Move Over Grim Reaper, Hackers Scariest

halloween

Happy All Hallows’ Eve! Looking for a good spook?

According to the recent crime poll by Gallup, over two-thirds of Americans are “frequently to occasionally” worried about being hacked, far surpassing all other crime fears. Concerns of stolen credit card information and the integrity of personal information on devices topped the upper sixtieth percentile in this year’s report, clearly showcasing the growing prevalence of cyberattacks today – and it appears to be justified.

With fears of the Grim Reaper earning less than 20%, perhaps we should rethink our Halloween costumes this year and trade in those black cloaks and scythes for a code book and keystroke reader.

How Cloud ERP Creates Competitive Advantage | Version-Locked versus Version-Less

Leveraging the advancements in technology to gain a competitive advantage is nothing new in today’s business world, but when was the last time you examined your ERP system under the same lens? The pace of business is changing; organizations simply cannot afford to move at yesterday’s speed, and much of today’s demands fall on process efficiency. However, according to Forrester Research, “approximately half of ERP customers are on releases that are two versions behind the current release, which may be four years old or more.” That statistic alone indicates that a large chunk of the marketplace is running on technology that was created when fax machines were still widely relevant and e-mail was just a novelty. The version-locked ERP of yesteryear is fundamentally incompatible with the current structure for success, and it should come as no surprise then that only 4% of today’s IT leaders feel that their ERP system offers a competitive advantage for their organization.

Version-locked ERP is plaguing many businesses today. The aging, on-premise system grows farther out of alignment with the needs of the organization every day, with no updates for new regulations or integrations to the latest e-commerce platform, stagnant behind a buildup of customizations and manual connect-the-data spreadsheets. Before you know it, the business finds itself in a quicksand situation, stuck in place by an ERP system that isn’t evolving with the pace of business and being swallowed by a market that demands continual progression.

Regardless of industry, businesses remaining relevant in today’s economy are growing more distributed, spanning across geographies like never before, and mobility has become a key driver in performance. But in large, organizations are hesitant to implement business applications built on a similarly dispersed, accessible platform. Old ERP was designed before mobile devices and connect-anywhere capability, when business never left the office, but performance beyond the PC is the foundation of the cloud. If the current structure for success is accessibility and fluidity in an elastic workforce, what better platform than the cloud to drive your business processes forward?

Combining the agility and dispersed access enabled through the cloud with the real-time data of an efficient ERP system creates a true competitive advantage for your business – empowering staff across your organization to collaborate and align with business objectives, regardless of their location and independent of your IT resources. Cloud ERP frees businesses from the inflexible, change resistant ERP of the past. They can run on a system that is essentially version-less, with automatic updates to new features and functionality, migrating any customizations with each upgrade. In short, version-less cloud ERP enables businesses to experience today’s innovation while continuously aligning their ERP needs with their evolving business operating environment.

  

Click here to read more about cloud ERP and “The 8 Ways Outdated ERP Damages Your Business.”

 


stuart_tholenStuart Tholen is the Director of Eide Bailly Technology Consulting’s
Enterprise Resource Planning services. With more than 30 years of
experience in tax, audit and IT, Stuart has focused on building and
developing a consulting department to customize and integrate
business solutions for the end-user.

stholen@eidebailly.com

 

 

 

 

Application Whitelisting: A Critical Piece in the Security Puzzle

Following the release of Windows Server 2003, the capability to implement Software Restriction Policies (SRP) has been widely accepted as one of the safest ways to secure corporate networks. Integrated via Microsoft Active Directory and Group Policy features, SRP identifies and controls the programs running on a domain to increase reliability, integrity and manageability of the devices within an environment.

