site operators and online catalog vendors. Another, PriceWatch.com, was listed as the most popular price-comparison site in the Nielsen//NetRatings list of sites most trafficked by IT executives. For comparison's sake, we threw in representatives of the two other popular multivendor selling avenues: online-auction leader eBay and online technology catalog TigerDirect.com.

We simulated a search and purchase in three categories: network devices, PC hardware and packaged software. Although many of these sites offer used, leased or refurbished gear, our test focused only on new, in-the-box products, so we could make an apples-to-apples comparison. This test was designed to show the range of results and prices--your experience will vary, depending on the sites you choose and the item you're seeking.

Our first test was to compare prices for a Cisco 831 Ethernet router, which lists for about $500. The 831 is not Cisco's most popular router, but because it's a medium-priced product that doesn't have a wide variety of configurations, it lent itself well to apples-to-apples comparisons. This is a price-hunting key--be sure you're comparing items that are truly the same in size, memory, speed and options.

Of our six test sites, eBay turned up the lowest price, with a single new Cisco 831 listed at $349. That price was offered under eBay's "Buy It Now" option, so it would have been possible to purchase it without waiting for the end of an auction. However, the dealer had only three instances of customer feedback, so there was a possibility it wasn't legitimate.

Among the other sites, Shopzilla (formerly BizRate) came up with the next-best price: $366, offered by a seller with certification from the site and more than 300 customer reviews. Shopzilla provided a total of 33 sellers for the Cisco 831, with prices ranging from $366 to $546. One seller had more than 75,000 reviews; several had fewer than 20. The prices were difficult to compare because some vendors offered variations on the configuration, and some listed the product with different SKUs, which caused them to be listed separately on the site.

PriceGrabber.com returned the most sellers, with 34 choices, but the price range was $429 to $520. PriceWatch gave only one seller, with a price of $425. Shopping.com offered nine listings, including two higher-end Cisco 837s that should not have been there, at a range of $451 to $541.
A TigerDirect.com search for "Cisco 831" yielded no results, but a further search under several categories of modems did turn up a listing for $499.

Shipping, of course, plays a factor in comparing prices for low-cost commodity items. Although many sellers offer free shipping, some charged as much as $25 to ship the Cisco 831. All three of the price-comparison sites let you enter a ZIP code on a price page and then recalibrate prices to include shipping. On all six test sites, we could move directly to the seller's shopping cart in one click, so there wasn't much difference in the checkout process.

Living Large with Laptops

Next, we shopped for a notebook PC. We chose the Toshiba Tecra A2-S119 (list price $949) for the test, partly because it has a narrowly defined configuration and partly because it is relatively new on the market, having been introduced in October 2004. We wanted to see which sites could provide a range of prices on a newer product.

The best price tag was on Shopping.com, where a dealer listed the notebook at $879. But that price turned out to be a red herring, because the dealer wanted $29 for shipping. The next-best price was a deal listed identically on Shopping.com, PriceGrabber.com and Shopzilla: an offer of $895, from Buy.com. Interestingly, though the Buy.com listing had more than 95,000 reviews on Shopzilla and was named that site's "Smart Choice," it received only two and a half stars (out of five) on PriceGrabber.com after more than 1,200 user reviews.

The three price-comparison sites each generated 18 to 25 sellers for the Toshiba unit, and prices ranged from $879 to $1,185. PriceWatch listed only one seller at a respectable price of $905. eBay listed three units ranging from $950 to $1,050, but the low price came from a seller with just five feedback ratings, only four of them positive. TigerDirect.com listed four Tecra M2 models, but the A2 was not available.

In our third pricing test, we hunted for a popular software package. We wanted an application that is common to companies of every size and industry, so we settled on virus scanning. We chose McAfee's VirusScan 9.0, because it's a relatively new release and it seemed to be listed on more sites than Symantec's counterpart product. VirusScan 9.0 comes in several different bundles, so we decided to focus on the retail, single-user client package, which lists at about $50.

For a single copy of VirusScan 9.0 retail edition, TigerDirect listed the best price: $19.99 with free shipping. All the comparison sites generated a similar range of prices for the retail VirusScan package, somewhere between $40 and $60. Both Shopzilla and Shopping.com listed their "smart" choices at around $41.

In this case, however, there were some very interesting off-retail offers. PriceGrabber.com, for example, listed 15 OEM sellers of the software with prices ranging from $6.50 to $27.50. PriceWatch returned several sellers offering volume discounts that would bring the per-copy price down to as low as $9. eBay listed one seller with 197 copies of the software at $4.75 each--but they would come without their retail boxes.

