Showing results for tags 'security'.
Found 14 results

  1. Hi Team, we would like to start using the integrations in our instance, but our security team has some questions about Keysafe: (1) How are Keysafe-stored credentials protected from unauthorised access? (2) How are credentials destroyed? (3) What activity audit logs for Keysafe operations are available? (4) What independent report of assurance/testing of Keysafe security can be provided (pentest summary, SOC 2 Type 2, etc.)? I wonder if someone could help us get our internal security approval by helping us work through the above? Many thanks, Andy
  2. The Customer Portal is not updating the h_last_accessed column on the h_sys_contact table when a customer logs in to the Customer Portal. Therefore we have no way of monitoring or determining when a customer last used the portal account. Can this be addressed, so we can both monitor and also identify dormant customer portal accounts, so that they can be suspended or removed as part of security good practice? Cheers, Martyn
  3. Can you advise on how long the automated links sent via the Customer Portal 'Forgotten Password' automated process are valid for? Most systems apply an expiry period to this type of link to stop interception/man-in-the-middle attacks. Cheers, Martyn
  4. Is it possible to report on how frequently members of a team log into Service Manager? I can see the 'last login' in h_sys_accounts, which gives the most recent login, but I'm after seeing how often users log into Service Manager. This is for full users, rather than basic users. Thanks, Claire
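The expiring reset link asked about in result 3, as an added example (not Hornbill's code, and nothing here describes how the Customer Portal actually builds its links): the server MACs the user id, an expiry timestamp and a one-time nonce with HMAC-SHA256 so the link cannot be forged, cannot be used after its window and cannot be replayed once consumed. The secret, the 15-minute window and the function names are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set, Tuple

# Assumption: in a real service this secret is loaded from a secret store and
# rotated; a fixed value is used here only so the example runs offline.
SERVER_SECRET = bytes.fromhex("5d3a" * 16)
TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window for the emailed link


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Build 'user|expiry|nonce', MAC it, and return one URL-safe string."""
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(8)  # unique per link so it can be marked as used
    payload = f"{user_id}|{expiry}|{nonce}".encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_reset_token(token: str, expected_user: str, used_nonces: Set[str],
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Check the MAC first (constant time), then user, expiry and single use."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected_tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return False, "bad signature"
    user_id, expiry_str, nonce = payload.decode().split("|")
    if user_id != expected_user:
        return False, "wrong user"
    if now > int(expiry_str):
        return False, "expired"
    if nonce in used_nonces:
        return False, "already used"
    used_nonces.add(nonce)  # consume the link; a database row would do the same job
    return True, "ok"


if __name__ == "__main__":
    used: Set[str] = set()
    tok = make_reset_token("martyn")
    print(tok)
    print(verify_reset_token(tok, "martyn", used))   # (True, 'ok')
    print(verify_reset_token(tok, "martyn", used))   # (False, 'already used')
```

The order of checks matters: the MAC is verified before anything in the payload is trusted, so an attacker cannot probe expiry or user handling with forged tokens, and the nonce set is only updated on a fully valid token.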
  5. Security: Meltdown and Spectre

     A recent critical security announcement covers three bugs, CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, which have been nicknamed Meltdown and Spectre. These were found by multiple people, including Jann Horn, who works for Project Zero at Google. He has done an excellent write-up on exactly how he found the issues. As with any new serious vulnerability found these days, it has to have a catchy name, matching logo and dedicated website, which says this about the two issues: "Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents." These security issues have been hidden in Intel CPUs since 1995, undiscovered until now. Spectre can also affect AMD and ARM CPUs because these processors also implement speculative instruction execution features, which means pretty much every major manufacturer. The good news, though, is that there are currently no known active uses of the exploit.

     Hornbill's own cloud is running a mix of the CentOS Linux distribution and Windows. Both of these OSes are affected by these issues, so they will require patching when the patches are made publicly available. Our "Secure By Design" approach means we run our own bare-metal hardware and do not provide direct access to our systems to anyone outside of our own operations team. We are in full control of the software we execute on our systems; our customers are not able to run code on our systems, only access the services we provide, which significantly limits the exposure we have to these vulnerabilities.

     The patch process for this will be the same as usual, with the exception that we will start applying the patches as soon as they are available. The process is to push to our development environment and run our tests. We then push to our beta environment, which is used internally by Hornbill as our production system. If no issues are found there, normally after 48 hours, we then push to our production machines. There has been speculation that performance degradation of anywhere between 5% and 30% may be experienced after applying the patches. We will of course be monitoring this after applying any patches and do what we can to mitigate this impact for our customers. As this will be an OS/kernel update, a reboot of the production systems will be required in the usual maintenance windows.
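A post-patch check for the three CVEs in result 5, as an added example that is not part of the announcement or Hornbill's tooling: on Linux hosts whose kernel exposes /sys/devices/system/cpu/vulnerabilities, each file reports "Not affected", "Mitigation: ..." or "Vulnerable...", and reading them after the reboot confirms the mitigation is actually active rather than merely installed. The sample statuses below are constructed; the assumed mapping of CVE to sysfs file name follows the kernel's naming (spectre_v1, spectre_v2, meltdown), and a missing file is treated as unknown rather than as safe.

```python
import os
from typing import Dict, List

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# CVE -> sysfs file name used by the kernel for that issue
CVE_FILES = {
    "CVE-2017-5753": "spectre_v1",
    "CVE-2017-5715": "spectre_v2",
    "CVE-2017-5754": "meltdown",
}


def classify(status: str) -> str:
    """Map one sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty or unexpected text: do not assume the host is safe


def read_sysfs(base_dir: str = SYSFS_DIR) -> Dict[str, str]:
    """Read the status file for each CVE; an absent file (older kernel) yields ''."""
    statuses: Dict[str, str] = {}
    for cve, name in CVE_FILES.items():
        try:
            with open(os.path.join(base_dir, name)) as fh:
                statuses[cve] = fh.read()
        except OSError:
            statuses[cve] = ""
    return statuses


def assess(statuses: Dict[str, str]) -> Dict[str, str]:
    return {cve: classify(statuses.get(cve, "")) for cve in CVE_FILES}


def unpatched(statuses: Dict[str, str]) -> List[str]:
    """CVEs that still need attention: anything not mitigated or not affected."""
    result = assess(statuses)
    return sorted(cve for cve, state in result.items()
                  if state in ("vulnerable", "unknown"))


# Constructed sample: a host where only Spectre v2 is still unmitigated.
SAMPLE_STATUSES = {
    "CVE-2017-5753": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "CVE-2017-5715": "Vulnerable, IBPB: disabled, STIBP: disabled\n",
    "CVE-2017-5754": "Mitigation: PTI\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    for cve, state in assess(live).items():
        print(f"{cve}: {state}")
    print("still unpatched:", unpatched(live) or "none")
```

Run it on each host after the kernel update and reboot; a result of "unknown" means the running kernel does not report on that issue, which usually means the patched kernel is not the one booted. Windows hosts need a different check (Microsoft publishes a SpeculationControl PowerShell module for the same purpose), which is outside this example.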
  6. When an end user is creating a request from the Service Portal with a progressive capture that allows an Asset to be selected, the end user can search all assets. There is no way to restrict which assets can be searched, as far as we can tell. We consider this to be a security issue, and will have to disable the possibility for end users to pick assets when registering requests. Furthermore, this might also be considered a security issue for agents. There should be ways of restricting which agents can see which assets.
  7. Like many other public bodies, we are now mandated to comply with the requirements of Cyber Essentials: https://www.gov.uk/government/publications/cyber-essentials-scheme-overview In addition, we are preparing for the introduction of the General Data Protection Regulations. Given that Service Manager may contain sensitive information, we are looking at ways of making access more secure. Currently log-in security is limited to AD authentication. Would it be possible to limit access even further by only allowing access from set IP addresses, with any other access requiring two-factor authentication?
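The access policy described in result 7, as an added example (not Hornbill's code, and not a description of any option the product offers): requests from an allowlisted network pass on AD authentication alone, every other source must also pass a second factor. The one detail that decides whether such a policy is worth anything is which address you compare against the allowlist: the X-Forwarded-For header is attacker-controlled unless the TCP peer is your own proxy, so the example only honours it from trusted proxy addresses and assumes a single proxy hop. The networks and function names are assumptions for the example.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_networks(cidrs: Iterable[str]) -> List[Network]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def effective_client_ip(remote_addr: str, x_forwarded_for: str,
                        trusted_proxies: List[Network]) -> str:
    """Use X-Forwarded-For only when the TCP peer is one of our own proxies.

    Assumes one trusted proxy hop: the proxy appends the address it saw, so the
    rightmost value is the real client. From any other peer the header is
    ignored, because the client could have written anything into it.
    """
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and any(peer in net for net in trusted_proxies):
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


def mfa_required(client_ip: str, allowlist: List[Network]) -> bool:
    addr = ipaddress.ip_address(client_ip)
    # an IPv6 client never matches an IPv4 network, so it correctly needs MFA
    return not any(addr in net for net in allowlist)


def decide(client_ip: str, allowlist: List[Network],
           ad_ok: bool, mfa_ok: bool) -> str:
    """Return 'deny', 'mfa' (second factor still needed) or 'allow'."""
    if not ad_ok:
        return "deny"           # primary AD credentials are always required
    if mfa_required(client_ip, allowlist) and not mfa_ok:
        return "mfa"
    return "allow"


if __name__ == "__main__":
    # Constructed sample networks: the office range and one public block.
    office = parse_networks(["10.0.0.0/8", "203.0.113.0/24"])
    proxies = parse_networks(["10.0.0.5/32"])
    ip = effective_client_ip("10.0.0.5", "198.51.100.7", proxies)
    print(ip, decide(ip, office, ad_ok=True, mfa_ok=False))   # 198.51.100.7 mfa
    ip = effective_client_ip("198.51.100.9", "10.0.0.1", proxies)
    print(ip, decide(ip, office, ad_ok=True, mfa_ok=False))   # 198.51.100.9 mfa
```

The second print shows the spoofing case: a client outside the office sends X-Forwarded-For: 10.0.0.1 directly, the header is discarded because the peer is not a trusted proxy, and the request still has to complete MFA.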
  8. Hi, One of our service desk managers wanted to change some service owners this morning but could not find the button on the screen, so she contacted me. I had a look and I have to admit I am puzzled here... This is what she sees: Yet here is the setup she has: I just had another look in the Wiki and found this: Service Desk Manager: Collaboration Role, Service Desk Admin, Services Manager, Dashboard Viewer. The Service Desk Manager will be able to log new and update calls for all call classes as well as the ability to cancel calls or re-open closed calls. In addition the Service Desk Manager can create new Services or edit existing Services. If you have purchased the Hornbill Performance Analytics package you can view great looking Dashboards or Slideshows for detailed performance information. https://wiki.hornbill.com/index.php/What_Service_Manager_Roles_exist%3F She has all the relevant rights, yet she cannot see the button to edit?! Am I missing something? PS: I made sure all the cache was refreshed, and tested on both IE and Chrome...
  9. Hi, I just created 2 very interesting dashboards for my company and I would like all users to have access to them. However, for dashboards, we need to manually assign rights to users, groups or roles. I have too many teams and users to do that manually, so I was looking for a shortcut using a custom role. But I am struggling and some help would be welcome! What settings do I need to give to my role to make it appear in the dashboard settings? My dashboard properties and the access I would like to set up: My custom role: I have not given any specific database rights. Any help would be appreciated. Thanks!
  10. Afternoon, We are looking to change our password reset processes at the moment, as we don't have a way of identifying people over the phone. So we have to get them to come to us with their staff badge as a form of identification. We would like to use Hornbill to save identification questions in people's profiles so that only the Service Desk can see them, as a security measure. Then we can ask for characters from their security question to identify them over the phone. Is there a field in Hornbill anywhere where this can be done? Thanks, Hayley.
  11. Hi, I am looking at setting up a new assignment role to overcome a "problem" that we have in our organisation. Basically, we have teams (so far so good) amongst which some individuals have a particular skill set that allows them to perform certain specific tasks. The "problem" we have is when a request comes in and we need these people to help out, we want to be able to assign an activity to this group of people. But they belong to multiple teams... So I tried to create a new assignment role and added 2 members (for testing purposes). I then created an activity and it worked beautifully. Only key problem: users are not able to select "Role" in the drop-down when assigning an activity. They only get "User" and "Group". Note that I am the super admin. Am I missing something? Is there a particular setting I missed? Any help would be appreciated.
  12. Is it possible to set up a custom security group to give users access to be able to change the status of a service without being able to modify the setup of the service or add/delete services? As part of our major incident process we want our analysts to be able to change the service status to make it visible on the portal, but we don't want them to be able to modify any of the setup of the services, response times or resolution times. Thanks, Pete
  13. I recently posted a security update blog article. https://www.hornbill.com/blogpost/dirty-cow-security-hole-discovered
  14. Hi, I've been asked by our security team for answers that I can't find in your Wiki. 1. IMAP/POP3 traffic: does your traffic come from a set of IPs that we can filter to (i.e. to lock down access to yourselves)? 2. Is there two-factor authorisation available on the Admin URL (or are there any plans if not)?