Sunday, 28 January 2018

2018 SME trends – Cloud migration tops the list!

Has the Cloud question hit your business till now? If yes, then you might’ve already pondered a lot about the pros and cons of moving your business to the cloud. There are many ways to do this and there are many outfits like Dolphin 24x7 who can help you with migrating to the cloud. The drill is simple but it is the decision that weighs in as tough! While the optimized cost may play as your biggest case when considering migration, control and security issues would tell you to hold back. Read on to find out how SMEs are considering this question in 2018.

Every business around the globe, no matter what size, relies on its IT infrastructure to support its operations. In most cases, the associated costs quickly spiral up and inflate beyond what most small businesses can afford. Cloud migration is like a ray of light for SMEs who find themselves stuck in the rut of infrastructure costs.But is Cloud the next best decision for your small business? Well, to answer that you have to consider pros and cons on a subjective level. Here’s our post breaking it down for you. If you’d rather cut to the chase, then read the verdict right here.

Top 3 reasons to migrate

1. COST

Invariably, the top reason for moving to the cloud is the bundled cost optimization. Given that moving to the cloud can help your organization operate at the same capacity while effectively reducing thecost incurred; the decision of moving to the cloud sounds like a no-brainer. Cost savings coupled with smooth operations can be crucial for a small business’ growth. The money you’d generally be spending on hardware, software, and laborcan now be put to use in another crucial areaof the business – Digital Marketing perhaps?Although it may seem that the costs of the Cloud will inflate as you grow, the bottom-line here is that you only pay for what you use and this is where your decision to migrate truly shines through. While you may incur initial costs of making the shift, engaging in the learning curve, and getting used to a newer way of operations, these ingeniously balance out by eliminating the overhead costs associated with owning and operating hardware.

2. SCALABILITY

Scalability is imperative for any infrastructure investment made by SMEs especially. For a small business, scalability could mean keeping a lot of worries at bay. Moving to the cloud is a sure shot way to ensure scalability.

Adding new servers, data storage, newer partitions, increasing computational power is as easy as a few button clicks!
Now your infrastructure can grow with your business, and that too without having to heavily rely on a technically dexterous in-house IT team.
Running a small business is like riding a sine wave and cloud helps you keep up with the peaks and lows. It allows you to scale up or scale down as necessary and save costs with the pay-as-you-use model.

3. ANYWHERE, ANYTIME ACCESS

The flexibility in accessing your cloud setup is unparalleled to any on-premise installation. This is pure ease-of-use and mobility, which by far are the two biggest driving factors for SMEs in today’s market! Your mobility defines the growth of your business and cloud can bring that to the table.

Top 3 drawbacks

Most healthcare and financial outfits steer away from migrating to the cloud for the sole reason that their data would sit in the hands of a third-party. Certain business processes and compliance regulations force these organizations to keep the cloud decision at bay.
Organizations that rely on thecloud have reported their share of issues which entail congestions, downtimes, and reliability. Any organization with a high need for availability invariably decides against Cloud. But there is a certain breathing space that hybrid cloudsetups can offer to such companies.
Backups with cloud providers have proven unreliable. Organizations relying on Cloud need to do due diligence and take adequate backups to ensure business continuity.

The Verdict

When it comes to SMEs the rewards far outweigh the risks!

Weigh the rewards vs. risks and if you’re undecided, take help from experts at Dolphin 24x7. You could choose a hybrid installation if you have control issues (pun intended). The associated cost savings and scalability options are a definite feather in the cap for any small business.

Why Dolphin24x7

Dolphin24x7 has a proven track record of performing flawless Cloud migrations for clients all over the globe. Remote Infrastructure Management is at the core of our business and we do it beyond perfection. Our always available team helps you smoothly transition to cloud and even provides adequate handholding to help flatten out the learning curve.

Call us at +1-516-717-2049 or email us at info@velaninfo.com for instant IT support!

Friday, 19 January 2018

WHAT TO EXPECT – GOOGLE’S ADVANCED PROTECTION PROGRAM

Wrapping up Cyber Security month and very close to the 1 year anniversary of the phishing attack on John Podesta’s emails, Google rolls out the Advanced Protection Program “for those who need it the most” – we’re still figuring why they keep iterating that bit. Well nevertheless, you can enroll in it whether or not “you need it the most”. Read on to explore what the new program is all about and how it will save the galaxy.

Ok, it will not save the galaxy. At the onset, this advanced security program uses:

Small wireless or USB devices (security keys)
Digital signatures
Public-key cryptography

Alphabet’s Google Inc has taken up quite a few advancements in the wake of Oct ’17 (Security Checkup, Safe Browsing Real-Time etc.) and APP is one of them. APP uses physical devices such as USBs to work out a Two-Factor Authentication during log-in. So while attempting to sign-in on any new device, you’ll have to enter your password AND use the “key” registered with your account.