A common SRP technique is blacklisting where known threats are blocked from running through your anti-viral or anti-malware programs. Utilizing blacklisting methodologies within your organization is an essential aspect of any security strategy as it is a cost effective approach to threat detection; however, this is a reactive defense that cannot scale to today’s growing volume and variety of threats. In the instance of a zero-day attack, such as Heartbleed and Shellshock which leveraged previously unknown system vulnerabilities, blacklisting techniques alone will leave your organization completely susceptible as it can only protect you against the known, and in today’s highly ambiguous grey area of security certainty, organizations must be preparing for evolving threats to remain secure and successful.

Enter: Application whitelisting.

Whitelisting is a proactive approach to SRP configuration where, instead of blocking known attacks, a network administrator defines a limited set of permitted programs, called a whitelist, which are allowed to run on a domain. By default, this prevents all other programs – including most malware – from running within the environment. Essentially, it functions as an “if-than” filter thwarting unauthorized applications from breaching a system. When employed in conjunction with traditional security measures, it creates an additional layer in an organization’s defense-in-depth strategy.

Take, for example, if an employee opens an email or inserts a USB drive containing malicious code; through the effective use of whitelisting, it will be unable to run within the domain, maintaining the integrity of your organization’s network. Traditional downtime in such situations ranges from a couple hours to a number of days, depending on the penetration of the malware. While you may feel that your network data is secure, can your business withstand an extended outage?

For an effective application whitelisting solution, network administrators should note that all executable code must be blocked by default so only approved, whitelisted programs can run. Additionally, network users cannot have modification abilities on the files allowed to run, and all installations and downloads of new applications will involve administrator authorization. While there are definite advantages to application whitelisting, like the defense against current malware and the absence of daily oversight, there are some disadvantages to consider before implementing in your organization. Efficient application whitelisting requires regular maintenance of the whitelist as new applications are added and removed based on the approval process defined within your organization. This, in turn, requires some performance overhead for enforcement and continuous improvement definitions. It is also important to consider that end-users will be limited on downloads, applications, and files they are permitted to use which can create some frustration and annoyance. Proper communication on the importance and necessity of rigid policies should be a priority within your security strategy as staff will be more receptive to restrictions when they are made aware of the reasoning. Engage your employees as advocates on your journey to network integrity and never underestimate the importance of a communication plan with all organizational changes.


mike_arvidsonMike Arvidson is the Director of Eide Bailly Technology
Consulting’s Infrastructure Services. With more than 20
years of experience in the IT industry, Mike’s wealth of
knowledge includes network systems implementation,
integrated new technologies, and information security.

marvidson@eidebailly.com

 

Hockey Analytics: The New Power Play

New technologies are constantly appearing and proclaiming their life changing capabilities, but in reality, it can be difficult to visualize their real-word relevancy until they have gone mainstream. By that point, however, you’re often already behind the game. Big data falls into this category. It is both complex and ambiguous, and its impacts are far reaching but widely misunderstood and underestimated. Analytic systems have been around for decades, but with the new stream of valuable information being leveraged to power them, we have seen a whole new revolution in data analysis.

Case in point: the NHL.

Enabled with advanced statistics, franchises in the National Hockey League are evolving their game and strategies with deeper insights into their sport. A shift in leadership tactics has seen the addition of analytics specialists within multiple organizations in the hopes of capitalizing on the overflow of data available in today’s technologically driven world. This is nothing new, though. Baseball saw the power of statistical analytics over 20 years ago with Bill James’ sabermetrics movement, which went on to heavily influence the Oakland Athletics’ successful 2002 and 2003 MLB seasons under the helm of general manager Billy Beane – the main focus of 2011’s Moneyball starring Brad Pitt. Hockey analytics, however, aims to measure a sport that is much more difficult to quantify, but new technologies – like the possibility of microchip streaming – indicate that this is just the beginning.

Hockey Analytics quote

Data analytics in the NHL are creating a cutting edge advantage to coaching staff and executive leaders, aiding them with deciphering the best lineups, pairings, and matchups as well as developing their game strategy, driving scouting techniques, and gauging the overall health of the organization. Like in any business, the more you know, the better you can develop and prepare your organization – a concept not lost on today’s leading hockey clubs.

