Archive for the ‘Security and Compliance’ category

Microsoft wins Data privacy battle

July 23rd, 2016

Tech giant Microsoft scored a major legal victory yesterday with a unanimous decision by an appeals court that ruled warrants issued by U.S. authorities do not extend to data stored in other countries. The ruling by the Second U.S. Circuit Court of Appeals was applauded by the vast majority of the tech industry, which had strongly supported Microsoft’s case against the government.

“The decision is important for three reasons: it ensures that people’s privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs,” Microsoft president and chief legal officer Brad Smith said in a statement about the decision.

Territorial Limitations

The case centered around a previous decision by the U.S. District Court for the Southern District of New York, which had ruled against Microsoft’s efforts to quash a warrant issued under the Stored Communications Act (SCA). The SCA is part of the broader Electronic Communications Privacy Act passed in 1986 designed to protect the privacy of users interacting with an electronic communications service provider.

The warrant directed Microsoft to seize and produce the contents of an email account that it maintained for a customer who used the company’s electronic communications services. The government stated that it believed the emails contained information about narcotics trafficking.

But the information the government requested was stored on servers in Ireland, and Microsoft refused to transfer the data to the U.S. In explaining its decision in favor of the company, the appeals court explained that “warrants traditionally carry territorial limitations: United States law enforcement officers may be directed by a court-issued warrant to seize items at locations in the United States and in United States-controlled areas . . . but their authority generally does not extend further.”

A Ruling for Privacy

The decision was hailed by technology companies, business groups, and privacy advocates. “This ruling is a major affirmation that the rights we enjoy in the physical world continue to apply in the digital world,” said Greg Nojeim, director of the Freedom, Security and Technology Project for the Center for Democracy and Technology. “By declaring that a U.S. warrant cannot reach communications content stored abroad, the court ruled strongly in favor of privacy and national rule of law.”

Amicus briefs supporting the company had been signed by the Chamber of Commerce, AT&T, Verizon, Apple, Cisco, and the National Association of Manufacturers. The Republic of Ireland also supported Microsoft’s case, arguing that the warrant represented an assault on the nation’s sovereignty.

While the decision is certainly a win for Microsoft, the government may yet appeal. The case could eventually end up before the U.S. Supreme Court. The U.S. is also likely to push for new laws requiring companies to store customer data within the U.S. if it decides it can’t legally compel organizations to surrender data stored overseas.

Ransomware on the increase

July 21st, 2016

We have helped several companies recover from ransomware attacks this year.

The business segment is becoming an increasingly attractive target for cipher-malware developers, Kaspersky Lab says in a new study. According to the report, based on Kaspersky Security Network (KSN) data, the number of attacks against the corporate sector in 2015-2016, compared with 2014-2015, has grown six-fold (from 27,000 to 158,000). Thus, ransomware tried to encrypt the data of every tenth B2B user.

Cyber-criminals using ransomware now attack businesses frequently, particularly small and medium-sized companies. This trend is confirmed by the IT Security Risks 2016 study from Kaspersky Lab and B2B International, during which 42% of respondents from small and medium-sized businesses agreed that cryptomalware was one of the most serious threats they faced last year.

For such companies, any data unavailability – however brief – can lead to significant losses, or bring their entire operations to a halt. If a company has not been taking due measures to ensure the safety of its important information, purchasing the decryption key from cyber-criminals can be the only way to recover data.

However, this does not guarantee complete data recovery. The best way to protect your company from malware is to prevent the attack in the first place.

Kaspersky Lab experts recommend several simple safety rules:
- Make regular backup copies of all important files. Companies should have two backups: one in the cloud (for example Dropbox, Google Drive, etc.), and another on an additional server or on removable media if the data volume is not too big.

Synergy’s guide is the 3-2-1 rule:
- 3 copies
- on at least 2 media
- 1 of which is held remotely, i.e. offsite


Trust well-known and reputable service providers who invest in security. Usually you can find security recommendations on their web sites, and they publish third-party security audits of their cloud infrastructure. Don’t assume a cloud provider can’t have security, availability or data leakage problems. Ask what you would do if the provider loses your data. There should be transparent data backup and restore processes, together with data protection and access control.

Avoid using only free security and anti-malware software: small businesses expect the basic security tools offered within free solutions to be sufficient. Free tools do provide basic protection, but they fail to provide multi-layered security. Instead, take a look at dedicated solutions: they do not require a large financial outlay, but deliver a higher level of protection. Some ‘free tools’ may even be provided by the hackers.

Regularly update your OS, browser, antivirus, and other applications. Criminals use vulnerabilities in the most popular software to infect users’ devices.

Prevent IT emergencies: configure a security solution for your company. Small businesses usually don’t have an IT department or a full-time dedicated administrator; they simply rely on the techiest person in the office to take care of the computers, in addition to their regular duties. Don’t wait until something breaks: use IT support from an IT service provider to review your software and security configuration in advance.

“Crypto-malware is becoming a more and more serious threat: not only does an organization lose money to ransoms, but business can be paralyzed during file recovery. There is a wide attack vector including web, mail, software exploits, USB devices, and others. To avoid infection, you should explain to your personnel where attacks come from, and that employees should not open email attachments, visit untrusted web resources or plug USB devices into unprotected computers. An anti-malware solution is an essential measure to avoid the majority of security incidents,” noted Konstantin Voronkov, Head of Endpoint Product Management, Kaspersky Lab.

Qatar to implement data privacy law – watch out for the fines

July 20th, 2016

Qatar’s Advisory (Shura) Council unanimously approved the draft of a landmark new data privacy law, requiring companies to increase their level of data security and protection against cyber threats. The law was originally drafted in 2011, but has recently gained importance in the wake of the alleged cyber attack on Qatar National Bank. During the attack, hackers gained access to the bank’s customer records and leaked them online in a massive 1.4 GB file. The file contained sensitive information on more than 1,200 individuals, including Al Jazeera journalists and members of Qatar’s ruling Al Thani family.

Creating a regulatory framework for cyber security has become an urgent priority to prevent similar attacks from occurring in the future. In the near future, these laws will place the burden and responsibility of protecting sensitive information on the leadership of every organisation in the country. Organisations that fail to comply with the new laws will face heavy fines of up to 1.37 million USD.

Qatar is not the first country in the GCC to implement such laws. Oman, for example, has been one of the most proactive countries in the GCC in terms of adopting legislation to help promote cyber security and protect the country’s virtual borders. Under the new law, companies are obliged to protect sensitive information from being leaked or hacked. Failure to do so could result in hefty fines (5 million QAR).

According to the Qatari Ministry for Transport and Communication, the new law seeks to create “established standards of data protection as determined by the state”. The third chapter of the law outlines basic data protection responsibilities that will become mandatory for all organisations in the country. These responsibilities include properly training data handlers to detect and to mitigate cyber security threats, using “the necessary precautions to prevent personal data against loss, damage or disclosure”.

Organisations will be required to ensure that their networks and systems are adequately protected. They will be expected to rely on effective, up-to-date cyber security measures, and test these measures on a regular basis. In Qatar CEOs may need to urgently look into authorising budgets for cyber security – to pay for technology rather than to pay fines.

Security ramblings

July 18th, 2016

I ran across a piece last week that noted 10 million Android phones have malware that has rooted their operating system. For the most part this malware is designed to show ads and install apps. Mobile devices are becoming ubiquitous, for everyone. It’s not just technical people that now have access to internal systems from mobile devices, as everyone from low-level marketing people to high-level executives is becoming comfortable with accessing information regularly, from anywhere, at any time. This means that our security is inherently weaker because we allow access, and with BYOD spreading this problem looks to get worse before it gets better.

One of the constant challenges with the spread of data breaches is establishing what is indeed data hacked out of an organisation versus data from another source. Many recent cases where representations of a data breach were made turned out subsequently to be wrong. For example, the recent case where it was claimed that 272 million accounts had been stolen from Hotmail, Yahoo, Gmail and Mail.ru. The mail providers subsequently confirmed that this was not the case. Same again for recent claims that there were 32 million Twitter accounts on the loose. Twitter quickly debunked this and speculation that they were obtained via malware has never been substantiated.

The basics of security are still woefully weak. Many sites only allow you to create limited-length passwords, or allow you to enter weak passwords such as pwrod123, ******, etc. This implies they’re trying to fit the password into that varchar(10) column in the database, which in turn implies no cryptographic storage, and it fundamentally weakens the choice of passwords available to the user. E.g. see the Etihad site, or KLM Flying Blue. Other airlines are equally lackadaisical, and there are many other security flaws that are easy to find. PayPal will also truncate long passwords, but without telling you, so you might find yourself locked out because the password you entered is too long.

A recent data backup mantra I heard that is worth repeating is the 3-2-1 approach:
- 3 copies of data
- on at least two media
- one copy held remotely.

Microsoft warns of new self propagating ransomware – Ransom:Win32/ZCryptor.A

May 31st, 2016

The new ransomware, which Microsoft has dubbed Ransom:Win32/ZCryptor.A, is distributed through spam emails. It can also infect a machine running Windows through a malware installer or fake installers like a Flash player setup file.
The ransomware would run at boot and drop:
• a file autorun.inf in removable drives,
• a zycrypt.lnk in the start-up folder,
• and a copy of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe.
It will then change the file attributes to hide itself from the user in file explorer.
The Microsoft advisory said a file headlined “All your personal files are encrypted” would be displayed to the user and the ransomware would encrypt numerous files, changing their extensions to .zcrypt in the process. A total of 88 file types would be encrypted, and Microsoft said it was important to enable File History or System Protection so that restoring personal files from a backup was possible in some cases.

However, it appears that Microsoft was also not fully aware of the actions of the ransomware, because it offered the following advice: “Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive.”

Windows users take care.
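As an added example that is not from Microsoft’s advisory or this post, the Python below turns the indicators listed above into a read-only triage scan: it walks a directory tree and reports files renamed to .zcrypt, the dropped names autorun.inf, zycrypt.lnk, system.exe and zcrypt.exe, and whether any of those carry the Windows hidden attribute. demo() builds a constructed sample tree in a temporary directory so the scan runs anywhere; the severity labels are my own wording, not Microsoft’s.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Indicators taken from the Microsoft description quoted above.
ENCRYPTED_EXT = ".zcrypt"
DROPPED_NAMES = {"autorun.inf", "zycrypt.lnk", "system.exe", "zcrypt.exe"}
# Windows "hidden" attribute bit; the stat constant only exists on Windows builds of Python.
HIDDEN_FLAG = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def is_hidden(path: Path) -> bool:
    """True when the Windows hidden attribute is set; False where the attribute is unavailable."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_FLAG)


def scan_tree(root) -> Dict[str, List[str]]:
    """Read-only walk collecting ZCryptor-style indicators; paths are reported relative to root."""
    root = Path(root)
    findings: Dict[str, List[str]] = {
        "encrypted_files": [],
        "dropped_artifacts": [],
        "hidden_artifacts": [],
    }
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_EXT):
                findings["encrypted_files"].append(rel)
            if lowered in DROPPED_NAMES:
                findings["dropped_artifacts"].append(rel)
                if is_hidden(path):
                    findings["hidden_artifacts"].append(rel)
    return findings


def severity(findings: Dict[str, List[str]]) -> str:
    """Triage label (assumed wording): encryption outranks dropper artifacts, which outrank a clean tree."""
    if findings["encrypted_files"]:
        return "encryption observed"
    if findings["dropped_artifacts"]:
        return "dropper artifacts present"
    return "clean"


def demo() -> Tuple[Dict[str, List[str]], str]:
    """Build a constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        docs = base / "Users/alice/Documents"
        docs.mkdir(parents=True)
        (docs / "report.docx.zcrypt").write_bytes(b"constructed stand-in for ciphertext")
        (docs / "notes.txt").write_bytes(b"untouched file")
        (base / "autorun.inf").write_bytes(b"")  # empty placeholders, constructed for the demo
        (base / "system.exe").write_bytes(b"")
        startup = base / "Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
        startup.mkdir(parents=True)
        (startup / "zycrypt.lnk").write_bytes(b"")
        findings = scan_tree(base)
        return findings, severity(findings)


if __name__ == "__main__":
    results, label = demo()
    for key, items in results.items():
        print(f"{key}: {items}")
    print("severity:", label)
```

Point scan_tree at a drive root or a user profile to triage a suspect machine; it never modifies anything, so it is safe to run before the machine is imaged.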

Dynamics AX 2012 R3, CU11 coming soon to Dubai ask Synergy Software Systems

May 23rd, 2016

The latest update to Dynamics AX 2012 R3, CU11, will be available in July 2016.

The CU11 update will include more than 50 new features and design changes covering 4 major areas: Retail, Supply Chain Management, Warehouse Management, and Regulatory updates.

Specifically, these include:
• Retail – design changes and new features including updates to POS and MPOS.
• Supply Chain Management – enhancements to master planning.
• Warehouse Management – enhancements that cover the warehouse mobile device portal and more efficient picking and shipment operations.
• Regulatory updates – to provide compliance with local and regional legislation.

SQL Server 2014 RTM CU13 released

April 23rd, 2016

The 13th cumulative update release for SQL Server 2014 RTM is now available for download at the Microsoft Support site.

https://support.microsoft.com/en-us/kb/3144517

Extended support for SQL Server 2005 ended on April 12, 2016

April 21st, 2016

Extended support for SQL Server 2005 ended on April 12, 2016. Customers still running SQL Server 2005 after April 12, 2016, will no longer receive security updates and technical support. We recommend upgrading to SQL Server 2014 and Azure SQL Database to achieve breakthrough performance, maintain security and compliance, and optimize your data platform infrastructure.

Phishing and Ransomware – what to do about it?

April 6th, 2016

Ransomware is typically delivered via email. In particular, the healthcare industry is targeted with these types of attacks. A user opens an email attachment and suddenly whatever files they have access to are encrypted; short of restoring the data from backups, the only answer is to pay a ransom in Bitcoins.

High profile incidents include:

Omaha’s Scoular Co. lost $17 million after spearphishing attack
Ubiquiti Networks says it was victim of $47 Million Cyber Scam
Mattel fought elusive cyber-thieves to get $3M out of China

How the emails trick users:
Mismatched Senders

Every email has two “from” addresses.
The “mail from” field is also referred to as the “envelope” or “P1” address; the “from” field is referred to as the “P2” address.
Spam filtering solutions will look at the P1 address.
So the phishing email is sent with a P1 from a company that publishes a valid SPF record. However, the P2 (which is what the user sees in Outlook) will appear to be from your organization.
So the message arrives, looks legitimate to your spam solution, and to the user it appears as internal or normal business mail. The user, swamped with spam emails, may not notice that it’s actually going to the P1 address.

Similar Domain Names
An effort is made to register a domain similar to your own. So if your domain is “Synergy1.com”, the email might come in with the domain “SynergyL.com”; assuming the username portion of the email matches, it takes a keen eye to spot this, and assumes that someone will bother to check. Combined with the above, where the P1 was “ceo@Synergy1.com” and the P2 (which the user sees) is “ceo@SynergyL.com”, it’s expecting a lot of users to spot this.

Three technologies provide different protection options. Below is a look at what the three technologies are, how they provide different types of protection, and how they can work together.

SPF (Sender Policy Framework)
SPF is pretty well known and commonly implemented. It’s essentially a DNS record (TXT) that contains a list of approved senders by IP address, domain name or some other mechanism.

SPF looks at the “Mail From” field within an email and compares the sending IP address to the published TXT record for that domain. The “Mail From” field can contain a different value than the “From” or “Reply To” fields. This is how some phishing emails can enter your organization: they will have a valid SPF published for the “Mail From” and then present the user with a different email address in the “From” field.

With Exchange Online, Microsoft provides the information to properly configure your SPF record. There are limits on the number of DNS queries you can have in your SPF record, and it’s not uncommon to see syntax errors, so you should always validate your SPF record with one of the online validation tools.

When a message is received from a source not authorized in the SPF record, the receiving party can do what they choose with that information, e.g. block the message, rank it higher as prospective spam, or ignore it.
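An added example, not from the post: a small offline linter in Python for an SPF TXT record. It parses the record, counts the terms that cost a DNS lookup (RFC 7208 caps these at 10; nested include and redirect targets add their own lookups, which an offline check cannot see), and flags the syntax mistakes that most often slip through, such as a missing all, mechanisms placed after all, or a +all that authorises everyone. The sample records are constructed; spf.protection.outlook.com is the include Microsoft publishes for Exchange Online.

```python
import re
from typing import List, Tuple

# Terms that cost a DNS lookup during evaluation (RFC 7208 section 4.6.4 limits them to 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
KNOWN_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
KNOWN_MODIFIERS = {"redirect", "exp"}

# qualifier, name, separator (":" mechanism argument, "=" modifier value, "/" CIDR), argument
TERM_RE = re.compile(r"^([+\-~?])?([A-Za-z0-9]+)(?:([:=/])(.*))?$")


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Split an SPF TXT record into (qualifier, name, argument) tuples; argument keeps its separator."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    parsed = []
    for term in terms[1:]:
        match = TERM_RE.match(term)
        if not match:
            raise ValueError(f"unparseable term: {term!r}")
        qualifier, name, sep, arg = match.groups()
        parsed.append((qualifier or "+", name.lower(), (sep or "") + (arg or "")))
    return parsed


def lookup_count(record: str) -> int:
    """Number of DNS-lookup terms visible in this record (nested includes are not followed)."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)


def lint_spf(record: str) -> List[str]:
    """Return a list of problems; an empty list means the record passed every check."""
    try:
        terms = parse_spf(record)
    except ValueError as exc:
        return [str(exc)]
    issues = []
    for qualifier, name, arg in terms:
        if name not in KNOWN_MECHANISMS and name not in KNOWN_MODIFIERS:
            issues.append(f"unknown term {name!r}")
        if name in KNOWN_MODIFIERS and not arg.startswith("="):
            issues.append(f"modifier {name!r} needs '=value'")
        if name in {"include", "exists"} and not arg.startswith(":"):
            issues.append(f"mechanism {name!r} needs ':domain'")
        if name == "ptr":
            issues.append("ptr mechanism is deprecated and slow")
        if name == "all" and qualifier == "+":
            issues.append("+all authorises every sender on the Internet")
    names = [name for _, name, _ in terms]
    if "all" not in names and "redirect" not in names:
        issues.append("no 'all' mechanism: unmatched senders get a Neutral result")
    elif "all" in names:
        trailing = [n for n in names[names.index("all") + 1:] if n in KNOWN_MECHANISMS]
        if trailing:
            issues.append(f"mechanisms after 'all' are never evaluated: {trailing}")
    count = lookup_count(record)
    if count > MAX_LOOKUPS:
        issues.append(f"{count} DNS-lookup terms exceed the limit of {MAX_LOOKUPS} (PermError)")
    return issues


# Constructed sample records for the demonstration.
GOOD_RECORD = "v=spf1 ip4:192.0.2.0/24 include:spf.protection.outlook.com -all"
OVERLONG_RECORD = "v=spf1 " + " ".join(f"include:sender{i}.example" for i in range(11)) + " ~all"

if __name__ == "__main__":
    for rec in (GOOD_RECORD, OVERLONG_RECORD, "v=spf1 +all", "spf1 -all"):
        print(rec[:60], "->", lint_spf(rec) or "OK")
```

For a full picture of the lookup budget, fetch each include target’s record and run lookup_count on it too; the ten-lookup limit applies to the whole chain, which is why a subdomain with its own SPF (as suggested below for third-party senders) keeps the main record under budget.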

DKIM (DomainKeys Identified Mail)
DKIM also looks at the “Mail From” field and will show a “None”, “Pass” or “Fail” once the message is evaluated. The same potential phishing issue exists with DKIM where the “Mail From” does not necessarily match the “From” field that the user sees.

DKIM uses a public/private key pair to sign messages, as opposed to the published TXT record. One advantage of DKIM over SPF is that there is no limit to the number of partners you can authorize to send on your behalf (assuming they support DKIM). If you use a number of third-party senders, then you will run into issues when trying to include those in your SPF.

Another way to address the SPF limitation is to have senders send their messages under a subdomain and to publish a separate SPF for that subdomain.

DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC looks for a passed SPF or DKIM but also looks for “alignment” of the “Mail From” and “From” fields. Configuration of DMARC allows you to tell recipient mail servers what to do with a message when DMARC fails.
A DNS TXT record is created (_dmarc.company.com), and mail systems that use DMARC will send success/failure reports to the addresses specified in the TXT record. A third-party tool or service can be used to aggregate and analyze these reports.
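The P1/P2 mismatch and lookalike-domain tricks described under “How the emails trick users”, together with the alignment test that DMARC adds, as one added Python example that is not part of the original post. It reads the Return-Path (P1, as recorded by the receiving server) and From (P2) headers from a constructed message, applies DMARC’s relaxed or strict alignment rule (the organisational domain is approximated as the last two labels; real DMARC uses the Public Suffix List), parses a _dmarc TXT record for its policy, and flags a From domain that is one confusable character or one edit away from your own. The message, the domains and the DMARC record are all constructed for the example.

```python
import email
import email.utils
from typing import Dict, Tuple

# Single characters commonly swapped in lookalike domains; two-character swaps are handled in normalise().
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def org_domain(fqdn: str) -> str:
    """Simplified organisational domain (last two labels); real DMARC consults the Public Suffix List."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domains(raw_message: str) -> Tuple[str, str]:
    """Return (P1 envelope domain, P2 header-From domain) from a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    p1 = email.utils.parseaddr(msg.get("Return-Path", ""))[1]
    p2 = email.utils.parseaddr(msg.get("From", ""))[1]
    return p1.rpartition("@")[2].lower(), p2.rpartition("@")[2].lower()


def aligned(p1_domain: str, p2_domain: str, strict: bool = False) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed an organisational-domain match."""
    if strict:
        return p1_domain == p2_domain
    return org_domain(p1_domain) == org_domain(p2_domain)


def normalise(domain: str) -> str:
    """Collapse common visual substitutions so SynergyL.com and Synergy1.com compare equal."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats that normalise() misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, own_domain: str) -> bool:
    """True when domain is not ours but is one confusable swap or one edit away from it."""
    domain, own_domain = domain.lower(), own_domain.lower()
    if domain == own_domain:
        return False
    return normalise(domain) == normalise(own_domain) or edit_distance(domain, own_domain) <= 1


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse the tag=value pairs of a _dmarc TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(raw_message: str, own_domain: str, dmarc_txt: str) -> Dict[str, object]:
    """Combine the three checks into one verdict for a message addressed to own_domain."""
    p1, p2 = sender_domains(raw_message)
    record = parse_dmarc(dmarc_txt)
    strict_spf = record.get("aspf", "r") == "s"  # aspf=s requests strict SPF alignment
    return {
        "p1_domain": p1,
        "p2_domain": p2,
        "aligned": aligned(p1, p2, strict=strict_spf),
        "lookalike_of_own_domain": lookalike(p2, own_domain),
        "dmarc_policy": record.get("p", "none"),
    }


# Constructed sample message and records; none of these domains are real senders.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@newsletter-relay.example>
From: "Chief Executive" <ceo@SynergyL.com>
To: finance@synergy1.com
Subject: Invoice approval
Message-ID: <constructed-sample@example>

Please approve the attached invoice today.
"""
OWN_DOMAIN = "synergy1.com"
DMARC_TXT = "v=DMARC1; p=reject; rua=mailto:dmarc@synergy1.com; aspf=r"

if __name__ == "__main__":
    print(assess(SAMPLE_MESSAGE, OWN_DOMAIN, DMARC_TXT))
```

On the sample the envelope domain and the visible From domain do not align, the From domain normalises to the same string as synergy1.com, and the published policy is reject: exactly the combination a DMARC-aware receiver would bounce, and the one a mail gateway rule or user-facing banner should flag.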

Prophix 12 is now available from Synergy Software Systems

April 5th, 2016

We are happy to announce the availability of Prophix Version 12. Designed with the user in mind, it offers enhanced ease of use with a web browser interface and access to Prophix from anywhere, at any time, on any device.

The same productised approach, with a single suite of tools for all your corporate performance requirements, is now enhanced. In this time of ongoing recession, volatile exchange rates, collapsing commodity prices, and global political challenges, the need for corporate performance management tools is greater than ever. More frequent reforecasts, budget scenarios, budget vs actuals, detailed planning, faster month end, and ease of inquiry are all essential now.
A proven solution for almost 30 years, Prophix is regularly enhanced with a clear road map that leverages the evolving Microsoft technology stack and is driven by business need and user and partner feedback.

Some of the great new enhancements in Prophix Version 12:
• Brand new user experience developed after hundreds of hours of usability studies with everyday users, designed to make it even easier to complete key tasks in performance management across the organization.
• New web client based on HTML5 technology for access from all major browsers (e.g. Chrome, Firefox, Internet Explorer, Edge, Safari).
• New Dashboard Studio for self-service dashboard creation by any user through a drag and drop user interface. Create innovative mash-ups to monitor key business processes and performance metrics using data sourced both from within Prophix, or externally.
• Redesigned Workflow Tasks portal and new workflow dashboard tile for quick access to assigned tasks, and monitoring of completed, past due, and future tasks.
• Enhanced navigation and layout selection in Ad hoc Analysis and Templates. These changes enable users to interrogate, and to navigate across, multidimensional data to get exactly what they need in fewer clicks.
• Enhancements to line item schedules and to cell commentary.

The upgrade path to Prophix Version 12 will be seamless for customers currently using Prophix 11. Cubes do not need to be rebuilt; templates will not have to be redesigned. Everything that users have learned will still be valid as the existing Smart Client and its functions continue to work well.

GESS Exhibition ( Global Educational Supplies & Solutions ) 2016

March 2nd, 2016

Gulf Educational Supplies and Solutions (GESS) opened yesterday and is being held under the patronage of His Highness Sheikh Mohammed Bin Rashid Al Maktoum, Vice President of the UAE, Prime Minister and Ruler of Dubai, in partnership with the Ministry of Education, GESS and Global Education Forum (GEF). In its 9th edition, GESS provides the ideal platform for education professionals worldwide to meet, find new products and services, and discuss a range of topics about education and its future.

H.E. Hussain Ibrahim Al Hammadi, Minister of UAE Ministry of Education, UAE and Synergy Software Systems Account Manager Sudhakar Raman at yesterday’s exhibition in Dubai. The event continues today and tomorrow.

H.E. Hussain Ibrahim Al Hammadi was appointed Minister of Education in 2014 by His Highness Sheikh Mohammad Bin Rashid Al Maktoum, Vice-President and Prime Minister of the UAE and Ruler of Dubai. He is also CEO of the Emirates Advanced Investments Group of companies.

Synergy Software Systems is a Microsoft President’s Club member and implements solutions for the Education sector, such as specialised Admissions and Billing in Dynamics AX, a library system and classroom scheduling, as well as traditional enterprise solutions for finance, HR, payroll, CRM, T@A and the Office 365 suite of applications.

Filehold – ask Synergy Software Systems about document management for the U.A.E.

November 30th, 2015


Courier documents

Mobile document management

http://www.businessnewsdaily.com/8031-best-windows-document-management-software.html

“We recommend FileHold as the best document management system for businesses using Windows. We chose FileHold from dozens of document management system options.
Why FileHold?
Ease of use
FileHold is a self-hosted document management system for businesses using Windows computers. It has the same look and feel of programs you’re already accustomed to using, and the interface is designed specifically with Windows Explorer in mind. The filing structure incorporates the same cabinet, drawer, folder and subfolder approach that Windows uses. So, once the software is installed, employees should have no trouble grasping how to use and navigate it.
We like FileHold’s clean interface. It isn’t cluttered with icons or images. All you see when logging in is the file library running down the left-hand side of the page and a search bar along the top. The majority of the page remains blank until you start filing, searching for or opening documents. This approach keeps you on the same page the entire time you’re using the system. Many of the other systems we examined force you to toggle back and forth between pages depending on the task you’re working on.
The FileHold library structure is designed with Windows Explorer in mind.
Adding to the system’s ease of use are the MyFileHold folders, which are placed on top of the general library of cabinets and drawers on the left-hand side of the page. The MyFileHold section features separate folders for employees’ “favorite” documents, their checked-out documents, any alerts or reminders they have, the files they recently accessed and the files they recently added to the system. This provides a quick snapshot of the documents currently being worked on and the files that need immediate attention.
Each employee can customize various portions of the system with their personal preferences. This option isn’t offered by all of the document management systems we examined. When looking at specific documents, employees can choose the tools they want to be quickly accessible. Quick links can be added for a variety of tasks, such as adding files, linking documents together and checking out files. Additionally, you can choose the metadata attributes — like document type, version, number of linked files and the author — that are shown alongside the file’s name.
Filing documents within the software is simple and can be done in many ways. You can drag and drop files already on your computer or network, as well as scan documents directly into the system. The Microsoft Office integration also allows you to add documents you are working on in Microsoft Word, Excel, Outlook or PowerPoint with just a click of a button.”

Microsoft Azure or Amazon AWS

October 19th, 2015

An informative presentation from a Microsoft MVP that will help you to understand what the ‘cloud’ means and what factors need to be considered: cost, security, governance, scalability, services, and public, private or hybrid deployment. A common sense introduction.

Software selection – human considerations

October 3rd, 2015

Organising and managing a software selection project is not easy. If you cannot get a critical mass of people deeply involved in the accounting software selection project, then think twice before starting. Change management is often given only superficial consideration. A new tool is of little use if no one uses it. It does little good for a company to spend $500,000 on new accounting software or ERP software when the people who will be using the accounting software systems cannot, or will not, operate it effectively.

Is your company organized for success (culture, leadership style, business processes and finally business management)? If not, then you need to consider more carefully the role of the implementation partner, and not blame the software.

In addition to the usual questions:
• Can the software do what the business needs?
• What operating and hardware configuration do I require?
Also ask:
• Do your employees have the ability to utilize this software or ERP solution effectively?
• How can I change that?
• Does my implementation partner offer industry and business knowledge and a track record of enabling that change process in a company like mine?

Businesses try to work to policies, which are based on predetermined assumptions, conditions, processes, statutory and other constraints, and in effect embody pre-defined decisions.

The real world is full of exceptions. Companies use information to control day-to-day operations relating to the production of goods and services. This information is used to control budgets and cash flows and the best utilisation of assets. Managers combine the latest information with their managerial experience to make sound business decisions within the policy guidelines.

The negative side is that this information is of little use when the data is not updated correctly and on time, and/or is not integrated. Thus all functions need to participate and collaborate: if one drops out and relies on manual or Excel systems alone, then the integration loop is broken and the “system” does not operate effectively. The key to the effective utilization of accounting software systems is the effective production of, and access to, timely, accurate, meaningful information to ensure timely, informed decision making at all levels of the organisation. “Knowledge is power.”

Managers can make faster and better (or worse) decisions based on the available information, but without information, whether in an inquiry screen, a report, a BI dashboard, an alert or a KPI, they may not even be aware that they need to take a decision.

Advanced software can be used to automate some decisions, or to make recommendations, e.g. MRP or forecasting tools. Generally, though, software systems do not make decisions. People do. When people are not provided with the tools they require to make these critical decisions, it’s very likely mistakes will be made. Some of these decision-taking responsibilities are imposed by the market in which the company competes. Some are imposed by the owners’ or managers’ interpretation of how the business should be operated. However, the methods by which these decisions are made can only be formulated by each individual person, and that is why the software/human relationship is so important.

Each person in any company is unique. So when defining what software systems are needed, consider the unique needs of each person with whom the accounting software systems will “integrate”, or how you will select those unique people who will be comfortable with the system.

Each person who will be processing transactions (e.g. customer orders) must be given the opportunity to express their personal needs, for it is these people who will be required to operate the system. Further, each manager who will be making decisions based in part upon the information produced by the accounting software systems must express their reporting needs as well (e.g. Business Intelligence, Performance Metrics, and Exception Management). It is only after these needs are identified and understood that the broader corporate strategic needs should be defined.

At the core of these considerations is a clearly understood definition of what the company is to do (its strategic objectives), and what it must do well in order to succeed (tactical excellence). The way a company organizes itself and controls the flow of information into and out of the accounting software systems determines to a large degree how successful the accounting software systems will become.

As individual people define their needs, do not limit their responses to factors relating only to the software systems. Let them express their needs with respect to how they fit into the overall business, what information they require when, in what format, from other people, where potential bottlenecks may occur, and in general how the manual side of the business management processes should be controlled.

Selection of a new software system does not eliminate the need for business process control procedures, and it is those procedures that impact the effectiveness of the new accounting software systems. Some people will champion software systems or ERP solutions, while others will believe those are seriously flawed and will cling to old, manual systems. Some will be reluctant to share knowledge, the basis of their experience and seniority. Some may fear new technology. Others may worry more about social change: reporting to a new boss, working in a different office. Most people adopt new technology in everyday life (a new phone, car, TV, etc.), but don’t so easily change their personal relationships.

One person sees the software systems as a friend, the other as a threat. You cannot compare your new wife to your old girlfriend if you want a long and happy marriage. All people, whether they have had computer experience or not, have developed some personal definition of what they consider to be “good” software systems. If the software systems you purchase meet these preconceived notions, the task of learning and operating the system will be relatively easy. If the system does not make sense to people, then they will resist entering data and undergoing training, and errors will be made. Evaluate the degree of fit between your employees and the accounting software systems you are examining during your software selection project. The cultural fit with the consultants is equally important.

Try not to impose a new software system on people. Consider whether they feel their opinion is as important as others’, and whether the accounting software system will assist them personally. WIIFM: “What’s in it for me?”

While you might argue that first impressions can be changed over time, a computer system can seem quite a daunting challenge. The operator, whether an accountant, bookkeeper, or clerk, can be suffering in silence. This suffering might reach the point where the person is willing to consider another job.

No amount of patience, encouragement, or training will reduce this suffering. Mistakes will begin to occur more frequently as well. If the person does not leave, you may have to face the grim decision that their mistakes can be corrected only by removing them from the job. Has this achieved anything positive? Certainly not! If too many critical people in the organization resist the software systems, you can consider the selection project a complete failure. That’s why this evaluation of personal needs is so very important.

Any multi-user accounting system or ERP solution will be operated by a number of different people with different job functions and different skill levels. The larger the system becomes, the more diverse these individual abilities become, and the more critical an evaluation of their relationship to the accounting system becomes.

Perhaps the least skilled person who might be called upon to operate the accounting software systems is a warehouse manager or even a shipping or receiving clerk.
Does the system meet their needs?
Does the menu structure segregate their input screens into one logical area?
Does the language used, particularly Help Screens, talk to them on their skill level?
Will the processing methodology make sense to someone with their relative skills and educational background?
Do they have to work in multiple systems?

I cannot emphasize enough the importance of training. If you want to remove fear, then you have to build confidence.
You need to reduce errors, not only for the business but also to avoid the fear of personal embarrassment. Errors result from a lack of experience, i.e. training and practice with the new software systems.
Invest the time in practical training: understanding a demo does not make you fluent in transaction entry or in report analysis. Reading the Highway Code is not enough for you to drive; you also need 40 hours of on-the-road experience. You also need an instructor by your side for some time, and to be formally tested and certified. If the investment in training appears formidable, then beware. The major lesson that those who implement cite is that they under-budgeted time for training. Don’t be fooled by those who claim they can configure and get you live in a month or so with an accelerator or a blueprint. Configuration is a relatively simple job. Defining the right configuration needs user interaction and testing, and to make that work needs their training and practice time. Transforming an install into a working implementation is another matter. It is not enough to buy a tool; you have to understand the many different ways to use it and build up skill.

Depending upon the vendor or product reseller you have selected to provide your accounting software systems, you will probably have several options open to you. If your system is a large multi-user installation, you might want to consider sending several people to a regional or national training seminar lasting several days. While expensive on the surface, this intensive classroom-oriented environment will enable these people to develop a detailed knowledge which can be passed on to others. Train the trainer really works.

Demonstration accounting software systems are excellent training tools. An even better one is a training company with your own Chart of Accounts, vendors, customers, and employees. This provides people the opportunity to experience a “real” data processing environment without running the risk that errors will lead to catastrophes.

One last point should be discussed with respect to training. Some people will find it difficult, if not impossible, to make the transition to new accounting software systems, or from one accounting software system to another, perhaps more powerful ERP solution.

While you might wish the accounting system or ERP solution could be installed with minimal problems, this may be your most significant hurdle. If the installation of an integrated accounting software system is the best alternative for your company, what is to be done with those people who cannot, or will not, make the adjustment?

You must face the very real possibility some people may have to be replaced. It’s not a very pleasant thought, but do not delude yourself into thinking all people will be as excited about new accounting software systems as you are. Business is not easy sometimes, and this is one of those times. I do not like the idea any more than you do, but changes may be necessary for the good of the company and its employees.

Ask yourself if you know how to organize and control an accounting system selection project. One of the greatest dangers is people assuming they know when in fact they are ignorant. They do it rarely in their business life. Can IT choose a finance system? Do they really know how to select a vendor or a solution? Managers need to have confidence in their decision making, but often they do not know how to evaluate facts outside their core functional area, nor even what facts are needed to evaluate a solution. It is too easy to rush into a demo and to benchmark everything against the first software seen.

In practice it is better to spend some time discussing your business needs, your change management challenges, and the business case, and to focus on the implementation partner’s understanding and expertise. The right partner will guide you through the process and will not waste your time with inappropriate solutions; then the demo will have some relevance to your needs, and you will have a better idea how to evaluate it.

Security – major threats revealed – August 2015

August 8th, 2015

A major vulnerability plaguing Firefox has Mozilla warning users to update the Web browser to Firefox 39.0.3 to fix the vulnerability. The browser is set to automatically update by default, but users should manually check to ensure that the update has indeed gone through.
An advertisement on a news Web site in Russia was offering an exploit for the browser that searched for specific, sensitive files, before uploading those to a server that appeared to be located in the Ukraine.
The vulnerability allows hackers to violate the browser’s same-origin policy and inject script into a non-privileged part of Firefox’s built-in PDF viewer. The same-origin policy is a browser security rule under which scripts running on one Web page may access data from a second page only if both pages come from the same origin. The bug allows an attacker to read and steal sensitive local files on the victim’s computer.
Mozilla said that since the vulnerability is specific to its PDF Viewer, versions of the browser that do not contain the PDF Viewer, such as Firefox for Android, are not at risk.
The company said that the exploit leaves no trace of itself on the local machine, making it difficult for users to know if their files had been compromised. Mozilla urged users running Firefox on Windows and Linux systems to change any passwords and keys for programs targeted by the exploit. Mac users were not vulnerable to the particular exploit found in the wild, but would be vulnerable if another hacker designed a payload targeting Macs.

Firefox users on Windows machines should change the passwords for the following files: subversion, s3browser, and FileZilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients.

Linux users, meanwhile, should change passwords associated with global configuration files such as /etc/passwd; user directory files including .bash_history, .mysql_history, .pgsql_history, and .ssh configuration files and keys; configuration files for Remmina, FileZilla, and Psi+; text files with “pass” and “access” in the names; and any shell scripts.
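The Linux list above is long enough that it is worth turning into a checklist. The following added example (not code from the original post) walks a home directory and reports which of the named items are present, so the user knows which credentials to rotate; the post names programs rather than file locations, so the exact paths in TARGETED_FILES are assumptions, and the sample home directory it scans is constructed for the demo.

```python
"""Inventory the credential files the post says the Firefox exploit collected on
Linux, so a user knows what to rotate.  Added example, not the post's code; the
exact file locations are assumptions (the post names programs, not paths)."""
import os
import tempfile

# Home-relative paths for the items in the post's list (locations assumed).
TARGETED_FILES = [
    ".bash_history", ".mysql_history", ".pgsql_history",
    ".ssh/config", ".ssh/id_rsa", ".ssh/id_dsa",
    ".remmina", ".filezilla/sitemanager.xml", ".filezilla/recentservers.xml",
    ".config/psi+", ".subversion/auth", ".purple/accounts.xml",
]
NAME_KEYWORDS = ("pass", "access")  # from the post: text files named like this


def find_targeted_files(home):
    """Return sorted, home-relative paths of files matching the post's list:
    the fixed paths above, any .txt whose name contains a keyword, and any
    .sh shell script (assumption: the exploit walked the whole home tree)."""
    found = set()
    for rel in TARGETED_FILES:
        if os.path.exists(os.path.join(home, rel)):
            found.add(rel)
    for root, _dirs, files in os.walk(home):
        for name in files:
            lower = name.lower()
            is_keyword_txt = lower.endswith(".txt") and any(k in lower for k in NAME_KEYWORDS)
            if lower.endswith(".sh") or is_keyword_txt:
                found.add(os.path.relpath(os.path.join(root, name), home))
    return sorted(found)


def build_sample_home():
    """Create a constructed sample home directory (throwaway, not real data)."""
    home = tempfile.mkdtemp(prefix="demo-home-")
    for rel in (".bash_history", ".ssh/id_rsa", "notes/passwords.txt",
                "backup.sh", "readme.txt"):
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return home


if __name__ == "__main__":
    for hit in find_targeted_files(build_sample_home()):
        print("rotate any credential referenced in:", hit)
```

Run it against a real home directory by passing that path to find_targeted_files instead of the constructed sample.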

Before the dust has had a chance to settle on one major security flaw uncovered in the Android mobile operating system, a second massive vulnerability — dubbed “Certifi-gate” — has burst onto the scene.
The new vulnerability can allow attackers to “gain unrestricted device access, allowing them to steal personal data, track device locations, turn on microphones to record conversations, and more,” according to Check Point. The problem cannot be completely fixed with a patch.

Check Point has a scanner app that Android users can download from the Google Play Store and run to determine whether their devices are vulnerable. The Certifi-gate vulnerability allows applications to gain illegitimate privileged access rights that are normally used to support remote applications, according to Check Point. Those applications might have come pre-installed on the device, or been intentionally downloaded by the user, but currently there is no way in Android to revoke the certificates that allow those privileged permissions.

This latest flaw “affects hundreds of millions of Android devices, as most popular OEMs (original equipment manufacturers) have collaborated with these vendors.” The same scale applies to the previously disclosed Stagefright vulnerability, which potentially affects 95 percent — about 950 million — of Android devices.

Google, Samsung and LG this week said they would start providing more frequent — about once a month — security updates for their Android devices. Google’s own Nexus devices are not affected, nor has the company seen any attempts to exploit the vulnerability.

Apple users have largely skirted the bugs, viruses and other malicious software that plague Microsoft Windows and Google’s Android. But this flaw in Apple’s OS X is serious enough to sound the alarm.
German security researcher Stefan Esser published details about a zero-day vulnerability in OS X without telling Apple first, and hackers moved quickly to exploit the flaw. The exploit seen in the wild is an adware installer that modifies a file controlling who can run what commands on a machine; it was doing so while Thomas was testing it.

The Sudoers File

The sudoers file is a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how. The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.
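Because the installer's change to the sudoers file is what turned the bug into passwordless root, a simple audit of that file's rules is a useful check. The following added example (not code from the original post or from any tool it names) parses single-line sudoers rules from a constructed sample and flags entries that grant NOPASSWD on an unrestricted command list or apply to every user; the last sample line is the assumed form of such an entry, not the exact text the installer wrote.

```python
"""Audit sudoers rules for passwordless root grants (constructed sample).
Added example, not code from the original post or the tools it names."""
import re

# Constructed sample sudoers content.  The last line is the kind of entry an
# installer would add to run anything as root without a password (assumed form).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
ALL     ALL=(ALL) NOPASSWD: ALL
"""

# user  host=(runas) [TAG:] commands  -- the common single-line rule shape
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_rules(text):
    """Return (who, host, runas, tags, commands) for each user rule, skipping
    comments, blank lines, Defaults and alias definitions."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in SKIP:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # includes and line continuations are out of scope here
        cmds = m.group("cmds")
        tags = re.findall(r"\b([A-Z_]+):", cmds)          # e.g. NOPASSWD
        cmds = re.sub(r"\b[A-Z_]+:\s*", "", cmds).strip()  # strip the tags
        rules.append((m.group("who"), m.group("host"), m.group("runas") or "", tags, cmds))
    return rules


def risky_rules(text):
    """Return (who, reason) findings: NOPASSWD on an unrestricted command list,
    and rules that apply to every user."""
    findings = []
    for who, _host, _runas, tags, cmds in parse_rules(text):
        if "NOPASSWD" in tags and cmds == "ALL":
            findings.append((who, "NOPASSWD with unrestricted command list"))
        if who == "ALL":
            findings.append((who, "rule applies to every user"))
    return findings
```

To audit a real system, read /etc/sudoers (and any included files) as root and pass the text to risky_rules; the narrowly scoped %wheel rule in the sample is deliberately not flagged.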

The worst part is that Apple has reportedly known about the zero-day vulnerability for quite some time, because another security researcher had disclosed it previously.
There is no good way to protect yourself, short of installing Esser’s software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest.
Another Apple bug, Thunderstrike 2, which will be revealed at the Black Hat security conference in Las Vegas this week, is more concerning. That is because firmware bugs cause lots of headaches for both regular and advanced users and are almost always harder to eradicate than any other bug.

A massive hack infiltrated Yahoo’s ad network for at least seven days, according to the official security blog of Malwarebytes; the anti-malware company discovered the attack and immediately notified the search company. With more than 6.9 billion visitors to Yahoo’s Web site every month, the attack, which began on July 28, constitutes one of the farthest reaching malware attacks ever recorded.
The hackers pulled off the attack using Web sites for Microsoft Azure, a cloud computing platform and infrastructure used for building, managing, and deploying applications and services. The scam worked by redirecting users to an Angler exploit kit, off-the-shelf software containing easy-to-use packaged attacks on known and unknown vulnerabilities.

Malicious ads do not require any type of user interaction to execute their payloads. Just visiting a Web site that contains malicious advertisements can be enough to trigger an infection.
Yahoo said it took immediate action when it learned of the campaign, and would continue to investigate it in the future. Because of the large number of visitors to Yahoo sites, it is difficult to know exactly how many Internet users have been affected.

The subtlety of a malvertising attack, combined with the complexity of the Internet advertising market, makes it a difficult security challenge to overcome. That might be part of the reason such attacks are increasing. The number of malvertising attacks spiked in the first half of this year, registering a 260 percent increase over the same period in 2014.

“The major increase we have seen in the number of malvertisements over the past 48 months confirms that digital ads have become the preferred method for distributing malware,” said James Pleger, director of research at RiskIQ. “There are a number of reasons for this development, including the fact that malvertisements are difficult to detect and take down since they are delivered through ad networks and are not resident on Web sites. They also allow attackers to exploit the powerful profiling capabilities of these networks to precisely target specific populations of users.”

“This machine-to-machine ecosystem has also created opportunities for cybercriminals to exploit display advertising to distribute malware,” according to the company. “For example, malicious code can be hidden within an ad, executables can be embedded on a Web page, or bundled within software downloads.”