The core focus of the program

Phishing Defense:The use of physical security keys have been around for decades and are rest assured an extreme safeguard against phishing attacks. This type of 2FA is your best bet against phishing. The keys use public-key cryptography and digital signatures and any attacker would need both, your password AND the physical key to break into your account.
Limit data access to trusted apps (read Google apps):Google trusts no third-party apps currently when it comes to your data on Google. It will slowly add more trusted aps to their whitelist but not as of now. Google understands that falling victim to phishing, happens accidentally. With APP it ensures you will not inadvertently grant access to malicious applications.
Keeping the hackers out:It is very common for hackers to impersonate you and then try to break into your account using Account Recovery techniques. With APP in place, these hackers will most certainly get locked out. Account recovery can take a few days since extra steps will be put in place. This could be a pain if you’ve legitimately lost access but is well worth it.

APP: Highlights& Know-how

You’ll pay for the physical keys/USBs – buy from Amazon.
One USB key for desktop and one Bluetooth-LE-enabled key for mobile (around $50 total). The good news here is that Google’s Advanced Protection Program is FREE.
The keys that you purchase should be approved by FIDO Alliance.
Say goodbye to iOS apps. Not literally but they’re not supported by the key-based authentication program. This could mean some restriction on browsers, cloud-syncing etc. where you depend on third-party apps. You could however use Gmail, Chrome etc. on your iOS devices.
SMS codes & Authenticator app will no longer work.
Google has a step-by-step guide online for enrolling in this program: https://landing.google.com/advancedprotection/
How good are you with keys?I keep losing stuff all the time! As an advancement, there should be an app to help find the keys/USBs if they go missing.
Remember, this is somewhat like having a physical lock on your account – a physical key along with a password is the only way.

If you’re looking at tightening the security of your infrastructure, then head over to our contact form here, or call us at +1-516-717-2049. We’re maven of remote infrastructure management and we’ve helped numerous clients hacker-proof their infrastructure!

Dolphin Tech Tips - Connection Denied Remote Login

Hey folks! This post is the first in a series of tech tips that we techies at Dolphin are going to be rolling out.These tech tips are aimed at helping our reader tackle common issues with ease without the need of involving the IT or support team. We’re going to start with a fairly common issue and resolve it in 5 steps!

We’re Dolphin 24x7, a remote infrastructure management outfit full of tech whizzes who promise quick and efficient support. Right from handling IT tickets to cPanel, server management, etc., Dolphin’s got you covered.

Server Management Issue

Unable to remote login into another computer/virtual machine. So here’s what the error on your system looks like:

We’ve seen that “aha” moment on our users’ faces quite so often when we resolve these tickets, that we decided to cut the chase and put it online.

Solution

This needs to be solved at the computer that you’re trying to remote into. Yep, the problem is rarely with the system you’re using to access the remote computer. All you have to do is add “Remote Desktop Users” group or add individual users to remote into the said computer. It’s a simple logic of letting in just a marked group of friendly people in your house. So if you wish to access your computer from another computer, your comp needs to recognize it and allow it. Here’s how you can do it in 5 quick steps:

Go to Control Panel (make sure large/small icon view is enabled) and click on
Click on Remote settings on the left panel.A System Properties window will open.

Make sure remote connection is allowed.Check Allow connections only from computers running Remote Desktop with Network Level Authentication

Click on Select Users& click on Add to add the user(s) or group(s) that you would like to give remote access to.
Done!

Hope this post was helpful. Do let us know what resolutions you’d like to see posted.

Need IT support? Reach out to us @ +1-516-717-2049 or fill in this form to request for a tech tip.

Dolphin 24x7 can help you with reliable remote infrastructure management. Reach out to us for IT support outsourcing, cPanel, Server Management, etc. Click here to check out our service platter.

Tuesday, 26 December 2017

Application Security – What Why and 10 Best Practices - Part - 2

Staying on top of application security isn’t easy as pie and in most cases often done wrong without professional guidance. To have a plan in place is the very beginning of establishing a tough front against attacks like the massive DDoS attacks from Oct ’16. We’ve outlined 10 best practices to consider when taking an organized approach to web application security. When you sit down with your IT team and create a strong plan, do keep these in mind.

CTA: Skip the read and contact us for robust Application Security!

Button: Let’s connect

This post is a continuation of our previous post wherein we’ve introduced Application Security and the need for it. We’ve also discussed a few nuances to understanding it deeper. In case you missed that one or want to understand Application Security, head over to Part 1.

