Category: cybersecurity

Posted on

Prey or Empowered? Small Businesses and IT Security

Now more than ever, small businesses need to be vigilant with their information technology security. Small businesses may not be the big fish in the sea, but there are plenty of them out there to catch. Small businesses tend to make the best targets because they often fail to perform security audits, they may not be willing to invest in the resources needed to protect themselves, and they frequently don’t even carry the right insurance coverages. To hackers, small businesses are easy prey.

“Don’t think you are too small to be affected,” says Erik Knight, the founder and CEO of SimpleWAN. “Every place you have an employee or office is a potential entry point. Take it seriously; if you have something worth taking, a hacker will try to take it.”

https://www.forbes.com/…

There are a few things every business can do to improve the security and privacy of their data. It isn’t an option any longer; these are essential elements in an overall security strategy that can make the difference between staying in business and not.

Use strong passwords, not easy-to-guess words, phrases or sequences (1234 is not a strong password). Passwords should be unique, more than 8 characters in length, and have a mix of numbers, letters, and special characters.

Keep software updated. Whether it is the operating system on your computer or the software you use to write letters, having up-to-date software matters. Developers don’t just upgrade software to fix bugs or introduce new features; software often gets updated because of security issues or vulnerabilities.

Keep networks and connected devices secure to make sure that the computers and connections aren’t introducing weaknesses into your system. Not only are password controls and software updates needed, but firewall security and good anti-virus/anti-malware solutions are also a must. Keeping an eye on the server matters, but the connecting points and end points are where many vulnerabilities exist.

Set up two-factor or multi-factor authentication to further secure logins. 2FA and MFA is like having ID besides just your driver’s license to prove you are who you say you are. Your password, like your DL, is just one factor; you need one more thing to prove your identity for 2FA, like a code from your phone or maybe your fingerprint. The point is that there should be more than just a username and password to access important data.

Restrict use of personal email or social media on work devices. This gets a little trickier with smaller businesses, as many don’t or can’t support providing users with all company-owned devices. There are tradeoffs to allowing users to bring their own devices (byod) versus using company-owned devices. When mobile devices are part of the mix along with desktop and portable computers, it becomes even more complicated and the risk potential increases.

Use encryption for data in transit and data at rest. Encryption is like scrambling the data and then unscrambling it when you access it. In transit, data may be encrypted by a VPN so that it is protected over the wire (in motion) as it is sent and received on the network. RDP is also encrypted, but this remote access method’s main purpose is to keep the data from leaving the server in the first place. At rest, like when it is sitting on a hard drive or other storage location, data can also be encrypted. To open the file or file system, you need a key to decrypt it.

Keep all data backed up and create a way to rapidly recover your server and systems in the event of failure or compromise. Backups are great right up until you find they are as damaged or unrecoverable as your main system, so make sure to have a policy of testing your backups periodically. There are many ways to back up and protect your data, including external drives and cloud storage. If data gets lost or corrupted, you want to be able to restore it from a backup. Regularly audit your backup and data security practices to help identify weaknesses that make the business vulnerable.

Educating employees on the importance of cyber security is among the most important steps a business can take to protect itself. Keeping passwords secure and secret, knowing how to spot a phishing email and what to do and not do with it, not clicking on suspicious links in emails, not sharing personal or confidential information online, and what to do in the event of a breach are all things that should be regularly discussed with workers and supported by written policies.

Managed Azure cloud servers from Noobeh help you keep your business information more secure. Our services demand high levels of security and privacy, and we help our customers keep their data and systems safer and more secure by handling some of the requirements for them.

  1. Strong password policies and MFA is our standard setup, and software updates and patching are part of the service.
  2. Working on the cloud server keeps data on the server and not traversing the network or downloading to individual PCs, so information stays secure and separate from whatever a user runs on their local devices.
  3. Data on the Azure virtual machines is encrypted at rest, and additional encryption is available to add more layers of protection. Data in motion is encrypted, but very little data actually traverses the wire.
  4. Servers and data are backed up regularly with snapshots and file level backups, allowing for simple file restores as well as comprehensive system recovery.

For small businesses, Noobeh has the solution for creating a more secure and better protected IT environment where applications and data can be available to those who need them without compromising the investments already made in training and process development. Moving software and data to a private cloud server allows companies to continue using the software they rely on, just in a better way. Instead of being easy prey to hackers, our customers benefit from higher levels of IT administration, management and protection that empowers them to work the way they need to – any time, anywhere.

jm bunny feetMake Sense?

J

Posted on

ZERO TRUST – Every Email is Suspect

Electronic mail has become a standard for communications around the globe. Email can contain not just text, but can deliver documents, photos and videos and other media. Email allows people to contact others at any time and respond on their own schedule. Where previous methods of communicating with someone far away were expensive and time-consuming, email allows people to stay in touch no matter where they are as long as they can connect to the internet.

