Monat: November 2020

When selecting or replacing an ERP system you need to plan in detail or you could struggle with endless change requests and spiraling support costs.

A properly
planned ERP project mitigates risks and dramatically increases the chances of
success.

Choosing the
right ERP requires a full analysis of business requirements and processes. You
will need a team responsible for gathering requirements and preparing tender
documentation.

For process mapping and requirements gathering it is important to have a systematic approach with experienced resources that are fully versed with the company’s current and future directions.

Five keys steps:

1. Establish exactly why you need a new ERP system
2. Define clear goals and research best processes using process frameworks
3. Select the software and integrator, utilizing ERP comparison sites like erpfocus.com
4. Implement and go live, monitoring outcomes against goals
5. Factor in training, ongoing education, and improvement

Why do you need a new ERP? – There are often multiple reasons; perhaps the current system is no longer supported and it is now becoming a challenge to maintain a competitive edge. An older ERP is difficult and expensive to manage and is heavily reliant on IT to keep transactions flowing. In addition, license costs will increase as the system become trapped on older versions making it important to assess the costs of maintenance versus a new system. Finally, an old ERP may struggle to meet evolving compliance needs or it simply won’t integrate with the latest software systems.

High-level assessment

• Map out processes that your new ERP needs to support. Use a process framework such as APQC to compare with industry best practices.
• Identify key areas where your current ERP is falling short, e.g. CRM or Supply Planning
• Forecast your existing growth and the functionality you’ll need to support this.
• Prioritize functionality and ensure that these functions will be future proof.

Should I choose cloud or on-premise ERP? – There has been a major shift in interest towards the cloud model from those selecting an on-premise ERP. Whilst the cloud is new and exciting, especially in the ERP space, don’t overfocus on it. If it meets your requirements, great. If not, there are plenty of excellent on-premise ERPs that will.

Cloud offers lower upfront costs since computing resources are typically leased monthly, but as the software is off-premise it can be more challenging/costly to make changes, so you need to be sure that your processes are optimized.

Shortlist potential
solution integrators – This is one of the biggest steps during the ERP
selection process. There are numerous ERP integrators so making a
shortlist should be easy, especially as you will be seeking references from
comparable business types. ERP software comparison engines are available
that will help you produce a shortlist of potential systems from the mainstream
ERP suppliers.  They’re also
helpful for researching what your competitors are using!

Demonstration of understanding – Once decided on your final three integrators, invite them to demonstrate their products. Use a script to control the direction of the demo. Invite representatives from all key business streams since they have to assess the usability of the solution. Mark each area against a scoring metric to ensure that any gaps are weighted accordingly.

Project planning – Be realistic in your project planning to avoid milestones that are simply not achievable. For example, data conversion often takes longer than expected due to legacy data complexities. Go-Live and ongoing training – Basic user training is usually provided just prior to user acceptance testing (UAT). In addition to the solution integrators’ personnel, consider hiring specialist software consultants to coach your internal teams, and to provide training throughout all of the project phases rather than waiting for UAT. Once your new ERP is live, do not make the mistake of thinking you are finished, it is essential that training and operational feedback is ongoing until stability and ROI goals are met.

The post Selecting or Replacing your ERP Software appeared first on ERP News.

Working on a daily basis with a wide spectrum of companies, I believe there are a set of fundamental considerations for ERP selection that hold true regardless of company size—large enterprises with thousands of employees across the globe will face more complexities compared to smaller organizations—industry, and business model.

The first step is to conduct a holistic process review across the business. This analysis will help you determine urgent pain points, bottlenecks hampering productivity, and general areas of improvement. Depending on the resources at your disposal, my recommendation is to involve an external consultant to help you arrive at a truly subjective and unbiased conclusion.

