One Of Maine's Top Managed Service Providers

In Maine & New Hampshire

Find Answers

Common questions and general information

Backup: A Better Small Business Solution

Don't let a bad backup solution keep your business down. Automatic image-based backups with local and secure cloud copies that are continually verified and provide quick and simple recovery options are now affordable to all businesses.

Define Disaster

It's only a matter of time before any company experiences a loss of access to its files due to deletion, corruption, server failure or even a disaster. How are you set to recover? Old standards of backup used a series of tapes or other media that had to be swapped out regularly to maintain any sort of historical backup. Getting these off-site from the main office was critical to ensuring data would be available in the event of fire, flood or other damage to the site where the server was housed. This type of backup strategy, even though jobs might run on an automated schedule, still relied heavily on human interaction to monitor, troubleshoot, and test. Media wore out, and the cost of replacement combined with software expenses and employee compensation for the time spent managing it made this solution pretty expensive. Additionally, the technology used for these types of backups can fail for many reasons, meaning that when it comes time to restore, exact versions of files may not be available. Searching media for the right backup point takes time, as does the restore.

Find a Solution

For the reasons noted above, many small companies have resorted to using online services for backup which is more automated and takes the media portion out of the picture. However, those solutions that do "full server/system" backup can take days to upload or download an image, so frequent updates may be days before getting started. Restorations of entire systems, if needed, are painfully slow. These backup solutions often get pricey, too, given the volume of data to be stored, so they get limited in how historical they can be. Retention of oldest files may only be a matter of a few weeks or even days. To address these issues, most have resorted to selecting only a few folders to be captured. This makes for faster backups, typically with more retention on smaller volumes of data. Many small businesses are not aware that they need to be concerned about security and integrity of the solutions they choose. Most use a set-it-and-forget-it approach and never check to verify that their jobs are running successfully and that the data is viable if it should be needed. Others, up to 15% of small to medium sized businesses, do no backup at all!

A Better Solution

We've been on the hunt for a solution for small businesses which provides reliable, comprehensive protection at an affordable cost with security and scalability options. Until now, we had a great BDR (Backup Disaster and Recovery) option, but it's far from cheap. The alternative has been to set customers up with other backup solutions which rely on our own regular monitoring and end-user media management--which, let's face it, often gets forgotten for days. This puts companies in a position of significant risk. We now have a solution which has enough options to provide a strong foundation toward building an effective Disaster Recovery and Business Continuity plan for any business. We now offer Datto backup solutions to our customers. These solutions are fully automated, provide continuous protection, are stored securely and provide instant recovery. Through the use of a small appliance installed on the network, backup 'snap-shots' are taken at custom intervals throughout the day--from cycles of minutes to hours. These are stored on the appliance and copies are uploaded to a secure cloud location over encrypted connections. Because these backups are image-based snapshots rather than file copies, they never fail due to the "files in use" errors which occur with the old tape-backup solutions. Even though these are image-based backups, it is still possible to restore individual files.

If a site or server suffers damage that prevents the server from operating as it should on the network, a virtual server can be enabled in the cloud and allow users access to its functionality from there until a repair or replacement is made. Higher-end options allow the appliance to spin up a virtualized machine locally--right on the same network, so there is no need to work over the Internet. Backups are tested on schedule with Screenshot Verifications, which simply means a virtual machine is spun up and booted to a login screen to prove the backup is good. If there are ever any failures or alerts, emails to specified recipients are triggered. We customize the alerts to send us a log and screenshot daily to document continued success of the appliance just because we don't always believe that "no news is good news". Sometimes it just means the alert system is broken!

The smallest appliance is suitable for small servers and even desktops. Each appliance allows backup of two small systems if desired. This makes the Datto Alto2 the perfect solution for even the smallest office. Again, other solutions allow more functionality. Contact us today to find out how you can get started on your business continuity plan and have some peace of mind.

Domain Name: Registration & Management

Having access to manage your domain names is critical for maintaining your online presence, communications and proof of identity. Avoid common pitfalls.

Recently I had the “pleasure” of assisting a client in gaining access to manage their own domain name from a less than helpful former service provider. I wish I could say this was an unusual case, but in 15 years of consulting, it’s hardly the first. Many small businesses reach a point where they decide to have their website professionally done. The first step in putting up a website is purchasing a domain name and most businesses have the website designer purchase one for them.

There are a few things to consider as you purchase a domain name:

  1. This is part of your branding and will be where potential customers find information about your services. It can also be used for business email accounts to further unify your web presence and make your name memorable.
  2. Since you want to be able to easily direct people to your website and allow them to easily reach you by email, (sometimes email still is the best way to communicate complex information!) you will want to keep it short, simple and memorable. If some version of your company name doesn’t work, consider incorporating your mission or tagline.
  3. There are other extensions besides .com, .net and .org available. If a domain name isn’t available under one of the common extensions, look for one that works for you.

Domain names are licensed as legal agreements through a registrar authorized by ICANN (Internet Corporation for Assigned Names and Numbers). When a new registration is initiated, the registrar checks to see if the desired name is available against the current list of active registrations with ICANN. This prevents more than one entity claiming ownership of any registration. ICANN is the authoritative source and ownership is not easily transferred unless all pieces are carefully put into place and maintained, but more on that later.

So, someone registers a domain for your organization, a name and extension combination satisfactory to you is available and approved by ICANN—it’s yours! Now, how does that work with getting people to your website or email to your inbox and why does that matter? Each domain name must have DNS (Domain Name Server) entries to translate www.YourDomain.extension to the IP (stands for Internet Protocol and means an assigned number sequence) address of the server hosting your website and/or mailboxes. These entries are created in a zone file at the registrar’s website by someone with access to do so—typically the person that created the registration. The registrar reports these entries to higher-level DNS servers which, in turn, report to other DNS servers until that information is replicated around the globe. DNS servers used to be referred to as the phonebooks of the internet, but that analogy is getting outdated. They are directories: someone types www.DomainName.extension in a browser and their computer sends that request out to its nearest DNS server, typically a server on the network or out to the internet service provider’s DNS server which receives information from a number of other DNS servers to know where the browser needs to connect to send and receive information. The query for that website goes through a number of “hops” to other servers before reaching its destination and loading a page in the window. If the DNS entry in your zone file is not pointing to the correct IP address, your website is essentially unreachable to most people. The same goes for email. Besides entries for website and email servers, there are a number of other DNS record types that can be in any given zone file. As you grow your web presence to market your business or have to prove domain ownership to obtain services, you will need to create new entries which require access to that piece of the management.

Because a registration is a legal agreement, access to manage it in any way is strictly controlled. If the person who registered it for you is responsive, professional and ethical, you will not meet with resistance to gaining some control over the registration. Having control over the registration does not mean you must understand DNS and make the entries yourself. As a matter of fact, unless you know what you are doing, messing with those aspects of the management is not recommended. However, holding the ultimate keys to the kingdom is essential to:

  1. Maintain security of access to the registration
  2. Control who has access to it and in what aspects
  3. Have the final authority for any changes to the registration

Why is it important to be sure your registration is secure? That might be answered by asking yourself how bad would it be if someone were to send requests for your website or emails somewhere else. Protect your access to your domain with a very strong password and multi-factor authentication if available. Instead of using a primary communication email address which is the same as the domain, set your account to use an alternate address such as a Gmail or Outlook.com account. Set up notifications for logins and changes to the account so you are aware of activity. If it is expected activity, fine; if not, you then have a way to be aware of problems quickly. If for any reason you cannot access the domain, the registrar will use this alternate address to verify your authorization to access the account. Frequently other security measures are used as well: PINs, secret questions, etc. Just make sure these extra measures are not easily guessed and that you keep them on file rather than relying on memory. We all have the best intentions of remembering that super-secret information only to be foiled down the road—especially so, because we always use unique credentials for every account we have. Right? In the case of questions, most answers tend to be case-sensitive just like passwords. I have seen domain owners locked out of their own domains when a registration expired and the only email address they had on the account used that same domain. When a domain expires, the website is not reachable and emails to addresses on that domain do not get delivered. If a registration is not renewed in sufficient time, domain squatters are able to purchase it requiring you to pay high prices to get it back. Finally, if you and the person who purchased the domain for you part ways, you maintain the ability to manage or delegate management to someone else.

In the case of this most recent issue, the purchaser had become very slow to respond if they responded at all to client requests. The business owner, having been in business several years, already had a substantial web presence under the first domain name. When they wanted a website revamp and were not getting satisfaction from the first provider, they moved to a new one. Attempts were made to recover management of the original domain, but failed. A new website was launched on a new domain name, but because both existed, prospective customers got conflicting information depending on which site they accessed. (The original domain had not expired, it was just not accessible to the business owner, or anyone they delegated, to make changes.) Because the first domain had such a strong presence already, it would show up first in searches. Additionally, the new domain name was not preferred by the business owner. This owner was frustrated by the fact that a substantial online presence had already been established, now was outside of their control and that they were now starting at the beginning to build a presence again. Building an online presence is a combination of many things, and it is labor intensive to build crosslinks with sites and search providers. Then there’s all that stationery to reprint, business listings to correct, contacts to update and so on.

Having more than one person able to access the domain to make changes is highly recommended and each registrar handles such access differently. Typically, each domain has a registrant, administrative contact and technical contact. The registrant has the highest authority and is able to access and control all aspects of the registration. The administrative contacts typically have access to purchasing services and maybe adding other access accounts. Technical contacts typically have the ability to make DNS changes, sometimes more.
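The registration hygiene points above (renewing before expiry, using a contact address that does not depend on the domain itself, and having more than one contact able to act) can be checked mechanically. The following is an added example, not part of the original article: it audits a registration record in RDAP JSON shape, and the two sample records, the 60-day warning window and the function names are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample records in RDAP (RFC 9083) domain-object shape.
# They are illustrative only and do not describe a real registration.
def _entity(roles, email):
    return {"objectClassName": "entity", "roles": roles,
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["email", {}, "text", email]]]}

WEAK_RECORD = {
    "objectClassName": "domain", "ldhName": "example.com",
    "events": [{"eventAction": "expiration",
                "eventDate": "2024-07-01T00:00:00Z"}],
    # One person holds every role, reachable only at the domain itself.
    "entities": [_entity(["registrant", "administrative", "technical"],
                         "owner@example.com")],
}
HARDENED_RECORD = {
    "objectClassName": "domain", "ldhName": "example.com",
    "events": [{"eventAction": "expiration",
                "eventDate": "2026-07-01T00:00:00Z"}],
    "entities": [_entity(["registrant", "administrative"],
                         "owner.recovery@example.net"),
                 _entity(["technical"], "it-provider@example.org")],
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the demo


def _emails(entity):
    """Return the e-mail addresses in an entity's jCard, lower-cased."""
    props = entity.get("vcardArray", ["vcard", []])[1]
    return [p[3].lower() for p in props if p[0] == "email"]


def audit_registration(rdap, now, warn_days=60):
    """Return a list of findings for one RDAP domain record."""
    domain = rdap["ldhName"].lower().rstrip(".")
    findings = []

    # 1. Expiry: an expired domain takes the website and mail down with it.
    expiry = None
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            expiry = datetime.fromisoformat(
                event["eventDate"].replace("Z", "+00:00"))
    if expiry is None:
        findings.append("no-expiration-date")
    else:
        days_left = (expiry - now).days
        if days_left < 0:
            findings.append("expired")
        elif days_left <= warn_days:
            findings.append(f"expires-in-{days_left}-days")

    # 2. Collect contact mailboxes per role.
    contacts = {}
    for entity in rdap.get("entities", []):
        for role in entity.get("roles", []):
            contacts.setdefault(role, set()).update(_emails(entity))
    for role in ("registrant", "administrative", "technical"):
        if not contacts.get(role):
            findings.append(f"missing-{role}-contact-email")

    # 3. A contact mailbox on the audited domain stops receiving mail
    #    exactly when the domain lapses, which blocks account recovery.
    all_emails = set().union(*contacts.values())
    for email in sorted(all_emails):
        host = email.rsplit("@", 1)[-1]
        if host == domain or host.endswith("." + domain):
            findings.append(f"contact-on-own-domain:{email}")

    # 4. Only one mailbox overall means one person is a single point of failure.
    if len(all_emails) < 2:
        findings.append("single-point-of-contact")
    return findings


if __name__ == "__main__":
    for name, record in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(name, audit_registration(record, NOW))
```

Many registrars redact contact e-mail addresses in public lookups, so in practice the record would be taken from the registrar account itself rather than from a public query.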

In companies with multiple employees, it is advised that two or more senior persons have access to all key account credentials in the event of one of the information holders leaving the company under any circumstances that are less than perfect. Again, over the years I have encountered situations where account access was maintained by one person and when that person was no longer with the company, recovering access to those accounts was an arduous process involving lots of calls, certified and notarized letters, proofs of identity and ownership and even legal counsel. Secured network storage can make a good central repository for such information. Locked file cabinets and safes are last century’s solutions and still work well for physical items. Just be sure that if things need to survive fire and flood, that the medium is built to protect the specific contents in those events. Most “fire safes” are not sufficient protection for digital media which will melt to a degree in the event of a building fire or corrode from moisture exposure. These also need to be regularly inspected to be sure they continue to protect as expected.

In the end, we were able to reclaim access to the original domain, but it was a long process. Through DNS management, traffic to the new domain name is simply redirected back to the original one and the original points to the new website. This means all traffic, whether the old or new domain is typed, gets to the same website and same email server. Searches which bring up the old domain name now lead viewers to the new website which was the goal all along. The business owner controls access to the domain and has granted access to others as needed. When they change service providers, they can revoke access from one and reassign to another.

Because your domain name is so integral to your branding and marketing, it is important that you have means to manage it or grant someone else access to do so if needed. Would you let just anyone have sole access to your bank accounts or any other key business asset? Why should your domain name be different?

Mobile Tech: Is Yours Protected?

Data Loss, Malware, Malicious Websites, App Hijacks and Phishing: These are just some of the risks posed by mobile devices to corporate and private data.

BYOD (Bring Your Own Device) is commonplace in most offices and growing. More and more, devices are used for mobile payments, online banking and shopping as well as accessing other private sources of information, but do you have any control over compromises of your data? The greatest mobile threats are:

  • Device loss and theft
  • Use of public Wi-Fi
  • Browsing the Internet
  • Downloading of third party apps
  • Lack of knowledge

How do you protect sensitive corporate email and files accessed by employees on their personal devices? If your mail system has no ability to require users to minimally secure their devices with a PIN, remotely disable email service to a device, or even wipe the device, what will be your exposure? What other company information is accessible from their phones and tablets? Have they set up a personal cloud storage service to make information available outside the office that otherwise would be only accessible on your network? If a device were lost, would you be able to:

  • Locate it
  • Lock it
  • Make it sound an alarm
  • Wipe it of all data

We have mobile security products for phones and tablets that are effective, easy to deploy and manage, and that do not adversely affect the performance or battery life of employees’ devices. Webroot SecureAnywhere® Business Mobile Protection offers protection for both Android and iOS devices. OpenDNS Umbrella adds an extra layer of protection when on public Wi-Fi connections. These products allow all of the above options from a single console. Both Webroot® and OpenDNS solutions are cloud-based using minimal device resources. Deployment via email link and automatic updating keep ongoing management simple and operational costs low.

Every company needs a mobile device policy which can be as simple as requiring that employees notify HR or IT of their intended use and that HR or IT keep track of who is using their devices for company access. When devices are replaced or employees leave the company, services to the devices should be terminated. There are various levels of management that can be implemented, but gaining control of your company information is critical. We have expertise on establishing policies and procedures and have tools for secure and managed cloud file sharing. Contact us today to get started!

Webroot®, SecureAnywhere®, Webroot SecureAnywhere®, and Smarter Cybersecurity™ are trademarks or registered trademarks of Webroot Inc.

Mac OS is a trademark of Apple Inc. - Android is a trademark of Google Inc.

Mobile Tech: Tips for Safe Travel

As the Thanksgiving holiday approaches, the ads for Christmas deals have already been playing for weeks. Inboxes are full of email with more of the same, notices from accounts, and less savory items like phishing attempts, spam, links which don't lead to where they look like they should, and possibly even infected messages. Depending on the device you access email from, you may not see all the warning signs and risk falling victim. Phones, tablets, web browsers and email clients all display messages differently. Knowing the limitations and functions of yours is important, as is taking what steps you can to strengthen their resiliency. Additionally, where and how you use them affects their security. Web browsing is fraught with risk from bogus search results, compromised links in ads, snooping and tracking activity, and unsecured payment portals.

First and foremost, every device, whether computer, tablet or smartphone, needs malware protection. A product such as Webroot SecureAnywhere® Business Endpoint Protection or Webroot SecureAnywhere® Mobile Protection, which operates primarily via cloud, provides responsive protection without impeding device operation. Good protection will secure browsers and block malicious content. Additionally, all downloads and installs will be scanned for safety. Rooting a phone or tablet or disabling the protection of either the Apple Store or Google Play Store is ill-advised because it leaves your device very vulnerable to compromise.

Whether computer or mobile device, keep it up to date! When notified of a system update, installation is recommended since this is the primary means for discovered vulnerabilities to be patched. If you're like most, you have installed software at some point for any number of reasons. Go through those applications from time to time; remove what is no longer needed and update those still in use. Some computer applications can be set to update automatically, which is recommended, but they may still require interaction from you to complete the process. For apps that have no update mechanism, searching the vendor site for the most recent version is typically the only way to find it. If something has not been updated in years, it's best to remove it. Do you leave device-to-device communication or Bluetooth enabled at all times? Both of these may be no issue in the office or at home, but anywhere else, they should be used only as needed.

A secured network on which you use your device is also important: it should be protected with a strong firewall to prevent intrusions from the outside world into the private network. Every business should use a business-class firewall capable of inspecting encrypted traffic; only the newest devices are capable of this and only some do so without severely throttling your bandwidth. Consider enforcing VPN connections to the private network by mobile users. Mobile users should use a modern wifi router at a minimum on their home networks and secure it with strong credentials. Wifi networks should also be secured as much as possible. Relegating guests and unprotected devices to guest networks which are separate from the private one provides some security as well. If you use guest network access in someone's home, realize that it may be as exposed as public wifi and should be treated as such. Free and public wifi, even if "secured" is far from secure for end-users. Anyone else on that same network has potential access to compromise your system--hence the need for system protections such as software updates, malware protection and, in the case of computers, system firewalls. Use of Cisco Umbrella protection can prevent misdirection of web traffic and when managed by a corporate policy can restrict access to certain categories of content and defined URLs.

So, the first requirements are met, what next? The same "safe computing" tips you've heard for years:

  • Secure your computer or phone with a strong password
  • Limit who uses the device
  • Make sure the link you click on is actually the link you think it is (hover your cursor over it) then validate it in the browser address bar
  • Before you enter credentials or other private information, make sure your session is encrypted (the URL should begin with https://)
  • Review an email before opening it and that goes double for attachments
  • Do not do your most sensitive transactions on a shared network

Some additional steps you might take:

  • Encrypt your data (most new computers, phones and tablets support encryption)
  • Set up a VPN to a network you know is secure and conduct all activity within that session
  • Disable Bluetooth on devices when in public
  • If you frequently work in public places, consider a privacy screen for your laptop, phone or tablet

Finally, be prepared for the worst. Have current, usable backups--hopefully with at least a few options available. Drives permanently attached to a computer, including most file-sync utilities unless they specify otherwise, are vulnerable to exploit if your system gets hit.

All of our customers subscribing to managed services have multiple layers of protection to thwart some of these threats, but even so, should remain diligent.  

Be safe out there! Questions and inquiries welcome--we're here to help.

Ransomware: Are You Protected?

Clients subscribed to our managed services have options for layers of protection against threats like WannaCry which has hit Europe and much of the world like wildfire.

  • If you are currently subscribed to a full management package and following our recommendations to only use currently supported operating systems and software, then your systems have received the applicable Windows updates through automated and consistent patching protecting them against the exploited vulnerability identified in bulletin MS17-010.
  • Additionally, your systems are protected with rapid malware detection and remediation provided by Webroot which has been protecting against similar threats for some time.
  • If your mail server allows full implementation of our Total Control email protection, you are protected against messages with infectious content and provided a sandbox to review those held as potential risks through your quarantine summary. If your mail server has not allowed us to prevent delivery of unscanned messages to your inbox, we have communicated this to you. Exercise extra caution managing email. Any message scanned by Total Control has a footer with links to your filter. If there is no footer, then the message was not scanned by Total Control and may contain malicious content.
  • All SonicWall customers with active subscriptions to Gateway Security Services have had your network protected from WannaCry (also known as WanaCrypt0r, WannaCrypt, and WCry) ransomware since April 20, 2017. Those annual renewals are paying off!
  • If your company is following our recommendations for backup with Datto, ShareSync or CharTec, you have automated, encrypted, off-site copies of your most critical data necessary for recovery in the event one of your users unleashes the villain on your network.  

Phew!

Early yesterday, news broke of a widening net of maleficence across Europe and Asia affecting thousands in about one hundred countries. The majority of attacks have been in Russia, Ukraine and Taiwan, but in the U.K. hospitals had to turn away patients because computer systems were completely inaccessible. News outlets urged people to reserve medical visits for only the most extreme emergencies! In China, the internet security company Qihoo360 issued a “red alert” saying "Global internet security has reached a moment of emergency.” Colleges and students in the country were confirmed affected and gas stations were offline, forcing customers to pay cash. Spain’s telecom Telefónica was identified as being compromised. FedEx in the US indicated it too had been hit and was working to contain the damage.

"Affected machines have six hours to pay up and every few hours the ransom goes up," said Kurt Baumgartner, the principal security researcher at security firm Kaspersky Lab.

Ransomware encrypts (locks) files preventing access and displays messages demanding ransom to be paid in bitcoin. If the ransom is not paid, complete destruction of the files will result. Paying the ransom is not recommended by the FBI: paying criminals does not typically result in the actual promise being delivered—they are criminals. Additionally, even if your files were to be unlocked, the fact that this malware has been on your systems, means there is absolutely no guarantee that some other resident evil has not been left behind because most threats today are “blended” meaning they are comprised of multiple tools.

This ransomware is leveraging an exploit named EternalBlue or MS17-010 that was leaked by the ShadowBrokers last month and affects versions of the Windows operating system before Windows 10. Although Microsoft released a patch on March 14, it only prevents spreading the attack through internal networks and many organizations have not applied it.

Kevin Beaumont, a U.K.-based security architect, examined a sample of the ransomware used to target NHS and confirmed it was the same used to target Telefónica. He said it is likely the ransomware will spread to US firms too. The ransomware is automatically scanning for computers it can infect whenever it loads itself onto a new machine. "It has a 'hunter' module, which seeks out PCs on internal networks," Beaumont said. "So, for example, if your laptop is infected and you went to a coffee shop, it would spread to PCs at the coffee shop. From there, to other companies." This kind of thoughtfulness just warms the heart!

The ‘hunter’ module is a worm function. One of the trends with malware and ransomware in particular is that it morphs over time, acquiring new behaviors to avoid detection and infect by alternate means. Protection against such threats is by all means an arms race and so, as long as there is computing, no computer or its data is ever 100% safe. Old recommendations still hold true:

  • Update your systems and software: software which no longer receives patches for detected vulnerabilities puts your system at risk.
  • Do not click suspicious links and be wary of emails from unknown senders and unexpected attachments. (If your company still publishes job postings requesting application by email submission, STOP! There are safer ways to hear from prospective hires.)
  • Back up your data: often, to removable media, store it off site. A backup drive constantly attached to a system will be just as quickly locked by ransomware. Are you relying on a file sync service as your “off-site” copy? It too will be compromised by ransomware because your computer always has access to it.
  • If you use public wifi be sure your system is secured with patches, automated malware protection, software firewalls, trusted VPNs and smart use.
 
Events like this show us just how vulnerable our businesses and lives are where they are so dependent on technology. None of us is immune really. However, the steps above are simple enough to teach anyone, from children to grandparents. Car and home owners have gotten used to the idea that automobiles and buildings need regular maintenance and care to keep them useful. Technology and its sundry pieces are no different. If you need assistance in making sure your network is secure, contact us. Losing sleep with worry solves nothing and ignoring the problem does not make it less real. Taking effective action will make you feel much better!