Yet email is not a fully secure communication medium, and a lot of people are just now figuring out just how vulnerable they may be. What was once considered a trusted means of communication has now become something to be suspicious of. For most users today, it is best to approach emails with a high degree of suspicion (zero trust), especially if they ask for personal information or contain links or attachments.

With email, someone could intercept the messages or even store messages without your knowledge or control. The smallest human error can have ripple effects that turn into waves of trouble because messages cannot usually be taken back. And then there are the threat actors, of which there are too many and they are far too clever.

Phishing has become a highly popular method of cyber-attack, probably because it works so well. It involves tricking people into giving away sensitive information like credit card numbers, social security numbers, and passwords. Phishing is fueling (phueling?) opportunities for malware infections and identity theft which can lead to financial loss, reputation damage and more. Any information an attacker can gain helps them get even more information and go deeper into the organization.

Protecting against phishing attacks requires vigilance and following best practices such as using strong and complex passwords, and two-factor or multi-factor authentication (MFA). Also, it is crucial that users avoid clicking on links in emails, and everyone should verify the email authenticity before responding, especially if sensitive information is involved.

To check the identity of the sender, mouse over (put your cursor over) the email address and it may show you the actual sender address. While the email may say the message came from somebody you know, you may find that the actual sender address is an obscure email address you don’t recognize.

Mouse over links in the email but don’t click on them. When you hover your cursor over the link, it may show you the actual url the link goes to. Like with email addresses, links can be named something other than the actual url. If it is a url or website name you recognize and trust, then type the url into your browser instead of clicking on the link, just in case.

Use multiple channels for communication. This means you should not just communicate with co-workers and others using email. It is always a good idea to have some other form of trusted means of communicating with someone, such as via telephone or a messaging application. When you receive an email requesting sensitive information or an email with file attachments, you should communicate with the sender on one of your other communication channels to verify the authenticity of the email or attachment.

Never ask the sender to verify their identity over the same channel as the original communication. If it is a hacker, you’ve just verified to them that they reached their target.

jm bunny feetMake Sense?

J

Posted on

QuickBooks Desktop Enterprise 2024 Security Improvements: Now with 256-bit encryption

Intuit’s release of QuickBooks Enterprise and other desktop editions for 2024 have a variety of new features, and among them is an improved level of security for your business data. Upgrading from 128-bit encryption, QuickBooks Desktop 2024 now has AES 256-bit encryption.

256-bit encryption is the strongest and most robust encryption standard commercially available. It’s widely used because it’s virtually impenetrable to brute-force attacks. 256-bit encryption is an encryption technique that uses a 256-bit key to encrypt and decrypt data. Plain text is converted to a cipher, and the encryption key is required to decrypt the data and return it to readable plain text.

256-bit encryption is used in most modern encryption algorithms, protocols, and technologies, including AES in wireless security, processor security, file encryption, and SSL/TLS.

According to Intuit, “You can be confident your data is protected with our enhanced security using industry-leading AES 256-bit encryption. QuickBooks safeguards your reputation by protecting critical customer and vendor data, such as business financials, banking information, and credit card details.

This means we translate your information into a code that only we can read to make sure only you and Intuit have access to your information. The type of encryption we use is called AES-256 (Advanced Encryption Standard with 256-bit keys) and it ensures the highest level of cryptographic security.”

With a series of robust security steps and a complex 256-bit decryption key, AES 256-bit standard is nearly impossible to break using brute-force methods and has been approved for the handling of confidential data by the U.S. Government.

A brute force attack is when a hacker tries different combinations until they arrive at the correct combination – the key. The larger the key size, the more difficult it becomes to break the encryption. We’re talking about 256-bit keys. There are 984,665,640,564,039,457,584,007,913,129,639,936 (that’s 78 digits) possible combinations. Even if you use Tianhe-2 (MilkyWay-2), which was the 4th fastest supercomputer in the world in 2022, it will take millions of years to crack 256-bit AES encryption.

In case you’re interested: The fastest supercomputer in the world, ranked in June 2023, is Frontier, an HPE Cray EX system run by the US Department of Energy, Frontier incorporates 3rd Gen AMD EPYC™ CPUs representing 8,730,112 cores that have been optimized for high-performance computing (HPC) and AI with AMD Instinct™ 250X accelerators and Slingshot-11 interconnects. Its HPL benchmark was 1.194EFLOPS (EXA – 1 quintillion – floating point operations per second). (via networkworld.com). Frontier is faster than Tianhe-2, so breaking the key could take a little less time.