PS: We’re Dolphin24x7 - infrastructure setup and management experts. We’re capable of executing most infrastructure management tasks remotely! So, whether you’re sitting in the Arctic or the Bahamas or any latitude for that matter, Dolphin24x7 can help you effectively manage web hosting, server management, helpdesk support, SharePoint, application security, DevOps etc.

Enough about us, without much ado we’re going to dive into outlining the 10 Best Practices for Web Application Security.

Here’s a list to help:

Establish basic security
Start with a blueprint
Create application inventory
Prioritize applications
Identify and prioritize susceptibilities
Adjust the privileges that your application use
Use cookies securely
Implement HTTP with SSL/TLS
Other little tips
Awareness trainings

1. Establish Basic Security

When it comes to implementing Application Security, it’s safe to assume that it will take anywhere between a few weeks to a few months even for a fairly small organization. There’s much to do and you must already realize that with the above-stated list. To successfully prepare a list of web applications and outline all nitty-gritty associated, you will take a substantial amount of time. In the interim, it isn’t wise to leave your business exposed and vulnerable. We recommend that you put in place, a few basic security measures even before you kick-start the actual process.

a. Remove unnecessary functionalities from applications. Uncalled and unused functionalities are best turned off. They pose a risk being identified and not modernized to handle potential threats. So turn them off for good.

b. A web application firewall (WAF) is the simplest and the most basic countermeasure, which helps protect against most exposures. A WAF can not only block unwanted traffic, but also helps steer clear from the likes of XSS, SQL injection etc.

2. Start with a Blueprint

There are three ways to deal with application security:

You choose to do so manually
1. through a cloud solution
2. through software that you have on site
Choose a local managed service provider
Choose to employ a remote team of specialists

Start with understanding who you’re going to engage with and then move on to charting out the steps. Create a simple blueprint of your organization and define where you’d start. Outline your organization’s goals, and if your organization is large enough, identify and include names of people responsible in the blueprint.

3. Create Application inventory

Create a detailed inventory of all the applications your organization relies on. This could be a daunting task even for a small organization. While you may think you already have a list, there are many applications running right now, which you don’t ever remember installing. We call these rogue applications that go unnoticed unless a critical issue arises.

While creating the inventory, ensure that you also note down what the purpose of each application is. Chances are that when you’re done with this inventory, you’d be able to point out many redundant and pointless apps. “Do not miss even a single application” goes without saying!

Important note:

While creating the inventory, also make note of the permissions each of these applications employs. We will discuss more on this in #6.

4. Prioritize these Applications

Regardless of what you perceive, we’re going to tell you that the inventory is going to be pretty long. So the next step would be to break it down using proper prioritization.

Use these 3 categories to sort your apps:

a. High

b. Medium

c. Low

What goes into high, medium and low? “High” should ideally comprise of applications that deal with sensitive data (such as customer data) or are liaising with external entities. These apps are the most likely and vulnerable targets for hackers.

“Medium” should contain apps that are used for internal purposes and occasionally interact with sensitive information.

“Low” as you might’ve already guessed, is a list of apps that have far less exposure and while they aren’t pressing, they must be included down the road.

5. Susceptibilities: Identify and Prioritize

With your application inventory ready, the logical next step would be to identify the susceptibilities of these applications. As you put together your list of web applications, you need to prioritize the identified vulnerabilities. This basically means which of the risks need mitigation and which of these you’d accept.

Simply put, you’ll create action plans for the susceptibilities that are marked high priority and risk acceptance for the other.When Sucuri analyzed 9000infected websites in Q2 ‘16 and categorized them by platform here’s the result:

Keep in mind that when actual testing happens, you may realize that you overlooked some of the issues. It happens and shouldn’t stop you from hitting the brakes temporarily in order to recheck your list and plan again. Since you’re starting from scratch now, it will be a lot easier down the road. So move on to testing now and give it your best shot!

6. Adjust Application privileges to a minimum

Every web application runs using specific privileges. These privileges provide it access to both, local and remote computers. It is imperative that we adjust these privileges to a bare minimum in order to avoid threats or attacks via the applications.

user Profiling

Adjust user privileges as well for every application. For most application only the admin or the super admin would need complete access. You need to button it down for all other users. If a user need for permission arises at a later point, it can be addressed via a proper workflow/process. Most users can accomplish their regular tasks with minimal permissions except some high-level business users. Perform a little routine of user-profiling to address this.

7. Use Cookies Securely

Cookies are incredibly convenient for businesses and users alike – there are an overwhelming set of advantages when your application uses cookies. For instance, cookies help greatly in retargeted advertisements and for providing a personalized experience to returning patrons. But cookies also are a major weak-link that hackers are great at exploiting.