Only when you understand the problem can you start scanning the market for a solution. However, you choose to approach this phase—whether a selection consultant is brought in or whether you rely on in-house expertise—I would strongly advise the following criteria are met:

• A software
  vendor that is willing and able to engage with the different stakeholders in
  your business to assess the potential value that can be derived from the
  investment along with the total cost of ownership. Working towards a shared
  goal will dramatically increase the likelihood of achieving success. I
  recommend asking questions about the projected time-to-value of any ERP
  investment.
• The
  software itself should be evaluated to ensure an ideal technical fit, delivered
  in a solution that is easy to use. Key questions to pose are: How quickly can
  the software be deployed? How easily can the software be configured to support
  my unique needs, now and in the future? Is the solution scalable to accommodate
  future growth? How well suited is the solution to handle the national and/or
  international laws and restrictions that regulate my industry? How easily does
  the solution integrate with third-party, best-of-breed systems?
• The
  software vendor should be able to produce multiple reference customers that are
  willing to help you validate the claims in the steps above. These reference
  customers should ideally be active in your industry and therefore be able to
  give you an earnest assessment of the solution’s industry fit.

When the selection has been made, it is
crucial to work with your software provider and implementation partner, if one
has been selected, to establish a realistic implementation project that all
parties can commit to.

Ultimately, it will be transparency and
frank communication that will determine the outcome of your ERP project. Just
like in any complex transformation project, there will likely be compromises
and unexpected developments to deal with. These eventualities will be much
easier to handle if you are working towards a shared vision of success with a
vendor that you trust.

The post What are the Key Steps for Selecting the Right ERP Software? appeared first on ERP News.

The modern cyber landscape is fraught with security risks. It seems like there is a new report of a major company that has suffered a malware infection, a ransomware infestation, or an account breach via phishing almost daily.

You need to secure your systems to prevent security risks, but that isn’t enough anymore. The human element is one of the biggest areas of concern and should not be overlooked when protecting your systems and data from attack.

Educating your employees with security awareness training will help them recognize and report potential threats before they fall victim to them.

What is Security Awareness Training?

Security awareness training is a combination of education, communication, and simulated attacks to educate and reinforce the positive security practices you are trying to instill in your staff.

Security Education

The cornerstone of any training program is effective training materials. You can develop these internally, use free resources such as the CDSE Security Awareness Hub, or partner with awareness training platforms such as SANS or InfoSec Institute.

This is the portion of the security awareness training that is most visible to employees, and what they think of when they hear about your program, but it is only a portion of the overall training they are actually receiving.

Security education can include the following:

• Video modules
• Assessment tests
• Informative documentation
• Slide shows

Communication

Creating a way for your employees to ask questions and report suspicious activity is very important. This will help you have a better understanding of malicious activity coming at your organization, and will help your employees demonstrate positive security behaviors.

Ensure your chosen method of communication is working. In other words, make sure it cannot be easily ignored, and it is effective in getting participation in your program.

Simulated Attacks

It is not enough to simply educate your staff. Present employees with controlled, real-world tests of the information they are learning to simulate dangerous everyday security situations. This can be done a number of ways, depending on the contents of your training materials.

Here are the four types of simulated attacks:

1. Phishing Simulations

Phishing is often the easiest method of attack to fall victim to, which means phishing simulations must be included in your program. A carefully crafted email can have the real appearance of being something of immediate importance. Maybe it is an urgent need for money, or a password reset that needs to happen before you lose healthcare benefits. This is where email security comes into play.

If you’re successful in your security awareness campaign, your staff will know to check the headers of the emails and inspect the links being asked to click, especially when there is a sense of urgency.

Include the following types of phishing emails in your security awareness training program:

• Urgent needs for password resets
• False document shares
• Files to download and open.

If you’re really doing things right, this should be a challenge to you because you have other security measures in place that make your legitimate phishing campaign truly challenging to get to your intended targets.

Additionally, don’t make the phishing emails easy to spot, because real phishing attacks won’t be.

2. USB Drop Campaigns

To perform a USB drop campaign, pre-install several otherwise innocuous USB drives with tracking software, and then leave the drives in public areas both inside and outside of the office. Once these drives are connected to a computer, they report back who and when the drives were accessed. The software we’re using is benign and for simulation purposes only.

You may ask yourself why this is an important test, but as the Department of Defense can likely attest, it is effective.

3. Social Engineering

In an effort to stay connected, so many expose so much of their lives online today through social media without giving it a second thought. A clever attacker uses this data to hand-craft a method to get their foot in the door. An initial tidbit of information to prove they have a reason to be involved or stay connected, and hackers will continue pursue collecting key bits of information to further to their goals.