 

For the full article on the NHL’s data analytics journey, head over to TheStar.com, and for all you fantasy leaguers out there, “fancy stats” can help you with your draft too.

 

The 7 Practices of Highly Effective, Rapid Growth Businesses

There are no defined guidelines or an official rulebook for building and growing a successful business. It takes grit, a substantial amount of perseverance, and a dose of trial and error to make it in today’s business climate. Common sense rules still apply, but the wrong move or position of stagnant complacency can be deadly. Surprisingly, despite the tumultuous economy as of late, we have seen the rise of a number of super-growth organizations, businesses that have truly set themselves apart from the competition and appear to be making all the right moves. So what is their secret? In examining the strengths and successes of some of today’s rapid growth companies like GoPro, Netflix, and Yext, we have identified seven practices of highly effective businesses.

Consider this your official, unofficial rulebook to business success in the mid to late 2010s.

1. Be Value Added and Recognize Emerging Trends
First and foremost, customers want true value from you, not perceived benefits. This may seem simple enough, but what makes being a true value added organization difficult is that fact that customers are continually redefining their wants and needs. And where the customer goes, the market follows. Ultimately, this means you need to build a product or service that adds consistent and compelling value to your audience – beyond the competition – and recognizing emerging market trends can help. In the current “Car Wars” waging in a metropolitan landscape near you, the car service that will step out on top between Uber, Lyft and Hailo will be the business that best capitalizes on the point where emerging trends and customer value meet.

2. Spot Growth 
Businesses grow in two fundamental ways: to their existing customer base natively by leveraging new offerings or to new customers by moving into new markets or diversifying their portfolio. The key to success is identifying the largest potential area of growth for your organization and supporting that strategy across the business, continually reassessing the market and performance metrics.

3. Think Efficient
Hyper-growth businesses are built on a foundation of brilliant processes. Efficient and scalable, these processes enable decision makers to make timely, informed business moves based on the organization’s strategic direction to the benefit of the business, the team and the customer. Hand-in-hand with efficient processes come efficient technology solutions. It is more critical than ever that any system or platform you implement within your organization sets you up for growth, enabling the scalability and flexibility you need, when you need it.

4. Measure and Respond
Despite what some may argue, the ever ambiguous x-factor luck does not have a role in true success. Constant monitoring of performance and growth will provide insight to your path to success, allowing you to determine what is working within your organization and what simply is not so you can make adjustments as you go. You may not be able to control external forces, but you can set yourself up to react – even pro-act. This is where big data comes in to play. Data-driven technologies enable organizations to access real-time information for visibility, flexibility and responsiveness, proving that big data leads to a big market advantage.

5. Foster Focused Vision
The late, great business consultant and author Peter Drucker once said that “management is doing things right; leadership is doing the right things.” And you cannot have the former without the latter. Regardless of your superior value proposition or outstanding future growth opportunities, your organization will not grow to full success without focused leadership. A true, focused leader aligns to the company vision and drives it forward, adapting in an evolving market and proactively identifying trends.

6. Create a Following
Nothing spreads as fast as good news, except maybe bad news – and nothing is as impactful in today’s marketplace as customers sharing the word on your superior product or service. Identify your brand advocates – be they within your organization or external – in conjunction with your growth strategy and engage them through social media or traditional testimonial case studies. Creating a following of brand loyal ambassadors for your business will be your greatest differentiator on the road to success, but it is important to remember that this is a two-way dialogue. Control the story by effectively mitigating any bad press while highlighting and encouraging others to tell your story to the market. It will be your most effective marketing tool.

