Veeam’s Office 365 backup

It is no secret anymore, you need a backup for Microsoft Office 365! While Microsoft is responsible for the infrastructure and its availability, you are responsible for the data as it is your data. And to fully protect it, you need a backup. It is the individual company’s responsibility to be in control of their data and meet the needs of compliance and legal requirements. In addition to having an extra copy of your data in case of accidental deletion, here are five more reasons WHY you need a backup.

Office 365 backup 1

With that quick overview out of the way, let’s dive straight into the new features.

Increased backup speeds from minutes to seconds

With the release of Veeam Backup for Microsoft Office 365 v2, Veeam added support for protecting SharePoint and OneDrive for Business data. Now with v3, we are improving the backup speed of SharePoint Online and OneDrive for Business incremental backups by integrating with the native Change API for Microsoft Office 365. By doing so, this speeds up backup times up to 30 times which is a huge game changer! The feedback we have seen so far is amazing and we are convinced you will see the difference as well.

Improved security with multi-factor authentication support

Multi-factor authentication is an extra layer of security with multiple verification methods for an Office 365 user account. As multi-factor authentication is the baseline security policy for Azure Active Directory and Office 365, Veeam Backup for Microsoft Office 365 v3 adds support for it. This capability allows Veeam Backup for Microsoft Office 365 v3 to connect to Office 365 securely by leveraging a custom application in Azure Active Directory along with MFA-enabled service account with its app password to create secure backups.

Office 365 backup 2

From a restore point of view, this will also allow you to perform secure restores to Office 365.

Office 365 backup 3

Veeam Backup for Microsoft Office 365 v3 will still support basic authentication, however, using multi-factor authentication is advised.

Enhanced visibility

By adding Office 365 data protection reports, Veeam Backup for Microsoft Office 365 will allow you to identify unprotected Office 365 user mailboxes as well as manage license and storage usage. Three reports are available via the GUI (as well as PowerShell and RESTful API).

License Overview report gives insight in your license usage. It shows detailed information on licenses used for each protected user within the organization. As a Service Provider, you will be able to identify the top five tenants by license usage and bring the license consumption under control.

Storage Consumption report shows how much storage is consumed by the repositories of the selected organization. It will give insight on the top-consuming repositories and assist you with daily change rate and growth of your Office 365 backup data per repository.

Office 365 backup 4

Mailbox Protection report shows information on all protected and unprotected mailboxes helping you maintain visibility of all your business-critical Office 365 mailboxes. As a Service Provider, you will especially benefit from the flexibility of generating this report either for all tenant organizations in the scope or a selected tenant organization only.

Office 365 backup 5

Simplified management for larger environments

Microsoft’s Extensible Storage Engine has a file size limit of 64 TB per year. The workaround for this, for larger environments, was to create multiple repositories. Starting with v3, this limitation and the manual workaround is eliminated! Veeam’s storage repositories are intelligent enough to know when you are about to hit a file size limit, and automatically scale out the repository, eliminating this file size limit issue. The extra databases will be easy to identify by their numerical order, should you need it:

Office 365 backup 6

Flexible retention options

Before v3, the only available retention policy was based on items age, meaning Veeam Backup for Microsoft Office 365 backed up and stored the Office 365 data (Exchange, OneDrive and SharePoint items) which was created or modified within the defined retention period.

Item-level retention works similar to how classic document archive works:

  • First run: We collect ALL items that are younger (attribute used is the change date) than the chosen retention (importantly, this could mean that not ALL items are taken).
  • Following runs: We collect ALL items that have been created or modified (again, attribute used is the change date) since the previous run.
  • Retention processing: Happens at the chosen time interval and removes all items where the change date became older than the chosen retention.

This retention type is particularly useful when you want to make sure you don’t store content for longer than the required retention time, which can be important for legal reasons.

Starting with Veeam Backup for Microsoft Office 365 v3, you can also leverage a “snapshot-based” retention type option. Within the repository settings, v3 offers two options to choose from: Item-level retention (existing retention approach) and Snapshot-based retention (new).

Snapshot-based retention works similar to image-level backups that many Veeam customers are so used to:

  • First run: We collect ALL items no matter what the change date is. Thus, the first backup is an exact copy (snapshot) of an Exchange mailbox / OneDrive account / SharePoint site state as it looks at that point in time.
  • Following runs: We collect ALL new items that have been created or modified (attribute used here is the change date) since the previous run. Which means that the backup represents again an exact copy (snapshot) of the mailbox/site/folder state as it looks at that point in time.
  • Retention processing: During clean-up, we will remove all items belonging to snapshots of mailbox/site/folder that are older than the retention period.

Retention is a global setting per repository. Also note that once you set your retention option, you will not be able to change it.