As the administrator of a security awareness training program, your goal should be to attempt to gain information about the inner workings of your organization through examining the social media presence of your employees. Pick an employee with a strong social media presence, and attempt to glean information about the inner workings of the company from the presence. Be on the lookout for any types of sensitive information shared that could be a security risk.

If that doesn’t work, and you offer customer support, attempt to contact that support to further your goals. Be polite but also be rushed. Make the support agent feel like they are in a rush to bail you out from your impending troubles.

4. Physical Security Breach

Physical access is full access in most cases. If an attacker can breach your physical security and gain access to the hardware that contains your data, then they have all that much more advantage to securing that data for their own nefarious needs. A good cyber defense is built on the shoulders of a solid foundation of physical security.

For this test, have a trusted friend / colleague / employee from a foreign location attempt to gain access to your facility without pre-announcing them. Have them attempt to leverage human kindness to gain physical access through the following ways:

• Following another employee inside the building through a secure access point
• Stating that they forgot their access credentials
• Catching a door as an employee leaves

Be certain to inform the appropriate personnel before attempting a physical security test so that your trusted partner does not find themselves in actual trouble if they succeed.

Response to Simulations

If a member of your organization falls victim to one of your simulated attacks, you shouldn’t respond harshly. Instead, remember that you are trying to train them to be more security-minded. Offer them additional training that is centered around the method that tricked them.

Remember, the goal here is to build a healthy paranoia that starts with every user who has physical or virtual access to your critical business systems.

The goal of a security awareness training program is to educate employees about security best practices, not humiliate or punish them for failing simulated attacks.

In Conclusion

A successful security awareness training campaign can be measured by turning failures into successes. A combination of training content and real testing can result in a mindfulness towards security that will only serve to strengthen your overall security posture. At the end of the day, you can have all of the best security tools money can buy, but they will only be so good without the help of a security-aware staff.

The post How To Develop a Security Awareness Training Program appeared first on Liquid Web.

How can you secure the server that hosts your business’s data?

That’s one of the top questions companies big and small have struggled to answer since cybersecurity became a hot topic.

In today’s security environment, anybody is a potential target for an attack and, unfortunately for most, the next malware infection is right around the corner.

Whether caused by a bad password, lack of antivirus or firewall, or open ports, the high volume of cyberattacks, often targeted at specific industries and companies, forces companies to show initiative.

It’s become imperative to come up with a comprehensive security strategy to safeguard proprietary data and prevent web server security compromise. The secret to any strong security strategy is understanding the main risks and vulnerabilities that could compromise its integrity.

The three most prevalent risks in security in 2020 are DoS attacks, Code Injection, and Cross-Site Scripting.”

But just what are these three security risks?

Three Malicious Risks to Stay Secure From in 2020

Denial-of-Service (DoS) or Distributed-Denial-of-Service Attacks (DDoS)

In a DoS or DDoS attack, offenders will overflow your server with junk data or falsified requests. The server is then forced to try to authenticate. This type of attack taxes server resources, making the websites inaccessible.

These attacks can bring down a network without having to gain internal access. Worse, there is no way to prevent these attacks from occurring and no way to anticipate whether you’ll be a target.

If customers don’t have access to your business, then you could lose money and major points on brand reputation.

Code Injection

Code injection is when a vulnerability is exploited by an attacker and your site or application is changed for their own purposes. This usually leads to clients using your site or application and becoming compromised themselves.

Cross-Site Scripting

Cross-site scripting, also known as XSS, is a web application vulnerability that allows hackers to send misleading or malicious requests to your browser.

Between the various types of attack your business could face, a layered defense is critical to protect all assets that can be accessed through your web server.

8 Key Steps to Make Your Web Server Secure

1. Use Encrypted Information Transfer

Avoid insecure communication protocols such as telnet or plain FTP. Instead, use secure protocols such as sFTP or FTPs, SSH, and HTTPS. If using SSH, one tip is to change the SSH port to something other than the default port 22, which will help secure against brute force attacks scanning for vulnerable servers across the Internet. It’s not a guaranteed fix against those attacks, but can greatly reduce the chances of suffering from a brute force attack.

