HIPAA

HIPAA Compliance — It’s the law…

As an IT Managed Services provider, we’ve heard it all…. I mean, who wants to take on another initiative that is as ambiguous and costly as HIPAA Compliance. Besides, your staff don’t have the time to take on more roles and responsibilities.

There’s only one problem though. These rules and regulations are signed into Law. That means, you are breaking the law. So, where does that leave us? Well, there’s 2 options: 1) Roll the dice and hope you don’t get audited/fined when PHI info is lost/stolen 2) Have someone like NetCal help you be compliant quickly and easily.

You see, we are forced to understand/implement the compliance requirements because as a Business Associate, we are also liable for our client’s non-compliance. We’re in this together and we got your back. It’s actually not as bad as everyone thinks. In particular, we know which items are important to focus on and we know how to get your business in compliance via best practices, trainings, templates, etc…

NetCal will perform the following tasks for you:

1. Perform HIPAA, MACRA, and Meaningful Use Risk Assessment
2. Write your Policies and Procedures
3. Train your Employees
4. Maintain your documents in a web portal
5. Provide support in the event of an audit

High-level Summary of Tasks Needed

1. BAA signings
2. User Training
3. Risk Assessment
4. Create HIPAA Policies
5. Perform IT Discovery and Vulnerabilities list
6. Create Recommendation and Security Plan

Major sites still largely lax on prompting users towards safer password choices, study finds

A study assessed whether or not the most popular English-language websites help users strengthen their security by providing them with guidance on creating safer passwords during account sign-up or password-change processes.

Some of the Internet’s biggest names largely fall short of nudging users towards safer choices when they create or change their passwords, a study by the University of Plymouth has found.

Steven Furnell, Professor of Information Security at the United Kingdom-based university, recently conducted an examination of the password practices of Google, Facebook, Wikipedia, Reddit, Yahoo, Amazon, Twitter, Instagram, Microsoft Live, and Netflix. The results – summed up in a paper called Assessing website password practices – over a decade of progress? – actually follow up on previous runs of the same survey in 2007, 2011, and 2014.

So what are the results? In short, some of the world’s biggest online services “still allow people to use the word ‘password’, while others will allow single-character passwords and basic words including a person’s surname or a repeat of their user identity”.

In other words, although there have been modest improvements on some scores, the picture has remained largely unchanged over the years, according to the survey. That is notwithstanding the increased threat of cyberattacks and privacy breaches, along with the fact that countless people continue to make one of the most common security mistakes by picking atrocious passwords.

On a positive note, the number of wildly popular sites in English that allow you to use “password” as your, well, password has dropped over the years. Also, the number of services that enable you to add an extra safeguard on top of your password by supporting two-factor authentication (2FA) has increased from three to eight between 2011 and 2018.

Enforcement of password restrictions and availability of additional support (source: Assessing website password practices – over a decade of progress? via TechCrunch)

Of the ten online services under review (although their composition has not remained unchanged over the years), Google, Microsoft Live, and Yahoo were found to provide the best assistance to users in designing a strong password. This holds true both for the survey’s 2014 and 2018 editions.

On the flip side, Amazon fared the worst, both now and four years ago, having been joined by Reddit and Wikipedia as the worst performers in the study’s latest run.

Now, in the absence of clear and thorough guidance on some of the biggest websites themselves, be sure to read our pieces on how to avoid the perils of passwords, their reuse, and, indeed, how to ditch your password and use a passphrase instead.

In addition, we’ve also reported on The Digital Identity Guidelines, drafted by the US National Institute for Standards and Technology (NIST) last year, which among other things recommend that every password should be compared against a “black list” of unacceptable passwords. Such a “wall of shame” should include predictable and easily guessable passwords, passwords leaked in past breaches, dictionary words, and common phrases that users are known to pick.


This article was provided by our service partner : Eset

Windows 10 quality updates explained & the end of delta updates

With Windows 10, quality updates are cumulative. Installing the most recent update ensures that you receive any previous updates you may have missed. We used a cumulative update model to reduce ecosystem fragmentation, and to make it easier for IT admins and end users to stay up to date and secure. However, cumulative updates can prove challenging when it comes to the size of the update and the impact that size can have on your organization’s valuable network bandwidth.

When a new Windows 10 feature update is released, the first cumulative update is generally between 100-200 MB in size. Across all versions of Windows 10, cumulative updates grow as additional components and features get serviced, pushing the size to somewhere between 1-1.2 GB. Generally, this happens within the first 6-8 months after the release of a feature update.