Breaking encryption with no known flaws is kind of like guessing a password. If you make enough guesses, you might eventually get the password right. With strong encryption, this can take a long time. AES-256 is the most secure version of AES and is virtually unbreakable by brute force based on current computing power. It’s also considered quantum-resistant, which means that quantum computers aren’t expected to crack the cipher.

How long would it take to crack 128-bit encryption using a brute force attack? Most security professionals would answer “1 billion years”, but that’s just an estimate. A machine that can crack a DES key in a second would take about 149 trillion years to crack a 128-bit AES key. According to researchers, with the right quantum computer, AES-128 would take about 2.6110^12 years to crack, while AES-256 would take 2.2910^32 years. For reference, the universe is currently about 1.38×10^10 years old, so cracking even an AES-128 encryption with a quantum computer could take hundreds of times longer than the universe is believed to have existed.

While Intuit is improving the security of the information it stores and transmits between its systems, your company should be equally concerned with the security and protection of all your business applications and data. Using strong password policies, multi-factor authentication, and SSL for secure web app access, Noobeh’s QBonAzure services provide layers of protection on top of the $20Bn in security investments made by Microsoft.

We take data security seriously, providing solutions to address access, security, privacy and protection for business applications and data. When your QuickBooks Enterprise deployment needs a solid foundation that offers agility and performance as well as strong platform security, we have that.

Visit MendelsonConsulting.com/cloud to learn more.

jm bunny feetMake Sense?

J

Posted on

Business Data Loss is a Growing Problem

The portable computer was the secret business weapon of yesterday and is today’s essential business tool. The processing power, portability, storage, and connectivity available with laptops, tablets and smartphones has created a seamless extension to the office. Business users can work with their applications and data from just about anywhere. While mobile devices are valuable when it comes to conducting business, they also pose additional security risks. Increased efficiency, mobility, and accessibility can also mean an increased potential for a data breach or business data loss.

The workforce of today is mobile enabled. Business users, owners and managers, accounting advisors and business consultants can access all the information and analytical capability they need to perform their jobs and make informed business decisions, capturing and collecting important information while keeping productivity at the highest levels no matter where they are.

“87% of businesses rely on their employees to use their personal mobile devices to access company apps”, according to a post by Perillon. Some studies have estimated that as much as 80% of the data a company has (like customer files, contracts, financial data, product specifications) might be stored on portable devices. This means that mobility comes with risk, which is why Mendelson Consulting and Noobeh cloud services utilize cloud-based platforms and services to keep data safe and secure.

According to business data loss statistics compiled by Businessdit.com, the two most common causes of data loss are hardware failure (40%) and human error (29%). Overall, malware causes 35% of all data loss, taking advantage of the 21% of files that businesses are not protecting at all.

The stats show that it takes approximately 206 days on average to even detect a data breach, the costs of downtime and losses average around $1,410 per minute for small businesses, and 22% of SMBs close after a ransomware attack.

Data loss or theft can create big business and legal problems, too. Customer or client privacy may be compromised, sensitive information may be exposed, and confidential plans may be made public if a business doesn’t take steps to secure mobile data.

“The average cost of a data breach in 2021 was $4.24 million. That’s a huge increase from the $3.86 million cost in 2020. And it’s only going to get more expensive in the future. Companies need to be prepared to deal with the fallout from a data breach, which can include everything from legal costs to damage to their reputation.”

Businessdit.com

There’s an old saying that there are only two types of businesses: those who have lost their data and those who will. Imagine the potential chaos, risk exposure, reputation damage and the expense of losing your valuable business data or having it exposed to unauthorized parties.

While computing mobility delivers a host of advantages to the business and the user, care must be taken to ensure security, privacy, and confidentiality of the business information and protecting against business data loss.

Increased exposure to liability is a reality for any mobile business, and the risk is only multiplied by the number of systems a company has in the field. Smart businesses reduce risk by deploying secure yet versatile platforms for their workers that allow data to be stored and protected in centralized environments rather than on individual computing devices.

Via the cloud, businesses of all kinds are reaping the benefits of new and innovative service delivery, achieving the freedom and functionality a mobile working model demands. Mendelson Consulting and Noobeh cloud services have the cloud solutions and managed IT services that provide the mobile capability businesses need, but with the additional protection, additional security, and ongoing management that the value of the data demands.

jm bunny feetMake sense?

J

Posted on

QBonAzure: QuickBooks on Microsoft Azure Delivers Great Success for Small Business


For any business, the resilience and agility of IT systems can mean the difference between performing adequately and performing with great success. When a business elects to run their QuickBooks applications and data on the Microsoft Azure cloud via QuickBooks on Azure (QBonAzure) from Noobeh, they gain numerous advantages not available with locally installed IT.

