All posts by Kris Price

What Is a Distributed Denial of Service Attack?

DoS & Its Types
Denial of Service (DoS) occurs whenever a website stops offering its services. A denial of service is the result of an attack or of too many online visitors on a specific site.

There are many kinds of attacks that can disable a system. In some cases, peer-to-peer software is used to corrupt the firmware. Among all types of attacks, the Distributed Denial of Service (DDoS) attack is the most common. A DDoS attack sends more traffic to a website than it can handle. Hackers use networked computers to generate a flood of traffic that disrupts business continuity. Because a website is designed to handle a limited number of customer requests at a time, it crashes when flooded with too much traffic.

DDoS Attacks Frequency
DDoS attacks occur frequently. According to Wikipedia, DDoS attacks occur on average 28 times per hour. What is more ironic is that the number of attacks is increasing on a regular basis.

Who are DDoS Attackers?
There are many reasons that lead hackers to use distributed denial of service attacks. One cannot pin down the exact reasons or who the attackers are. It is believed that competitors use DDoS attacks against a business as a deceitful tactic.

Objectives behind DDoS Attacks
Attackers use DDoS attacks to extort ransom money. Companies are warned to pay an amount, otherwise their systems will be taken down. Once a company pays the amount, it becomes a long-term target for hackers. On the other hand, companies that refuse to pay the ransom suffer disruption to business continuity and downtime, which means paying for system recovery and damage to their business reputation.

Sometimes, DDoS attacks are the result of a protest. When hacker groups object to the actions of certain groups, they attack their websites in response. Many hackers also use these attacks just for pleasure or to cause trouble for others.

Companies Affected by DDoS Attacks
Steam, Sony PlayStation Network and Microsoft's Xbox Live are some of the significant companies that have been affected by DDoS attacks. Alongside large companies, small companies are harassed by these attacks because they do not have preventive measures in place to mitigate the effects.

Unintentional DDoS Attacks
DDoS attacks can be accidental. A lot of visitors may find something interesting on a website (a video, picture or article) and visit the site at the same time. The website might not be ready to handle the increase in the number of visitors, so it stops providing service.

DDoS Attacks are Expensive
Neustar reported* that DDoS attacks cost more than $100K an hour for almost 29% of businesses. The customer support centre was affected by these attacks more than any other department.

In a nutshell, businesses must have an effective plan for DDoS and business continuity. Best practices should be used to reduce the number of DDoS attacks. As a result, the effects of downtime on clients and the business can be controlled.

* https://goo.gl/kkwKzT

Managed Service Providers and HIPAA Misconceptions

HIPAA, the Health Insurance Portability and Accountability Act, governs how covered entities or healthcare providers maintain the sensitive health information saved in their systems. The regulations are terrifying for service providers who are unaware of the key factors. What are the responsibilities of a service provider when serving the healthcare sector? When an audit team finds compliance issues, who is liable to pay the fines? This article dispels some of the misconceptions about HIPAA and MSPs to bring the reality to light.

Complicated HIPAA Requirements
It is often assumed that the requirements are tricky and cannot be understood easily. In fact, the requirements are clear-cut and anybody can access them on the government website, www.healthit.gov. It is good to learn more about HIPAA using online services; however, it is better to work under the guidance of a third party that specialises in HIPAA. They support you and discuss the various aspects of HIPAA to make you HIPAA compliant, providing a web portal with tools, a checklist and an online repository, along with many other applicable documents. Many third parties also offer their services for resale, allowing you to increase your profit in the process.

Advanced Healthcare Needs
Healthcare practices have requirements that are similar to those of other businesses. In reality, healthcare differs from other kinds of business in only two ways. First, there is no tolerance for downtime, as lives can be lost. Second, healthcare providers demand the latest security systems for accessing information, as they keep highly sensitive patient records. If these two factors are put aside, a healthcare organisation works like any other business. When the mandate of HIPAA is properly understood, MSPs will see that the requirements are not complicated at all.

No Rewards
One misconception is that IT providers are not rewarded for their services in the healthcare industry. In fact, HIPAA compliant service providers get many benefits. It is a profitable market that gives more opportunities to IT providers who are able to manage HIPAA compliance.

When managed service providers are in close contact with their clients, they understand the clients' technology demands and gain the confidence to work efficiently. MSPs benefit because clients have confidence in their service and give them more opportunities to provide new services.

As an MSP, have you ever considered listing the benefits you would gain in the healthcare industry by providing a HIPAA compliant solution? In your area, how many service providers specialise in HIPAA compliance?

Conclusion
In the healthcare industry, there are a lot of misapprehensions about HIPAA. The reality is far from the misconceptions: it is a profitable path where more opportunities and more references are waiting for you. An in-depth understanding of HIPAA requirements will make service providers HIPAA compliance champions. If you become an expert and manage HIPAA, you will have a dominant position and more opportunities coming your way than other MSPs.

Guidelines for Managing Software Audits

Software audits are usually carried out by large companies. When customers pay for software, it is their right to ask questions and get a satisfactory response. There are basically two kinds of audit, known as:

Software Assessment Management or SAM
Legal Contracts & Compliance or LLC

SAM is a kind of audit that establishes whether customers are in compliance or not. If they are not, the company is expected to work with its customers to reach compliance. SAM is also known as a “self-audit”, as customers are directed to fill in forms detailing their software and to evaluate it against the software they have purchased earlier.

Many companies are offered licensing agreements or deals to fulfil their compliance mandate. Customers who have been through the SAM audit process say that it is supportive when they make a fair attempt at becoming compliant. Participation in a self-audit is voluntary; however, if you choose not to participate, an alternative form of audit is offered.

LLC is activated when customers reject SAM. Unlike a self-audit, LLC is not free, and it is taken seriously because someone has accused your business of software piracy. It is your right to consult an attorney if an LLC is issued to your company. This type of audit is run by the Business Software Alliance (BSA), a leading anti-piracy group that software companies can hire to carry out all-encompassing audits. It is a serious matter, as penalties per title violation are more than $150,000.

What are Effective Practices?

Don’t Postpone
If you realize that your company is falling out of compliance, it is good to start the audit process as early as possible. Software audits are more considerate when customers are serious about compliance issues.

Do Not Presume Authenticity
Many fraudulent sellers profit by selling pirated software to companies. Worse, customers often do not even know they are using pirated software until an audit exposes the truth. It is necessary to buy only from certified resellers to avoid such situations.

Keep Record of Receipts
Always keep records showing that you purchased laptops or other devices with specific software. During an audit, you need to prove that your software was legally purchased, and this covers both retail and OEM licenses.

Software Inventory
In some cases, you might not have a record of all the software in use in the company. If so, you must carry out an inventory to find out what software is installed. This helps to find breaches in compliance.

Work with Sellers
Companies do not always keep all of their software in full compliance. Auditors understand this; they do not treat it severely, and they expect your company to start working with sellers to become fully compliant.

Software audits are very important: they help companies become compliant and avoid lawsuits. For instance, Microsoft assumes that customers with Volume Licensing contracts or an Enterprise Agreement are compliant. Audits for small and medium-sized companies are usually issued through Selection or Open licensing agreements.

Characteristics of Advanced Data Archiving Software

Data archiving is the process of transferring data to a storage device for future use. Unlike backups, data archives do not contain copies of actual data. There are many useful features to consider before selecting archiving software. Data archives hold older but important data that can be retained for compliance. Searchability is a bare-bones feature of any useful data archiving solution. To provide meaningful search functionality, data archiving software has particular attributes:

Granularity
Granularity plays an important role in searching. It is an indispensable capability for the e-discovery process. Because a large volume of data is examined at this stage to find important information, the software must be able to search on the following bases:

Data Sources: Search by the source the results come from, such as a file server, Microsoft SharePoint or financial apps
Data Type: Microsoft Office document, PDF, email and many other files
Important Data: Files containing social security numbers, bank account numbers and credit card numbers
Author of Document: Search by author of file

Storage Optimization
Another significant feature, besides granularity, is storage optimization. This feature helps to reduce the amount of data and to access data seamlessly. Storage optimization reduces operating and capital costs. It also helps to improve information governance and access to data for analysis and reporting, and to lower risk.

It seems absurd to find many copies of the same data in search results. To avoid this, archiving software uses a deduplication engine. Compliance drives effective policies for keeping data in archives for a specific period of time. Archiving is best for data that is required to be backed up but will not be accessed frequently.
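The search criteria listed under Granularity and the deduplication step described above can be sketched together. This is an added example, not code from any archiving product; the Item fields, the function names and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits


@dataclass
class Item:
    source: str    # e.g. "fileserver", "sharepoint"
    doc_type: str  # e.g. "docx", "pdf", "email"
    author: str
    text: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sensitive_kinds(text: str) -> set:
    """Return which kinds of important data appear in the text."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            kinds.add("card")
    return kinds


def search(archive, source=None, doc_type=None, author=None, sensitive=None):
    """Filter on any mix of criteria; identical content is returned once."""
    seen, hits = set(), []
    for item in archive:
        if source and item.source != source:
            continue
        if doc_type and item.doc_type != doc_type:
            continue
        if author and item.author != author:
            continue
        if sensitive and sensitive not in sensitive_kinds(item.text):
            continue
        digest = hashlib.sha256(item.text.encode("utf-8")).hexdigest()
        if digest not in seen:  # deduplicate by content hash
            seen.add(digest)
            hits.append(item)
    return hits


# Constructed sample archive; the card number is a well-known test value.
ARCHIVE = [
    Item("fileserver", "docx", "alice", "Invoice paid with 4111 1111 1111 1111"),
    Item("sharepoint", "docx", "bob", "Invoice paid with 4111 1111 1111 1111"),
    Item("fileserver", "email", "alice", "Order ref 4111 1111 1111 1112 shipped"),
    Item("fileserver", "pdf", "carol", "Employee SSN 000-12-3456 on file"),
]
```

A search for card data returns one hit for the two identical invoices, and the Luhn check keeps the order reference in the third item from being reported as a card number.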

Flexibility
The third most important feature of archiving software is the flexibility to support as many data platforms and popular applications as possible. Some software can archive data from social networking sites, such as an organization's content on Twitter or Facebook.

Additionally, a wide range of sources, writing capabilities and data targets should be handled properly for extraction. An organization cannot afford to be limited to a single track, such as tape archives, when unlimited and affordable archival alternatives are on offer. A wide range of media is supported for extracting archived data; extracted data can be written to DVD, tape, Blu-ray and many other media.

In a nutshell, the best data archiving software needs further features, such as automation and compliance regulation, to assist users in managing data. Once you have confirmed what type of data is important for future use and how long you need to store it in the archives, your organization can get the maximum benefit from archiving software.

How Does Compliance Affect Data Protection Strategies?

An organisation that uses data archiving software should value result-oriented practices when designing its data archiving policies. Compliance plays an important role when policies are formed: it is the requirement that forces the organisation to conform to rules and regulations. However, the rules and regulations may depend on the nature of the business:

– In Specification or Standards — when a particular standard is adhered to, like Payment Card Industry (PCI) or International Organisation for Standardisation (ISO) protection standards;

– In Regulatory — when the need is linked with specific type of compliance, such as HIPAA or Sarbanes-Oxley;

– In Legal — when the need is linked with specific data for investigation purposes or e-discovery.

Financial or medical industries are regulated more specifically than a small franchise in other service areas, which for instance, needs to follow PCI standards. However, such a franchise — or any business for that matter — must have some policies in place for legal and e-discovery.

Three basic considerations must be defined in order to determine how certain data should be archived and/or when the data should expire:

– Type of data – how important that data is for the organisation;

– Time period required for data protection – how long should the data be kept active;

– When archived data should be deleted.

In fact, compliance is the basis of data storage. Archives contain only a few relevant files for BDR. It is ridiculous to save short-term records such as drafts or logs. Once you have decided what type of data needs to be backed up, the next task is to check the required time period for keeping the protected data. For instance, the IRS demands that tax-related documents be kept protected for at least 7 years.

When specific data is no longer needed, it is time to remove it from the archive. Most organisations do not even bother to delete data, as cloud backup is cheaper and is a simpler solution for maximum data protection. Because of business continuity and compliance management, data is considered a valuable commodity. Data can be stolen to damage the reputation of a company; therefore, companies must keep backups of all files and documents, whether needed or not. This is one of the reasons why businesses have huge amounts of data stored in the cloud.

Although holding valuable data as backup helps during the recovery process, keeping expired data might cause many legal problems for companies. Federal regulations demand that specific types of data be retained if a company is charged with any wrongdoing. Litigation experts claim that keeping unnecessary data beyond the required date may cause more problems for companies. More resources will be required to sift through the data. Furthermore, more data means more chances of vulnerability. Companies must design and follow a policy for destroying irrelevant data to avoid legal consequences.

Current legislation that demands proper procedures and policies also requires a formal record of all data destruction and retention policies. Moreover, such policies serve as a record for the court that certain data no longer exists.

It is time to think about compliance, as no organisation wants to be charged with not following the law. With the right compliance kit and compliance management, companies can avoid legal issues.

Virtualization Storage Performance and RAID Levels

RAID (Redundant Array of Inexpensive Disks) is a storage technology based on virtualization. In a RAID system, many drives are combined into one logical unit. There is a variety of RAID levels, each optimized for a particular situation. RAID levels are not standardized by industry groups, so companies often use their own numbering and implementations.

Commonly used RAID levels are:

RAID 0
RAID 5
RAID 6
RAID 10

The software that provides RAID functionality usually resides on a controller card. Mac OS X and Windows Server 2012 also include software for RAID functionality.

RAID Level 0

At this level, data is divided into blocks. When multiple disks are used, RAID 0 provides greater I/O performance, and it performs well in both write and read operations. It is easy to implement. The drawback of RAID 0 is that it has no fault tolerance: if one of the drives fails, the data in the RAID 0 array is lost. Consequently, it cannot be used for critical systems. It is ideal for non-critical data storage where the basic aim is to write or read data at the highest speed, such as a video editing station. For critical systems, it is better to use cloud backup technology so that important data remains backed up to the cloud.

RAID Level 5

This is known as a secure level and needs three or more drives. Data blocks are striped across the drives. With the help of parity data, the computer can calculate the other blocks of data even if that data no longer exists. In other words, RAID 5 can survive a drive failure: if one drive fails and is replaced, the data can still be accessed. RAID 5 offers fast read transactions; however, write transactions are a bit slower.

The drawback of RAID 5 is that the failure of one drive affects the others as well. When one drive fails, restoring the data takes one day or more, depending on the controller speed and load. If another disk fails during the restore, it is impossible to retrieve the lost data.
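The parity calculation and the second-failure limit described above can be shown with a small simulation. This is an added example, not code from any RAID controller; it assumes XOR parity with a rotating parity block, and the function names, block size and sample payload are constructed for illustration.

```python
from functools import reduce


def xor_blocks(blocks):
    """XOR equal-length byte blocks together, column by column."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def write_stripes(data, n_drives, block_size):
    """Stripe data over n_drives with one rotating parity block per stripe."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs three or more drives")
    per_stripe = (n_drives - 1) * block_size
    stripes = -(-len(data) // per_stripe)          # ceiling division
    data = data.ljust(stripes * per_stripe, b"\0")  # pad the last stripe
    drives = [[] for _ in range(n_drives)]
    for s in range(stripes):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i:i + block_size]
                  for i in range(0, per_stripe, block_size)]
        parity_drive = (n_drives - 1 - s) % n_drives
        blocks.insert(parity_drive, xor_blocks(blocks))
        for drive, block in zip(drives, blocks):
            drive.append(block)
    return drives


def rebuild(drives):
    """Recompute a failed drive (marked None) from the surviving drives."""
    failed = [i for i, d in enumerate(drives) if d is None]
    if len(failed) > 1:
        raise RuntimeError("two drives lost: single parity cannot recover")
    if failed:
        survivors = [d for d in drives if d is not None]
        # XOR of all surviving blocks in a stripe equals the missing block,
        # whether that block held data or parity.
        drives[failed[0]] = [xor_blocks(s) for s in zip(*survivors)]
    return drives


def read_data(drives, length):
    """Reassemble the payload, skipping each stripe's parity block."""
    n = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        parity_drive = (n - 1 - s) % n
        for i in range(n):
            if i != parity_drive:
                out += drives[i][s]
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"constructed sample payload for the RAID 5 demo"
    array = write_stripes(payload, n_drives=4, block_size=4)
    array[2] = None                      # simulate one failed drive
    rebuild(array)
    print(read_data(array, len(payload)))
```

The rebuild reads every surviving block in every stripe, which is why restoring a large array takes so long and why a second failure during that window is fatal.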

RAID Level 6

It is similar to RAID 5; however, two drives are used for parity data. Consequently, RAID 6 needs a minimum of 4 drives and can bear the loss of two drives at the same time. It is true that the simultaneous failure of two drives is rare. RAID 6 has fast read transactions. The drawback of this level is its slow write speed, which is due to the parity. A read operation reads the data from drive-1 parity and then drive-2 parity. Similarly, a write operation writes parity one and then parity two, which is time consuming.

RAID Level 10

This level is known for being uncomplicated to calculate. It has mirror sets, and each of them writes data twice to create the mirror. As a result, write performance is slower. With RAID 10, rebuilding data onto a new drive from the existing mirrors is easy and fast. At this level of virtualization, the maximum storage capacity is used for mirroring, which makes it an expensive method.

Conclusion

Keeping important data secure is a basic need of enterprises. RAID offers various performance levels, but each level has some drawbacks. In a RAID array, all drives are the same age, so the failure of one drive can be followed by another. To keep data safe from natural disasters, drive failure and/or hacking, the best option is a cloud backup service.