A web server or firewall that supports any of these protocols will ensure all information going back and forth is encrypted for protection from third-party interference, which is absolutely critical if your website involves online transactions. Secure communication protocols are vital for web servers that operate with payment information for online transactions.

A website that is PCI Compliant promises customers that your business has taken all the necessary steps to protect their data when shopping online. The Payment Card Industry’s Data Security Standards (PCI-DSS) require businesses to protect customer data through requirements for both their hosting infrastructure and server configuration. We offer a PCI scanning service that can verify your server meets all the PCI-DSS requirements, so you can reassure your customers their data is safe.

Also, have an SSL certificate installed on your website to ensure all transactions between you and customers are secure. SSL certificates are the standard for online security, encrypting online transactions to prevent data exposure to hackers. Liquid Web’s SSL certificates even come paired with Netcraft’s phishing detection to provide real-time alerts that warn site owners when their websites become compromised, ensuring even more protection for your customers’ sensitive data.

2. Adopt Complex Passwords and Multi-Factor Authentication Across the Entire Organization

No matter how many times security experts explain the importance of a strong password, weak passwords such as “admin123,” “123456” or an easy-to-crack dictionary word are still way too common.

Strong passwords are basic and effective, and just as important as using secure communication protocols. Organizations should use different, unique passwords and never reuse the same password for multiple accounts.

Helping your employees learn and implement password security best practices will go a long way to securing your infrastructure.

Make sure you update them at least every 90 days and never share them with anyone. No matter how strong they are, though, the only-password approach is becoming less dependable. A new layer of security is to introduce a multi-factor authentication strategy which leverages something as ubiquitous as a text message to further secure data resources.

3. Consider Linux as an Operating System for Your Web Server

Getting started with a new operating platform introduces a steep learning curve, which is why most companies, depending on their size and resources, need either an inside specialist or external help to continue running Windows.

While Windows remains a massively popular operating system, Apache powers a majority of the worlds web servers. As an open source Operating System, this allows any and all users to review its base code and provide updates and fixes for potential security flaws.

Switching to one of the several flavors of Linux (Ubuntu, Debian, Red Hat) could potentially open additional avenues for your web server needs.

4. Consider Layers of Security for Both Hardware and Software

Wherever possible, use a VPN and a firewall on all web applications and endpoints, including your server. This goes doubly if your organization is sharing the environment or space with another company.

A virtual private network (VPN) is a tunneled private network of remote sites or users utilizing a public network, like the Internet, to connect to each other. A VPN uses encryption to secure your computer’s connection to the Internet, and guarantees that all of the data you’re sending and receiving over the VPN is secured from any potential prying third parties. A VPN can be extremely useful for a growing business to increase productivity without sacrificing security.

A firewall acts as the first line of defense for your server, protecting your data by filtering traffic according to a customizable set of rules. With the firewall in place, a barrier is created between your server and the rest of the Internet. Any traffic that attempts to connect to your server is analyzed, and if it is deemed malicious, that traffic is blocked.

Another important consideration for uptime protection is DDoS Attack Protection. Our DDoS Attack Protection system works to differentiate between legitimate and malicious traffic by monitoring a selected network of IP addresses and analyzing traffic that attempts to reach the server. In addition, our Support team works with our customers during attacks and regularly tweaks the system to ensure it is working effectively.

Also, if you have not done so already, immediately install an antivirus solution to get advanced protection against malware, ransomware, or unauthorized remote access, and run routine security scans.

You may additionally want to consider protection against brute force attacks. Brute Force Detection (BFD) is a service on your server that watches various log files for brute force attacks, which is an attack attempted via rapid logins using a dictionary file. Specifically, BFD looks for several failed login attempts in a short period of time from the same IP address. If detected, the guilty IP address will be blocked in the server’s firewall.

Hardening a server could take hours, but a server protection package like the one available to Liquid Web customers will optimize your security settings in no time.

Add additional security services and modifications to your server with ServerSecurePLUS, an exclusive Liquid Web product. ServerSecurePLUS greatly enhances the security, reliability, compatibility of your server through daily CXS scans and a number of server hardening initiatives including email protection, service hardening, brute force detection, and secured access via SSH, FTP and RDP. Saving you hours of installation time or the hassle of hiring a system administrator, ServerSecurePLUS guarantees that your server’s important data will be protected.