To help you reduce the burden on your network bandwidth, yet still receive the same equivalent update, Microsoft designed three different update types:

  • Full updates have all the necessary components and files that have changed since the last feature update. We refer to this as the latest cumulative update, or LCU. It can quickly grow to a little over 1 GB in size, but typically stays that size for the lifetime of that supported version of Windows 10.
  • Express updates generate differential downloads for every component in the full update based on several historical bases. For example, the latest May LCU contains tcpip.sys. We will generate a differential for all tcpip.sys file changes from April to May, March to May, and from the original feature release to May. A device leveraging express updates will use network protocol to determine optimal differentials, then download only what is needed, which is typically around 150-200 MB in size each month. Ultimately, the more up to date a device is, the smaller the size of the differential download. Devices connected directly to Windows Server Update Services (WSUS), System Center Configuration Manager, or a third-party update manager that supports express updates will receive these smaller payloads.
  • Delta updates include only the components that changed in the most recent quality update. Delta updates will only install if a device already has the previous month’s update installed. For example, assume in May that we changed tcpip.sys and ntfs.sys, but did not change notepad.exe. A device that downloads the delta update will get the latest version of tcpip.sys and ntfs.sys, but not notepad.exe. Delta updates include the full component (not just the individual files) that changed. As a result, they are larger than express updates, often around 300-500 MB in size.

Regardless of which type of update is installed on a device, that update is fully cumulative and installing the latest update will ensure that the device has all the necessary quality and security improvements.

Windows 10

This raises an important question: why make delta updates available if express updates are more optimized and don’t require the previous month’s update already be installed? Delta updates were originally created because the express update protocol was only available to devices connecting directly to Windows Update or Windows Server Update Services. In January 2017, the express protocol was extended to all 3rd party update management systems; however, we continued to ship delta updates to give companies and third-party update management tools time to implement support for express updates.

Currently delta updates are available for the following versions of Windows 10:

  • Windows 10, version 1607
  • Windows 10, version 1703
  • Windows 10, version 1709
  • Windows 10, version 1803

Now that express update support for third-party update managers has been available for over a year, we plan to stop shipping delta updates. Beginning February 12, 2019 Microsoft will end its practice of creating delta updates for all versions of Windows 10. Express updates are much smaller in size, and simplifying the cumulative options available will reduce complexity for IT administrators.

For more information on optimizing update bandwidth and more details about express updates, see Optimize Windows 10 update delivery. To learn more about Windows as a service, check out the new Windows as a service page on the Windows IT Pro Center.

 

3 Cyber Threats IT Providers Should Protect Against

With cybercrime damages set to cost the world $6 trillion annually by 2021, a new bar has been set for cyber threats security teams across industries to defend their assets. This rings especially true for IT service providers, who are entrusted to keep their clients’ systems and IT environments safe from cybercriminals. These clients are typically small and medium-sized businesses (SMBs), which are now the primary target of cyber threats and attacks. This presents a major opportunity for the managed service providers (MSPs) who serve them to emerge as the cybersecurity leaders their clients rely on to help them successfully navigate the threat landscape.

Before you can start providing cybersecurity education and guidance, it’s crucial that you become well-versed in the biggest threats to your clients’ businesses. As an IT service provider, understanding how to prepare for the following cyber threats will reinforce the importance of your role to your clients.

Ransomware

Ransomware is a type of malware that blocks access to a victim’s assets and demands money to restore that access. The malicious software may either encrypt the user’s hard drive or the user’s files until a ransom is paid. This payment is typically requested in the form of an encrypted digital currency, such as bitcoin. Like other types of malware, ransomware can spread through email attachments, operating system exploits, infected software, infected external storage devices, and compromised websites, although a growing number of ransomware attacks use remote desktop protocols (RDP). The motive for these types of attacks is usually monetary.

Why is ransomware a threat that continues to spread like wildfire? Simple: it’s easy for cybercriminals to access toolsets. Ransomware-as-a-Service (RaaS) sites make it extremely easy for less skilled or programming-savvy criminals to simply subscribe to the malware, encryption, and ransom collection services necessary to run an attack—and fast. Since many users and organizations are willing to pay to get their data back, even people with little or no technical skill can quickly generate thousands of dollars in extorted income. Also, the cryptocurrency that criminals demand as payment, while volatile in price, has seen huge boosts in value year over year.