Clearly, the options for buying packaged software are more varied than in hardware or networking gear. Each price-comparison site listed more than 40 dealers for VirusScan 9.0, and many other sites listed prices for OEM or used software. The range in prices was also greater, stretching from $4.75 to $59. And, of course, software prices are tougher to benchmark, because many vendors offer their own, unpublished volume discounts.

Looking for Mr. Good Deal

There was no clear winner in our review of IT buying sites.
Although PriceGrabber.com and Shopzilla offered the most choices in networking gear, Shopping.com returned the most results for the latest laptops. PriceGrabber.com offered the best list of OEM and retail sources for software.

That's the most important lesson we learned from the test: You shouldn't always rely on a single site to give you the best price. Yes, you can get some good choices by typing one URL, but you could conceivably save another 25 percent to 50 percent by taking another 10 minutes and checking a few more URLs.

Whether you're using an online catalog, a price-comparison site or eBay, you should always factor in the credibility and reliability of the online seller. Many of the multivendor comparison sites offer independent customer feedback, which can help screen out questionable sellers.

But no matter what its site rating, an online vendor should also be judged by its warranty and/or service offerings. A company like TigerDirect, which offers money-back guarantees and goods under warranty, is a sure thing. A one-time seller on eBay may offer items "as is," with no warranty at all. There are many shades of gray in between, and you must decide what level of service you want before clicking the "buy" button.

When using price-comparison sites, such as Shopzilla and Shopping.com, be aware that dealers can pay a premium to appear at the top of the search list, whether or not they have the best price. Some comparison sites list only dealers that have paid a fee--they don't offer a full Web pricing search. Look for sites that return a respectable number of dealers for your item and provide some means of vetting the dealers to ensure that they're legitimate.

You should also be aware that some companies operate more than one price-comparison site. Shopping.com, for example, also runs Dealtime and PriceTools; PriceGrabber.com owns another site called BottomDollar. These companies clone their sites in order to expand their reach and generate more advertising dollars, but this sort of replication makes life more confusing for users.

With a little extra research, however, you truly can save money on those small IT items, and you don't have to go to Joe's Cut-Rate Computer Stuff.com to do it. Just look beyond the same old sites and take advantage of the Web's search capabilities.

Tim Wilson is Network Computing's business technology editor. His background includes four years as an IT industry analyst, most recently with Enterprise Management Associates, and more than 14 years as a journalist specializing in networking technology. Write to him at twilson@nwc.com.

Making Cents of IT Pricing

Everyone knows the Internet has changed the economic landscape and leveled the competitive playing field. Even grandmothers are cruising Amazon.com and eBay these days, so it should come as no surprise that the best IT deals are to be found surfing the Web. However, most IT professionals trust a handful of favorite sites to deliver the low prices--and in doing so, they miss out on big-time savings.

In this month's Affordable IT installment, Tim Wilson shows you ways to save money and avoid risk. We run through sample purchases of several common IT products, using sites like Buy.com (http://www.buy.com), PriceGrabber (http://www.pricegrabber.com), Shopping.com (http://www.shopping.com), Shopzilla (http://www.shopzilla.com), Tiger Direct (http://www.tigerdirect.com), eBay (http://www.ebay.com) and PriceWatch (http://www.pricewatch.com) to score the best deals. Even Grandma would be impressed.
You can find all our Affordable IT articles here: /affordable_it

How to Find the Best Price

• Look beyond your usual sources. Having good supplier relationships is important, but there's no law that says you have to buy everything from a single source. If you're hunting on only one or two sites, you could be costing your company money.

• Know what you're looking for. The Web can be a great place for comparative research on different vendors' product features, but the canny price hunter will search for a specific product in a specific configuration. Do your comparison after you've selected the product you want.

• Include all price factors in your equation. Often, two products may appear similar in price, but add-on costs--options, shipping or state taxes--may change the numbers. Be sure you understand all the costs before you compare prices.

• Use sites that hold their vendors accountable. Many sites give dealers some sort of rating based on feedback from other customers. Take a close look at customer reviews, both positive and negative. If a prospective dealer hasn't generated much feedback, stay away--a low price is not much good if you never actually receive the product.

• Vary your search patterns. Some sites collect more pricing data on consumer-type goods, such as PCs and handhelds, while others have more information on business gear, such as networking devices and management software. Use a variety of resources to find pricing data.