5. Maintain Scheduled Updates and Backups

Keep updated, real-time backups of all data, databases, and applications. And test the process! There’s nothing worse than finding out your backups have been failing until after you need them. Additionally, while having local backups is great for quick restores of simple data, keeping an offsite backup is the best way to ensure data recovery in the event of a catastrophic system failure.

Also, always check for web application updates to prevent software vulnerabilities. Security and software updates are not to be taken lightly and should be run as soon as they are available, especially if known to be critical, such as OS or control panel updates. Nearly 60% of organizations that suffered a data breach in the past two years cite as the culprit a known vulnerability for which they had not yet patched.

If your website utilizes a content management system (CMS), then one of the most important things you can do to keep your server secure is to regularly and responsibly update the CMS and any plugins you may have. However, it is important to keep in mind that it might not be necessary to upgrade every time you discover a new update for your CMS. Pay attention to how your plugins may be affected, and discuss how the latest update might protect your data with your IT Support.

6. Restrict Access to Servers and Directories

By restricting access to the servers and directories to only those who need it, you are controlling risk and limiting potential damages. Taking extra measures to prevent mismanagement or third-party unauthorized access on a physical level also means fewer potential issues.

Liquid Web data centers restrict physical access to staff members to prevent any negligence that could cause outages or affect your business. In the same way, permissions to change and delete files and directories should be set so that only administrators with appropriate clearance have more than read access.

7. Control Root Level Access on Your Server

Consider disabling the root user login in the SSH server entirely. The root user gives full, unfettered access to your server to anyone wielding it. It’s massively powerful and should be used only when absolutely necessary.

One of the common methods that brute force attacks use when attempting to gain access to your system is to focus specifically on root passwords. Creating a new user and using an alternative login that you can switch to root when needed will both protect your server and allow you to still have access to root-level functions.

On a Liquid Web dedicated server, you have full root level access and are the only one who has full control over what happens on your server, so you can choose who gets that access and who doesn’t.

8. Choose Dedicated Servers for Top Protection

Even if you have a modest budget, dedicated servers deliver a specific level of protection for your data. Not only do they protect your sensitive information and ensure high server performance, but they also come with two top perks: they deliver both physical security, and can be customized according to your configuration needs.

Liquid Web’s Dedicated Servers can easily be equipped with locked security cages, and include options for hardware firewalls as well as the standard bundled offerings, which provide services such as backups and protection against Distributed Denial-of-Service attacks.

The post How to Make Your Web Server Secure appeared first on Liquid Web.

In my last post, I started with a conversation about the general business impact of IP addresses, their purpose within Internet business, and introduced dedicated IP vs shared IP addressing.

In this article, we’ll continue these concepts while remaining focused on the business side of the operation. The conversation will center around the three core facets of Internet business required to stay relevant: stability, resource utilization, and reputation.

Let’s get started!

What Is an IP Address?

IP is short for Internet Protocol and is the address for any domain on the Internet. It is represented as a 32-bit number formatted into four 8-bit fields that are separated by periods.

IPs can host many domains, so we can conclude that IPs are the closest point at which we can separate traffic. Keeping stability, resource utilization and reputation in mind, we can start to attack the business impacts of proper separation of traffic so we can allocate resources effectively.

What Is a Dedicated IP Address?

A dedicated IP address is a domain address that serves as your home on the web. Your dedicated IP is not shared with any other domains. Simply typing the dedicated IP address into a browser’s search bar will take a user directly to your site.

When deciding between dedicated IP vs shared IP, remember that dedicated IP addresses will make the most impact on your dedicated server or VPS server’s stability and thereby your company’s reputation (make sense?). Here are a couple guidelines:

1. Dedicated IPs Should Be Isolated to a Single Client.

A dedicated IP, by definition, is an IP address dedicated to a single client. Keep it that way. It will help you later with reporting, tracking, and representation of each client.

2. In Some Cases, a Dedicated IP Address Should Be Isolated to a Single Domain.

One of the most significant advantages to using a dedicated IP address is that bandwidth outside the server can be tracked and identified more granularly.