Other enhancements

As Microsoft released new major versions for both Exchange and SharePoint, we have added support for Exchange and SharePoint 2019. We have made a change to the interface and now support internet proxies. This was already possible in previous versions by leveraging a change to the XML configuration, however, starting from Veeam Backup for Microsoft Office 365 v3, it is now an option within the GUI. As an extra, you can even configure an internet proxy per any of your Veeam Backup for Microsoft Office 365 remote proxies.  All of these new options are also available via PowerShell and the RESTful API for all the automation lovers out there.

Office 365 backup 7

On the point of license capabilities, we have added two new options as well:

  • Revoking an unneeded license is now available via PowerShell
  • Service Providers can gather license and repository information per tenant via PowerShell and the RESTful API and create custom reports

To keep a clean view on the Veeam Backup for Microsoft Office 365 console, Service Providers can now give organizations a custom name.

Office 365 backup 8

Based upon feature requests, starting with Veeam Backup for Microsoft Office 365 v3, it is possible to exclude or include specific OneDrive for Business folders per job. This feature is available via PowerShell or RESTful API. Go to the What’s New page for a full list of all the new capabilities in Veeam Backup for Microsoft Office 365.


This article was supplied by our service partner : veeam.com

Why Simplified Security Awareness Training Matters for MSPs and SMBs

In a recent report by the firm 451 Research, 62 percent of SMBs reported having a security awareness training program in place for their employees, with half being “homegrown” training courses. The report also found that most complained their programs were difficult to implement, track, and manage.

Like those weights in the garage you’ve been meaning to lift or the foreign language textbook you’ve been meaning to study, even our most well-intentioned efforts flounder if we’re not willing to put to use the tools that can help us achieve our goals.

So it goes with cybersecurity training. If it’s cumbersome to deploy and manage, or isn’t able to clearly display its benefits, it will be cast aside like so many barbells and Spanish-language dictionaries. But unfortunately, until now, centralized management and streamlined workflows across client sites have eluded the security awareness training industry.

The Importance of Effective Security Awareness Training

The effectiveness of end user cybersecurity training in preventing data breaches and downtime has been demonstrated repeatedly. Webroot’s own research found security awareness training cut clicks on phishing links by 70 percent, when delivered with regularity. And according to the 2018 Data Breach Investigation Report by Verizon, 93 percent of all breaches were the result of social engineering attacks like phishing.

With the average cost of a breach at around $3.62 million, low-overhead and effective solutions should be in high demand. But while 76 percent of MSPs reported using some type of security awareness tool, many still rely on in-house solutions that are siloed from the rest of their cybersecurity monitoring and reporting.

“MSPs should consider security awareness training from vendors with cybersecurity focus and expertise, and who have deep visibility and insights into the changing threat landscape,” says 451 Research Senior Analyst Aaron Sherrill.

“Ideally, training should be integrated into the overall security services delivery platform to provide a unified and cohesive approach for greater efficacy.”

Simple Security Training is Effective Security Training

Security awareness training that integrates with other cybersecurity solutions—like DNS and endpoint protection—is a good first step in making sure the material isn’t brushed aside like other implements of our best intentions.

Global management of security awareness training—the ability to initiate, monitor, and report on the effectiveness of these programs from a single pane of glass across all of your customers —is the next.

When MSPs can save time by say, rolling out a simulated phishing campaign or training course to one, many or allclient’s sites across the globe with only a few clicks, they both save time and money in management overhead, and are more likely to offer it as a service to their clients. Everyone wins.

With a console that delivers intuitive monitoring of click-through rates for phishing campaigns or completion rates for courses like compliance training, across all client sites, management is simplified. And easily exportable phishing and campaign reports help drive home a client’s progress.

“Automation and orchestration are the force multipliers MSPs need to keep up with today’s threats and provide the best service possible to their clients,” says Webroot SVP of Product Strategy and Technology Alliances Chad Bacher.”

So as a growing number of MSPs begin to offer security awareness training as a part of their bundled services, and more small and medium-sized businesses are convinced of its necessity, choosing a product that’s easy to implement and manage becomes key.

Otherwise, the tool that could save a business from a breach becomes just another cob-webbed weight bench waiting for its day.


This article was provided by our service partner : webroot.com

cybersecurity

7 Critical, and Often Overlooked, Ways to Improve Your Cybersecurity

What you don’t know can, and will, hurt you. Cybersecurity is now at the forefront of business IT needs. If you ignore it, it won’t go away, and even worse, your customers will look elsewhere to get the services they need if you’re not providing them. It’s time to face the music. I recently sat down to chat with Chris Loehr, Executive Vice President of Solis Security, who specializes in cybersecurity incident response.