7. Stay Agile and Innovative
After creating and fostering an effective, rapid growth business, you may be tempted to take your foot off the gas and coast. But if there is anything we can be certain of it’s that the market can (and will) change in an instant, and today’s winners can become fast losers if they are not continually reassessing their position, their customers, and their market opportunities. Strive for innovation; keep moving and evolving. Customer’s today have more options at their fingertips than ever before, and new competition is constantly appearing – always be one step ahead of the game.


scott_kostScott Kost is the Director & Principal of Eide Bailly
Technology Consulting. With over 25 years of
experience in the IT industry, Scott’s wealth of
knowledge includes new technologies
implementation, information security and
system operations, leadership
development, and strategic planning.

skost@eidebailly.com

Guest Blogger | Bash “Shellshock” Vulnerability: What You Need to Know Now

The media, IT security industry, and social platforms are all talking about a newly found, highly critical vulnerability named “Shellshock.” With all the hype surrounding these types of security threats, statements about this vulnerability like it “affects 50% of the internet,” “hundreds of millions of computers, servers and devices,” and is “bigger than April’s Heartbleed vulnerability” are being tossed around left and right, and frankly, it’s overwhelming. In an effort to not only promote awareness on this vulnerability but provide valuable and actionable information on the topic, we’ve brought in security expert and information technology professor Michael Ham as a guest blogger to help us truly understand what Shellshock is, what devices are impacted, and how to effectively mitigate risk.


What is Bash?

To first understand what Shellshock is, you have to understand where the vulnerability is rooted. The Shellshock vulnerability impacts a component of many Linux and Mac OS X operating systems known as the “Bash shell.” For more than 25 years, the Bash shell has provided system users and administrators with a command-line interface (CLI) to interact with their Unix-based systems. From a Windows operating system perspective, this would be the equivalent of the command prompt; the Bash CLI allows end-users to make and modify user accounts, permissions, manipulate data, and interact with the operating system in highly privileged ways.


Shellshock Vulnerability: The Basics

The Shellshock vulnerability was first reported as early as September 24 and is catching attention rapidly. The threat ultimately stems from an improper handling of global data within Unix operating systems known as environment variables; these variables are updated in a number of ways and affect how a device’s processes behave. Additional services that interact with environment variables in Unix include the Apache Web Service, OpenSSH, and DHCP, opening the vulnerability to web servers and routers.

Essentially, due to the vulnerability in these environment variables within Bash shell, attackers are able to remotely access a vulnerable system over the network and execute arbitrary command codes. If this sounds familiar it is because Heartbleed worked in a similar fashion; both are remote code execution vulnerabilities, but Shellshock allows an attacker full, outright control of a targeted system. Additionally, security experts across the industry have valued Shellshock as a high severity and low difficulty – meaning if it happens, it’s going to be bad, and it is also relatively simple for these cyber assailants to launch.


Who’s Affected?

Vulnerability disclosers are reporting that the Bash shell is vulnerable from version 1.13 to version 4.3; nearly 22 years’ worth of updates. As you can imagine, given the vast expanse of time that the vulnerability has persisted, a large number of devices are likely vulnerable to a potential attack.

The majority of devices in the spotlight fall under one of the following categories:

  • Apple Mac OS X
  • Many distributions of Linux – excluding Debian and Ubuntu which use the Dash shell
  • Embedded Unix devices, such as wireless routers

It is important to note that Windows users are not affected directly by Shellshock; however, because of the nature of Bash shell, there is always the chance that a program running on a Windows machine could run Bash and, thus, potentially be vulnerable for an attack – the two most notable being Git and Cygwin programs. Check for updates within your programs periodically.

Given the severity of this issue, many users are looking for a simple and sure-fire way of determining if their systems are affected or not.  For those running Mac OS X or Linux systems where you are able to log in and access the terminal, you may run the following command:

env x='() { :;}; echo Vulnerable’ bash -c “echo Check for updates”

If your terminal displays “Vulnerable Check for updates,” that machine is vulnerable to Shellshock.

If you receive an error message similar to this, the device is not affected:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’


What’s the Impact?

The National Vulnerability Database, a service sponsored by the Department of Homeland Security, provides vulnerability scores based on exploitability and potential impact. As previously mentioned, Shellshock has earned a 10 ranking in both categories – the highest level of severity in their rating system.