For example, if this IP address is the target of a DDoS attack, and this IP hosts several domains, it’s often impossible to identify the specific site being targeted. Most often in these situations, the case is that the entire IP address needs to be mitigated or black-holed, not the individual domain.

If this action causes downtime for the targeted client, all of the domains hosted on that IP are now being affected. A tarnish point on your client’s stability equals one on your stability, therefore your reputation.

What Is a Shared IP Address?

A shared IP address is one that is shared among multiple different domains. A shared IP address is most used by smaller businesses that use a managed WordPress host or shared hosting providers.

As you consider dedicated IP vs shared IP, bear in mind that shared IPs can make the most impact on your resource utilization (i.e. your bottom line). Shared IPs should host multiple domains. Not doing so only leaves you spending more money than necessary.

Keep these in mind:

1. Ensure Transparency When Placing Clients.

Shared IP addresses get a bad rap. Being upfront about your resources with clients will help ensure a long and healthy relationship with them.

2. If Possible, Avoid Using the Server’s Main or Primary IP Address as a Shared IP for Hosting as Well.

Often the primary IP address of a server is set up as the catch-all IP for all services. Mail, DNS, FTP, Databases; all these services run on that IP address.

Going back to the example of a malicious attack: should the main IP of the server also be the shared IP address, and if utilizing a null-route or black-hole to address the attack is the only response, you stand to lose access to all those domains as well as all the other services running on that IP.

3. It’s Okay to Load IPs Up With Domains, Just Be Cautious With the Anticipated Traffic.

As far as server resources are concerned, there’s no difference between shared IP vs dedicated IP addresses. From NIC configuration to power consumption, processor, or memory utilization, there is no impact from the number of IP addresses hosted on the server.

The same is true with the domain-to-IP ratio. You can have hundreds of domains on a single IP and see no issues with performance. You only have to worry if you have traffic that should be segregated from other clients and is not.

Main Differences Between Dedicated IP and Shared IP

One of the major sticking points in resource utilization is the price. Each IP address is a flat, monthly fee, and the amount is not going to be stable forever. To understand their impact on our business, we need to know how each type of IP, dedicated IP vs shared IP, is used, and the effect it has on our budget.

Let’s start by considering a single dedicated IP.

Following our best practices, this IP would host an individual client and only one domain. IP addresses at Liquid Web are 2 USD per IP, per month. That’s not bad! That’s a 24 USD investment for a single customer per year. Let’s assume you end up with twenty-five new clients in a year, a decent factor. This would equate to 600 USD per year in IP addresses alone if you were to put every new client on a dedicated IP address.

However, if you were to accurately identify clients and decide that they didn’t need this level of service, you could have put all twenty-five of those clients on a single IP address saving you 576 USD per year. That’s significant funds that could have been reinvested in your business’s growth and infrastructure.

Further, if you compound that amount year over year, including continued growth, it’s easy to see where proper business IP structuring pays off. Keep this principle in mind as you consider dedicated IP vs shared IP addressing for your clients.

Benefits of Dedicated IP Address

Now that we have a foundation of what IPs are, how to use them, and the price points, we can look closer at why it is sometimes worth it to spend a little extra for dedicated IP hosting.

Classification for Stability and Reputation

Client classification requires an in-depth understanding of the environment, the client, and the client’s needs. Remember, IP addressing is about traffic segregation.

In a shared IP, the reputation of all domains are tied into the IP’s overall reputation. This could mean that one domain’s poor sender reputation could negatively impact the emails of all other domains at the shared IP. Potentially, a company with good email practices could still see its emails getting filtered into spam folders because of the actions of other domains on the IP.

A dedicated IP address assures businesses that they are entirely responsible for their domain’s reputation and not subjected to punishment for the improper actions of other domains. For many, the extra cost of a dedicated IP is worth the peace of mind of being in control of their own reputation.

With that in mind, there are three questions to consider when deciding between shared IP vs dedicated IP addressing for a new or current client.

1. Does the stability of this new client require isolation from other clients/sites?

Potential clients who answer ‘yes’ to this question could be customers who are of a higher business priority or who are sensitive to their stability. Often, clients of this caliber are willing to pay for the extra insurance dedicated IPs offer.