Chris has experience conducting forensic work on cyberattacks. He works with MSPs day in and day out and sees first-hand the mistakes commonly made all the time. Here are the tips he shared with us on how to wise up about cybersecurity:

Know Your Power

Your tools, specifically your remote monitoring and management (RMM) tool, are extremely powerful. While it can be used for the purpose it was intended, allowing you to work on multiple machines at the same time, it can also be used maliciously to attack several companies at once. This makes MSPs an ideal target for attackers to gain access to an entire database in a relatively short amount of time vs. attacking companies individually. And unfortunately, in some cases, businesses never recover. You need to ensure that your RMM is secure.

Don’t Blindly Trust Your Providers

You should hold yourself responsible and perform due diligence on your key vendors/service providers. Your customers trust you. The vendors you work with are an extension of you and the services you provide. Ensuring that your vendors are doing the right things makes it easier for you to also do right by your customers. You need to educate your customers on what threats could impact them, what you do or do not cover, and provide the appropriate solutions. In doing so, you can be the trusted service provider they believe you are. And in the long run, this level of earned trust translates directly to customer retention.

Invest the Time to Truly Know Your Customers

When disaster strikes should not be the time that you’re learning about your customers and their operations. You need to know ahead of time what the critical applications/files are that need to be backed up. They might not be the obvious applications. Too often after disaster strikes, you find out you didn’t back up something essential to the customers’ business because you didn’t know about it or its importance. A business impact assessment (BIA) should be performed annually for each monthly recurring revenue (MRR) customer.

Give Your Best Customers Some Love

When disaster strikes, the best customers usually will be the most upset and most willing to pursue legal action. Even though everything appears to be going great, you don’t know what may be happening behind the scenes. Having crucial conversations with decision makers is key to your ongoing success. Ensure these conversations include topics around cybersecurity to help protect them, as well as yourself.

Don’t Be Cybersecurity Insurance Ignorant

Cybersecurity coverage is not the same as an auto insurance or health insurance policy. Filing a claim does not make your premiums go up. Be especially careful when deciding what coverages to waive. To get lower premiums, companies sometimes waive cyberextortion coverage. However, this type of coverage pays for a ransom, should you be in a situation to require one. Even though you might have enough money in the bank to pay it, keep in mind that you are still responsible for operational expenses as well (like payroll).

Doing a risk assessment is helpful to understand where you and your customers stand and in the future could also become a tool for the insurance industry to help underwrite policies.

Realize That Your Contracts Aren’t a Magic Shield

This is the biggest weakness of many MSPs. Anyone can sue you regardless of your contract. You need to know when certain scenarios will negate your liability limitations. Often, MSPs rely on only one attorney to assist in creating their contracts. It’s always best to have a second option. We highly advise getting a litigation attorney to look at your contracts. Also, take into consideration different state laws if you operate in more than one state and how that impacts your contracts.

Prepare for a Disaster

As the saying goes, “If you fail to plan, you’re planning to fail.” Not planning for a disaster could quite literally put you out of business or set you back a couple of years. Your backup solution is the ultimate piece that will save your business. It has to be more than rock solid. Test it and test it again. Backing up data is the first step but being able to restore from the back up is the true measure of success. The worst-case scenario is to have to tell your customer that you lost all the files that were previously backed up. A one size fits all backup solution might not work for each customer.


This article was provided by our service partner : connectwise.com

Cloud Based vs Self Hosted Remote Support

Cloud-Based vs. Self-Hosted Remote Support: 3 Things to Consider

Researching remote support products can lead you down many paths, but it’s important to keep your footing and consider how the needs of your business–and your clients’ needs–factor into the functionality of the tool(s) you’re considering.

One fork in the road you might encounter is the choice between a self-hosted or cloud-based remote support solution. You should carefully consider your options here as there are pros and cons to both self-hosted and cloud based remote support software.

Your crossroad will only look slightly different if you already have a self-hosted remote support system in place. In that case, you should consider whether your current solution is still worth the time and money to maintain.

So, where does this lead? Let’s examine the pros and cons of both self hosted and cloud based.

1. Setup & Implementation

On-prem support tools frequently require more time and money up front to implement. You might have to purchase hardware to build your own server structure or buy a domain name. In that case, you’ll need to ensure that the ISP allows for configuration of your own self hosted remote support software as some don’t.

The cloud-based remote support counterparts typically come preconfigured for easier setup, ready for action right out of the box. Typically, they also include an easy to remember URL or subdomain, so you won’t have to worry about ISP server allowances, purchasing a static IP address, or experiencing NAT loopback issues.

2. Security*

Self-hosted remote support software will require you to manually secure ports, set up firewalls, establish SSL certificates, and maintain security yourself.

Conversely, with a cloud-based tool, securing your data (and maintaining its security) is done in partnership with the vendor who’s there to help with these efforts. The vendor will usually have wildcard SSL certificates in place that will secure your instance for you, so there’s no need to maintain firewalls and traffic for a server in the cloud.

Pro-Tip: look for remote support software that offers AES encryption as well as SSL certificates.

