
What Can We Do About IoT’s Security Problems?

By the end of this year, there will be billions of connected endpoints. The world has never seen a larger digital threat surface, and it has never seen one that is so poorly secured.

“The ease with which hackers can exploit security vulnerabilities in these cheap and plentiful [IoT] devices is disturbing,” writes PivotNine Chief Analyst Justin Warren. “It threatens the reliability of the Internet upon which millions of people have come to depend… the flood of new Internet-connected devices only increases each year, as the hype train gathers speed and those with dreams of striking it rich join in with this latest gold rush.”

These vendors are not interested in security. They are not interested in the expenses involved in protecting data – whether business or consumer. They are interested in ease-of-use, cost of distribution, and time-to-market.

And they are largely interested in consumers, who do not have the same security concerns as businesses. Yet a smart thermostat or connected coffee maker can see use in an office just as easily as a home. Once such a device is patched into a corporate network, it is essentially an invitation to hackers.

Until the regulatory climate surrounding IoT devices matures, this will not change. There is currently no liability for vendors and manufacturers. There is no reason for most of them to care about cybersecurity.

It is therefore up to us – all of us – to take IoT security into our own hands:


  • Pursue a new mindset. The onus of corporate data security is still largely in the hands of employees – but they cannot be expected to secure the coming flood of endpoints. Your business must pursue new security practices and processes, such as automation and intelligent threat mitigation.
  • Train your staff. Cybersecurity training is more critical than ever. Update your awareness programs to incorporate the importance of IoT security, and include advice on how workers can protect their own smart hardware at home.
  • Understand your endpoints. Use an endpoint management solution that allows you to directly manage and monitor smart endpoints. You need more than EMM or MDM.
  • Segment nonessential devices. Your office coffee machine and thermostat do not need to be on your core network. Configure a guest network for non-essential endpoints, and isolate it from your business’s main network.
  • Automate your updates. In addition to working with vendors who pledge to take security seriously, ensure that IoT updates are applied automatically – there is no other way to keep all your endpoints up to date.
  • Configure every IoT device. This includes changing the default username and password and testing each new device for vulnerabilities.


From a cybersecurity perspective, the Internet of Things is a mess. But it also represents one of the best evolutions for both our personal and professional lives. That’s why there is no slowing the growth of IoT – the best you can do is prepare yourself for the risks it brings with it.

And now you know how to do exactly that.

Posted in: Security

Three Signs Your Staff Don’t Take Security Seriously

Cybersecurity is a constant balancing act between convenience and data protection. The former always wins, no matter how much IT professionals might wish otherwise. The consumerization of IT is at the heart of this issue.

Modern workers demand that the tools and applications they are provided in the workplace offer a user experience in-line with what they use in their personal life. When that demand is ignored, they are remarkably skilled at circumventing security protocols. They are interested in doing their jobs – not in adhering to IT’s expectations on how to protect their data.

Worse, even if you do manage to somehow strike a balance, security is not certain. Workers may still have a lax attitude towards protecting corporate data. Learning to recognize such an attitude is essential.

They Dislike Your IT Department

Your IT department should be seen by others within the organization as valuable members of the team. If workers consider them an impediment or roadblock to doing their jobs, that’s a sure sign something needs to change – both culturally and with your security processes. The divide between IT professionals and regular workers is a relic of the past.

Let’s leave it there.

They Overuse Consumer Apps And Devices

There is nothing wrong with the regulated use of consumer tools in the workplace. Some of them can actually be secure under the right conditions. But if every single worker in your business uses consumer apps instead of corporate ones, this signifies two things.

First, your corporate tools are inadequate. Second, your workers don’t understand the reason you mandate their usage. The first can only be solved by revisiting the toolkit you provide your employees – the second will require security awareness training.

They’re Careless

Do your workers still use old, insecure passwords? Do they even bother changing their default login information when given a new account? Do they use consumer file-sharing services and thumb drives for sharing sensitive data?

Most employees are well-intentioned, but ignorant. They might accidentally forward a document to the wrong recipient, or open a phishing email without realizing it’s not actually from their boss. Security awareness training is necessary to mitigate this carelessness.

Cybersecurity Is Serious Business

Your employees are your most valuable resource – but they are also your biggest cybersecurity headache. It is your job to teach them about the importance of good security practices. Show them how to properly use software, talk to them about the importance of a password manager, and inform them of how to recognize phishing scams and malicious emails (to name a few examples).

Because while many of them may be ignorant now, that doesn’t mean they should remain so. Do your part to help them take cybersecurity more seriously. Your customers and stakeholders will thank you for it – and you’ll be glad you made the effort.

Posted in: Security

Are Your Admins Fed Up With Your Bad Security Protocols?

How well-equipped is your IT department? Do your administrators have everything they need to do their jobs effectively? If you don’t know the answers to those questions, you need to learn them.

These are the men and women who, at the end of the day, are your best (perhaps only) defense against the array of cyberthreats facing your business and its data. Treat them well and provide them with what they need, and they will keep your business secure. Mistreat them and expect them to spin gold from twine?

You may as well hand your files to a hacker yourself.

But how exactly can you tell if your administrators are frustrated and put-upon? What are the warning signs your IT department is under-resourced or understaffed? And more importantly, what can you do about it?

Your first step is to examine both workplace culture and the status of your own software and hardware:

  • You regularly hear employees talking about how difficult an administrator (or the entire department) is to deal with. Such a hostile relationship could indicate serious frustrations on both sides.
  • IT workers seem apathetic or disconnected when you interact with them – as though they don’t care about your organization.
  • Your IT systems have not been updated or improved in years.
  • Security updates and device provisioning are not automated – everything must be done manually.
  • Your executive board constantly pushes for new technology or functionality, simply because they can – not because they need it.
  • You find yourself regularly disregarding or ignoring the advice of your administrators (or notice colleagues doing the same).
  • If your organization is struck by a data breach, your administrators seem unsurprised by it.
  • You do not have security awareness or risk management training at your organization. Employees are simply left to their own devices.

When In Doubt, Communicate

It was once a common misconception that cybersecurity is solely the domain of IT. This idea is toxic. There needs to be an open dialogue between IT and every other department and executive within your organization.

In other words, the best way you can determine whether or not your administrators are happy with your business’s security practices is to simply talk to them. Ask them about what they need to better do their jobs. Ask them how they might improve organizational security posture.

Remember that you’re all in this together – and that by working together, you can achieve far more than you ever could divided.

Posted in: Security

Will An Automated Backup Save Your WordPress Site In 2018?

Backing up is something people know they should do, but put off until some unspecified day in the future. It never seems urgent and there’s always something more pressing to do. At least, that’s true until the moment disaster strikes and you kick yourself for not backing up sooner.

In 2017, a lack of backups caused catastrophic destruction and expense across Europe and the US. Thousands of businesses and individuals lost important data, money, and time. We tend to focus on the immediate cause of data loss – in this case, ransomware – but those losses could have been prevented with up-to-date automated backups.

There is nothing you or I can do about the existence of deeply unpleasant people who think hacking and ransomware attacks are a good way to make a living. But we can protect ourselves from them, and backups are one of the best ways to keep your WordPress website safe and to deprive criminals of an income.

Ransomware is propagated by worms — a type of malware — or by social engineering attacks like phishing. Once a server or site is compromised, data is encrypted and the ransom demand displayed. From this point, the situation can go one of two ways. The victim could pay the attacker (a bad choice) or face the consequences of losing their data. Or, they could think to themselves, “Nice try!” before blowing away the infected site and restoring from a recent backup.

If you don’t have an automated backup system in place, there’s no better time than now to get started — ransomware attacks will only grow in sophistication and ferocity in 2018.

What Makes a Good Backup?

A backup that can protect a WordPress site against ransomware must be up-to-date, automatic, and stored offsite. If the backup isn’t up-to-date, it’s better than nothing, but the older it is, the more data is at risk.

The backup system should be automatic because you would have to be heroically disciplined about manually backing up to keep backups up-to-date. It should be offsite because backups on the same server as the site, or on a network-attached storage device, are as vulnerable to ransomware as the site itself.

It should be mentioned that the standard backups offered by Hostdedi for WordPress hosting plans shouldn’t be your only backup. They are useful for restoring files in some circumstances, but we advise WordPress hosting customers to implement an additional offsite backup strategy.

Backing up Your WordPress Site

There are several excellent no-hassle solutions for backing up a WordPress site to an external location. The easiest to use is Automattic’s backup service – a premium service that is part of the Jetpack plugin collection.

If you would prefer not to use Jetpack, BackupBuddy is a respected premium plugin that provides an intuitive interface for scheduling automatic backups to a range of storage services, including Amazon S3, Google Drive, and Dropbox. The free version of Updraft Plus is less capable, but more than sufficient for scheduling and managing backups on most WordPress sites.
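The three properties above (automatic, offsite, up-to-date) can be checked rather than hoped for. The script below is an added example, not code from this post or from any of the plugins it names. It assumes a hypothetical layout: `site_dir` is the WordPress document root, a database dump has already been written to `site_dir/db.sql` with mysqldump, and `offsite_dir` stands in for the remote storage target (an S3 bucket or rsync host in production). Run from cron, it archives the site, refuses to store the archive inside the site tree, and reports whether the newest backup is older than an allowed age, which is the check that catches a silently failed cron job.

```python
"""Automatic, offsite, freshness-checked WordPress backup (added example).

Hypothetical layout: site_dir is the WordPress document root and already holds
a mysqldump output at site_dir/db.sql; offsite_dir stands in for the remote
storage target. Nothing here is code from the post or from the plugins it names.
"""
import tarfile
import time
from datetime import datetime, timezone
from pathlib import Path

ARCHIVE_PREFIX = "wp-backup-"
DEFAULT_MAX_AGE = 24 * 3600  # one missed nightly run is the alert threshold


def create_backup(site_dir, offsite_dir, now=None):
    """Archive site_dir into a timestamped .tar.gz under offsite_dir.

    Refuses to write the archive inside the site tree: a backup on the same
    filesystem as the site is as exposed to ransomware as the site itself.
    Returns the archive path.
    """
    site_dir = Path(site_dir).resolve()
    offsite_dir = Path(offsite_dir).resolve()
    if offsite_dir == site_dir or site_dir in offsite_dir.parents:
        raise ValueError("offsite_dir must not live inside the site tree")
    offsite_dir.mkdir(parents=True, exist_ok=True)
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    archive = offsite_dir / f"{ARCHIVE_PREFIX}{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        # Everything under the docroot, including wp-content and db.sql.
        tar.add(site_dir, arcname="wordpress")
    return archive


def list_backups(offsite_dir):
    """Archives oldest first; the UTC stamp in the name sorts chronologically."""
    offsite_dir = Path(offsite_dir)
    if not offsite_dir.is_dir():
        return []
    return sorted(offsite_dir.glob(f"{ARCHIVE_PREFIX}*.tar.gz"))


def newest_backup_age_seconds(offsite_dir, now_ts=None):
    """Seconds since the newest archive was written, or None if there is none."""
    backups = list_backups(offsite_dir)
    if not backups:
        return None
    now_ts = time.time() if now_ts is None else now_ts
    return now_ts - max(b.stat().st_mtime for b in backups)


def backup_is_fresh(offsite_dir, max_age_seconds=DEFAULT_MAX_AGE, now_ts=None):
    """The 'up-to-date' property: a recent archive exists in offsite storage."""
    age = newest_backup_age_seconds(offsite_dir, now_ts)
    return age is not None and age <= max_age_seconds


def verify_backup(archive, expected_members):
    """Restore test in miniature: the archive opens and holds the paths we need."""
    with tarfile.open(archive, "r:gz") as tar:
        names = set(tar.getnames())
    return all(f"wordpress/{m}" in names for m in expected_members)


def prune_backups(offsite_dir, keep):
    """Retention: keep only the newest `keep` archives, return what remains."""
    backups = list_backups(offsite_dir)
    for old in backups[: max(len(backups) - keep, 0)]:
        old.unlink()
    return list_backups(offsite_dir)


if __name__ == "__main__":
    # Intended to be run from cron; both paths are hypothetical.
    site, offsite = "/var/www/html", "/mnt/offsite/wordpress"
    archive = create_backup(site, offsite)
    ok = verify_backup(archive, ["db.sql", "wp-content"])
    print(f"{archive} verified={ok} fresh={backup_is_fresh(offsite)}")
    prune_backups(offsite, keep=14)
```

Schedule the script with cron and have a separate monitor alert whenever `backup_is_fresh()` returns False; the freshness check is what turns “we have backups” into “we have a backup from last night”.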

Posted in: WordPress

Instant Purchases Bring One-Click Buying To Magento

Jeff Bezos is the richest person who has ever lived, according to some sources. While that claim should be taken with a pinch of salt – Bill Gates was richer in real terms before he gave a big chunk of his wealth away – Bezos is certainly the richest person in the world today. That wealth is due to the enormous success of Amazon, and a big chunk of Amazon’s success is due to the stranglehold the company had over one-click purchases.

It would be silly to claim that one-click purchases were the most important factor in Amazon’s success, but we shouldn’t underestimate the difference in conversions and revenue between sites with one-click purchases and those that require shoppers to jump through hoops to buy. Experian have estimated that a single additional field on a checkout form can cost an eCommerce company millions.

Once customers had become accustomed to one-click purchases, it was only a short hop to enhanced shopping experiences like Amazon’s Alexa, which can be used to make purchases by voice.

Last September, Amazon’s patent on one-click purchases expired. Any eCommerce store is free to implement one-click purchases, and Magento was fast off the blocks with the introduction of Instant Purchases.

Instant Purchases bring radically simplified checkouts to one of the most popular eCommerce platforms in the world, allowing tens of thousands of merchants to benefit from a user experience that was once the domain of a handful of eCommerce giants.

Magento Instant Purchases work like this: a shopper taps the “Instant Purchase” button on a store’s product page, confirms the order, and they’re done. A confirmation message appears and the shopper is free to carry on browsing.

To be able to use Instant Purchases, a shopper must be logged in to their account, have selected a default billing and shipping method, and have a stored payment method.

A side benefit of Instant Purchases is that they encourage shoppers to create an account with all the necessary information, providing retailers with valuable data and increased opportunities for engagement.

Instant Purchases will also decrease cart abandonment rates. Carts are often abandoned before shoppers have completed the checkout process. With Instant Purchases, the decision is made on the spot. Shoppers are, of course, free to cancel any orders they make, but there’s a big difference between actively canceling an order that has already been made and deciding not to make the order in the first place.

Instant Purchases are worth exploration by any business that sells online. Shoppers have never enjoyed entering large amounts of information or plodding through multiple confirmation dialogues. Most want to be able to make a purchase within the context they made the decision to buy.

Posted in: Magento

Protecting Your Magento Store From eCommerce Fraud

Fraud has always been a problem for online retailers, but since the introduction of more secure credit cards in the last few years, much offline retail fraud has moved online. Magento retailers can’t afford to ignore the ever-present risk of fraud, whether it’s the dedicated efforts of criminal gangs with stolen identities or the less predictable casual fraudster who orders products with every intention of initiating a chargeback and keeping the goods.

Fraud prevention is both time and labor intensive, especially for larger eCommerce stores. It’s challenging to check every one of thousands of orders for fraud. And, as I know from personal experience, it’s all too easy to generate false positives and lose a genuine sale.

Last year, I ordered some furniture from a well-known retailer and apparently triggered their internal fraud prevention system. The issue wasn’t handled well, and by the time my order had been freed from the dungeon of manual review, the products I wanted were out of stock.

It’s a hard balance to strike: too strict and false positives eat into profits, too lax and those profits go to fraudsters. eCommerce merchants don’t want to give shoppers a bad experience — no one likes being accused of fraud — but nor do they want to lose money.

Unfortunately, we aren’t yet at a point where fraud prevention can be entirely automated. There’s no replacement for an eCommerce retailer who intuitively knows when a transaction is likely to be false based on extensive knowledge of the customer base and their order patterns.

Although a manual review of Magento eCommerce sales is here to stay, automation can significantly reduce the work involved, green-lighting genuine purchases and blacklisting fraudulent purchases according to the Magento eCommerce retailer’s policies, and passing uncertain orders to a manual review team.

There are several excellent fraud prevention automation tools that integrate well with Magento.

Signifyd

Signifyd, which provides a Magento extension for Magento 1.x, is one of the leading lights in the field of eCommerce fraud prevention. Its platform carries out an extensive series of verification checks on every order, using a combination of machine learning and human analysis.

One of the most interesting features of Signifyd is how it stands by its decisions. When the service approves an order as genuine, it will refund you the lost revenue if it turns out to be fraudulent. That means Magento retailers don’t pay the cost of chargebacks.

The service isn’t free, so individual retailers should compare the cost of using Signifyd to the cost of fraud for their business and make the appropriate decision.

FraudLabs Pro Fraud Prevention

FraudLabs, which provides Magento integration for Magento 2.x, has been in the fraud prevention industry for more than a decade. The free extension is easy to set up, and once installed FraudLabs will run every order through a wide variety of checks including fraud analysis and scoring, IP geolocation, email address validation, and a custom set of rules, among others.

Orders are categorized as “approved”, “rejected”, and “pending review”, reducing the amount of manual order validation required.

FraudLabs is free for up to 500 transactions, making it ideal for smaller eCommerce stores that want to dip a toe in automatic Magento fraud prevention.

Posted in: Magento

How To Hire A Freelance Magento Developer

Magento provides everything you need to build an eCommerce store. With specialist Magento hosting and Magento’s ecosystem of extensions and themes, you can go a long way. But, every store is unique and the time may come when your store needs the attention of a developer.

Magento developers can build custom integrations, extensions, and themes for a store, but it can be tricky to hire a qualified developer if you don’t know what you’re looking for.

A basic knowledge of Magento fundamentals helps. Magento is a web application written largely in the PHP programming language with a good dose of JavaScript on the front-end. Data is stored either in a database or on the filesystem in the case of static assets like images.

You can expect a decent Magento developer to be able to write PHP and JavaScript code and to have a working knowledge of databases.

Understand What You Need First

Although a good developer will be happy to guide you towards a solution, it’s useful to have a clear idea what you’re looking for in the first place. Take the time to write a detailed explanation that you can give to a developer. You don’t have to go into any technical depth, but the more certain you are of what you need, the easier it will be for the developer to get started.

Have a Realistic Idea of How Much a Developer Costs

You can expect to pay anything from $40 to $150 per hour for a qualified developer in the US. You may pay less for excellent developers outside of the US, but programming is a skilled and in-demand profession: set your expectations accordingly or the work may not be done to the highest standards.

Finding a Developer

In order of best to worst, here are the methods I use to find great Magento developers:

  • Personal recommendations. Ask people you know and trust to recommend a Magento developer. Referrals are not always trustworthy, but, in my experience, the hit rate is a lot higher than with some of the other methods we’ll discuss.
  • Magento development agencies. Magento development agencies like Human Element do the hard work of vetting developers so that you don’t have to. You may pay an agency more than you’d pay a freelance developer, but you also bypass a lot of the hassle involved in finding and hiring someone who can be trusted to do great work.
  • Social media searches. LinkedIn is often a useful resource, as are Magento-focused Facebook groups.
  • Freelance websites. Freelance websites like UpWork and Elance can be used to find good developers, but I’d advise against going down this route unless you have failed to find a good candidate elsewhere.

Assessing a Developer

Magento developers range from barely competent to highly skilled. If you aren’t a developer yourself, it can be hard to work out which sort you’re dealing with.

  • Check out their portfolio. Many freelance developers will be happy to show you a portfolio of work that they have done for other clients. Look for work that is similar to your project.
  • Ask for references. Some great freelancers don’t bother with portfolios — they get work through recommendations and referrals — but they should be able to provide you with references of previous clients.
  • Look for Magento Certification. Magento Certification allows developers to prove that they have the necessary skills and knowledge to work with Magento eCommerce stores. Ask about Magento certifications, and then double-check using the Magento Certification Directory.

If you’re still not certain about the quality of a freelance Magento developer, I’d suggest giving them a smaller job before embarking on a long project.

Don’t try to get developers (or any freelance professional) to work for free, even as an assessment: good developers will walk away because they can get more than enough paid work. Instead, offer a small job at their hourly rate.

It’s important to find the right developer for your Magento project. The tips in this article will ensure that you get the best results in a reasonable timeframe.

Posted in: Magento

WordPress Is The CMS Of Choice For Enterprise Organizations

WordPress is often thought of as a great CMS for bloggers, SMEs, and, with WooCommerce, small to medium eCommerce stores. Its popularity is attributed to the fact that it’s free, it’s easy to use, it has a huge theme and plugin ecosystem, and it’s what people know.

But WordPress is also one of the most popular content management systems in the enterprise space, where cost and ease-of-use are less of a concern. Large organizations with the money to spend on any CMS they want and no shortage of developers and content strategists also choose WordPress rather than enterprise content management systems like Sitecore and Adobe Experience Manager.

That’s the upshot of a recent report that investigated enterprise CMS use. WordPress and Adobe Experience Manager are neck-and-neck as the most used CMS by enterprise organizations and WordPress is the most used secondary CMS. Enterprise organizations use WordPress for corporate websites, for brand and product websites, and for eCommerce stores.

They choose WordPress because it is scalable, it has a robust ecosystem, provides a quicker time-to-market than competing options, and has better security. Just as important is the number of skilled WordPress professionals available to develop and manage WordPress sites, themes, and plugins.

In light of last year’s multitude of security breaches and data thefts, enterprise organizations take security very seriously: the financial and PR costs of a data loss or hacked website are significant. A properly configured and updated WordPress site is a highly secure foundation on which to build business-critical websites.

Enterprise organizations have strict requirements and long vetting processes for the technology they deploy. They choose WordPress because it provides the security, performance, and scalability required to build large sites. The huge ecosystem of open source plugins and themes allows enterprise organizations to quickly access the functionality they need. Because WordPress is open source, large companies can verify the code of WordPress and any plugins they use.

In the future, the REST API will also be a major factor in attracting large organizations to WordPress. The API allows WordPress users to build integrations with existing systems and software with a minimum of fuss, making WordPress the perfect CMS for businesses with complex content management processes and distribution requirements.

Unlike proprietary content management systems, WordPress helps enterprise users avoid vendor lock-in: there are no licensing fees, long-term support contracts, or platform limitations. Migrating a WordPress site to an alternative hosting platform is more straightforward and less expensive than with proprietary alternatives.

Hostdedi is the ideal hosting platform for organizations looking to combine the flexibility of WordPress with the power of enterprise managed WordPress hosting. Get in touch to find out about our custom managed WordPress clusters.

Posted in: WordPress

Collaborate On WordPress Posts In Real Time With Wave From Codox

Collaborative editing is one of those features that I never knew I wanted but loved the minute I understood its power. I’m a huge fan of Google Docs and the way it lets me and my colleagues work together on a document, editing in real time.

Collaborative editing is a powerful tool for learning, teaching, writing, and combining the expertise of different contributors. But, for all its benefits, Google Docs isn’t perfect, and I’ve often wished that I could collaborate within WordPress in the same way I can within a Google document.

WordPress has built-in collaboration features, but they don’t work in real time. Different people can contribute to the same document, but until the work is saved, those changes aren’t reflected in the workspace of other users. Rather than real-time editing, WordPress offers “turn-based” editing. That fits with common editorial workflows, where each piece passes from writer to editor and perhaps back again. But it’s not suitable for concurrent editing.

Wave from Codox brings the benefits of Google Docs-like collaborative editing to WordPress. Wave isn’t a WordPress-specific tool: it’s an app for Google Chrome and the family of browsers that can use Chrome apps, but it works well in the WordPress editing interface.

Wave’s basic features will be familiar to anyone who has used Google Docs. Several contributors can work on a document and the changes each makes are reflected in the interface of the others.

When mentoring or editing writers in WordPress, I’ve often had to send long emails full of quotes and corrections. I could make the changes myself in the WordPress post, but if the goal is to teach it’s necessary to talk through what I’m changing and why. Email is far from ideal, but the combination of a collaborative editing tool like Wave and a Skype or Google Hangouts call is vastly superior.

Once you have installed Wave’s Chrome app, you’ll have to create an account or sign in using a Google account. To start a collaborative editing session, create a new WordPress post or open an existing post, click on the Wave icon that hovers in the browser window, and enter the email addresses of your collaborators.

Invitees receive an email with a link. When they click on the link they’re taken to the WordPress post and can begin editing. It’s a simple process that even the least technical writers and editors won’t have a problem with.

In the future, I’d love to have this functionality integrated directly into WordPress as a plugin or core feature. Although Chrome is the most popular browser, it’s not the only browser and I’d rather not have to insist that everyone who wants to collaborate installs a browser they wouldn’t ordinarily use.

Wave is a tool I can happily recommend to any WordPress user who finds WordPress’s current collaboration features limiting.

Posted in: WordPress

What Is Cryptomining Malware?

Cryptomining malware is a new form of malware that uses the resources of compromised servers and hosting accounts to generate cryptocurrencies like Bitcoin and Litecoin. Before a coin can be created, miners have to demonstrate “proof of work,” which involves computationally intensive mathematical operations. Legitimate miners buy powerful computers to do the hard work, but criminals use malware-infected machines.

Over the last few weeks the value of cryptocurrencies, particularly Bitcoin, has increased quickly. By using compromised machines to generate coins, criminals create a digital asset that can be converted into hard currency. Because the value of cryptocurrencies is rising, we can expect to see more frequent and sophisticated attacks through 2018.

Cryptocurrencies are based on blockchain technology. A blockchain is a distributed ledger, a data structure that records transactions and is shared, modified, and verified by many different network nodes. The ledger records transactions like transfers of coins between users, but also the creation of new coins. You can read more about how new coins are created here, but, in a nutshell, to create a coin a miner has to prove to the network that they have done an amount of work. Without the proof of work, it would be easy for anyone to make coins and individual coins wouldn’t be worth much.

In the early days of cryptocurrencies, creating coins was easy: they could be generated quickly on low-powered hardware. Over time, the amount of work needed increases, and today serious miners use clusters of machines with powerful GPUs. But the alternative to a few high-powered specialized machines is many low-powered machines like laptops and smartphones.

Cryptomining malware — code injected into websites via known vulnerabilities or installed along with pirate themes and plugins — allows its authors to run the proof-of-work calculations on large networks of compromised machines, generating coins with minimal investment.

One of the most popular pieces of cryptomining malware for WordPress sites is called Cloudflare.solutions, which has nothing to do with the real Cloudflare. Discovered earlier this year, cloudflare.solutions loads malicious cryptomining code. When a user opens a page on a compromised site, the malicious code runs and uses the device’s resources to perform mining operations. Hijacking the processor can degrade browser and device performance and diminish battery life.

In an unpleasant twist, cloudflare.solutions has recently been modified to include a keylogger that sends text entered into WordPress text entry fields, including password fields, to the criminals’ servers.

It should be mentioned that some “legitimate” publishers are taking advantage of cryptomining to generate revenue for their sites. I’ll avoid debating the ethics here, but it’s undeniable that a large number of cryptomining scripts found on the web are the result of exploited sites and are funneling money to criminal organizations.

The best way to avoid being infected by cryptomining malware is to follow standard WordPress security best practices: use two-factor authentication, update your WordPress site when new versions are released, and only install themes and plugins from trusted sources.
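A first-line check for the kind of injection described above is to list every remote host that a site’s theme and plugin files load scripts from and flag anything that is not the site itself. The scanner below is an added example, not code from this post or from any security vendor. It assumes a hypothetical site host `shop.example` and scans the files under wp-content; the `cloudflare.solutions` domain is the one named in the post, and the sample theme and plugin files it builds are constructed for the demonstration. It goes slightly beyond the post by also reporting unknown external hosts, since the next campaign will use a different domain.

```python
"""Find remote script loaders injected into WordPress theme/plugin files.

Added example, not code from the post or from any security vendor. The site
host is hypothetical and the sample files are constructed; cloudflare.solutions
is the domain the post names.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Domain the post names as serving cryptomining (and later keylogging) code.
KNOWN_MINER_HOSTS = frozenset({"cloudflare.solutions"})

# <script ... src=...> with double, single or no quotes; protocol-relative OK.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(['\"]?)([^'\"\s>]+)\1", re.IGNORECASE)
SCANNED_SUFFIXES = {".php", ".js", ".html", ".htm"}


def external_script_hosts(text):
    """Hosts that <script src> tags in `text` load from (lower-cased)."""
    hosts = set()
    for _quote, src in SCRIPT_SRC_RE.findall(text):
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname
        if host:                          # relative paths have no host
            hosts.add(host.lower())
    return hosts


def classify_host(host, site_host, allowlist=frozenset()):
    """'known-miner', 'trusted' (site itself or allowlisted), else 'unknown-external'."""
    h = host.lower()
    if h in KNOWN_MINER_HOSTS or any(h.endswith("." + m) for m in KNOWN_MINER_HOSTS):
        return "known-miner"
    if h == site_host or h.endswith("." + site_host) or h in allowlist:
        return "trusted"
    return "unknown-external"


def scan_tree(root, site_host, allowlist=frozenset()):
    """Return (relative_path, host, verdict) for every non-trusted script host."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for host in sorted(external_script_hosts(text)):
            verdict = classify_host(host, site_host, allowlist)
            if verdict != "trusted":
                findings.append((str(path.relative_to(root)), host, verdict))
    return findings


def build_sample_tree(root):
    """Write a constructed wp-content tree: one clean file, two injected ones."""
    root = Path(root)
    theme = root / "themes" / "shop"
    plugin = root / "plugins" / "nulled-slider"
    theme.mkdir(parents=True)
    plugin.mkdir(parents=True)
    (theme / "header.php").write_text(
        '<script src="https://shop.example/wp-includes/js/jquery.js"></script>\n')
    (theme / "footer.php").write_text(
        "<?php wp_footer(); ?>\n"
        # Constructed injection: loads from the domain named in the post.
        "<script type='text/javascript' src='https://cloudflare.solutions/"
        "assets/loader.js'></script>\n")
    (plugin / "loader.js").write_text(
        # Constructed: a pirated plugin pulling code from an unrelated host.
        "document.write('<script src=//cdn.constructed-unknown.test/x.js>"
        "</script>');\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan_tree(build_sample_tree(tmp), site_host="shop.example"):
            print(*finding)
```

On a real site, point `scan_tree` at the wp-content directory and pass the CDN and analytics hosts you actually use in `allowlist`; anything left over deserves a look, and a `known-miner` hit means the site is already compromised and the credential-stealing behaviour described above should be assumed.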

Posted in: Security