How To Develop a Security Awareness Training Program

The modern cyber landscape is fraught with security risks. It seems like there is a new report of a major company that has suffered a malware infection, a ransomware infestation, or an account breach via phishing almost daily.

You need to secure your systems to prevent security risks, but that isn’t enough anymore. The human element is one of the biggest areas of concern and should not be overlooked when protecting your systems and data from attack.

Educating your employees with security awareness training will help them recognize and report potential threats before they fall victim to them.

What is Security Awareness Training?

Security awareness training is a combination of education, communication, and simulated attacks to educate and reinforce the positive security practices you are trying to instill in your staff.

Security Education

The cornerstone of any training program is effective training materials. You can develop these internally, use free resources such as the CDSE Security Awareness Hub, or partner with awareness training platforms such as SANS or InfoSec Institute.

This is the portion of the security awareness training that is most visible to employees, and what they think of when they hear about your program, but it is only a portion of the overall training they are actually receiving.

Security education can include the following:

  • Video modules
  • Assessment tests
  • Informative documentation
  • Slide shows

Communication

Creating a way for your employees to ask questions and report suspicious activity is very important. This will help you have a better understanding of malicious activity coming at your organization, and will help your employees demonstrate positive security behaviors.

Ensure your chosen method of communication is working. In other words, make sure it cannot be easily ignored, and it is effective in getting participation in your program.

Simulated Attacks

It is not enough to simply educate your staff. Present employees with controlled, real-world tests of the information they are learning to simulate dangerous everyday security situations. This can be done a number of ways, depending on the contents of your training materials.

Here are the four types of simulated attacks:

1. Phishing Simulations

Phishing is often the easiest method of attack to fall victim to, which means phishing simulations must be included in your program. A carefully crafted email can have the real appearance of being something of immediate importance. Maybe it is an urgent need for money, or a password reset that needs to happen before you lose healthcare benefits. This is where email security comes into play.

If you’re successful in your security awareness campaign, your staff will know to check the headers of emails and inspect the links they are being asked to click, especially when there is a sense of urgency.
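The two checks named above, message headers and link targets, can also be automated when triaging reported messages. The Python below is an added example, not part of the original article; the sample message, its domains and the urgency word list are constructed for illustration, and the two-label domain comparison is a simplification that ignores public suffixes.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration; every name and domain is made up.
SAMPLE = """\
From: "IT Help Desk" <helpdesk@example.com>
Reply-To: helpdesk@example-support.test
Return-Path: <bounce@mailer.example-support.test>
Subject: URGENT: password reset required today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it now:</p>
<a href="http://login.example-support.test/reset">https://portal.example.com/reset</a>
<a href="https://portal.example.com/help">Help centre</a>
</body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "expires", "suspended")  # assumed list


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def site(host):
    """Naive 'registered domain': the last two labels of a host name."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    # Header check: replies or bounces routed to a different domain than From.
    from_site = site(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    for header in ("Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr and site(addr.rpartition("@")[2]) != from_site:
            findings.append(f"{header} domain differs from From domain")

    # Urgency check on the subject line.
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("subject pushes urgency")

    # Link check: where the link really goes versus what the text shows.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, errors="replace")
        collector = LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            target = urlparse(href)
            if target.scheme == "http":
                findings.append(f"unencrypted link: {href}")
            shown = urlparse(text if "://" in text else "")
            if shown.hostname and site(shown.hostname) != site(target.hostname):
                findings.append(
                    f"link text shows {shown.hostname} but goes to {target.hostname}"
                )
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE):
        print("-", finding)
```

A Return-Path on another domain is normal for mail sent through a bulk provider, so treat that finding as a prompt to look closer rather than a verdict.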

Include the following types of phishing emails in your security awareness training program:

  • Urgent needs for password resets
  • False document shares
  • Files to download and open

If you’re really doing things right, this should be a challenge, because the other security measures you have in place will make it hard for even your legitimate phishing campaign to reach its intended targets.

Additionally, don’t make the phishing emails easy to spot, because real phishing attacks won’t be.

2. USB Drop Campaigns

To perform a USB drop campaign, pre-install several otherwise innocuous USB drives with tracking software, and then leave the drives in public areas both inside and outside of the office. Once these drives are connected to a computer, they report back who accessed the drives and when. The software we’re using is benign and for simulation purposes only.

You may ask yourself why this is an important test, but as the Department of Defense can likely attest, it is effective.

3. Social Engineering

In an effort to stay connected, so many people expose so much of their lives online today through social media without giving it a second thought. A clever attacker uses this data to hand-craft a method to get their foot in the door. An initial tidbit of information proves they have a reason to be involved or stay connected, and hackers will continue collecting key bits of information to further their goals.

As the administrator of a security awareness training program, your goal should be to attempt to gain information about the inner workings of your organization through examining the social media presence of your employees. Pick an employee with a strong social media presence, and attempt to glean information about the inner workings of the company from the presence. Be on the lookout for any types of sensitive information shared that could be a security risk.

If that doesn’t work, and you offer customer support, attempt to contact that support to further your goals. Be polite but also be rushed. Make the support agent feel like they are in a rush to bail you out from your impending troubles.

4. Physical Security Breach

Physical access is full access in most cases. If an attacker can breach your physical security and gain access to the hardware that contains your data, then they have all that much more advantage to securing that data for their own nefarious needs. A good cyber defense is built on the shoulders of a solid foundation of physical security.

For this test, have a trusted friend / colleague / employee from a foreign location attempt to gain access to your facility without pre-announcing them. Have them attempt to leverage human kindness to gain physical access through the following ways:

  • Following another employee inside the building through a secure access point
  • Stating that they forgot their access credentials
  • Catching a door as an employee leaves

Be certain to inform the appropriate personnel before attempting a physical security test so that your trusted partner does not find themselves in actual trouble if they succeed.

Response to Simulations

If a member of your organization falls victim to one of your simulated attacks, you shouldn’t respond harshly. Instead, remember that you are trying to train them to be more security-minded. Offer them additional training that is centered around the method that tricked them.

Remember, the goal here is to build a healthy paranoia that starts with every user who has physical or virtual access to your critical business systems.

The goal of a security awareness training program is to educate employees about security best practices, not humiliate or punish them for failing simulated attacks.

In Conclusion

A successful security awareness training campaign can be measured by turning failures into successes. A combination of training content and real testing can result in a mindfulness towards security that will only serve to strengthen your overall security posture. At the end of the day, you can have all of the best security tools money can buy, but they will only be so good without the help of a security-aware staff.

The post How To Develop a Security Awareness Training Program appeared first on Liquid Web.

How to Make Your Web Server Secure

How can you secure the server that hosts your business’s data?

That’s one of the top questions companies big and small have struggled to answer since cybersecurity became a hot topic.

In today’s security environment, anybody is a potential target for an attack and, unfortunately for most, the next malware infection is right around the corner.

Whether caused by a bad password, lack of antivirus or firewall, or open ports, the high volume of cyberattacks, often targeted at specific industries and companies, forces companies to show initiative.

It’s become imperative to come up with a comprehensive security strategy to safeguard proprietary data and prevent web server security compromise. The secret to any strong security strategy is understanding the main risks and vulnerabilities that could compromise its integrity.

The three most prevalent risks in security in 2020 are DoS attacks, Code Injection, and Cross-Site Scripting.

But just what are these three security risks?

Three Malicious Risks to Stay Secure From in 2020

Denial-of-Service (DoS) or Distributed-Denial-of-Service Attacks (DDoS)

In a DoS or DDoS attack, offenders will overflow your server with junk data or falsified requests. The server is then forced to try to authenticate. This type of attack taxes server resources, making the websites inaccessible.

These attacks can bring down a network without having to gain internal access. Worse, there is no way to prevent these attacks from occurring and no way to anticipate whether you’ll be a target.

If customers don’t have access to your business, then you could lose money and major points on brand reputation.

Code Injection

Code injection is when a vulnerability is exploited by an attacker and your site or application is changed for their own purposes. This usually leads to clients using your site or application and becoming compromised themselves.

Cross-Site Scripting

Cross-site scripting, also known as XSS, is a web application vulnerability that allows hackers to send misleading or malicious requests to your browser.

Between the various types of attack your business could face, a layered defense is critical to protect all assets that can be accessed through your web server.

8 Key Steps to Make Your Web Server Secure

1. Use Encrypted Information Transfer

Avoid insecure communication protocols such as telnet or plain FTP. Instead, use secure protocols such as SFTP or FTPS, SSH, and HTTPS. If using SSH, one tip is to change the SSH port to something other than the default port 22, which will help secure against brute force attacks scanning for vulnerable servers across the Internet. It’s not a guaranteed fix against those attacks, but it can greatly reduce the chances of suffering from a brute force attack.

A web server or firewall that supports any of these protocols will ensure all information going back and forth is encrypted for protection from third-party interference, which is absolutely critical if your website involves online transactions. Secure communication protocols are vital for web servers that operate with payment information for online transactions.

A website that is PCI Compliant promises customers that your business has taken all the necessary steps to protect their data when shopping online. The Payment Card Industry’s Data Security Standards (PCI-DSS) require businesses to protect customer data through requirements for both their hosting infrastructure and server configuration. We offer a PCI scanning service that can verify your server meets all the PCI-DSS requirements, so you can reassure your customers their data is safe.

Also, have an SSL certificate installed on your website to ensure all transactions between you and customers are secure. SSL certificates are the standard for online security, encrypting online transactions to prevent data exposure to hackers. Liquid Web’s SSL certificates even come paired with Netcraft’s phishing detection to provide real-time alerts that warn site owners when their websites become compromised, ensuring even more protection for your customers’ sensitive data.

2. Adopt Complex Passwords and Multi-Factor Authentication Across the Entire Organization

No matter how many times security experts explain the importance of a strong password, weak passwords such as “admin123,” “123456” or an easy-to-crack dictionary word are still way too common.

Strong passwords are basic and effective, and just as important as using secure communication protocols. Organizations should use different, unique passwords and never reuse the same password for multiple accounts.

Helping your employees learn and implement password security best practices will go a long way to securing your infrastructure.

Make sure you update passwords at least every 90 days and never share them with anyone. No matter how strong they are, though, the password-only approach is becoming less dependable. A new layer of security is to introduce a multi-factor authentication strategy, which leverages something as ubiquitous as a text message to further secure data resources.

3. Consider Linux as an Operating System for Your Web Server

Getting started with a new operating platform introduces a steep learning curve, which is why most companies, depending on their size and resources, need either an inside specialist or external help to continue running Windows.

While Windows remains a massively popular operating system, Apache powers a majority of the world’s web servers. Because Linux is an open source operating system, any and all users can review its base code and provide updates and fixes for potential security flaws.

Switching to one of the several flavors of Linux (Ubuntu, Debian, Red Hat) could potentially open additional avenues for your web server needs.

4. Consider Layers of Security for Both Hardware and Software

Wherever possible, use a VPN and a firewall on all web applications and endpoints, including your server. This goes doubly if your organization is sharing the environment or space with another company.

A virtual private network (VPN) is a tunneled private network of remote sites or users utilizing a public network, like the Internet, to connect to each other. A VPN uses encryption to secure your computer’s connection to the Internet, and guarantees that all of the data you’re sending and receiving over the VPN is secured from any potential prying third parties. A VPN can be extremely useful for a growing business to increase productivity without sacrificing security.

A firewall acts as the first line of defense for your server, protecting your data by filtering traffic according to a customizable set of rules. With the firewall in place, a barrier is created between your server and the rest of the Internet. Any traffic that attempts to connect to your server is analyzed, and if it is deemed malicious, that traffic is blocked.

Another important consideration for uptime protection is DDoS Attack Protection. Our DDoS Attack Protection system works to differentiate between legitimate and malicious traffic by monitoring a selected network of IP addresses and analyzing traffic that attempts to reach the server. In addition, our Support team works with our customers during attacks and regularly tweaks the system to ensure it is working effectively.

Also, if you have not done so already, immediately install an antivirus solution to get advanced protection against malware, ransomware, or unauthorized remote access, and run routine security scans.

You may additionally want to consider protection against brute force attacks. Brute Force Detection (BFD) is a service on your server that watches various log files for brute force attacks, which is an attack attempted via rapid logins using a dictionary file. Specifically, BFD looks for several failed login attempts in a short period of time from the same IP address. If detected, the guilty IP address will be blocked in the server’s firewall.
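The detection rule described above, several failed logins from one IP address in a short period, as an added Python example that is not BFD's own code. The log lines are constructed, the threshold of 5 failures in 60 seconds and the year used to parse syslog timestamps are assumptions, and the firewall commands are only returned as strings, never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines using documentation IP ranges, not real data.
SAMPLE_LOG = """\
Mar 10 03:10:00 web1 sshd[2090]: Failed password for admin from 198.51.100.23 port 40110 ssh2
Mar 10 03:12:00 web1 sshd[2094]: Failed password for admin from 198.51.100.23 port 40112 ssh2
Mar 10 03:13:40 web1 sshd[2099]: Failed password for alice from 192.0.2.44 port 51000 ssh2
Mar 10 03:13:52 web1 sshd[2100]: Accepted password for alice from 192.0.2.44 port 51002 ssh2
Mar 10 03:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 10 03:14:03 web1 sshd[2102]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 03:14:05 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 50126 ssh2
Mar 10 03:14:08 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 50128 ssh2
Mar 10 03:14:10 web1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 50130 ssh2
Mar 10 03:14:30 web1 sshd[2106]: Failed password for admin from 198.51.100.23 port 40114 ssh2
Mar 10 03:17:00 web1 sshd[2110]: Failed password for admin from 198.51.100.23 port 40116 ssh2
Mar 10 03:20:00 web1 sshd[2115]: Failed password for admin from 198.51.100.23 port 40118 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port"
)


def detect_bruteforce(lines, max_failures=5, window=timedelta(seconds=60), year=2024):
    """Return {ip: time of the failure that crossed the threshold}.

    An IP is flagged once it has max_failures failed logins whose timestamps
    all fall inside one sliding window. Syslog lines carry no year, so the
    caller supplies one (assumption).
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    blocked = {}
    for line in lines:
        match = FAILED.match(line)
        if not match:
            continue              # successful logins and unrelated lines are ignored
        stamp = datetime.strptime(f"{year} {match.group(1)}", "%Y %b %d %H:%M:%S")
        ip = match.group(3)
        if ip in blocked:
            continue
        failures = recent[ip]
        failures.append(stamp)
        while stamp - failures[0] > window:
            failures.popleft()    # forget failures older than the window
        if len(failures) >= max_failures:
            blocked[ip] = stamp
    return blocked


def block_commands(blocked):
    """Render one iptables drop rule per flagged address (strings only)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in blocked]


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when}")
    print("\n".join(block_commands(hits)))
```

In the sample, 198.51.100.23 fails five times over ten minutes and stays under the threshold, which shows the trade-off in choosing the window: a slow attempt needs a longer window or a lower count to be caught.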

Hardening a server could take hours, but a server protection package like the one available to Liquid Web customers will optimize your security settings in no time.

Add additional security services and modifications to your server with ServerSecurePLUS™, an exclusive Liquid Web product. ServerSecurePLUS™ greatly enhances the security, reliability, and compatibility of your server through daily CXS scans and a number of server hardening initiatives including email protection, service hardening, brute force detection, and secured access via SSH, FTP and RDP. Saving you hours of installation time or the hassle of hiring a system administrator, ServerSecurePLUS™ guarantees that your server’s important data will be protected.

5. Maintain Scheduled Updates and Backups

Keep updated, real-time backups of all data, databases, and applications. And test the process! There’s nothing worse than finding out only after you need them that your backups have been failing. Additionally, while having local backups is great for quick restores of simple data, keeping an offsite backup is the best way to ensure data recovery in the event of a catastrophic system failure.

Also, always check for web application updates to prevent software vulnerabilities. Security and software updates are not to be taken lightly and should be run as soon as they are available, especially if known to be critical, such as OS or control panel updates. Nearly 60% of organizations that suffered a data breach in the past two years cite as the culprit a known vulnerability that they had not yet patched.

If your website utilizes a content management system (CMS), then one of the most important things you can do to keep your server secure is to regularly and responsibly update the CMS and any plugins you may have. However, it is important to keep in mind that it might not be necessary to upgrade every time you discover a new update for your CMS. Pay attention to how your plugins may be affected, and discuss how the latest update might protect your data with your IT Support.

6. Restrict Access to Servers and Directories

By restricting access to the servers and directories to only those who need it, you are controlling risk and limiting potential damages. Taking extra measures to prevent mismanagement or third-party unauthorized access on a physical level also means fewer potential issues.

Liquid Web data centers restrict physical access to staff members to prevent any negligence that could cause outages or affect your business. In the same way, permissions to change and delete files and directories should be set so that only administrators with appropriate clearance have more than read access.

7. Control Root Level Access on Your Server

Consider disabling the root user login in the SSH server entirely. The root user gives full, unfettered access to your server to anyone wielding it. It’s massively powerful and should be used only when absolutely necessary.

One of the common methods that brute force attacks use when attempting to gain access to your system is to focus specifically on root passwords. Creating a new user and using an alternative login that you can switch to root when needed will both protect your server and allow you to still have access to root-level functions.

On a Liquid Web dedicated server, you have full root level access and are the only one who has full control over what happens on your server, so you can choose who gets that access and who doesn’t.
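Steps 1 and 7 both come down to settings in the SSH server's configuration file. The added Python example below (not from the original article) audits an sshd_config for the default port and for root login; both sample configurations and the deploy user are constructed, and the PermitRootLogin default assumes OpenSSH 7.0 or later.

```python
# Constructed sample configurations (not taken from a real server).
WEAK_CONFIG = """\
# sshd_config on a hypothetical server
Port 22
PermitRootLogin yes
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
AllowUsers deploy
"""

DEFAULT_PORTS = [22]
DEFAULT_ROOT_LOGIN = "prohibit-password"  # assumes OpenSSH 7.0 or later


def parse_sshd_config(text):
    """Return (ports, options) for the global section of an sshd_config."""
    ports, options = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                               # Match blocks are conditional overrides
        if key == "port":
            ports.append(int(value))            # Port may be given several times
        else:
            options.setdefault(key, value)      # the first value obtained wins
    return ports or list(DEFAULT_PORTS), options


def audit_sshd_config(text):
    """Flag the two settings the article discusses: default port and root login."""
    ports, options = parse_sshd_config(text)
    findings = []
    if 22 in ports:
        findings.append("Port 22: default port, reached by every Internet-wide scan")
    root = options.get("permitrootlogin", DEFAULT_ROOT_LOGIN).lower()
    if root == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    elif root != "no":
        findings.append(f"PermitRootLogin {root}: root can still log in with a key")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

The weak sample sets PermitRootLogin twice on purpose: because sshd uses the first value it reads, appending a corrected line to the end of the file does not disable root login.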

8. Choose Dedicated Servers for Top Protection

Even if you have a modest budget, dedicated servers deliver a specific level of protection for your data. Not only do they protect your sensitive information and ensure high server performance, but they also come with two top perks: they deliver both physical security, and can be customized according to your configuration needs.

Liquid Web’s Dedicated Servers can easily be equipped with locked security cages, and include options for hardware firewalls as well as the standard bundled offerings, which provide services such as backups and protection against Distributed Denial-of-Service attacks.

The post How to Make Your Web Server Secure appeared first on Liquid Web.

Choosing Between Dedicated IP and Shared IP

In my last post, I started with a conversation about the general business impact of IP addresses, their purpose within Internet business, and introduced dedicated IP vs shared IP addressing.

In this article, we’ll continue these concepts while remaining focused on the business side of the operation. The conversation will center around the three core facets of Internet business required to stay relevant: stability, resource utilization, and reputation.

Let’s get started!

What Is an IP Address?

IP is short for Internet Protocol, and an IP address is the address for any domain on the Internet. It is represented as a 32-bit number formatted into four 8-bit fields that are separated by periods.

IPs can host many domains, so we can conclude that IPs are the closest point at which we can separate traffic. Keeping stability, resource utilization and reputation in mind, we can start to attack the business impacts of proper separation of traffic so we can allocate resources effectively.

What Is a Dedicated IP Address?

A dedicated IP address is a domain address that serves as your home on the web. Your dedicated IP is not shared with any other domains. Simply typing the dedicated IP address into a browser’s search bar will take a user directly to your site.

When deciding between dedicated IP vs shared IP, remember that dedicated IP addresses will make the most impact on your dedicated server or VPS server’s stability and thereby your company’s reputation (make sense?). Here are a couple guidelines:

1. Dedicated IPs Should Be Isolated to a Single Client.

A dedicated IP, by definition, is an IP address dedicated to a single client. Keep it that way. It will help you later with reporting, tracking, and representation of each client.

2. In Some Cases, a Dedicated IP Address Should Be Isolated to a Single Domain.

One of the most significant advantages to using a dedicated IP address is that bandwidth outside the server can be tracked and identified more granularly.

For example, if this IP address is the target of a DDoS attack, and this IP hosts several domains, it’s often impossible to identify the specific site being targeted. Most often in these situations, the case is that the entire IP address needs to be mitigated or black-holed, not the individual domain.

If this action causes downtime for the targeted client, all of the domains hosted on that IP are now being affected. A tarnish point on your client’s stability equals one on your stability, and therefore on your reputation.

What Is a Shared IP Address?

A shared IP address is one that is shared among multiple different domains. A shared IP address is most used by smaller businesses that use a managed WordPress host or shared hosting providers.

As you consider dedicated IP vs shared IP, bear in mind that shared IPs can make the most impact on your resource utilization (i.e. your bottom line). Shared IPs should host multiple domains. Not doing so only leaves you spending more money than necessary.

Keep these in mind:

1. Ensure Transparency When Placing Clients.

Shared IP addresses get a bad rap. Being upfront about your resources with clients will help ensure a long and healthy relationship with them.

2. If Possible, Avoid Using the Server’s Main or Primary IP Address as a Shared IP for Hosting as Well.

Often the primary IP address of a server is set up as the catch-all IP for all services. Mail, DNS, FTP, Databases; all these services run on that IP address.

Going back to the example of a malicious attack: should the main IP of the server also be the shared IP address, and if utilizing a null-route or black-hole to address the attack is the only response, you stand to lose access to all those domains as well as all the other services running on that IP.

3. It’s Okay to Load IPs Up With Domains, Just Be Cautious With the Anticipated Traffic.

As far as server resources are concerned, there’s no difference between shared IP vs dedicated IP addresses. From NIC configuration to power consumption, processor, or memory utilization, there is no impact from the number of IP addresses hosted on the server.

The same is true with the domain-to-IP ratio. You can have hundreds of domains on a single IP and see no issues with performance. You only have to worry if you have traffic that should be segregated from other clients and is not.

Main Differences Between Dedicated IP and Shared IP

One of the major sticking points in resource utilization is the price. Each IP address is a flat, monthly fee, and the amount is not going to be stable forever. To understand their impact on our business, we need to know how each type of IP, dedicated IP vs shared IP, is used, and the effect it has on our budget.

Let’s start by considering a single dedicated IP.

Following our best practices, this IP would host an individual client and only one domain. IP addresses at Liquid Web are 2 USD per IP, per month. That’s not bad! That’s a 24 USD investment for a single customer per year. Let’s assume you end up with twenty-five new clients in a year, a decent factor. This would equate to 600 USD per year in IP addresses alone if you were to put every new client on a dedicated IP address.

However, if you were to accurately identify clients and decide that they didn’t need this level of service, you could have put all twenty-five of those clients on a single IP address saving you 576 USD per year. That’s significant funds that could have been reinvested in your business’s growth and infrastructure.

Further, if you compound that amount year over year, including continued growth, it’s easy to see where proper business IP structuring pays off. Keep this principle in mind as you consider dedicated IP vs shared IP addressing for your clients.

Benefits of Dedicated IP Address

Now that we have a foundation of what IPs are, how to use them, and the price points, we can look closer at why it is sometimes worth it to spend a little extra for dedicated IP hosting.

Classification for Stability and Reputation

Client classification requires an in-depth understanding of the environment, the client, and the client’s needs. Remember, IP addressing is about traffic segregation.

In a shared IP, the reputation of all domains is tied into the IP’s overall reputation. This could mean that one domain’s poor sender reputation could negatively impact the emails of all other domains on the shared IP. Potentially, a company with good email practices could still see its emails getting filtered into spam folders because of the actions of other domains on the IP.

A dedicated IP address assures businesses that they are entirely responsible for their domain’s reputation and not subjected to punishment for the improper actions of other domains. For many, the extra cost of a dedicated IP is worth the peace of mind of being in control of their own reputation.

With that in mind, there are three questions to consider when deciding between shared IP vs dedicated IP addressing for a new or current client.

1. Does the stability of this new client require isolation from other clients/sites?

Potential clients who answer ‘yes’ to this question could be customers who are of a higher business priority or who are sensitive to their stability. Often, clients of this caliber are willing to pay for the extra insurance dedicated IPs offer.

2. Does the stability of my other clients require isolation from this new client?

This is a question of trustworthiness. The Internet is often compared to the wild, wild west. It’s young, accessible, and incredibly popular.

That means it’s bound to attract all kinds of traffic and the only person standing up for your reputation is you. It’s easier to segregate less reputable traffic at the onset rather than try to do so later.

3. Is there a potential for any malicious activity aimed at or sourced from the new client?

Here, we’re considering both stability and reputation. Now, having malicious traffic sourced from a client is difficult to foresee. A hack, an ill-tempered former employee: these are unfortunate and unforeseeable issues of circumstance.

A history of attack, however, is a bit easier to see coming and potentially thwart before it causes your business problems. Be diplomatic as you engage on this topic.

I’ve mentioned the dreaded DDoS attack several times now and have done so intentionally. These attacks are a severe threat and should be prepared for in advance as much as possible.

Further, there are some types of sites that tend to see more DDoS attacks than others. Bidding sites, blogs that lean toward controversial topics, or sites focusing on high competition industries are more likely to have issues than others.

Also, it’s completely acceptable to ask a client if they have had a history of DDoS attacks. Any reputable client will be forthcoming as it should be their desire to have a strong, healthy business relationship.

Also, don’t be put off if they’re honest and alert you to a spotty history. This doesn’t necessarily mean they’re bad clients. Remember, a DDoS attack is precisely that: a malicious attack. Often honest, well-intentioned people are the target of criminal activity.

With this information up front, you can start to protect yourself and your new client ahead of time.

Classification for Resource Utilization

The previous two questions were geared toward stability and reputation. If you can answer ‘yes’ to either of these questions, you can start to lean toward a dedicated IP address for this client and write the price off as the “cost of doing business.”

Resource utilization is a little more complicated and very much a function of forecasting. Once we’ve protected ourselves from any immediate issues by spending more on resources, a choice needs to be made on how we’ll allocate the rest of our budget.

You can discuss growth or other business opportunities with the client to get an idea of their needs going forward. If they’re planning on moving to a dedicated server within a given amount of time, or would like to expand to include a mix of shared IP and dedicated IP addresses, it may be a good idea to consider starting them on dedicated IP addresses. The remaining customers can likely be placed on a shared IP plan.

This planning reduces your overall cost, and allows you to have some reinvestment opportunities while also giving you some wiggle room as you and your clients grow together.

IP Classification Changes for Liquid Web Customers

Need to make changes to your clients’ IP addresses? No problem!

Starting with planning, Liquid Web’s method of IP allocation is relatively simple. If you need to migrate a customer from a shared IP to a dedicated IP, you can request a new IP through your Manage Interface. Just remember how valuable IP addresses are and vet every request carefully.

Fortunately, Liquid Web’s vetting process is also simple. You would just have to justify the reason you need a new IP, then use it appropriately. Request only as many as you need (a few, not hundreds) and supply the domain that’ll be using that IP. With a short explanation, your request should be granted quickly.

If you have a single server, remember how IPs work on hardware: one server can host many IPs. These IP addresses are probably housed on the same server, so migrating should just be a case of making a few adjustments in your server management interface. If the destination IP is hosted on a different server from the source IP, there may be a few technical caveats.

Our Helpful Humans can handle any questions, offer clarification, and start operations with no problem! Open a ticket, and you should be on your way to resolving whether to use dedicated IP vs shared IP for your customers.

In my final post of the series, I’ll be touching on some of the myths and dated information that still crops up across tech blogs.

The post Choosing Between Dedicated IP and Shared IP appeared first on Liquid Web.

8 Best Practices for Password Security


If you’re in any way vigilant about online security, you undoubtedly have a different, complicated password for every protected online resource that you use. Also, because you’re vigilant, you might sometimes have trouble remembering passwords. But weak passwords won’t stand up to hackers.

Passwords are a pain, but strong passwords are also a necessary means of defense against hackers who won’t stop at anything to gain access to your accounts.

It’s worth the time and effort to keep hackers off-balance with smart, strong passwords that (hopefully) you can still remember. Hackers excel at exploiting weaknesses, and they have the time and the tools to keep hacking away.

What is the Most Common Password?

The most common password in 2019 (which did not change from 2018) was 123456. Other common passwords included 123456789 and qwerty.

Anyone using any of these passwords is just begging to be hacked.

Hackers are everywhere, and they are constantly looking for your password vulnerabilities to attack.

What Password Mistakes Should You Avoid?

To protect your passwords, here are eight common password mistakes to avoid:

  1. Using consecutive keyboard combinations, for example, “zxcvb” or “qwerty”.
  2. Using trending slang phrases or words spelled backwards.
  3. Using your first name, family name, or the names of your spouse or kids.
  4. Using personal information, like your birthday or age.
  5. Recycling old passwords. Use each password only once.
  6. Using the same password for every account you possess.
  7. Letting anyone watch you enter your password.
  8. Staying logged in to your account when you leave your computer unattended or are on a public network. Always log off.

These hints all help keep you from being hacked, which can often lead to an even worse turn of events, like identity theft or data theft/loss.

What Ways Do Hackers Use to Hack or Gain Passwords?

Brute Force Attacks

In a brute force attack, hackers try to overpower your defenses by attempting combinations of usernames and passwords, using software that recombines English dictionary words with thousands of variations, in an attempt to access your website.

While WordPress is the most popular CMS, and therefore the most targeted for brute force attacks, other CMS platforms and login systems are also vulnerable to attack.

Avoid “Admin”

Avoid the default “admin” name for WordPress and other login systems. Hackers will always try using “admin.”

Also, don’t use common names or even your website name as the username. As tempting as it is to think a hacker won’t be able to spell your difficult last name, he/she can always cut and paste it from another source.

Social Engineering

Social engineering is a malicious tactic hackers use to manipulate their targets into divulging sensitive and confidential information. Social engineering can happen across many different platforms, including email, social media, and even the phone. Social engineering, when paired with spear phishing, can be extremely effective against unwary targets who are not on the lookout.

The entire point of social engineering attacks is to gain confidential information that could be used to gain access to systems, steal data, or steal your identity.

Unlimited Login Attempts

Website logins can be set to allow either unlimited login attempts or a set number of them. It never hurts to limit the number of login attempts that can be made to access your site. Not only will this eliminate the threat of brute force attacks, but it also keeps hackers from attempting to access your site through manual password entry after a social engineering attack.

If you are using WordPress, you can download a plugin to do this for you, or even whitelist/blacklist specific IPs for access/denial of access. This way, you can be sure legitimate users can access your site while malicious hackers cannot.
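The login limit and allow/deny lists described above, as an added example that is not from the original post or from any WordPress plugin: failures are counted per account and per source IP inside a sliding window, and the lists are checked first. The class name, thresholds, usernames and addresses are assumptions made for the illustration.

```python
import ipaddress
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Cap failed logins per account and per source IP inside a sliding window."""

    def __init__(self, max_failures=5, window=600, lockout=900,
                 allow=(), deny=(), clock=time.monotonic):
        self.max_failures = max_failures      # failures tolerated inside the window
        self.window = window                  # seconds a failure stays on the counter
        self.lockout = lockout                # seconds a locked key stays locked
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.deny = [ipaddress.ip_network(n) for n in deny]
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lock ends

    @staticmethod
    def _listed(ip, networks):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in networks)

    @staticmethod
    def _keys(username, ip):
        # Count per account (many sources guessing at one login) and per
        # source (one source walking through many logins).
        return (("user", username.strip().lower()), ("ip", ip))

    def check(self, username, ip):
        """Call before verifying the password. Returns 'deny', 'locked' or 'ok'."""
        if self._listed(ip, self.deny):
            return "deny"
        if self._listed(ip, self.allow):
            return "ok"          # trusted source: it still needs the right password
        now = self.clock()
        if any(self._locked_until.get(k, 0) > now for k in self._keys(username, ip)):
            return "locked"
        return "ok"

    def record_failure(self, username, ip):
        if self._listed(ip, self.allow):
            return               # design choice here: allowlisted sources are not counted
        now = self.clock()
        for key in self._keys(username, ip):
            recent = self._failures[key]
            recent.append(now)
            while recent and recent[0] <= now - self.window:
                recent.popleft()
            if len(recent) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                recent.clear()

    def record_success(self, username, ip):
        # A good login resets the account counter; the IP counter just ages out.
        self._failures.pop(("user", username.strip().lower()), None)


def replay(events):
    """Run constructed (time, user, ip, password_ok) events through the throttle."""
    now = [0.0]
    throttle = LoginThrottle(max_failures=3, window=60, lockout=300,
                             allow=["192.0.2.0/28"], deny=["203.0.113.7/32"],
                             clock=lambda: now[0])
    outcomes = []
    for when, user, ip, password_ok in events:
        now[0] = when
        verdict = throttle.check(user, ip)
        if verdict == "ok":
            if password_ok:
                throttle.record_success(user, ip)
                verdict = "pass"
            else:
                throttle.record_failure(user, ip)
                verdict = "fail"
        outcomes.append(verdict)
    return outcomes


# Constructed sample traffic (documentation address ranges, made-up usernames).
SAMPLE_EVENTS = [
    (0,   "alice", "198.51.100.5", False),
    (10,  "alice", "198.51.100.6", False),
    (20,  "alice", "198.51.100.7", False),  # third failure: the account locks
    (30,  "alice", "198.51.100.8", True),   # right password, still locked out
    (40,  "alice", "192.0.2.3",    True),   # allowlisted range gets in
    (50,  "bob",   "203.0.113.7",  True),   # denylisted source is refused outright
    (330, "alice", "198.51.100.8", True),   # lock expired after 300 s
    (400, "carol", "198.51.100.9", False),
    (401, "dave",  "198.51.100.9", False),
    (402, "erin",  "198.51.100.9", False),  # third failure from one source: the IP locks
    (403, "frank", "198.51.100.9", True),
]
```

Locking by username means anyone who knows a login name can lock its owner out for the lockout period, which is why the allowlist path and a short lockout matter in practice.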

8 Best Practices for Password Security

Here are the top eight security best practices for passwords in 2020:

  1. Use different passwords for different accounts, so if one is compromised, the others are not.
  2. Use phrases with symbols, such as a smiley face “:)” in place of the word happy, or the number “2” in place of the word “to”. Playing around with short codes or phrases like this can make your password more difficult to guess.
  3. Try using passphrases with words that don’t normally go together instead of easily forgettable, nonsensical long-character passwords. Passwords like “puppy airplane eating banana” are more easily remembered and less likely to be hacked. Also, swap in non-alphabetic and uppercase characters to strengthen the passphrase. Using the same example, we could easily strengthen the password to “Puppy 41rpl4n3 34ting B4n4n4” by substituting numbers for letters.
  4. We recommend using at least twelve characters of interchangeable lower case, upper case, symbols, and numbers within your password. The longer, the better.
  5. Always check the strength of your password. Most sites provide a password analyzer that tells you how strong or weak your password may be. Definitely pay attention to the analyzer and alter your password accordingly.
  6. Change your password every 90 days, at a minimum.
  7. Employ Two-Factor Authentication (2FA), also known as Multi-Factor Authentication. This uses a text-based or application-based authentication method to verify your identity prior to access.
  8. And lastly, invest in a password manager. Password managers use multiple forms of encryption to ensure that your passwords are even harder to crack, and allow you to only need to remember one password.
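The checks listed on this page (length, character mix, common passwords, keyboard runs, personal information, no recycling), gathered into one function as an added example that is not part of the original post. The function names, the leetspeak table and the PBKDF2 work factor are assumptions of the example, and the common-password set holds only the three passwords the page names.

```python
import hashlib
import hmac
import re
import secrets

MIN_LENGTH = 12
# Only the three passwords this page names; load a full breached-password list in practice.
COMMON = {"123456", "123456789", "qwerty"}
KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Undo the usual number-for-letter swaps before looking for names and common words,
# because guessing tools apply the same swaps.
UNLEET = str.maketrans("4@310$57", "aaeiosst")
PBKDF2_ROUNDS = 600_000   # assumed work factor for this example; tune for your hardware


def keyboard_run(password, min_run=4):
    """Return the longest run of neighbouring keys (either direction), or None."""
    low = password.lower()
    best = None
    for row in KEY_ROWS:
        for seq in (row, row[::-1]):
            for size in range(len(seq), min_run - 1, -1):
                for start in range(len(seq) - size + 1):
                    piece = seq[start:start + size]
                    if piece in low and (best is None or len(piece) > len(best)):
                        best = piece
    return best


def history_entry(password, salt=None):
    """Salted PBKDF2 digest of a password, stored for the 'do not recycle' check."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password, personal=(), history=()):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {"lower case": r"[a-z]", "upper case": r"[A-Z]",
               "number": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
    missing = [name for name, pattern in classes.items()
               if not re.search(pattern, password)]
    if missing:
        problems.append("missing: " + ", ".join(missing))
    low = password.lower()
    plain = low.translate(UNLEET)
    if low in COMMON or plain in COMMON:
        problems.append("on the common-password list")
    run = keyboard_run(password)
    if run:
        problems.append(f"keyboard run '{run}'")
    for item in personal:
        token = item.strip().lower()
        # Names and dates, forwards or reversed, with or without digit swaps.
        if len(token) >= 3 and any(t in low or t in plain for t in (token, token[::-1])):
            problems.append("contains personal information")
            break
    for salt, digest in history:
        if hmac.compare_digest(history_entry(password, salt)[1], digest):
            problems.append("reuses an earlier password")
            break
    return problems
```

The page’s own passphrase “Puppy 41rpl4n3 34ting B4n4n4” passes every rule here, yet `UNLEET` turns it back into four dictionary words, so number-for-letter swaps add less strength than the extra length does.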

Take Password Security Seriously

The above password best practices will help you further secure your site. Granted, thorough password protection isn’t a quick task, but it’s worth the time and effort to keep hackers off their game while safeguarding your site and customer data from theft.


The post 8 Best Practices for Password Security appeared first on Liquid Web.

Non Conformance Plan in Sage X3 V12

Sage X3 V12 adds new functionality that helps raise quality standards. In our previous blog we looked in detail at the Non-conformance management screen. In this blog we will see in detail how to use the Non-conformance plan function to guide and schedule corrective or preventive actions against a reported non-conformity.

Once a report is logged as a non-conformance, it is important to address the issue methodically and track its progress. This is where the Non-conformance plan screen helps: it is used to plan the further steps for the reported non-conformity. Using this function we can correct or prevent an incidence of non-conformance, and the screen provides a framework for adjusting the current system or the operations currently in use.

This function supports the planning process. It becomes easier for the user to track and plan, since it brings together the components that must be met to successfully correct or prevent an incidence of non-conformance.

Non Conformance Plan

Path: All>Non-conformances>Non-conformance plan

There are two action buttons available on this screen:

  1. Implement: Clicking this button advances the status of the plan to ‘Being implemented’. This indicates to users that they can start processing the tasks on the plan to which they have been assigned, and in turn gives stakeholders visibility of the progress of the corrective and preventive Action plan.
  2. Complete: Clicking this button advances the status of the plan to ‘Completed’. This in turn informs the stakeholders that the Action plan has been delivered and the product is approved.

This screen helps to maintain more details related to the plan. Below is the list of fields that help in maintaining relevant data for tracking the plan.

The header flag provides the current status of the Action plan and key information from the reported non-conformity.

A plan can have one of the following statuses: ‘In planning’, ‘Being implemented’ or ‘Completed’. Handling of the non-conformity is characterized by the role assigned to the user. The roles are Planner (Project manager), Actioner and Stakeholder.

  1. Planner: The QA manager has effectively handed over control to the Planner (Project manager) assigned to that non-conformance. The Planner is now responsible for planning a successful delivery of those requirements and building a set of ‘global actions’ to eliminate the problem.
  2. Actioner: The Actioner is responsible for taking ownership of and delivering a line (a task or action) in the Action plan by the specified date. As soon as the Action plan is at status ‘Being implemented’, the Actioner can start processing the tasks (actions) to which they have been assigned.
  3. Stakeholder: A stakeholder can access an action plan at any time. An action plan shows how the objectives for the design or production ‘change’ will be met. A stakeholder can use it as a mechanism for referencing and managing business risk, and potentially costs.

The Non-conformance plan adds a further feature for handling non-conformity by allowing the user to guide and schedule corrective or preventive actions. Using this function we can effectively improve our quality cycle by planning the handling of non-conformities.

Hope this blog helps in raising your quality standards!

About Us

Greytrix – a globally recognized and one of the oldest Sage Development Partner is a one-stop solution provider for Sage ERP and Sage CRM organizational needs. Being acknowledged and rewarded for multi-man years of experience, we bring complete end-to-end assistance for your technical consultations, product customizations, data migration, system integrations, third-party add-on development and implementation competence.

Greytrix caters to a wide range of Sage X3, a Sage Business Cloud Solution, offerings. Our unique GUMU™ integrations include Sage X3 for Sage CRM, Salesforce.com, Dynamics 365 CRM and Magento eCommerce along with Implementation and Technical Support worldwide for Sage X3. Currently we are Sage X3 Implementation Partner in East Africa, Middle East, Australia, Asia, US, UK. We also offer best-in-class Sage X3 customization and development services, integrated applications such as POS | WMS | Payment Gateway | Shipping System | Business Intelligence | eCommerce and have developed add-ons such as Catch – Weight and Letter of Credit and India Legislation for Sage X3 to Sage business partners, end users and Sage PSG worldwide.

Greytrix is a recognized Sage champion ISV Partner for GUMU™ Sage X3 – Sage CRM integration also listed on Sage Marketplace; GUMU™ integration for Sage X3 – Salesforce is a 5-star rated app listed on Salesforce AppExchange and GUMU™ integration for Dynamics 365 CRM – Sage ERP listed on Microsoft AppSource.

For more information on Sage X3 Integration and Services, please contact us at x3@greytrix.com. We would like to hear from you.

How to create credit memo from customer return

In a normal business scenario, credit memos and customer returns play an important part. Each has its own importance in the sales process, which is integral to business processes.

A credit note or credit memo is a commercial document issued by a seller to a buyer. Credit notes act as a source document for the sales return journal. In other words, the credit note is evidence of the reduction in sales. A credit memo, a contraction of the term “credit memorandum”, is evidence of a reduction in the amount that a buyer owes a seller under the terms of an earlier invoice. It can also be a document from a bank to a depositor to indicate the depositor’s balance is being increased in an event other than a deposit, such as the collection by the bank of the depositor’s note receivable.

A credit note lists the products, quantities and agreed prices for products or services the seller provided the buyer, but the buyer returned or did not receive. It may be issued in the case of damaged goods, errors or allowances. In respect of the previously issued invoice, a Credit Memo will reduce or eliminate the amount the buyer has to pay. Note: A Credit Memo is not to be substituted as a formal document. The Credit Memo rarely contains: PO #, Date, Billing Address, Shipping Address, Terms of Payment, List of products with quantities and prices. Usually it references the original Invoice and sometimes states the reason for the issue.

Customer Returns are basically items that have been purchased from a store or any online store but then returned by a customer. In retail, a product return (customer return) is the process of a customer taking previously purchased merchandise back to the retailer, and in turn receiving a refund in the original form of payment, exchange for another item (identical or different), or a store credit.

Many retailers will accept returns provided that the customer has a receipt as a proof of purchase, and that certain other conditions, which depend on the retailer’s policies, are met. These may include the merchandise being in a certain condition (usually resalable if not defective), no more than a certain amount of time having passed since the purchase, and sometimes that identification be provided (though usually only if a receipt is not provided). In some cases, only exchanges or store credit are offered, again usually only without a receipt, or after an initial refund period has passed. Some retailers charge a restocking fee for non-defective returned merchandise, but typically only if the packaging has been opened.

Steps to be followed:

In Sage X3, when you want to create a credit note against a customer return, the first step is to create the customer return against a particular delivery. After starting a new transaction and entering mandatory fields such as site and customer, you can select the delivery from the left-list selection. For a delivery to appear in the left-list selection of the customer return, it must first be validated. Kindly refer to the screenshot below.

Customer Return Entry

After creating a customer return against the delivery, the user needs to set the credit memo flag on the lines of the customer return to “Yes”; only then can those return lines be selected for the credit note. The flag can be set to “Yes” only when the field is active, and the field is activated only if an invoice has been created against that delivery. If the delivery is not invoiced, the system does not allow the credit memo flag to be changed, even after that line is selected on the customer return. Kindly refer to the screenshot below.

Credit memo flag setting

So if a user wants to create a credit memo against that particular line of the customer return, he/she can change the flag to “Yes” and then create the transaction.

The next step is to create a credit note against that customer return. For that, select a credit note transaction and, while creating it, select the particular line from the left-list selection of customer returns. Only lines whose credit memo flag is “Yes” on the customer return transaction appear for selection.

Following the steps above, we can create a credit note against a customer return in Sage X3.


MongoDB Backup and Restore Procedure

Sage X3 uses MongoDB as the storage database for the Administration module. It also acts as part of the first layer of security alongside the Syracuse component. Just like Microsoft SQL and Oracle DB, MongoDB also needs to be backed up. In this blog we will see how to take a backup of MongoDB and how to restore it.

Before taking the backup, check the following prerequisites:

  • Sage X3 needs to be installed on the server with the same version and patch level.
  • Both servers need to have MongoDB Compass downloaded, i.e. the server from which the MongoDB data will be extracted and the server to which it will be restored.

Below are the steps to follow to export data from MongoDB on one server and import it on another:

  • Download the stable version of MongoDB Compass for the platform you use.
  • Run the application file named “MongoDBCompass” from the downloaded folder.
MongoDB-Compass Setup
  • Enter the connection string “mongodb://127.0.0.1:27017” and click on the CONNECT button to connect.
Creation of New-Connection
  • After a successful connection, the application takes you to the home page, which shows the databases.
Database-List

In the above screenshot you can see “syracuse”, the database in which Sage X3 saves all the data of the Administration module.

Click on the syracuse option.

  • After clicking on the syracuse database it will take you to Administration
Syracus-database-list

Out of all the functions, one can decide which functions’ data needs to be extracted from one server and restored on another server.

  • Below we will see how to export the MongoDB data.

From the above list, the user can extract the data of the functions mentioned below. (This is just an example; choose as per requirement.)

Below are the steps to extract data from a function through MongoDB Compass.

  1. Groups:

In Sage X3 we currently have 4 groups, of which 1, “Super Administrator”, is the standard group that comes with the Sage X3 installation.

List-of-group

a. Click on Group in MongoDB Compass.

Group-selection

b. Once clicked, it will take you to the screen below, in which this symbol is the export button through which data gets extracted.

Syracus Group-Export

c. Click on the export button; it will take you to the following screen.

Export-group
  • Click on Browse, select the path where you want to store the data, and name the file with a .json extension. In the above image we have named the file Groups.json.
  • Once finished, go back to the selected path and you will see a .json file. This file has all the groups available in Sage X3.

  2. Roles:

In Sage X3 we currently have 57 roles, of which 3, “Purchase, Sales, Finance”, are manually created; all the rest are standard.

List-of-Roles

a. Click on Role.

Roles-selection

b. Once clicked, it will take you to the screen below, in which this symbol is the export button through which data gets extracted.

Syracus.Role

c. Click on the export button; it will take you to the following screen.

Export-Roles
  • Click on Browse, select the path where you want to store the data, and name the file with a .json extension. In the above image we have named the file Roles.json.
  • Once finished, go back to the selected path and you will see a .json file. This file has all the roles available in Sage X3.

In the same way you can export the rest of the data.

Here we will see how to restore the exported .json files onto another server.

Move all the exported .json files to the new server, where Sage X3 is already installed with the same version and patch level.

Note: As mentioned earlier, the exported files contain all the data from their respective functions, even the standard data that comes automatically with the Sage X3 installation. We need to delete the standard data so that it doesn’t get duplicated after the import.

To delete the standard data, open the .json file in Notepad++, which makes it easier to identify and delete the data.

Once you delete the data, the .json file is ready to be imported. Below are the steps to import the extracted data:

a. Open MongoDB Compass by following the steps in point 1 at the start.

b. Click on the syracuse database and, in the following window, click on the Group function.

c. Click on Import Data, as highlighted in the image below.

Import-group

d. Click on Browse, select the json file, and click on Import.

Group.Json-Import

e. Now log in to Sage X3 and click on Groups in the Administrator module; there you will see the new groups added.

f. Edit all the new groups added. In the Endpoint section, add all the folders and save.

Roles:

For roles as well, we have to delete the standard roles and import the manually created roles. Below are the steps:

a. Open the Roles.json file using Notepad++. Identify the standard roles, delete them by selecting the lines, and save the file. All the new roles created in Sage X3 are at the bottom of the json file; everything above them is standard.

b. Now the .json file is ready to be imported. Next, go to MongoDB Compass, open the Roles function in the syracuse database, and click on Import Data.

Role-Import

c. Click on Browse, select the json file, and click on Import, the same way we did for groups.

d. Now log in to Sage X3 and navigate to the roles function; you will notice 3 new roles added apart from the 54 standard roles.

e. Edit all 3 newly added roles. Select badges as ERPFULL and security profile as User, and click on Save.

Similarly, you can import data for users as well.

This is how we can extract data from the MongoDB database on one system using MongoDB Compass and import it into another system. This MongoDB backup and restore process is mostly used to move groups, roles, users and LDAP from one X3 system to another.
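One way to prepare the import file without deleting records by hand, as an added example that is not Greytrix or Sage code: compare the source export with an export of the same collection taken from the freshly installed target, and keep only the records the target lacks. The key field name `description`, the `_id` values and the standard role names in the sample are assumptions and constructed data; check the field names in your own export before relying on it.

```python
import json


def load_export(text):
    """Parse a JSON export: either one JSON array or one document per line."""
    text = text.strip()
    if not text:
        return []
    if text.startswith("["):
        docs = json.loads(text)
    else:
        docs = [json.loads(line) for line in text.splitlines() if line.strip()]
    if not all(isinstance(doc, dict) for doc in docs):
        raise ValueError("export must contain JSON objects only")
    return docs


def plan_import(source_docs, target_docs, key):
    """Split the source export into (to_import, already_present, unusable)."""
    def norm(value):
        return value.strip().casefold()

    present = {norm(d[key]) for d in target_docs if isinstance(d.get(key), str)}
    to_import, already_present, unusable = [], [], []
    for doc in source_docs:
        value = doc.get(key)
        if not isinstance(value, str) or not value.strip():
            unusable.append(doc)            # no usable key: review by hand
        elif norm(value) in present:
            already_present.append(value)   # standard or repeated record: skip
        else:
            present.add(norm(value))        # also drops repeats inside the export
            to_import.append(doc)
    return to_import, already_present, unusable


def write_import_file(path, docs):
    """Write the reviewed records as a JSON array ready for Import Data."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(docs, handle, indent=2, ensure_ascii=False)


# Constructed sample: a source Roles export (JSON array) ...
SOURCE_ROLES = """[
  {"_id": "src-001", "description": "Example standard role 1"},
  {"_id": "src-002", "description": "Example standard role 2"},
  {"_id": "src-003", "description": "Purchase"},
  {"_id": "src-004", "description": "Sales"},
  {"_id": "src-005", "description": "Finance"},
  {"_id": "src-006"}
]"""

# ... and the same collection exported from the fresh target, one document per line.
TARGET_ROLES = """
{"_id": "tgt-101", "description": "Example standard role 1"}
{"_id": "tgt-102", "description": "example standard role 2 "}
"""


def demo():
    return plan_import(load_export(SOURCE_ROLES), load_export(TARGET_ROLES),
                       key="description")
```

Groups, roles and users decide who can do what in the target system, so read the `to_import` and `unusable` lists before importing rather than trusting the file as exported.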

Top 3 Benefits of Greytrix Professional Services

Greytrix is one of the leading ERP vendors and CRM vendors globally, providing low cost, high quality Professional Services for ERP softwares like Sage X3, Sage 100, Sage 300, Sage 500, Sage Intacct and CRM softwares like Sage CRM, Microsoft Dynamics 365 CRM, Salesforce with over two decades of experience and 250+ developers & consultants. Our team of highly qualified and certified techno-functional experts provide complete assistance for your technical consultations, product customizations, system integrations, add-on development and implementation expertise. Having dealt in thousands of product customizations worldwide, we pride ourselves with the best of services and products with a focus on characteristics, dependability, customer service and uniqueness. Greytrix bridges the functionality gaps and helps you deliver projects on time every time for an always ON business.

Greytrix professional services

Greytrix Professional Services provides the following benefits:

Our team of highly skilled and certified developers have the expertise, understanding and experience in handling ERP development and CRM development involving introduction of new objects, reports and application for enhancing and streamlining your business processes.


  • Industry Specific Customizations

Our best-in-class development capabilities for Sage ERP and Sage CRM deliver new modules, add-ons, and verticals for various industries. Greytrix – software vendors with multi-man years of experience – provides you customizations including software-based product configurations which enable end users to add or change specific functions of the core product to suit your organizational needs.

We provide configuration of ERP systems and CRM systems (cloud based and Windows system) and are experienced with 500+ Customers projects and services delivered across the globe. We understand the core requirements of businesses and chart out a strategic plan to best suit the needs of your organization. Greytrix offers consulting for flexible engagement models, fixed time/ fixed cost, as per your business processes including project planning, assessing business rules, configuring and optimizing the solutions.

So, if you have an ERP or a CRM software and are interested in developing it from scratch then join hands with Greytrix. Our team of highly qualified and certified techno-functional consultants will define the roadmap of how to build your system and address the most frequent questions until you are familiarized with the new technology.

TrainingPros Digitally Transforms Finance with Sage Intacct Helping to Trigger 11% Margin Boost

TrainingPros, a specialized staffing agency, achieved rapid scale and agility by replacing their previous solution with Sage Intacct cloud financial management software. The key to a digital transformation in Finance, the robust system helped the company’s CFO modernize several cumbersome accounting workflows and deliver more comprehensive reporting across the organization. With Sage Intacct’s powerful automation and flexible platform services, the finance team saved dozens of hours in commissions management and payroll tasks, while delivering new dashboards that empowered sales reps to increase margins by 11 percent.

TrainingPros

TrainingPros is a specialized staffing agency with a large and active pool of expert consultants in the learning and development arena. The company provides Fortune 1000 organizations nationwide with skilled contractors who help them effectively train internal staff. With revenues more than doubling, TrainingPros needed financial management leadership and software that could handle increasing complexity and provide needed visibility. The agency hired Jill Vogin as CFO, who selected Sage Intacct to support the next phase of business growth. “The difference with Sage Intacct is that now we’re in front of the eight ball, instead of always being behind it,” said Vogin. “By moving our financial software to the cloud with Sage Intacct, we’re able to provide real-time information to management, invoice our customers more quickly, and pay our contractors more accurately.”

By implementing Sage Intacct and working with Sage Intacct consulting partner Dean Dorton to customize the system to their specific requirements, TrainingPros increased productivity while improving business visibility. For example, the firm:

  • Saved dozens of hours of manual payroll and commissions management work: Rather than use four different applications to track staff time and payments, TrainingPros’ contractors can now enter their hours directly into Sage Intacct. Timesheets then flow through the system’s automated accounts payable and vendor payment processes, so that payroll runs take just three hours versus a week, and contractors are paid 33% faster. In addition, the finance team used custom fields and reports in Sage Intacct to streamline complex commissions calculations from days to hours.  
  • Built Sage Intacct dashboards to help improve sales performance, growing margin by 11%: Using Sage Intacct dashboards and reports to help analyze data, the company introduced a bonus program for more generous compensation, and put financial data in the hands of sales reps to improve performance. “Account Managers can go to their dashboards to track and manage execution against goals and look at their outstanding invoices. This has helped us ramp up our margins by 11%,” Vogin said.
  • Improved cash management and visibility amid double-digit growth: In addition to account managers, hundreds of TrainingPros employees—including the company’s new president—use Sage Intacct dashboards to support decisions surrounding collections, pricing, cash management, and more. As soon as the new president assumed her role earlier this year, the finance team created a personalized dashboard with all of the financial metrics she cares most about, such as daily cash balances and real-time profit and loss statements. This enables her to deliver data-driven business decisions and improve cash flow.

For more information on how TrainingPros benefits from the use of Sage Intacct, read the full case study here.

The post TrainingPros Digitally Transforms Finance with Sage Intacct Helping to Trigger 11% Margin Boost appeared first on ERP News.

Best Sporting Record Holders

Sports are more than mere pastimes. Whether you enjoy football or horse racing, there is a thing that bonds all sports lovers – the thrills of seeing your favourite athlete or team win a match or event. But have you ever wondered who the best sporting record-holders are? Those people who’ve managed to change the game for good? We surely did and put up a list of our favourite records. Check them out!

 Record Holders

1. Michael Phelps

Swimming may not be the most popular sport out there, but nobody deserves the gold medal of all sporting record-holders more than Michael Phelps. We could easily call him “the supreme swimmer,” holding over 18 gold medals in the field.

Not only can he boast such a record, but six of those golds come from his very first Olympics in Athens in 2004, while a further eight come from the Beijing Olympics in 2008 – the most won by a single athlete throughout the history of the Games.

2. Miroslav Klose

If you’ve ever been into placing free bets at sporting events, you probably already know how hard it is to find the best soccer team to bet on, especially in the Miroslav Klose era. Known as Mr Consistent, Klose has already won four World Cups and humiliated Brazil with a 7-1 score in last season’s tournament. No doubt, a great achievement not only for Germany but also for the coach’s personal Palmares.

3. Usain Bolt

From football to running, Usain Bolt is another achiever that tops the charts as one of the most iconic record-holders in history. The champion became a legend in 2012 when he managed to win the title of the fastest man on earth.

Winning a world record didn’t stop his ambitions, so maybe we’ll have the honour to watch him break yet another impossible speed record.

4. Lance Armstrong

You don’t have to like cycling to know that Lance Armstrong is one of the most inspirational figures of all time. Between 1999 and 2005, he won seven Tour de France races – seven years in a row, that is.

Not only did he win these races, but he did so after surviving testicular cancer. Sure, there have been discussions about doping, but nothing can replace the fact that he is indeed the greatest cyclist of all time.

5. Bob Gibson

Bob Gibson is one of those names that may not tell you much unless you’re really into baseball. If that’s your favourite sport, though, you might already have heard about the Year of the Pitcher. If you haven’t, all we can say is that Gibson managed to pitch 47 consecutive scoreless innings and threw 13 shutouts in the 1968 baseball season.

The record still stands today, alongside other records he managed to break, and Gibson was elected to the Baseball Hall of Fame in 1981.

6. Martin Brodeur

Ice hockey is another beloved sport, and the one who has written the sport’s history is Martin Brodeur. The Canadian goaltender spent his entire career with the New Jersey Devils and is the only goalie in history with eight 40-win seasons.

7. James Robinson

Ending our list of best sporting record-holders is none other than James Robinson, the one and only jockey to have recorded nine wins in the 2000 Guineas race. While this record remains unequalled to date, Robinson holds an impressive book of records.

During his career, he also won six Derbies and 24 British Classics. Needless to say, his records remain unmatched more than 140 years after his death.

The post Best Sporting Record Holders appeared first on ERP News.