Stop using Cookies? Hell no! Just be clever with adjusting the settings.

3 ways

Cookies shouldn’t be used to store sensitive information. E.g. user passwords.
Don’t keep everlasting cookies, no matter how appealing that sounds! Set expiration dates to avoid misuse by hackers.
Use adequate encryption to ensure your cookies aren’t easily readable by external sources.

8. Implement HTTP with SSL/TLS

This might seem a bland statement but trust us, this implementation is supremely helpful. The history of cyber-attacks statistically states that HTTPS implementation has innocuously helped in guarding against 30% of attacks!

So here’s what you should do - implement HTTPS! But that alone isn’t enough – that’s about half the job done. You need to work on the DNS side of things and redirect all your traffic to HTTPS! A pro tip would be to use an updated version of TLS instead of relying on SSL. There are numerous reasons why but that beats the purpose of this post. Remind us to blog on that another day ;)

9. Good to know

Here are a few“immediate” web application security suggestions that you can implement as a business or website owner. Follow these quick tips:

Implement x-xss-protection security header.
Implement a content security policy.
A string password policy is a must.
Apply subresource integrity (SRI) to resource’s

Application security - What Why and 10 Best Practices - Part - 1

85% of cyber-attacks target application vulnerabilities! With an application landscape ripe with an extensive variety, today’s developers leverage a potent mix of commercial, custom, and open source code in order to create quick and robust applications. With the rising complexity of these applications, application security has become profoundly important. This is the first post in a series of 2, where we’re going to holistically address the concept, importance and best practices of Application Security in today’s world.

What is Application Security and why we Need it?

Hackers use unlawful code to manipulate your applications and access, steal, modify, or delete sensitive data. Application security solutions help minimize the risk of security breaches using a structured methodology which involves an array of hardware, software, and operational policies. You need appropriate security measures built into your applications in order to shield your applications from crumbling to misuse.

Application security vs software security

Have you wondered whether the terms application security and software security imply the same thing?Are these two one and the same?

According to Gary McGraw (a computer scientist, researcher and author of 12 books), Software Security is much bigger in comparison to application security. He elucidates that software security is a proactive approach while application security is a reactive approach. Gary maintains that application security takes place once software has been deployed (which makes it reactive)while software security, takes place within the pre-deployment phase (which makes it proactive).

What are your thoughts on these? Do you think Application Security is merely reactive? Let us know in the comments. In the modern world of applications that range from simple productivity tools to intense gaming and enterprise-level apps, does application security still function only as a reactive approach?

What are Counter Measures?

Countermeasures, quite like the name suggests, are measures or actions taken to minimize the risk of a security breach. A basic countermeasure that most of you must be aware of is a Firewall!

Some common countermeasures are:

Routers
Encryption &decryption programs
Anti-virus programs
Spyware detection & removal programs
Biometric authentication systems.

What is Threat modeling

Before getting into Threat Modeling, we want you to ponder over what a “Threat” is, in the realm of application security.A threat is a malicious or unplanned event, which has the potential to compromise an enterprise’s assets. A DoS (denial-of-service) attack can be classified as a malicious event while the failure of a storage device is an unplanned event. Either ways, both of these are potential threats to your application.

If you’ve ever prepared for ISO 27001 certification in your enterprise, you’d find it easier to understand Threat Modeling. Allow us to try to break it down to you.

A rigorous process that involves the following steps:

Carefully defining all enterprise assets
Identifying what each application does (or will do) with respect to these assets
Creating a security profile for each application
Identifying and prioritizing potential threats that could affect these applications and in turn the enterprise assets.
Documenting what countermeasures or actions can be taken when faced with a threat.
Documenting adverse events that have occurred and the actions taken in each case.

If you remember the DDoS attack from back in Oct 16, we’re about to tell you that they have only grown over the past year! Here’s how DDoS attacks are projected up to 2020.

What can you do stay safe and steer clear of these malicious events that haven’t even spared big hosting providers like Dyn? We’re going to follow up on this post with 10 best practices for Application Security. While you watch out for our next blog post where we’ll discuss about the 10 best practices to consider in Application Security, we want you to reach out to us for any security concerns you may have with your existing applications!

Why Dolphin 24x7

We’re the infrastructure mavens who can help you with all-thing-infra. Right from modernizing infrastructure to setting up scalable robust ones, we can do it all! For server setup and management, web hosting support, help desk support and anything under the roof, call us at +1-516-717-2049 and rest assured, your infrastructure will be as tough as our expertise!