*If the industry you support requires stringent security compliance, then on-prem is the option for you. But for most businesses, cloud-based tools are a viable option. And while there’s still plenty of debate about the security of cloud environments, the question you should ask yourself is whether or not you want to shoulder the responsibility of a security breach if something goes wrong with your self-hosted system.

3. Upkeep & Upgrades

When considering self-hosted options, hardware gets old and sometimes breaks; manual upkeep ties up your resources; access to support and upgrading fees add up; downtime can poke holes in your revenue stream.

But with cloud-based options, updates and bug fixes are done automatically, and typically don’t have hidden fees. You’ll always be using the most up-to-date version of the product.

Other factors are at play here, too. Customization, resource training, overall reliability–these are all things you should weigh before you make a purchase. Once you see what tilts the scales, the decision will be much easier.

Dragonblood

WPA3 flaws may let attackers steal Wi-Fi passwords

The new wireless security protocol contains multiple design flaws that hackers could exploit for attacks on Wi-Fi passwords

WPA3, a new Wi-Fi security protocol launched in June 2018, suffers from vulnerabilities that make it possible for an adversary to recover the password of a wireless network via “efficient and low cost” attacks, according to a new academic paper and a website dedicated to the flaws.

As a reminder, the third iteration of the Wi-Fi Protected Access (WPA) protocol is designed to enhance wireless security, including by making it well-nigh impossible to breach a WiFi network using password-guessing attacks. This safeguard – which is courtesy of WPA3’s ‘Simultaneous Authentication of Equals’ (SAE) handshake, popularly known as Dragonfly – could even ‘save people from themselves’, i.e. in the far-too-common scenario when they choose easy-to-break passwords.

Not so fast, according to Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University & KU Leuven. Their research found that the passwords may not be beyond reach for hackers after all, as the protocol contains two main types of design flaws that can be exploited for attacks.

“Unfortunately, we found that even with WPA3, an attacker within range of a victim can still recover the password of the Wi-Fi network,” they write, noting that, in the absence of further precautions, this could in some cases pave the way for thefts of sensitive information such as credit card details. The vulnerabilities – which were identified only in WPA3’s Personal, not Enterprise, implementation – are collectively dubbed ‘Dragonblood’.


‘Dragonblood’ logo

One type of attack, called the ‘downgrade attack’, targets WPA3’s transition mode, where a network can simultaneously support WPA2 and WPA3 for backward compatibility.

“[I]f a client and AP [access point] both support WPA2 and WPA3, an adversary can set up a rogue AP that only supports WPA2. This causes the client (i.e. victim) to connect using WPA2’s 4-way handshake. Although the client detects the downgrade-to-WPA2 during the 4-way handshake, this is too late,” according to the researchers.

This is because the 4-way handshake messages that were exchanged before the downgrade was detected provide enough information to launch an offline dictionary attack against the Wi-Fi password. The attacker ‘only’ needs to know the network’s name, aka Service Set Identifier (SSID), and be close enough to broadcast the rogue AP.

Meanwhile, the ‘side-channel attack’ targets Dragonfly’s password-encoding method, called the ‘hunting and pecking’ algorithm. This attack comes in two flavors: cache- and timing-based.

“The cache-based attack exploits Dragonflys’s hash-to-curve algorithm, and our timing-based attack exploits the hash-to-group algorithm. The information that is leaked in these attacks can be used to perform a password partitioning attack, which is similar to a dictionary attack,” said Vanhoef and Ronen, who also shared scripts intended to test some of the vulnerabilities they found.

“The resulting attacks are efficient and low cost. For example, to brute-force all 8-character lowercase passwords, we require less than 40 handshakes and 125$ worth of Amazon EC2 instances,” they wrote.

Additionally, the two researchers also found that WPA3’s built-in protections against denial-of-service (DoS) attacks can be trivially bypassed and an attacker can overload an AP by initiating a large number of handshakes.

All’s not lost

Vanhoef and Ronen said that they collaborated with the Wi-Fi Alliance and the US CERT Coordination Center (CERT/CC) to notify all affected vendors in a coordinated manner.

The Wi-Fi Alliance acknowledged the vulnerabilities and said that it is providing implementation guidance to affected vendors. “The small number of device manufacturers that are affected have already started deploying patches to resolve the issue”, according to the certification body for Wi-Fi compatible devices.

Meanwhile, Vanhoef and Ronen noted that “our attacks could have been avoided if the Wi-Fi Alliance created the WPA3 certification in a more open manner”. For all its flaws, however, WPA3 is an improvement over WPA2, they concluded.

Notably, Vanhoef was one of the researchers who in 2017 disclosed a security loophole in WPA2 known as ‘Key Reinstallation AttaCK’ (KRACK).


This article was supplied by our service partner : Eset.com