2. Does the stability of my other clients require isolation from this new client?

This is a question of trustworthiness. The Internet is often compared to the wild, wild west. It’s young, accessible, and incredibly popular.

That means it’s bound to attract all kinds of traffic and the only person standing up for your reputation is you. It’s easier to segregate less reputable traffic at the onset rather than try to do so later.

3. Is there a potential for any malicious activity aimed at or sourced from the new client?

Here, we’re considering both stability and reputation. Now, having malicious traffic sourced from a client is difficult to foresee. A hack, an ill-tempered former employee: these are unfortunate and unforeseeable issues of circumstance.

A history of attack, however, is a bit easier to see coming and potentially thwart before it causes your business problems. Be diplomatic as you engage on this topic.

I’ve mentioned the dreaded DDoS attack several times now and have done so intentionally. These attacks are a severe threat and should be prepared for in advance as much as possible.

Further, there are some types of sites who tend to see more DDoS attacks than others. Bidding sites, blogs who lean toward controversial topics, or sites focusing on high competition industries are more likely to have issues than others.

Also, it’s completely acceptable to ask a client if they have had a history of DDoS attacks. Any reputable client will be forthcoming as it should be their desire to have a strong, healthy business relationship.

Also, don’t be put off if they’re honest and alert you to a spotty history. This doesn’t necessarily mean they’re bad clients. Remember, a DDoS attack is precisely that: a malicious attack. Often honest, well-intentioned people are the target of criminal activity.

With this information up front, you can start to protect you and your new client ahead of time.

Classification for Resource Utilization

The previous two questions were geared toward stability and reputation. If you can answer ‘yes’ to either of these questions, you can start to lean toward a dedicated IP address for this client and write the price off as the “cost of doing business.”

Resource utilization is a little more complicated and very much a function of forecasting. Once we’ve protected ourselves from any immediate issues by spending more on resources, a choice needs to be made on how we’ll allocate the rest of our budget.

You can discuss growth or other business opportunities with the client to get an idea of their needs going forward. If they’re planning on moving to a dedicated server within a given amount of time, or would like to expand to include a mix of shared IP and dedicated IP addresses, it may be a good idea to consider starting them on dedicated IP addresses. The remaining customers can likely be placed on a shared IP plan.

This planning reduces your overall cost, and allows you to have some reinvestment opportunities while also giving you some wiggle room as you and your clients grow together.

IP Classification Changes for Liquid Web Customers

Need to make changes to your clients’ IP addresses? No problem!

Starting with planning, Liquid Web’s method of IP allocation is relatively simple. If you need to migrate a customer from a shared IP to a dedicated IP, you can request a new IP through your Manage Interface. Just remember how valuable IP addresses are and vet every request carefully.

Fortunately, Liquid Web’s vetting process is also simple. You would just have to justify the reason you need a new IP then use it appropriately. Request only as many as you need ( a few, not hundreds) and supply the domain that’ll be using that IP. With a short explanation, your request should be granted quickly.

If you have a single server, remember how IPs work on hardware: one server can host many IPs. These IP addresses are probably housed on the same server, so migrating should just be a case of making a few adjustments in your server management interface. If the destination IP is hosted on a different server from the source IP, there may be a few technical caveats.

Our Helpful Humans can handle any questions, offer clarification, and start operations with no problem! Open a ticket, and you should be on your way to resolving whether to use dedicated IP vs shared IP for your customers.

In my final post of the series, I’ll be touching on some of the myths and dated information that still crops up across tech blogs.

Need Help Managing Multiple Sites?

Managing client sites and having trouble keeping up? Download our free guide on the 5 Insider Tips to Managing Multiple Sites.

The post Choosing Between Dedicated IP and Shared IP appeared first on Liquid Web.

If you’re in any way vigilant about online security, you undoubtedly have a different, complicated password for every protected online resource that you use. Also, because you’re vigilant, you might sometimes have trouble remembering passwords. But weak passwords won’t stand up to security issues from hackers.

Passwords are a pain, but strong passwords are also a necessary means of defense against hackers who won’t stop at anything to gain access to your accounts.

It’s worth the time and effort to keep hackers off-balance with smart, strong passwords that (hopefully) you can still remember. Hackers excel at exploiting weaknesses, and they have the time and the tools to keep hacking away.

