Protecting Your Business from Crimes of Opportunity

June 10th, 2019 by

Security events occur frequently but may not capture our attention unless they are more spectacular than the last, like Marriott’s data breach of half a billion records. We’ve all forgotten by now the personally identifiable information (PII) stolen from Equifax in 2017; that trove of 143M records has the potential to expose almost half of the identities in the U.S. However, the worst data breach occurred in 2003, when 1.6B records were stolen from Acxiom [1].

Protecting against security threats, data breaches and crimes of opportunity

IT knows who you are and what you do

Not familiar with Acxiom? They’re a data broker that aggregates many types of information on consumers to create accurate individual profiles. Beyond PII, they know a person’s income, shopping habits, gambling habits, home equity, marital status, hobbies, interests, etc., with up to 5,000 data points per individual. Their data provides precision to companies that market consumer products, such as the credit card offers received in the mail or the targeted ads shown online on sites such as Facebook. The 2003 breach flew under the radar and received no media coverage because, at the time, California was the only state in the process of implementing a breach notification law. Today, all states have similar legislation requiring that individuals affected by a data breach be notified.

Motive and planning

The attackers described above probably spent a good amount of time on reconnaissance and planning before they found a soft spot to exploit, much like bank robbers. A record can be sold on the dark market for $2 to $20 apiece depending on its type and quality. Given the size of these breaches, the attackers stood to make a lot of money, and therein lies the motivation for their crimes.

Mid-sized companies may not fall into the same high-value target category as Acxiom or Equifax, but they face a comparable risk of their own. The threats to these organizations are more often crimes of opportunity, made possible by a lack of security or by human error, such as a misconfiguration or opening a virus-laden attachment. Attackers use automated port scans to search for networks with open ports. Ports are how computers communicate with one another, and specific services are tied to specific port numbers (e.g., SMTP email uses port 25). When an open port is found, the attacker will use various techniques to attempt to exploit the service behind it and get in.

This is similar to a person walking down the street checking for unlocked cars and, on finding one, rummaging through it for something valuable to take. Ports can be left open by accident, or the network perimeter may simply lack security controls.

Implementing proactive protection

Fortunately, ensuring proper protection is simple when using an intrusion prevention system (IPS). An IPS can be found in a managed network security service that detects and blocks port scans and protects your network from them. Additionally, a firewall reinforces access control into your network and hides your internal network from the public. IPS, along with these other security capabilities, provides a layer of security between your network and the Internet.

Crimes Diagram

Chances are, you’re being scanned right now 

If you’re wondering how prevalent port scanning is, it’s probably happening to your home network right now. Here’s a screenshot of someone with an IP address from South Africa who scanned my home network. The scanner is checking my network for systems with port 23 (Telnet) open to exploit. It could be a bot herder searching my network for a webcam to add to the Mirai botnet, or possibly that Nigerian prince that’s been emailing me.
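The scan in the screenshot above (one remote address probing port 23 across a home network) is exactly the pattern an IPS or a firewall log review looks for. The following Python is an added example, not code from this post or from Windstream: it parses a few constructed, iptables-style DROP lines (the format, addresses and timestamps are all made up for the example) and flags a source as a scanner when, within a short window, it either probes many ports on one host (a vertical scan) or probes the same port across many hosts (a horizontal sweep like the Telnet scan described above). The thresholds and window size are arbitrary assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified iptables/ufw-style format (not real logs).
# 203.0.113.45 sweeps port 23 across six hosts; 198.51.100.7 probes six ports on one host;
# 192.0.2.200 is ordinary blocked traffic that should not be flagged.
SAMPLE_LOG = """\
2019-06-09T21:14:01 DROP SRC=203.0.113.45 DST=192.168.1.10 PROTO=TCP DPT=23
2019-06-09T21:14:02 DROP SRC=203.0.113.45 DST=192.168.1.11 PROTO=TCP DPT=23
2019-06-09T21:14:02 DROP SRC=203.0.113.45 DST=192.168.1.12 PROTO=TCP DPT=23
2019-06-09T21:14:03 DROP SRC=203.0.113.45 DST=192.168.1.13 PROTO=TCP DPT=23
2019-06-09T21:14:03 DROP SRC=203.0.113.45 DST=192.168.1.14 PROTO=TCP DPT=23
2019-06-09T21:14:04 DROP SRC=203.0.113.45 DST=192.168.1.15 PROTO=TCP DPT=23
2019-06-09T21:20:10 DROP SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=21
2019-06-09T21:20:10 DROP SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=22
2019-06-09T21:20:11 DROP SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=25
2019-06-09T21:20:11 DROP SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=80
2019-06-09T21:20:12 DROP SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=443
2019-06-09T21:20:12 DROP SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=3389
2019-06-09T21:30:00 DROP SRC=192.0.2.200 DST=192.168.1.10 PROTO=TCP DPT=443
2019-06-09T21:31:00 DROP SRC=192.0.2.200 DST=192.168.1.10 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))


def detect_scans(events, window=timedelta(seconds=60), port_threshold=5, host_threshold=5):
    """
    Flag each source IP that, within any sliding window of `window` seconds, either
      - probes >= port_threshold distinct ports on a single host ("vertical"), or
      - probes the same port on >= host_threshold distinct hosts ("horizontal").
    Returns {src: set_of_kinds}. Sources below both thresholds are not reported.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dpt in events:
        by_src[src].append((ts, dst, dpt))

    findings = {}
    for src, recs in by_src.items():
        recs.sort()
        kinds = set()
        for i, (t0, _, _) in enumerate(recs):
            ports_per_host = defaultdict(set)   # dst -> ports probed on it
            hosts_per_port = defaultdict(set)   # port -> hosts probed on that port
            for ts, dst, dpt in recs[i:]:
                if ts - t0 > window:
                    break
                ports_per_host[dst].add(dpt)
                hosts_per_port[dpt].add(dst)
            if any(len(p) >= port_threshold for p in ports_per_host.values()):
                kinds.add("vertical")
            if any(len(h) >= host_threshold for h in hosts_per_port.values()):
                kinds.add("horizontal")
        if kinds:
            findings[src] = kinds
    return findings


if __name__ == "__main__":
    for src, kinds in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {', '.join(sorted(kinds))} scan")
```

On the sample above the sweeper is reported as a horizontal scan and the multi-port prober as a vertical scan, while the two ordinary blocked connections from 192.0.2.200 stay below both thresholds. In a real deployment the same two signals are what an IPS signature for port scanning keys on; the value of running the logic yourself is seeing how quickly a single remote address, like the one in the screenshot, stands out from normal blocked traffic.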

Crimes Opportunity screenshot

[1] Kony DBX, 2019 Retail Banking Trends and Predictions report, 2018.

Mitigating DDoS Threats on Your Own Terms

December 6th, 2018 by

Insurance is that product we all buy but hope we never use. Of course, paying for something you don’t use can create a dilemma.

Let’s say your company offers an optional dental plan. By opting-out, you would assume risk that the insurance company would otherwise incur. If you’ve never personally had to pay a significant dental bill, it’s tempting to skip the monthly premium. When you suddenly develop a serious toothache, you’re glad you have insurance.

The decision to purchase a DDoS (distributed denial of service) mitigation service is similar. If you’ve never been attacked, it’s tempting to go without protection and risk it. DDoS attacks cause 22% of all network outages, costing businesses $500 per minute. If you’re attacked without a mitigation service in place, your only recourse is to purchase emergency DDoS mitigation from one of a few providers and wait. You pay a higher premium, and while they do their best to get you set up quickly, you may be down for hours, or days.

Mitigating DDoS threats and protecting against DDoS attacks with Windstream Enterprise DDoS Assurance

What if you could buy the equivalent of a catastrophic coverage insurance plan? You know, low premiums that cover you for the nasty stuff. That’s the spirit in which Windstream Enterprise created DDoS Assurance.

New DDoS Assurance plan: Protection without the high monthly fee

The new Windstream Enterprise DDoS Assurance plan offers the same continuous monitoring and protection as our standard DDoS Mitigation service, at 1/10th the subscription fee.

That lower fee completely covers one mitigation per month. Subsequent attacks are still mitigated, with overage charges automatically applied to your service bill. You’ll know soon whether it makes better sense to go with DDoS Assurance or our standard DDoS Mitigation service – and regardless, you’re protected from network outages and business costs that would otherwise result.

Either way: DDoS protection is a must for any business Internet connection

The only line of defense against DDoS attacks is 24/7 monitoring and rapid mitigation to keep your Internet connection from being overwhelmed. Now you can choose the level of financial investment/risk that best suits your business, while still benefiting from our industry-leading protection services. For more information, please visit the Windstream Enterprise DDoS Mitigation page.

4 Essential SD-WAN Security Defenses

October 16th, 2018 by

SD-WAN’s growing popularity stems from the advantages it offers by moving key business functions to the cloud: simplified management, increased efficiency and resiliency, improved scalability, and significantly lower costs. It’s little wonder that SD-WAN growth is accelerating rapidly.

Yet because SD-WAN uses the internet as transport, concerns persist among potential adopters regarding its security. The essential question: Can any WAN solution operating over the public internet protect enterprise information as thoroughly as a purely private WAN can?

SD-WAN security

The answer is yes: by addressing the following four areas, data transmitted over a public network can be made as safe as data on a private network.

  • Firewall – Because it distributes enterprise assets across on-premises, cloud and hybrid environments, SD-WAN opens up new points of vulnerability. SD-WAN solutions must address this with a Zero Trust security model and firewalling based on application flow. Whether you’re considering cloud-based or on-premises firewalls, look for an SD-WAN solution that delivers application control, intrusion prevention, and content filtering.
  • Encryption – Data in transit is especially vulnerable to attack; any SD-WAN solution must offer strong end-to-end encryption across all transports. This is especially critical with all traffic crossing the internet to reach branch offices and other remote user locations.
  • Security class differentiation – SD-WAN should support the prioritization of security resources, with distinct segmentation and security policies. For example, enterprises that handle payment card information will want to place the highest priority on personally identifiable information to avoid PCI DSS compliance issues. Two-factor authentication and in-depth log monitoring will provide additional assistance through reliable audit trails.
  • Virtual network function (VNF) software – VNFs in SD-WAN allow common network functions, such as a firewall, to run as virtual instances on the same customer premises equipment (CPE) as the SD-WAN itself. This supports more tightly integrated security, with hardware capacity used efficiently across locations and users. VNFs can also be centrally managed, which supports faster provisioning and greater flexibility in policy management.

While there are always tradeoffs involved in moving from legacy to newer solutions, the gains made by adopting SD-WAN are extremely compelling – as long as security is strengthened in the move rather than compromised. With the right security technology incorporated in SD-WAN and proper preparation, adopting enterprises can move forward with the knowledge that their assets are thoroughly secure – including all interfaces with the public internet, and all enterprise traffic that crosses it.

What is GDPR and What You Need to Know

July 17th, 2018 by

GDPR, the European Union’s new General Data Protection Regulation, hasn’t received a great deal of press in the U.S., presumably because it is a “Europe thing.” However, U.S. companies are in fact subject to GDPR if they handle personal information on individuals located in the EU, including website visitors.

So, what is GDPR? This is a complicated and far-reaching regulation, and it would take an awfully long post to explain GDPR in full. The information here will help you understand how GDPR works and what, in general terms, is required for compliance. Organizations that are subject to GDPR have a good deal of legal study to undertake. As the regulation took effect on May 25, 2018, it’s time for organizations affected by GDPR to ramp up those efforts immediately, if they haven’t already.

How GDPR might affect your organization

GDPR seeks to protect individuals’ personal data. If your organization collects any personal data from EU residents, or processes any such data collected by others, GDPR specifies strict rules that include getting consent from the individual before data collection, deleting all personal data when an individual requests it, and reporting any data breaches within 72 hours.

Failure to comply can result in stiff fines of up to 20 million euros (more than $23 million) or 4% of global revenues, with the higher amount applying. U.S. companies can’t simply skip paying the fines; EU regulators can enforce them with actions in accordance with international law.

What is GDPR?

How GDPR defines “personal data”

Assuming your organization is a responsible custodian of people’s personal information as expected in the U.S., it is already fulfilling some of the spirit of GDPR – though compliance will require much broader efforts. It starts with accommodating the GDPR view of personal data vs. the U.S. view.

U.S. breach notification laws generally define “personal data” as a person’s name plus other formal, unique identification, such as driver’s license or social security number. GDPR defines personal data more broadly to include any data that could be used to identify an individual – and that includes such information as location data, IP addresses, cookie strings, and mobile device IDs, as well as informal identifiers such as age and marital status. In other words, pretty much any information that could be used to learn an identity is considered “personal data” under GDPR.

Specific responsibilities: Are you a controller or processor (or both)?

GDPR assigns responsibility to two types of entities: controllers and processors. Because of functional overlap, both can apply to a single organization.

“Processors” are organizations that handle electronic personal data in any way, from collecting to storing to distributing. “Controllers” make decisions regarding the use of personal data. For example, a retailer may collect personal data from its customers to enable it to market to those customers directly, based on their demonstrated preferences. It may also share that data with an acquiring bank for credit card payment collection. In this case, the retailer is the controller, and the acquiring bank is the processor.

Generally speaking, controllers have the greatest responsibility for GDPR compliance. This includes the primary role (among other requirements) of informing individuals as to why their data is collected, how it will be used and by whom, and how they can completely delete their data if they choose. Processors still have substantial responsibility, and ensuring that all is done accurately and compliantly requires transparency and coordination between the controller and processor.

Compliance preparations

Again, there is a good deal more to understand for actual compliance if GDPR applies to your organization – and it does apply if you actively conduct any business with EU individuals that involves the collection of personal data, or process any personal information on behalf of companies that do.

EU courts will need to decide how egregious any U.S. company’s noncompliance really is, and unintentional noncompliance may very well be forgiven if it is infrequent and “unlikely to result in a risk to the rights and freedoms of natural persons.” But with potential exposure to such high-dollar penalties, it’s definitely better to be safe than sorry.

GDPR is a reminder to all businesses, whether you have customers in Europe or not, that privacy is a major concern. We have a responsibility to our customers to ensure the data they provide us is kept safe. Windstream Enterprise is dedicated to keeping our customers informed and will continue to monitor this subject closely.

What is a DDoS attack and how to prevent them

June 11th, 2018 by

Business spending for cyber security has evolved from once being part of an IT budget to becoming its own budget – at least that’s true for large enterprises. Small and medium businesses (SMBs) continue to subscribe to the adage of implementing “good enough” security, or just enough to avoid negligence. Not being on the Fortune 500 list doesn’t preclude a distributed denial-of-service (DDoS) attack from happening against an organization. In fact, in 2017, 53% of businesses that experienced a DDoS attack fell into the small and medium business categories. So, ask yourself, what is a DDoS attack?

DDoS attacks were once a rare occurrence but are now a perennial event, increasing in both frequency and size. A common attack involves the attacker, a command-and-control server, a botnet (i.e., compromised computers), and the victim. Looking into the anatomy of an attack reveals that the attacker is taking advantage of how Internet communication works to direct a large amount of traffic toward a victim, rendering their network and/or Internet-facing systems and applications unavailable.
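The anatomy just described, many compromised hosts directed at one victim, is also what a volumetric DDoS detector keys on: a sudden jump in traffic toward one destination that is fed by far more distinct sources than normal. The Python below is an added example, not Windstream’s service or code from this post. It works on constructed per-second flow records (the addresses, rates and the 500-host botnet are all made up for the example), learns a packets-per-second baseline for each destination from a quiet training period, and raises an alert only when a later second exceeds that baseline and is fed by at least a minimum number of distinct sources, so a single noisy client is not mistaken for a distributed attack. The training length, the sigma multiplier and the source minimum are assumed tuning knobs, not values from the post.

```python
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_flows():
    """Constructed flow records (second, src_ip, dst_ip, packets); not captured traffic."""
    flows = []
    for t in range(70):
        # 192.0.2.10: ~20 ordinary clients at roughly 5-7 packets/s each, for all 70 s
        for i in range(20):
            flows.append((t, f"198.51.100.{i}", "192.0.2.10", 5 + (i + t) % 3))
        # 192.0.2.20: a second server with perfectly steady traffic and no attack
        for i in range(10):
            flows.append((t, f"198.51.100.{100 + i}", "192.0.2.20", 3))
    # From t=60 on, a 500-host botnet floods 192.0.2.10 at 40 packets/s per bot
    for t in range(60, 70):
        for i in range(500):
            flows.append((t, f"10.{i // 256}.{i % 256}.1", "192.0.2.10", 40))
    return flows


def per_second_stats(flows):
    """Aggregate flows into {dst: {second: (packets, distinct_sources)}}."""
    pkts = defaultdict(lambda: defaultdict(int))
    srcs = defaultdict(lambda: defaultdict(set))
    for t, src, dst, n in flows:
        pkts[dst][t] += n
        srcs[dst][t].add(src)
    return {dst: {t: (pkts[dst][t], len(srcs[dst][t])) for t in pkts[dst]}
            for dst in pkts}


def detect_flood(stats, train_seconds=60, k=5.0, min_sources=100):
    """
    For each destination, learn a packets-per-second threshold from the first
    train_seconds (mean + k * population stddev) and alert on every later second
    whose rate exceeds it AND that is fed by at least min_sources distinct
    sources (the "distributed" part of a DDoS).
    Returns {dst: [(second, packets_per_second, distinct_sources), ...]}.
    """
    alerts = {}
    for dst, series in stats.items():
        train = [series[t][0] for t in sorted(series) if t < train_seconds]
        if len(train) < 2:
            continue  # not enough history to form a baseline
        threshold = mean(train) + k * pstdev(train)
        hits = [(t, pps, n) for t, (pps, n) in sorted(series.items())
                if t >= train_seconds and pps > threshold and n >= min_sources]
        if hits:
            alerts[dst] = hits
    return alerts


def seconds_to_detect(alerts, dst, attack_start):
    """Detection latency: first alerting second minus the attack's first second (None if no alert)."""
    if dst not in alerts:
        return None
    return alerts[dst][0][0] - attack_start


if __name__ == "__main__":
    alerts = detect_flood(per_second_stats(build_sample_flows()))
    for dst, hits in alerts.items():
        t, pps, n = hits[0]
        print(f"{dst}: flood from t={t}s, {pps} pkt/s from {n} sources "
              f"(latency {seconds_to_detect(alerts, dst, 60)}s)")
```

On the sample data the flooded server is flagged from the first attack second, while the steady second server never alerts. The `min_sources` gate is the part worth keeping in mind when evaluating a provider’s detection: a rate spike alone could be a legitimate traffic surge, and it is the combination of volume and source diversity that distinguishes a DDoS from a busy day.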

what is a ddos attack

So why should you care if your Internet is not available?  It depends on how your organization uses this IT resource to gauge whether it’s important, and if there’s a business return on money spent to prevent such attacks. Let’s examine the number of applications an organization potentially uses that require the internet to function:

  • Communication – email, web conferencing, VoIP, unified communications, collaboration (e.g., Slack)
  • Cloud – enterprise software (e.g., Microsoft 365), CRM, ERP, cloud computing
  • WAN – IPsec VPNs, SD-WAN
  • Remote access
  • Web services – website, SaaS, e-commerce
  • Source of research for employees

As with any business decision, deciding whether to implement a cyber security control boils down to the return on investment; more specifically, the total cost of an outage due to an attack should be significantly more than the cost to prevent it. For example, if DDoS attacks negatively impacted an organization by $100,000 annually and the cost to mitigate them was $15,000, the ROI for this preventative control would be

Aside from impacting availability, DDoS attacks have been used as a diversionary tactic for data exfiltration and are part of a growing trend in extortion.

You’re concerned. What should you do? Unfortunately, there aren’t effective DIY solutions to implement, because attacks will continue to get larger, making it a cost-prohibitive arms race for any organization. This leaves partnering with a service provider that can mitigate the attack upstream, away from your network. When evaluating potential solutions, take into consideration how fast a threat can be detected and what response options are available. How does a mitigation work, and does it require your involvement? Is monitoring included, or is it an option you can add? Can the provider protect Internet circuits that belong to another ISP? Last, how is the service priced: is it a fixed monthly fee, or is pricing dynamic and driven by factors such as attack frequency and size?

In conclusion, take the time now, while things are calm, to consider how much Internet downtime your organization can withstand: 10 minutes, 30 minutes, 1 hour, 24 hours, etc. Early planning can also save a substantial amount of money, as emergency mitigation services are more expensive and can take time to set up.

Trusted security solutions require trusted partnerships

Windstream Enterprise’s DDoS mitigation solution includes 15-minute SLAs for both notification and mitigation, ensuring Internet circuits and web-facing applications stay up and available during attempted DDoS attacks. Optional proactive mitigation and auto-mitigation can reduce the response to mitigate to near real time.  With the help of an experienced, trusted network security partner (Windstream Enterprise, etc.), your organization can put a flexible, adaptable DDoS mitigation plan in place – as part of a broad integrated suite of IT security solutions – so you and your team can spend more of your own time focused on strategic initiatives that help you innovate and advance your business.

Is Your Enterprise Making Sensitive Information Unintentionally Vulnerable?

March 14th, 2018 by

Most employers take great care in protecting any and all employee personal information they store, such as social security numbers and credit cards used for travel. When that care doesn’t extend to making sure employees themselves are taking effective protective measures, the result is multiple points of potential compromise that can severely damage an enterprise’s brand.

How is your own organization doing? Consider the following three best practices to ensure that data is more completely secured throughout your enterprise.

  1. Advise employees to use a unique password for each vendor site they access. It’s unfortunately common for people to use one password for most, if not all, of the sites they routinely visit. Many who follow this practice assume that as long as they re-use a strong password not easily guessed, they’re covered. Yet if all vendor sites have the same password for an employee, and any one of those sites gets compromised, the time it takes to compromise all sites involved is greatly reduced – making it much more difficult to prevent further damage from the intruder.
  2. Maintain an ongoing anti-phishing campaign. Cyber thieves who orchestrate phishing campaigns are gaining in sophistication, and many of the emails they send are not immediately identifiable as coming from someone other than the purported sender. That’s especially true when the email is personalized and addressed to the recipient’s business email address – and knowing the format of a single employee’s email address makes it very easy to personalize phishing emails for others. Encourage employees to report any suspicious emails they receive rather than open them or respond, so that you can block emails from that source and alert other employees that they may be targeted.
  3. Extend security policies to physical measures for documentation. Dumpster diving is alive and well, and it often turns up documents employees print for internal use that contain personally identifiable information or confidential information that could be used against the company, such as meeting notes. Make sure employees have easy access to paper shredders, and that they understand the need to use them for all documents containing information of any degree of sensitivity.

A solid managed network security solution can assist in many of these measures with automated, 24/7 threat protection, including intrusion protection, anti-virus protection, DDoS mitigation and immediate updates when new threats emerge. In many cases, these services will, for example, automatically scan emails with attachments and block documents that contain viruses and malware. Any enterprise that does not have such a solution, and those that haven’t upgraded recently, are encouraged to make sure they have a high level of managed security. Be sure to extend this to remote employees, who should be covered by protection on their personal internet access points.

It’s also important to remember that no managed security solution can button up an enterprise 100%. Complete security requires vigilance on the part of employees, who can form an important front-line defense against intruders who seek to gain access to information within the workplace. A program based on the three principles outlined above is a great place to start.

Are You Overlooking the Most Direct Threat to Your Network Operations?

November 13th, 2017 by

Quick: Which of the following poses the greatest threat to network operations?

A: Breaches

B: Distributed denial of service (DDoS) attacks

Correct answer: “B.” If you chose “A,” consider that the question concerns “operations,” which is exactly what a DDoS attack targets: bringing business to a grinding halt.

DDoS attacks caused 22% of all network outages in 2016, with an average business cost of over $740,000 per attack. For banks, DDoS attacks can impact ATMs and shut down online transactions. For healthcare providers, they can wipe out continuity of care and team coordination. For retailers, DDoS attacks frequently shut down online shopping, sending customers elsewhere.

Simply put, your network exists to deliver services; DDoS attacks seek to deny those services and disrupt your business. Threats don’t come any more direct than that.

So why do we sometimes assume that DDoS is a lower level of threat? Or forget to think about it at all?

Why we think about breaches more than DDoS

Large-scale data breaches make national headlines because they potentially affect large numbers of news followers. The recent Equifax breach got wall-to-wall news coverage because it exposed the sensitive personal information of some 143 million Americans. That is absolutely newsworthy.

It was also the latest in a series of events involving tens of millions of consumers and leading corporations. Frequent headlines contribute to serious top-of-mind awareness.

DDoS attacks don’t command that level of attention, mainly because their extensive damage falls squarely on the targeted enterprise, as business disruption. Plus, the name “DDoS” sounds like the dated DOS (or MS-DOS) operating system of the ‘80s, with a passé ring to it.

But when your own network is the target of a successful DDoS attack, it’s exceedingly bad news and a devastating hit to business continuity. Any threat causing 22% of network outages and totaling more than $740,000 per occurrence deserves serious and sustained attention.

Bring the threat of downtime toward zero

Taking a proactive approach to the problem, Windstream now offers a DDoS Mitigation service that is available at very affordable subscription pricing. The service, which is ISP agnostic, includes a 15-minute SLA to detect and verify attacks, followed by a 15-minute SLA to begin mitigation – ensuring there is little to no downtime.

And because the service is integrated into the network, the entire monitor/detect/verify/mitigate process can happen without customer involvement. It’s the sophisticated defense against an increasingly sophisticated threat. And one of the first that combines both monitoring and mitigation in a single package, along with consistent pricing regardless of the number or scale of attacks.

If you’re one of the many enterprises that remain vulnerable to DDoS attacks, you really should look into it, and make DDoS Mitigation an essential element of your overall enterprise security strategy. Your customers will definitely enjoy the continuous uptime experience – and your enterprise leaders and users will appreciate the continuity of business operations.

We invite you to share your thoughts on DDoS and learn more about Windstream’s new approach to DDoS Mitigation services.