An attacker may be able to leverage this impactful vulnerability remotely and without any credentials (unauthenticated). In the event of a successful exploitation, an attacker can create denial of service (DoS) conditions on critical services, extract sensitive data, take complete control of affected systems, and redirect network traffic to untrusted or illegitimate locations resulting in further compromise. The combination of ease of exploitation in addition to highly compromising results equates to a perfect storm that adversaries will look to take advantage of and capitalize on if users do not mitigate their risk.


What to Do?

While understanding the root of the vulnerability and the potential impacts are important, many are simply looking for a way to mitigate the associated risks. Unfortunately, being early in the discovery phase of this threat, few strategies exist to easily patch the vulnerability. As a general rule of thumb, ensure that you are running the latest versions of software and programs on your devices to best mitigate your risk. Enabling automatic updates on your devices will relieve you of this manual process, keeping you safe with the latest updates against these types of threats.

The following is a brief roundup of what can be done at this point on any affected devices:

  • Apple Mac OS X – Unfortunately, there is not yet an official patch released by Apple to address the vulnerability. Check your system updates frequently as Apple is expected to address the situation and respond accordingly in the days to come.
    • Sources have issued guides on manually updating and patching the shell in OS X. Be extremely cautious doing so, as this may lead to undesired results.
  • Linux – Patches are out for some of the well-known operating systems, such as Red Hat. Most patches appear to be released through the normal system update process.
  • Embedded Devices – Given the nature of these devices and the vulnerability itself, it is going to be difficult to determine which devices are vulnerable and which are not. Check with your devices’ manufacture for any indications on the existence of a vulnerability. They will be pressured in time to address the vulnerability and respond with appropriate patches as security researchers unveil more information about affected devices.

 

We will bring you more information as it is made known, but in the meantime, if you’re running Linux or OS X, install the newest security updates as they become available to keep yourself protected.

You can read more about this vulnerability from the following trusted sites:

http://mashable.com/2014/09/26/what-is-shellshock/
http://gizmodo.com/why-the-shellshock-bash-bug-could-be-even-worse-than-he-1639047786

 


michael_hamMichael Ham is a professor in the College of Business and
Information Systems at Dakota State University in Madison,
South Dakota where he specializes in information security,
cyber operations, and system administration.
Michael is a contracted, independent tester with Eide Bailly
Technology Consulting where he performs internal vulnerability
evaluations, external penetration testing, and social engineering
assessments.

i-mham@eidebailly.com

 

Safeguarding Trust with IT Security

We’ve all heard about the major data breaches companies both large and small have experienced as of late – from Target to Home Depot, the prevalence and size of breaches are growing. The risk of cybercrime is real and present in today’s ever-technology based life. In fact, according to a new report from the Ponemon Institute, in the last year, 43% of businesses experienced a data breach, up over 10% from the previous year. And while you may assume the compromised data is your biggest concern in the event of a security hack, the true threat is to your organization’s reputation and your ability to maintain the trust of your clients and stakeholders – although, with an average cost of $201 per stolen record in the United States, there’s a substantial financial risk to your business as well.

Trust is the currency of consumers today, and when that trust is broken, it can be extremely challenging to regain. A quality product, service or experience is only one facet of consumer trust; client satisfaction is based on their entire experience with your organization at every touch point, including how your organization safeguards that trust with an exceptional IT security strategy. It is shocking to find that 27% of businesses today do not have an established security strategy despite the steady rise in threats.

Security and privacy begins in the boardroom; it cascades over the C-suite and trickles down through the organization where it ultimately rests upon the shoulders of every single employee within your business. As you evaluate your current IT security strategy, the following are important – and often overlooked – aspects to consider.

Security Begins and Ends with Leadership  |  It is critical that you have your organization’s leadership determining the level of risk you will assume; the technology department should never lead security and privacy efforts.