Tips to combat ransomware:
  • Keep company operating systems and application patches up-to-date.
  • Use quality endpoint protection software.
  • Regularly back up company files and plan for the worst-case scenario: total data and systems loss (consider business continuity if budgets allow).
  • Run regular cybersecurity trainings with employees and clients.

Phishing

Phishing is the attempt to obtain sensitive information, such as usernames, passwords, and credit card details (and, indirectly, money ), often for malicious reasons. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information into a fake website, the look and feel of which are almost identical to a trusted, legitimate site.

Phishing is a common example of a social engineering attack. Social engineering is the art of tricking or manipulating a user into giving up sensitive or confidential information. The main purpose of a phishing attack can range from conning the recipient into sharing personal or financial information, to clicking on a link that installs malware and infects the device (for example, ransomware uses phishing as its primary infection route.)

Tips to combat phishing:
  • Ensure your employees and clients understand what a phishing email looks likeand how to avoid becoming a victim by testing your users regularly. Train them with relevant phishing scam simulations.
  • Hover over URLs in email to see the real address before clicking.
  • Use endpoint security with built-in anti-phishing protection.
  • Consider a DNS filtering solution to stop known phishing and malicious internet traffic requests.

Brute Force Attack

A brute force attack is a cyberattack in which the strength of computer and software resources are used to overwhelm security defenses via the speed and/or frequency of the attack. Brute force attacks can also be executed by algorithmically attempting all combinations of login options until a successful one is found.

It’s important to note that brute force attacks are on the rise. Earlier this year, Rene Millman of SC Magazine UK reported, “hacking attempts using brute force or dictionary attacks increased 400 percent in 2017.”

Tips to combat brute force attacks:
  • Scan your systems for password-protected applications and ensure they are not set to default login credentials. And if they’re not actively in use, get rid of them.
  • Adjust the account lockout policy to use progressive delay lockouts, so a dictionary or brute force combination attack is impossible.
  • Consider deploying a CAPTCHA stage to prevent automated dictionary attacks.
  • Enforce strong passwords and 2-factor authentication whenever possible.
  • Upgrade your toolset. RDP brute force is a major ongoing issue. Standard RDP is highly risky, but secure VPN paid-for alternatives make remote access much more secure.

Leveraging Common Cyber Attacks to Improve Business

As an IT service provider, it’s important to remember that communication is everything. With clients, I recommend you define what exactly you’re protecting them against in an effort to focus on their top cybersecurity concerns. If you “profile” certain attack vectors using common cyber threat attack types, like ransomware, phishing, and brute force attacks, you’ll be able to clearly communicate to clients exactly what it takes to protect against their biggest risks and which technologies are necessary to remain as secure as possible.


This article was provided by our service partner : webroot.com 

Tips to backup & restore your SQL Server

Microsoft SQL Server is often one of the most critical applications in an organization, with too many uses to count. Due to its criticality, your SQL Server and its data should be thoroughly protected. Business operations rely on a core component like Microsoft SQL Server to manage databases and data. The importance of backing up this server and ensuring you have a recovery plan in place is tangible. People want consistent Availability of data. Any loss of critical application Availability can result in decreased productivity, lost sales, lost customer confidence and potentially loss of customers. Does your company have a recovery plan in place to protect its Microsoft SQL Server application Availability? Has this plan been thoroughly tested?

Microsoft SQL Server works on the backend of your critical applications, making it imperative to have a strategy set in place in case something happens to your server. Veeam specifically has tools to back up your SQL Server and restore it when needed. Veeam’s intuitive tool, Veeam Explorer for Microsoft SQL Server, is easy to use and doesn’t require you to be a database expert to quickly restore the database. This blog post aims to discuss using these tools and what Veeam can offer to help ensure your SQL Server databases are well protected and always available to your business.

The Basics

There are some things you should take note of when using Veeam to back up your Microsoft SQL Server. An important aspect and easy way to ensure your backup is consistent is to check that application-aware processing is enabled for the backup job. Application aware processing is Veeam’s proprietary technology based on Microsoft Volume Shadow Copy Service. This technology quiescences the applications running on the virtual machine to create a consistent view of data. This is done so there are no unfinished database transactions when a backup is performed. This technology creates a transactionally consistent backup of a running VM minimizing the potential for data loss.

Enabling Application Aware processing is just the first step, you must also consider how you want to handle the transaction logs. Veeam has different options available to help process the transaction logs. The options available are truncate logs, do not truncate logs, or backup logs periodically.