Microsoft Azure is a highly available platform, meaning that it has built-in redundancy to ensure that applications and data are always accessible, even in the event of a hardware failure. Businesses running on the platform never have to worry about whether or not their server is aging and may fail due to hardware issues.

The platform also allows Noobeh to easily scale each client’s system up or down as needed, without the need for additional installation work. This allows each client business to quickly respond to changes in demand and grow their operations as needed.

With Microsoft Azure, Noobeh can provide from a broad range of security features that are built-in as well as enhancing protection with advanced features and services from Azure, Microsoft 365 and more. This all goes to help protect against data breaches and unauthorized access to sensitive information.

Azure has a global footprint, with data centers in multiple regions around the world. Noobeh provides services from all US-based Microsoft Azure regions, allowing businesses to host their QuickBooks in the location closest to their users, reducing latency and improving performance.

Azure also offers a wide range of services that may be integrated with QuickBooks or other business data, such as analytics, artificial intelligence, and machine learning. This allows businesses to gain deeper insights into their financial data and make more informed decisions.

For businesses focused on compliance, Azure meets a wide range of industry standards and regulations, such as HIPAA, SOC 2, and PCI DSS. This can help businesses meet their compliance requirements and avoid penalties.

Overall, hosting QuickBooks on the Microsoft Azure platform can provide businesses with high availability, scalability, security, global reach, integration, and compliance advantages that can help them run their operations more efficiently and effectively.

Noobeh cloud services and QuickBooks on Azure utilize only the Microsoft cloud for their client deployments so that each business client has the benefits of big enterprise technology without the big enterprise price.

jm bunny feetMake Sense?
J

Posted on

4 Rules of Thumb for Better IT Security

Your business is a target. The simple fact of being in business makes it so. There are a lot of bad actors out there who will go to great lengths to get your personal and financial information, and they have many different and innovative approaches to get it. There are some small steps any business can take to make a big impact in protecting business data.

Here we present our 4 Rules of Thumb for better IT security; a starting place if you’re looking for somewhere to begin.

We can’t stress enough that every business should make it a priority to implement some basic information/technology security standards and regular employee training. Having more discussion on the subject helps everyone in the company learn and shows that management is paying attention. Remember that business data isn’t just word documents and spreadsheets. It’s banking and financial and other information, employee information like social security numbers and direct deposit info, customer, vendor information and more. For even a small business, the possibility data exposure or loss isn’t trivial.

NOOBEH cloud services works to keep your QuickBooks on Azure cloud deployment more secure in a variety of ways, but we always start with a few essential policies. These rules and policies can mean the difference between a small IT annoyance or catastrophic failure and data encryption, loss, or exfiltration. If you haven’t implemented these four essential policies in your business IT environment, today is the day to start.

  1. Always use strong passwords, at least 10 to 12 characters, and make them complex. Require passwords to be updated periodically. Don’t reuse passwords and avoid common words or phrases.
  2. Don’t let users operate with permissions greater than required. In applications, consider restricting functionality based on the role or job requirements. On servers and PCs (Windows, Mac, whatever), make sure users are operating as “standard” users rather than system administrators. When you reduce the permissions granted to users you prevent their accounts from performing possibly harmful actions in the system, like installing malware or damaging programs, modifying settings, or even creating backdoor user accounts.
  3. Control user account information and manage it closely. Simply knowing what user accounts exist can give hackers and phishers enough information to begin targeting logins and applying methods to crack them. Part of this includes making sure to remove or disable accounts for user accounts that are no longer needed. Every unused account that remains enabled is just another point of vulnerability. Protect system and administrative accounts and directories (like Microsoft Active Directory). Make certain that you only grant access to sensitive system and account information when absolutely necessary, and only to a completely trusted source. Also make sure to have at least one “break the glass” (back door) admin account you can use if the regular administrative account(s) become compromised.
  4. Limit the installed software to what is needed for the business and keep it current. Make sure operating systems and applications are up to date, and keep browsers and plugins updated to make sure they don’t become the weak link.

Cyber criminals are delivering waves of cyber-attacks that are both highly coordinated and far more advanced than ever before seen. Endpoint attacks have become complicated multi-stage operations, ransomware hits small business and enterprises alike, and stealth crypto mining got criminals into unsuspecting corporate networks. The year has been awash with massive data leaks, expensive ransomware payouts and the realization of a completely new and extremely complicated threat landscape. The bad guys have upped their threat game in a big way.

Diligence is required to help protect valuable business information assets. Following these four rules of thumb will help the business avoid becoming easy prey and can provide a foundation for greater system security and a more streamlined approach to identity management, applications and access.

jm bunny feetMake Sense?
J