EICAR News, May 2008
EICAR European Expert Group for IT-Security, Office: Hauptstrasse 4, Neubiberg, Germany

CONTENTS
01 From the Board Chairman's Corner
02 News from the EICAR Legal Advisory Board
03 Handle With Care - But Don't Panic
04 Microsoft Security Intelligence Report, Volume 4
05 Five Steps to Improve Your Antivirus Defense
06 EICAR Virus Prevalence Table, February
07 Why We Don't Have Federated Consumer Online Identity
08 Strategies for ITIL Success: Overcoming Resistance to Change
09 Mobile and Remote Working: Is It Secure?
10 Litigation Holds

CONSULTING EDITORS: Rainer Fahs, Manuel Hüttl, Eddy Willems
CONTRIBUTORS: Prof. Dr. Nikolaus Forgo, Dennis Jlussi, University of Hanover; Richard Saunders, Microsoft; Mike Davies, VeriSign; George Spalding, Pink Elephant; Ken Turbitt & Atwell Williams, BMC Software; Ian Kilpatrick, Wick Hill Group; Ralph Kreter, Mimosa Systems
EDITORIAL ADDRESS: Ter Borchtstraat 17, B-1982 Elewijt (Zemst), Belgium
DESIGN
FROM THE BOARD CHAIRMAN'S CORNER
Rainer Fahs

The EICAR Conference 2008 is just ahead of us, and we are all looking forward to meeting with birds of a feather from all over the world in a small French city called Laval. We have to be grateful for the arrangements Eric Filiol made with the French Forces for EICAR. Remembering the financial fiasco of 2007 and the uncertainty of not knowing when and how it would be resolved and how much financial damage would be left, going ahead to plan and arrange a 2008 conference was a tough decision. Like a true military leader, used to making decisions, Eric stepped in and proposed to hold the EICAR 2008 conference in facilities offered by the French Forces at Rennes. Later on, due to internal decisions of the French Forces that Eric could not influence, the venue had to be changed to Laval. Recognising that Laval is not exactly a major city or a tourist attraction, we had to weigh the advantage of the offer: the use of the facilities at no charge to EICAR, which was certainly the main driving factor for having a conference at all, and we accepted the generous offer from the French Forces. After the decision was made, Eric also volunteered to take on the responsibility of conference organiser, and Vlasti Broucek, though he had already withdrawn from his position, offered his support, which we gratefully accepted. Eric and Vlasti did a great job in publishing the Call for Papers and establishing the paper review team and procedures, resulting in high-quality papers being submitted for our conference. More papers were submitted than could be accommodated in the programme, enabling us to select on sheer quality. Unfortunately, papers had to be rejected, and I would like to thank the authors for their efforts and encourage them to submit again at the next opportunity.
In parallel, Manuel Hüttl was busy finding sponsors for the conference, and we noted a considerable change in the attitude of potential sponsors. It seems that the time of opulent budgets for the PR people in industry is over. Budgets are tight, and the reasoning for spending has to be very sound and based on value added for the companies. Since the EICAR conference is not, and never was, a marketing event, it is extremely difficult to convince industry partners to sponsor our event. Having said this, we are even more grateful to those partners sponsoring the event in Laval. By the same token, we noticed another trend, in the attendance of the conference, and this trend is even worse. The number of paying participants is decreasing, and at the moment it looks as if we will not be able to cover the actual expenses of the conference within the conference budget, meaning that EICAR members will have to pay in the end. EICAR has always waived the conference fee for presenters at the conference. This has been a long-standing tradition, and I would fully support it for future events, since it is a bit of a reward to those going through the effort of preparing a presentation and putting it under the scrutiny of a high-level audience. However, this rule was always limited to presenters, and it is somewhat regrettable to note that people cancelled their plans to enrol for the conference once it was clear that EICAR would not waive their conference fees. This trend is fatal for EICAR and its conference. It is not rocket science to plan a conference, but there is some basic arithmetic involved. It is very simple and a matter of fact that a conference has costs that need to be covered, and there are limited options for funding them. We can either try to cover the conference as a whole from the members' fees, which
will lead to higher fees, or we have to get sufficient sponsoring for the conference, which was the case in past years but no longer seems that easy. The third option is to cover the conference costs from the conference fees, and here is the problem. If we have a conference with about thirty speakers and about 5 to 10 Board members, admin supporters and conference organising staff, none of them paying conference fees, we need at least the same number (30 to 40) paying the fee. If that is not the case (and it obviously is not this year), we produce a deficit. The arguments about the location being attractive or not have been given a weight that I do not support. It has always been our aim to put together a conference with high-quality presentations in support of research in the AV and other areas of IT security, and our conference committee has succeeded in following this path for this year. It looks, however, as if a great number of potential EICAR conference attendees give preference to the quality of the conference venue rather than the quality of the presentations. EICAR members have to make a decision for the future. If preference is given to the location, it is questionable whether an organisation like EICAR is required to satisfy this requirement. EICAR was not established as a conference-organising organisation, and members at the next annual members' meeting will have to decide on the future of EICAR and the conference organisation for the upcoming years.

NEWS FROM THE EICAR LEGAL ADVISORY BOARD
led by Prof. Dr. Nikolaus Forgo

The EICAR Legal Advisory Board was founded in response to the increasing role of legal issues in the context of information technology. Legislation has an important impact on information security.
It is crucial for the interaction between technology, organisation and psychology that legislation is well understood and clearly carried into the business workflow as well as the development lifecycle. The purpose of the EICAR Legal Advisory Board is to contribute to a better understanding of the problems involved in mastering information technology and their impact on criminality, and to propose elements of solutions for individuals, organisations and society as a whole. The Legal Advisory Board will react to current issues in IT law that have an impact either on society as a whole or on the IT security industry and its protagonists. The Board will not provide legal counsel but will develop neutral and factual statements, position papers or comments. The team of experts representing the EICAR Legal Advisory Board is led by Prof. Dr. Nikolaus Forgo. The Legal Advisory Board recently announced its first comment, on § 202c of the German StGB. It describes the use of hacker tools and the legal issues around it.

Prof. Dr. Nikolaus Forgo
HANDLE WITH CARE - BUT DON'T PANIC
CRIMINALISATION OF HACKER TOOLS IN GERMAN CRIMINAL LAW AND ITS EFFECT ON IT SECURITY PROFESSIONALS
Dennis Jlussi, University of Hanover

Implementation of § 202c StGB

§ 202c StGB (StGB = Strafgesetzbuch, German Criminal Code) was introduced by the 41st amendment to the Criminal Code (41. StrÄndG) and has been in effect since August 11. The 41. StrÄndG also amended §§ 202a, 202b, 303a and 303b StGB, which in substance criminalise illegal access to data, interception of and interference with data, and sabotage of computer systems, and so make up the core computer crimes. § 202c criminalises the preparation of those computer crimes by producing, procuring or distributing hacker tools. § 202c is Germany's transposition of Article 6 of the Council of Europe's Convention on Cybercrime, but the express exception for IT security testing in Article 6 (2) of the Convention has not been transposed. Therefore there is legal uncertainty among IT security professionals and concern about possible criminal proceedings. These concerns are not without reason: Article 6 (2) was not transposed into the wording of § 202c, and the German legislature could not draw on settled legal practice, as there is no relevant case law from the higher courts on long-existing similar preparation offences (e.g. devices for counterfeiting banknotes or passports). Nevertheless, the risk of criminal liability can be minimised by complying with a few guidelines. So, in summary, there is no reason to panic, but hacker tools should be handled with care.

Avoid the use of hacker tools

§ 202c names two classes of hacker tools: passwords (and similar access codes) on the one hand and, on the other hand, computer programs whose primary purpose is the commission of computer crimes (§§ 202a, 202b, 303a, 303b). This is determined by the objective intended purpose, i.e. the purpose that would be obvious to a neutral and competent person.
Therefore, commonly recognised IT security tools are not hacker tools, even if they can also be used with bad intent (dual-use tools). On the other hand, malware and exploits are within the scope of § 202c, as the objective purpose of those programs is harmful, even though they can also be used for testing. Also, sharing information in human language is not a crime; descriptions of algorithms and procedures can legally be distributed among IT security professionals. Therefore, common IT security tools and descriptions in human language should be preferred where possible.

Get an explicit authorisation

If a hacker tool has to be used, an explicit authorisation is needed as justification. But in German criminal law, § 202c already protects against abstract endangerment. When a crime is merely prepared, there is no effect on any intended victim's individual rights. Therefore, consent to the acts covered by § 202c as such is legally impossible. Nevertheless, § 202c requires the preparatory act to further an intended computer crime (§§ 202a, 202b, 303a, 303b). Justification by consent in terms of those sections is possible; if there is such consent, there cannot be any intent to commit a computer crime, and therefore the preparation is legal. The authorisation has to be issued by a person with the respective authority or power of attorney; if corporate computer systems may be used by staff for private purposes, the works council should also be involved.

Journalise and secure the usage

To be able to counter any criminal proceedings, the procurement (including free downloads) and the intended use of hacker tools should be journalised, as well as the actual use; the journal should be permanent and inalterable. Furthermore, unauthorised use of hacker tools should be prevented by secure storage and file access permissions.
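The following is an added example, not code from the author, EICAR or any legal authority, of one way to implement the "permanent and inalterable" journal recommended above. Each entry records who did what (procure or execute) with which tool, identified by the SHA-256 of the file, under which written authorisation and for what purpose, and carries the hash of the previous entry, so that altering, inserting or deleting an entry breaks the chain. The actors, tool name and authorisation reference are constructed for illustration.

```python
"""Tamper-evident journal for the procurement and use of hacker tools.

Added example; not code from the article's author, EICAR or any legal
authority. Actors, tool names and authorisation references below are
constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # stands in for the 'previous hash' of the first entry


def _digest(fields: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace) so hashes are reproducible."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def file_sha256(data: bytes) -> str:
    """Fingerprint of the tool artefact itself, so the journal names the exact file procured."""
    return hashlib.sha256(data).hexdigest()


def append_entry(journal: List[dict], actor: str, action: str, tool: str,
                 tool_sha256: str, authorization: str, purpose: str,
                 when: Optional[str] = None) -> dict:
    """Append one entry chained to the previous one; returns the stored entry."""
    entry = {
        "seq": len(journal),
        "time": when or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,                 # "procure" (incl. free download) or "execute"
        "tool": tool,
        "tool_sha256": tool_sha256,
        "authorization": authorization,   # reference to the written consent of the system owner
        "purpose": purpose,
        "prev_hash": journal[-1]["entry_hash"] if journal else GENESIS_HASH,
    }
    entry["entry_hash"] = _digest(entry)  # hash over every field above
    journal.append(entry)
    return entry


def verify(journal: List[dict]) -> Tuple[bool, int]:
    """Re-walk the chain. Returns (True, -1) if intact, else (False, index of first bad entry)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(journal):
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (entry.get("seq") != i
                or entry.get("prev_hash") != prev_hash
                or _digest(fields) != entry.get("entry_hash")):
            return False, i
        prev_hash = entry["entry_hash"]
    return True, -1


def demo_journal() -> List[dict]:
    """Three constructed entries: download an exploit, run it twice under one authorisation."""
    journal: List[dict] = []
    exploit = b"constructed bytes standing in for a downloaded exploit script"
    auth = "Written test authorisation TA-2008-03 from the system owner (constructed reference)"
    append_entry(journal, "j.doe", "procure", "example-exploit.py", file_sha256(exploit),
                 auth, "penetration test of internal web server", "2008-03-03T09:00:00+00:00")
    append_entry(journal, "j.doe", "execute", "example-exploit.py", file_sha256(exploit),
                 auth, "test run against staging host", "2008-03-03T10:15:00+00:00")
    append_entry(journal, "j.doe", "execute", "example-exploit.py", file_sha256(exploit),
                 auth, "re-test after patch", "2008-03-04T08:30:00+00:00")
    return journal


if __name__ == "__main__":
    j = demo_journal()
    print("intact:", verify(j))
    j[1]["purpose"] = "edited after the fact"
    print("after tampering:", verify(j))
```

A hash chain proves order and integrity of everything up to the newest entry, but it cannot by itself reveal that the newest entries were cut off. Keep the latest entry hash somewhere the person keeping the journal cannot change alone (append-only storage, a copy signed by a colleague, or an external timestamping service), and apply the file-permission advice above to the journal as well as to the tool store.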
There is no way, and never has been, to prevent prosecutors from being overeager. But by complying with these guidelines, IT security professionals can continue doing their jobs without worry.

Situation in other countries

The Cybercrime Convention has been signed by 43 member and observer states of the Council of Europe, including all EU member states, Japan and the US. Although the transpositions into national criminal law differ, it is likely that analogous problems occur and similar measures have to be taken by IT security professionals. A detailed statement by the author (in German) can be downloaded as JLUSSI_LEITFADEN_web.pdf.

MICROSOFT SECURITY INTELLIGENCE REPORT, VOLUME 4
Richard Saunders, Microsoft

Microsoft Corporation has made a significant investment over the past few years in researching and combating malicious and potentially unwanted software, and in developing technology to help customers mitigate the security risk it creates. As part of this investment, Microsoft created a dedicated antimalware team that is responsible for researching malicious software (or "malware") and potentially unwanted software. This team is also responsible for the release and maintenance of the Microsoft Windows Malicious Software Removal Tool (MSRT) and Windows Defender. The report provides Microsoft's view of the security threat landscape over the six-month period of July through December 2007. Like previous editions, it examines software vulnerabilities (in both Microsoft and third-party software), software exploits, malicious software and potentially unwanted software. In addition, this volume provides insight into spam and phishing, and includes a detailed look at Win32/Nuwar, also known as the Storm worm. This volume also includes a section on security breaches.
Below is a summary based on the report's key findings; the full report is available at www.microsoft.com/sir.

Key Findings

The total amount of malware removed from computers worldwide via the MSRT continued to increase during the second half of 2007. By the end of this period, the MSRT executed on more than 450 million unique computers per month worldwide, resulting in the removal of malware from one out of every 123 computers each month.

The second half of 2007 showed a decline in new vulnerability disclosures of 15 percent. In addition, total vulnerability disclosures decreased by 5 percent overall in 2007.

In a product-by-product comparison during the last report period, newer Microsoft products appear to be at less risk from publicly available exploit code than older products. This is especially notable for Microsoft Office.

During the second half of 2007, there was a 300 percent increase in the number and proportion of trojan downloaders and droppers detected and removed. This increase is larger than the significant increase observed between the second half of 2006 and the first half of 2007, which suggests that this malware category is becoming the tool of choice for some attackers.
Between July 1 and Dec. 31, 2007, the potentially unwanted software detected by the MSRT resulted in 71.7 million removals. These figures represent increases of 66.7 percent in total detections and 55.4 percent in removals over the first half of 2007.

Additional Findings

Software Vulnerabilities

The second half of 2007 marked a decline in the disclosure of high-severity vulnerabilities, while the full 2007 calendar year's high-severity disclosures continued to rise relative to previous years. Vulnerabilities requiring a low level of complexity to exploit continued to decrease in the second half of 2007, meaning the high-severity vulnerabilities disclosed are relatively harder to exploit, requiring at least some level of specialisation.

Security Breaches

Exploits, malware and hacking accounted for no more than 23 percent of all security breach notifications recorded from 2000 through 2007, and for only 13 percent of security breach notifications during the second half of 2007. In the second half of 2007, 57 percent of the publicly disclosed security breaches involved lost or stolen equipment.

Malicious Software

Malicious software has become an established tool for criminals, in pursuit of profit, to target hundreds of millions of computer users worldwide. The MSRT has proportionally cleaned malware from 60 percent fewer Windows Vista-based computers than those running Windows XP Service Pack 2. Similarly, the MSRT has proportionally cleaned malware from 91 percent fewer Windows Vista-based computers than those running Windows XP without any Service Pack installed. The prevalence of rogue security software continues to increase, with many common families delivered by trojan downloaders and other malware, as well as by conventional social engineering methods.
The most prevalent rogue security software detected in the second half of 2007 was Win32/Winfixer, with more than five times as many detections as any other single family. As a general rule, more malware is found by the MSRT in developing countries and regions than in developed ones. Win32/Nuwar, called the Storm worm by some antivirus vendors, is a family of sophisticated trojan droppers and associated components. By continually updating and adapting Win32/Nuwar to thwart detection and removal efforts, its authors have created a botnet estimated to consist of more than half a million infected systems worldwide.

[Figure: Malware detections by country/region]
During the second half of 2007, the Win32/Nuwar authors continued to adapt their attacks both technically (by updating and developing the binary components that make up the Nuwar family of malware) and socially (by tailoring e-mail pitches and finding different ways to leverage the botnet's ability to send spam). The second half of 2007 was a period of consistent permutation and innovation for this threat.

Phishing

Phishing is still predominantly an English-language phenomenon. Typically, between 75 percent and 80 percent of the active phishing pages tracked by the Microsoft Phishing Filter in the second half of 2007 were English-language pages, with European languages such as Italian, Spanish, German, French and Turkish accounting for much of the remainder. Once predominantly e-mail-based, phishing attempts are increasingly being posted to social networks, exploiting the trust users place in these networks and in the social contacts developed through them.

Potentially Unwanted Software

Adware remained the most prevalent category of potentially unwanted software in the second half of 2007, increasing by more than 66 percent, from 20.6 million to 34.3 million detections. The top potentially unwanted software family detected in the second half of 2007 was Win32/Hotbar. Similar to the malware infection trends observed across Windows operating systems, significantly less potentially unwanted software such as spyware and adware was found on Windows Vista-based systems than on those with Windows XP Service Pack 2.

[Figure: Potentially unwanted software detections by country/region]

Source: Microsoft Security Intelligence Report volume 4, www.microsoft.com/sir. Note: the disinfection figures in this table include disinfections for a comprehensive list of categories of potentially unwanted software beyond the top-five list used in other parts of the report; this difference explains the differences you may see between this table and other figures in the report.

FIVE STEPS TO IMPROVE YOUR ANTIVIRUS DEFENSE
Eddy Willems

One of the most important security issues service providers and value-added resellers (VARs) can discuss with customers is their antivirus protection strategy. After all, viruses are an indiscriminate security threat. A lot of smaller companies don't worry about security because they are not likely targets for hackers. Viruses are so common, though, that infections can occur in big companies, small companies and at home. This checklist provides five steps to walk through with customers to gain a better understanding of their antivirus protection strategy and to help correct deficiencies.

1. Verify that customers are using antivirus software
This one sounds obvious, but the first step to take with customers is to find out whether or not they are using antivirus software. When Microsoft released Windows Vista, most of the antivirus programs written for Windows XP no longer worked. I know of at least one major company that temporarily did away with its antivirus software so that it could move forward with a Vista deployment. I'm sure this is by no means common, but it does happen. Vista-compatible antivirus programs are plentiful now, and there is simply no excuse for leaving a PC unprotected. You may find, though, that you have customers who have simply forgotten that some of their PCs are unprotected.

2. Make sure antivirus software is up to date

After you verify that your customer has antivirus protection software, make sure it's up to date. Smaller companies without a dedicated IT department often lack a true understanding of antivirus software. In such environments, you may find that people assume that once they are protected, they will always be protected. It's important that your customer understands that new viruses are constantly being discovered, and that they must routinely update their antivirus software in order to remain protected.

3. Check how updates are being applied

Next, check how antivirus updates are being applied. This may sound trivial at first, but it is a very important step in an antivirus protection strategy. Some organizations centrally manage antivirus definitions and automatically push them to the desktop; others allow each PC to download antivirus updates individually. If individual workstations are configured to download AV updates, it's important that updates are applied in a reliable manner. I've seen plenty of cases where end users are ultimately responsible for approving updates. In this situation, there are always a few machines left unprotected.
I've also seen situations where PCs are configured to download updates late at night. Unfortunately, half of the users turn off their PCs at the end of the day, and the updates are never downloaded. Today, most of the antivirus software on the market has evolved to the point that the situations I've described don't apply. Even so, these types of situations are still sometimes an issue, and service providers need to make sure that customers are adequately protected.

4. Use multiple scanning engines or defenses

You need to find out whether customers are using multiple antivirus scanning engines. The basic idea behind using multiple scanning engines is to apply new virus signatures as soon as possible. When a new virus is discovered, the antivirus vendors eventually come out with a signature for it, but you never know which antivirus company will be first. By using scanning engines from multiple vendors, you improve your chances of getting signatures for newly discovered viruses as quickly as possible. Most antivirus programs are designed so that they cannot be run alongside one another, so try to have one other product or engine at another level. One option is to use one antivirus product on desktops and a product from a different company on servers. When you use this type of model, no one machine is actually running multiple scanning engines, but you are still creating a two-tier protection model.

5. Check your customers' antivirus licences

One more important antivirus issue to take up with your customers is whether or not they have enough licences to cover all of the antivirus software in use.
Most companies add PCs and servers over time, and it's easy to forget that these new machines require software licences. You can increase revenue while protecting your customers from piracy-related legal issues by helping them understand the importance of purchasing a sufficient number of software licences.

QUESTIONS & ANSWERS

In this new column you can get answers from the specialists themselves. If you have questions or problems related to anti-virus or security, please send them to us, and we will try to pass your questions on to the most respected specialists in the anti-virus and security world. No questions were received this time.

WHAT MEMBERS COULD DO!

We ask you to send your statistics or incidents to us. Also, if you are looking at a new undetected specimen or if you have problems with a document, spreadsheet or executable which could be infected, please send it to us in a zipped file to the address vsample at wavci dot com. In case of infection we can provide you with a solution within a few days of receiving the sample. The samples and the reported statistics or incidents will be used as input for our report to the WildList.

VIRUS PREVALENCE TABLE TOP 10 (February 2008 version)
1. W32/Netsky
2. W32/Bagle
3. W32/Mytob
4. W32/MyWife
5. Psyme Trojan
6. Small Trojan
7. W32/Mydoom
8. W32/Lovgate
9. W32/Stration
10. W32/Zafi
(Virus families)

WHY WE DON'T HAVE FEDERATED CONSUMER ONLINE IDENTITY
Mike Davies, VeriSign

What is a federated consumer online identity? The general idea is that a consumer would have the ability to log on to one site and then automatically be able to log on to a different site with the same credentials (i.e. his or her identity would be transferable across multiple sites without the need to prove who that person is all over again).
This of course makes the whole online commerce experience much easier and safer for the consumer and reduces the fraud that online companies experience.

Why don't we have it now?

I was involved in consumer authentication early on. We were going to change the world with federated consumer online identities based on Public Key Infrastructure (PKI) technology. We didn't. The reasons that my organisation at the time, and others since, failed are multiple, but the major reason, I think, is something called identity proofing.

Identity proofing

Identity proofing refers to the process of deciding that the person who wants to open an online account at a site is really who they say they are. Think about an online book reseller such as Amazon. They ID-proof a consumer by asking for valid credit card details with accompanying address data. That is fine for Amazon, but if that consumer then wanted to apply for a loan at an online bank they had no previous relationship with, the details provided to Amazon would not be enough for that bank to approve the loan. In other words, the ID proofing needed for consumers at different sites varies. And ID proofing is expensive and time-consuming. Imagine buying that book at Amazon: would you want to go through the same process that you did for an online loan in order to buy a book?

What isn't different between the online book reseller and the online bank is the way the account is accessed after it has been set up: usually a username and password, sometimes referred to as the first factor of authentication. At sites such as online banks, the consumer might also be asked for a second factor of authentication, such as a password that can only be used once, generated from a token (e.g. PinSentry from Barclays in the UK), or a password from a number grid (e.g. the TAN system in Germany). This second factor adds another layer of security which makes it very hard for a consumer's account to be taken over by a fraudster through techniques like phishing.

As banks around the world have started to introduce second-factor authentication, the fraudsters have started to move towards other, easier phishing targets like national tax revenue agencies, online gaming and gambling, and even motorists' associations! This trend will continue, as fraudsters go for the sites with the weakest security. So given that, I think it is fair to say that almost any online site where there is value to a fraudster in gaining access to an account will start to experience this. This means that although the ID proofing element on each site may be different, the authentication methods used to access the account are becoming a shared problem.

Now, when we take ID proofing out of a federated online identity, we can start to see that the remaining authentication elements can actually be federated. Look at OpenID, which federates the first factor of authentication (username and password) across any site a consumer interacts with. Look at OATH (openauthentication.org), which federates the second factor of authentication across any site a consumer interacts with. I don't believe we will see a federated consumer online identity anytime in the near future, but as with any problem, by breaking it down into smaller chunks we can start to see major progress towards our goal of making it easy for a consumer to have secure online relationships which are easy for them to manage.

About the Author

Mike Davies is Director, Identity and Authentication Services for VeriSign in Europe. More of Mike's thoughts on consumer authentication can be found on his blog.
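The "password which can only be used once, generated from a token" and the OATH reference above are, at the algorithm level, HOTP (RFC 4226), the event-based one-time password that OATH standardised. Below is an added example, not code from the author, VeriSign, OATH or any bank, showing the token side (computing the code from a shared secret and a counter) and the site side (accepting a code only if it matches one of the next few counter values, then moving past it so a replayed code is refused). The shared secret is the RFC 4226 Appendix D test secret, not a real key, and the look-ahead window of 5 is an assumed policy value.

```python
"""HOTP (RFC 4226): OATH event-based one-time passwords, token and verifier side.

Added example; not code from the article's author, VeriSign, OATH or any
bank. TEST_SECRET is the RFC 4226 test vector secret, not a real key.
"""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret ("12345678901234567890" in ASCII).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Token side: HMAC-SHA-1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)                 # counter as 8-byte big-endian integer
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low 4 bits of the last byte pick a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros, e.g. "042356"


class HotpVerifier:
    """Site side: shared secret plus the next counter value the site expects."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value we expect from the token
        self.window = window      # how many unused token presses to tolerate (assumed policy)

    def verify(self, code: str) -> bool:
        """Accept a code for any counter in [counter, counter + window), then move past it."""
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # resynchronise; the used value can never be accepted again
                return True
        return False                   # wrong code, replay, or token too far ahead


if __name__ == "__main__":
    token_counter = 0
    site = HotpVerifier(TEST_SECRET)
    first = hotp(TEST_SECRET, token_counter)
    print("code", first, "accepted:", site.verify(first))
    print("same code again accepted:", site.verify(first))  # replay is refused
```

Two points the article's description leaves implicit show up in the code: the site must store per-user state (the counter), which is why a third party like an OATH-compatible validation service can take this on for many sites at once, and the window is a trade-off between tolerating a user who pressed the token button without logging in and giving an attacker more codes to guess per attempt.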
STRATEGIES FOR ITIL SUCCESS: OVERCOMING RESISTANCE TO CHANGE
George Spalding, Pink Elephant; Ken Turbitt, BMC Software; Atwell Williams, BMC Software

According to Sharon Taylor, chief architect of IT Infrastructure Library (ITIL) Version 3 (V3), ITIL is more than a series of processes that can be automated. She said the cultural part of ITIL cannot be automated. What Taylor is saying is that you cannot achieve instant success by simply building an ITIL-based repertoire of processes and deploying technology to support them. Success happens only if you also address the people side of the ITIL equation, along with the process- and technology-related issues. ITIL V3 focuses on how organizations can adopt consistent, repeatable processes for managing IT, integrate them across the IT organization, and understand how they touch business processes and services. Unfortunately, many organizations are so bogged down with day-to-day tasks that they don't have the resources to develop standardized, repeatable, integrated processes for operations and support. In these environments, IT staff members tend to create their own processes, and they are reluctant to give them up. This approach, unfortunately, promotes solo acts instead of teamwork, so it undermines integration and efforts at collaboration. Moreover, it reinforces a siloed approach to IT management. Resistance to change is perhaps the biggest obstacle to ITIL success. Promoting behavioral change is important to increasing the adoption of ITIL. Fortunately, it doesn't have to be a big-bang cultural change. In fact, a phased approach to ITIL adoption is best because it allows you to address people-related challenges through incremental behavioral changes. Business Service Management (BSM), an approach based on managing IT from a business perspective, facilitates ITIL adoption and promotes culture change.
Defined and recommended within ITIL V3, BSM is an approach to running IT that combines best-practice IT processes and automated technology management with a shared view of how IT services support basic business priorities. With a BSM-focused approach and our six strategies for success, you can guide your IT staff through ITIL adoption with minimum disruption and pain.

Strategy #1. Tackle Resistance to Change

The key to getting people past resistance to change is managing objections effectively. To do that, you must first find out what the objections are, and then address and counter them in positive ways. You'll need a mandate from top management, because it tells people that the change is inevitable. However, you still need to motivate people by showing them how the change will benefit them. An ITIL-based approach supported by BSM technology offers numerous advantages:

Automating repetitive tasks and approaching more activities with business impact in mind enables IT people to perform their jobs more effectively and more easily, and with measurable and demonstrable results.

IT staff add valuable skills to their repertoire when they learn industry best practices and gain a higher-level view of IT that enables them to better relate IT to the business.

IT staff can demonstrate their contributions to business value using metrics that business managers understand. This raises the visibility of IT value and of the individual contributor's value to the organization, increasing job security.