Figure 1: SQL Server Transaction logs Options

Figure 1 shows the Backup logs periodically option is selected in this scenario. This option supports any database restore operation offered through Veeam Backup & Replication. In this case, Veeam periodically will transfer transaction logs to the backup repository and store them with the SQL server VM backup, truncating logs on the original VM. Make sure you have set the recovery model for the required SQL Server database to full or bulk-logged.

If you decide you do not want to truncate logs, Veeam will preserve the logs. This option puts the control into the database administrator’s hands, allowing them to take care of the database logs. The other alternative is to truncate logs, this selection allows Veeam to perform a database restore to the state of the latest restore point. To read more about backing up transaction logs check out this blog post.

Data recovery

Veeam Explorer for Microsoft SQL Server delivers consistent application Availability through the different restore options it offers to you. These include the ability to restore a database to a specific point in time, restore a database to the same or different server, restore it back to its original location or export to a specified location. Other options include performing restores of multiple databases at once, the ability to perform a table-level recovery or running transaction log replay to perform quick point-in-time restores.

Figure 2: Veeam Explorer for Microsoft SQL Server

Recovery is the most important aspect of data Availability. SQL Transaction log backup allows you to back up your transaction logs on a regular basis meeting recovery point objectives (RPOs). This provides not only database recovery options, but also point-in-time database recovery. Transaction-level recovery saves you from a bad transaction such as a table drop, or a mass delete of records. This functionality allows you to do a restore to a point in time right before the bad transaction had occurred, for minimal data loss.

And it is available for FREE!

Veeam offers a variety of free products and Veeam Explorer for Microsoft SQL Server is one that is included in that bunch. If you are using Veeam Backup Free Edition already, you currently have this Explorer available to you. The free version allows you to view database information, export a database and export a database schema or data. If you’re interested in learning more about what you get with Veeam Backup Free Edition, be sure to download this HitchHikers Guide.

 


This article was provided by our service partner : veeam.com

veeam

Veeam Availability Suite 9.5 Update 3a is now available!

Platform support is a priority at Veeam. Whether that is the latest operating systems, new storage systems or updated hypervisors, we take platform support seriously. Since Veeam Backup & Replication 9.5 Update 3 has been released, a number of ecosystem changes have warranted an update ahead of the upcoming set of Veeam capabilities (due later this year) showcased at VeeamON. A larger update is coming soon, which is why we are referring to this release as Update 3a opposed to Update 4 (which is planned for later in the year). The main capabilities in this release are the new platforms supported as well as over 20 minor enhancements detailed in the KB article.

Update 3a will bring support for the latest VMware and Microsoft platforms that organizations need from Veeam. The list of new platforms supported by Veeam Backup & Replication are:

  • VMware vSphere 6.7
  • VMware vCloud Director 9.1
  • Preliminary support for VMware vSphere 6.5 U2  (See more below)
  • Microsoft Windows Server 1803
  • Microsoft Windows Hyper-V Server 1803
  • Microsoft Windows 10 April 2018 Update

There are supplemental platforms also supported in this update:

  • VMware Cloud on AWS version 1.3
  • Microsoft System Center Virtual Machine Manager 1801

This update is important as it means Veeam Backup & Replication will do the following:

  1. Install Veeam Backup & Replication 9.5 Update 3a on the new Windows operating systems
  2. Install components (such as proxies, repositories, etc.) on the new Windows operating systems
  3. Perform backup and replication jobs from the new vSphere platforms and the Hyper-V roles in the Microsoft Windows Server 1803 operating system

One different notation is the “Preliminary” support for VMware vSphere 6.5 Update 2. Those of you who have been following the weekly forum digest emails have additional insights to the many milestones that had to be achieved to get to this point. This is very important as with a product providing backup in the data center, we cannot take any risk of a false sense of security. These emails are also where you can get the latest from R&D on all the catch points that may arise; namely what we are seeing with vSphere 6.5 Update 2. Support for this release will likely come in an update to 6.5 Update 2 itself. The support statement is clarified well in this forum post, basically stating as it is there is a known issue a critical API for our use failing under load.

To remain on the cutting edge, many organizations like to maintain aggressive policies on upgrading to the latest vSpherevCloud DirectorWindows 10 and Windows Server releases; and ensuring that these platforms are supported for backup should be an important consideration. This is yet another reason why Veeam continues to work hard to deliver updated platform support as soon as possible. As you plan your next moves for your business, you can know that the platform support needed to keep those applications, systems and data available will be there with Veeam.


This article was provided by our service partner : veeam.com