What is the Most Common Password?

The most common password in 2019 (which did not change from 2018) was 123456. Other common passwords included 123456789 and qwerty.

Anyone using any of these passwords are just begging to be hacked.

Hackers are everywhere, and they are constantly looking for your password vulnerabilities to attack.

What Password Mistakes Should You Avoid?

To protect your passwords, here are eight common password mistakes to avoid:

1. Consecutive keyboard combinations, for example, “zxcvb” or “qwerty”
2. Trending slang phrases or words spelled backwards
3. First name, family name, or names of your spouse or kids
4. No personal information, like your birthday or age.
5. Never recycle old passwords, use passwords only once.
6. Don’t use the same password for every account you possess.
7. Don’t let anyone watch you enter your password.
8. Always log off of your account if you leave your computer around or are on a public network.

These are all great helpful hints to keep you away from being hacked, which can often lead to an even worse turn of events, like identity theft or data theft/loss.

What Ways Do Hackers Use to Hack or Gain Passwords?

Brute Force Attacks

Brute force attacks are when hackers try to overpower your defenses, attempting combinations of usernames and passwords with software that recombines English dictionary words with thousands of variations in an attempt to access your website.

While WordPress is the most popular CMS, and therefore the most targeted for brute force attacks, other CMS platforms and login systems are also vulnerable to attack.

Avoid “Admin”

Avoid the default “admin” name for WordPress and other login systems. Hackers will always try using “admin.”

Also, don’t use common names or even your website name as the username. As tempting as it is to think a hacker won’t be able to spell your difficult last name, he/she can always cut and paste it from another source.

Social Engineering

Social engineering is a malicious tactic hackers use to manipulate their targets into divulging sensitive and confidential information. Social engineering can happen across many different platforms, including email, social media, and even the phone. Social engineering, when paired with spear phishing, can be extremely effective to unwary targets that are not on the lookout.

The entire point of social engineering attacks is to gain confidential information that could be used to gain access to systems, steal data, or steal your identity.

Unlimited Login Attempts

Website logins can be set to have either unlimited or a set number of login attempts. It never hurts to limit the number of login attempts you can make to access your site. Not only will this eliminate the threat of brute force attacks, but it keeps hackers from attempting to access their site through manual password entry from socially engineered attacks.

If you are using WordPress, you can download a plugin to do this for you, or even whitelist/blacklist specific IPs for access/denial of access. This way, you can be sure legitimate users can access your site while malicious hackers cannot.

8 Best Practices for Password Security

Here are the top eight security best practices for passwords in 2020:

1. Use different passwords for different accounts, so if one is compromised, the others are not.
2. Phrases using symbols like a smiley face “:)” instead of using the word happy, or replacing the word “to” with the number “2”. This can make your password more difficult to guess by playing around with short codes or phrases.
3. Try using passphrases with words that don’t normally go together instead of easily forgettable and non sensible long-character passwords. Passwords like “puppy airplane eating banana” are more easily remembered and less likely to be hacked. Also, swap in non-alphabetic and uppercase characters to strengthen the passphrase. Using the same example, we could easily strengthen the password to “Puppy 41rpl4n3 34ting B4n4n4” by substituting numbers for letters.
4. We recommend using at least twelve characters of interchangeable lower case, upper case, symbols, and numbers within your password. The longer, the better.
5. Always check the strength of your password. Most sites allow for a password analyzer to communicate how strong or weak your password may be. Definitely pay attention to the analyzer and alter your password accordingly.
6. Change your password every 90 days, at a minimum.
7. Employ Two-Factor Authentication (2FA), also known as Multi-Factor Authentication. This uses a text-based or application-based authentication method to verify your identity prior to access.
8. And lastly, invest in a password manager. Password managers use multiple forms of encryption to ensure that your passwords are even harder to crack, and allow you to only need to remember one password.

Take Password Security Seriously

The above password best practices will help you further secure your site. Granted, thorough password protection isn’t a quick task, but it’s worth the time and effort to keep hackers off their game while safeguarding your site and customer data from theft.

Secure Your Infrastructure Today With This Checklist

The post 8 Best Practices for Password Security appeared first on Liquid Web.