Be Intentional  |  Many organizations simply put IT security tools in place and then stand back and wait for something bad to happen. Be intentional, proactive and constantly monitoring the effectiveness of your security tools so that you can continually improve process and procedures while staying ahead of risks with the latest tools and technology.

Make it a Regular Discussion  |  Security needs to be a regular aspect of every board strategy and risk assessment meeting. Board members need to be educated on what the risks are and what is being done to mitigate them.

Put the Right Tools and Policies in Place – and Monitor Effectiveness  |  Security measures may work properly in theory but fail if they are not used correctly or are altered. You must consider the human factor involved in safeguarding electronic information, and as an organization, it is important to remember that the right tools and policies are only as effective as the individuals who monitor them.

Solve for Mobile  |  Mobile devices are an integral facet of everyday life for clients and employees alike. They are also an emerging technology platform for hackers, and they pose a significant security risk within your organization. It is important to find a BYOD solution that functions correctly within your space and allows your staff and consumers to interact efficiently. Don’t be afraid of the security aspects of mobile technology; rather, manage those risks appropriately and frequently.

Train, Train, Train  |  Every employee needs to understand the risks and their role in safeguarding the trust of your clients. Regular training on policies, procedures and the human behavioral element of security is imperative, particularly during this period of rapid, evolving technological presence in the marketplace.

Test  |  Regular internal and external security testing of your tools, policies and people is truly the most effective method of assessing hidden areas of high risk within your organization. Whether you conduct these tests internally or hire a white-hat hacker to provide an additional perspective is determined by the ability and bandwidth available within your organization.

IT security is about safeguarding trust and deterring breaches. Organizations who take an intentional, proactive stance have the opportunity to drive trust and lead the industry in setting the standard for exceptional security. Ultimately, high levels of trust result in improved stakeholder satisfaction, employee retention and reduction of organizational risk – all of which are essential in today’s evolving business landscape.


mike_arvidsonMike Arvidson is the Director of Eide Bailly Technology Consulting’s
Infrastructure Services. With more than 20 years of experience in
the IT industry, Mike’s wealth of knowledge includes network
systems implementation, integrated new technologies, and
information security.

marvidson@eidebailly.com

 

Business Analytics & Big Data: Your Golden Opportunity for Success

Big data. You hear the term all the time – in meetings, within your business network, at roundtable discussions and industry conferences – but do you really understand the concept?

Putting it simply (or, rather, as simply as possible), big data essentially refers to a set of traditional – financial records, transaction details, point-of-sale interactions – and digital information – metadata, web behavior, social exchanges – collected both internally and externally that delivers ongoing analytic discovery for your organization. It is the premium, synthetic motor oil to your engine of a business analytics system; without it, you’ll lock up trying to run on dry with flat, lifeless information.

Generating value from all these sources, however, requires powerful processing and discovery capabilities. The market today is responding with more analytics tools and functionalities than ever before, empowering users to leverage all these business facts and figures to generate genuine business insights. It’s a new approach, one that has seen the sudden demand for never-before-needed roles like data scientists and BI analysts, but even as the technology and industry progress, business users by and large aren’t capitalizing on their golden opportunity.

The statistics on leveraging the power of big data and business analytics to make better business decisions are staggering.

EideBailly_Infographic_GoldRush

Whether QlikView’s dynamic, real-time visual data discovery or the newly announced “freemium” cloud-based application Watson Analytics with powerful what-if predictive insights, big data is moving into the mainstream with more innovative, easy-to-use tools. It is in your organization’s best interest to “mine for business gold” with big data analytics and gain a competitive advantage before the rest of your market cashes in on the gold rush.


darwin_braunagelDarwin Braunagel is a technology business advisor with Eide
Bailly Technology Consulting. He has more than 15 years of
experience developing and managing business and
technology strategies, with success in the selection and
implementation of ERP, CRM, Cloud, and mobile
solutions.

dbraunagel@eidebailly.com