Security events occur frequently but may not capture our attention unless they are more spectacular than the last, like Marriott’s data breach of half a billion records. We’ve all forgotten by now the personally identifiable information (PII) stolen from Equifax in 2017; that trove of 143M records has the potential for almost half of the identities in the U.S. to be stolen. However, the worst data breach occurred in 2003, when 1.6B records were stolen from Acxiom [1].
IT knows who you are and what you do
Not familiar with Acxiom? They’re a data broker that aggregates various types of information on consumers to create accurate individual profiles. Beyond PII, they know a person’s income, shopping habits, gambling habits, home equity, marital status, hobbies, interests, etc., with up to 5,000 data points per individual. Their data provides precision to companies that market consumer products, such as credit card offers received in the mail or targeted ads shown online on sites like Facebook. This event flew under the radar and received no media coverage because at the time, California was the only state in the process of implementing a breach notification law. Today, all states have similar legislation that requires individuals affected by a data breach to be notified.
Motive and planning
The attackers described above probably spent a good amount of time on reconnaissance and planning before they were able to find a soft spot to exploit, much like bank robbers. A record can be sold on the dark market for $2 to $20 apiece depending on its type and quality. Based on the size of the breaches, the attackers stood to make a lot of money, and therein lies the motivation for their crimes.
Mid-sized companies may not fall into the same high-value target category as Acxiom or Equifax, but they face a similar risk of their own. The threats these organizations face are more often crimes of opportunity enabled by a lack of security or by human error, such as a misconfiguration or opening an attachment that carries a virus. Attackers use automated port scans to search for networks with open ports. Ports are used by computers to communicate with one another, and specific communication functions are tied to a port number (e.g., email = port 25). When an open port is found, the attacker will use various techniques to attempt to exploit it and get in.
This is similar to a person walking down the street checking for unlocked cars, and when they find one, rummaging through it for something valuable to take. Ports can be accidentally left open by an organization, or there may be a lack of security at the perimeter.
Implementing proactive protection
Fortunately, ensuring proper protection is simple when using an intrusion prevention system (IPS). An IPS can be found in a managed network security service that can detect, block, and protect your network from port scans. Additionally, using a firewall can reinforce access control into your network as well as obfuscate your internal network from the public. An IPS, along with the other security capabilities, provides a layer of security between your network and the Internet.
Chances are, you’re being scanned right now
If you’re wondering how prevalent port scanning is, it’s probably happening to your home network right now. Here’s a screenshot of someone with an IP address from South Africa that scanned my home network. The scanner is checking for systems in my network with port 23 (Telnet) open to exploit. It could be a bot herder searching my network for a webcam to add to the Mirai botnet or possibly that Nigerian prince that’s been emailing me.
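A minimal version of the port-scan detection an IPS performs, as an added example (not from the original article and not any vendor's implementation): it reads firewall log lines and flags a source that probes one port across many hosts, like the Telnet sweep described above, or many ports on one host. The log format, addresses, thresholds and function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log in a hypothetical "time action src dst:port" format.
# Addresses come from documentation/private ranges; none are real observations.
SAMPLE_LOG = """\
2019-01-10T02:14:01 DENY 203.0.113.7 192.168.1.10:23
2019-01-10T02:14:02 DENY 203.0.113.7 192.168.1.11:23
2019-01-10T02:14:02 DENY 203.0.113.7 192.168.1.12:23
2019-01-10T02:14:03 DENY 203.0.113.7 192.168.1.13:23
2019-01-10T02:20:10 DENY 198.51.100.20 192.168.1.10:21
2019-01-10T02:20:10 DENY 198.51.100.20 192.168.1.10:22
2019-01-10T02:20:11 DENY 198.51.100.20 192.168.1.10:25
2019-01-10T02:20:11 ALLOW 198.51.100.20 192.168.1.10:443
2019-01-10T09:00:00 ALLOW 192.0.2.50 192.168.1.10:443
2019-01-10T09:00:05 ALLOW 192.0.2.50 192.168.1.10:443
2019-01-10T09:30:00 ALLOW 192.0.2.50 192.168.1.10:25
corrupted line that the parser must skip
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) ([\d.]+) ([\d.]+):(\d+)$")

def parse(log_text):
    """Turn log text into sorted (time, src, dst, port) tuples, skipping junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, _action, src, dst, port = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(events)

def detect_scans(events, window=timedelta(seconds=60), min_targets=4):
    """Flag sources that touch many hosts on one port (horizontal sweep) or
    many ports on one host (vertical scan) inside a sliding time window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = set()
    for src, evs in by_src.items():
        start = 0
        for end, (when, _, _, _) in enumerate(evs):
            while when - evs[start][0] > window:
                start += 1  # drop events older than the window
            hosts_per_port, ports_per_host = defaultdict(set), defaultdict(set)
            for _, _, dst, port in evs[start:end + 1]:
                hosts_per_port[port].add(dst)
                ports_per_host[dst].add(port)
            findings |= {(src, "horizontal", f"port {p}")
                         for p, h in hosts_per_port.items() if len(h) >= min_targets}
            findings |= {(src, "vertical", f"host {d}")
                         for d, p in ports_per_host.items() if len(p) >= min_targets}
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect_scans(parse(SAMPLE_LOG)):
        print(finding)
```

Both allowed and denied connections are counted, because a probe that reaches an open port is still part of the scan; the ordinary client at 192.0.2.50 stays below the threshold and is not flagged.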
[1] Kony DBX, 2019 Retail Banking Trends and Predictions report, 2018.
Insurance is that product we all buy but hope we never use. Of course, paying for something you don’t use can create a dilemma.
Let’s say your company offers an optional dental plan. By opting out, you would assume risk that the insurance company would otherwise incur. If you’ve never personally had to pay a significant dental bill, it’s tempting to skip the monthly premium. When you suddenly develop a serious toothache, you’re glad you have insurance.
The decision to purchase a DDoS (distributed denial of service) mitigation service is similar. If you’ve never been attacked, it’s tempting to go without protection and risk it. DDoS attacks cause 22% of all network outages, costing businesses $500 per minute. If you’re attacked without a mitigation service in place, your only recourse is to purchase emergency DDoS mitigation available from a few providers and wait. You pay a higher premium, and while they do their best to get you set up quickly, you may be down for hours or days.
What if you could buy the equivalent of a catastrophic coverage insurance plan? You know, low premiums that cover you for the nasty stuff. That’s the spirit in which Windstream Enterprise created DDoS Assurance.
New DDoS Assurance plan: Protection without the high monthly fee
The new Windstream Enterprise DDoS Assurance plan offers the same continuous monitoring and protection as our standard DDoS Mitigation service, at 1/10th the subscription fee.
That lower fee completely covers one mitigation per month. Subsequent attacks are still mitigated, with overage charges automatically applied to your service bill. You’ll know soon whether it makes better sense to go with DDoS Assurance or our standard DDoS Mitigation service – and regardless, you’re protected from network outages and business costs that would otherwise result.
Either way: DDoS protection is a must for any business Internet connection
The only line of defense against DDoS attacks is 24/7 monitoring and rapid mitigation to keep your Internet connection from being overwhelmed. Now you can choose the level of financial investment/risk that best suits your business, while still benefiting from our industry-leading protection services. For more information, please visit the Windstream Enterprise DDoS Mitigation page.
SD-WAN’s growing popularity stems from the advantages it offers by moving key business functions to the cloud: simplified management, increased efficiency and resiliency, improved scalability, and significantly lower costs. It’s little wonder that SD‑WAN growth is accelerating, and rapidly.
Yet because SD-WAN uses the internet as transport, concerns persist among potential adopters regarding its security. The essential question: Can any WAN solution operating over the public internet protect enterprise information as thoroughly as a purely private WAN can?
The answer is yes, and by considering these four areas, the data transmitted over a public network can be as safe as it would be over a private network.
While there are always tradeoffs involved in moving from legacy to newer solutions, the gains made by adopting SD-WAN are extremely compelling – as long as security is strengthened in the move rather than compromised. With the right security technology incorporated in SD-WAN and proper preparation, adopting enterprises can move forward with the knowledge that their assets are thoroughly secure – including all interfaces with the public internet, and all enterprise traffic that crosses it.
GDPR, the European Union’s new General Data Protection Regulation, hasn’t received a great deal of press in the U.S., presumably because it is a “Europe thing.” However, U.S. companies are in fact subject to GDPR if they handle personal information on individuals located in the EU, including website visitors.
So, what is GDPR? This is a complicated and far-reaching regulation, and it would take an awfully long post to explain GDPR in full. The information here will help you understand how GDPR works and what, in general terms, is required for compliance. Organizations that are subject to GDPR have a good deal of legal study to undertake. As the regulation took effect on May 25, 2018, it’s time for organizations affected by GDPR to ramp up those efforts immediately, if they haven’t already.
How GDPR might affect your organization
GDPR seeks to protect individuals’ personal data. If your organization collects any personal data from EU residents, or processes any such data collected by others, GDPR specifies strict rules that include getting consent from the individual before data collection, deleting all personal data when an individual requests it, and reporting any data breaches within 72 hours.
Failure to comply can result in stiff fines of up to 20 million euros (more than $23 million) or 4% of global revenues, with the higher amount applying. U.S. companies can’t simply skip paying the fines; EU regulators can enforce them with actions in accordance with international law.
How GDPR defines “personal data”
Assuming your organization is a responsible custodian of people’s personal information as expected in the U.S., it is already fulfilling some of the spirit of GDPR – though compliance will require much broader efforts. It starts with accommodating the GDPR view of personal data vs. the U.S. view.
U.S. breach notification laws generally define “personal data” as a person’s name plus other formal, unique identification, such as driver’s license or social security number. GDPR defines personal data more broadly to include any data that could be used to identify an individual – and that includes such information as location data, IP addresses, cookie strings, and mobile device IDs, as well as informal identifiers such as age and marital status. In other words, pretty much any information that could be used to learn an identity is considered “personal data” under GDPR.
Specific responsibilities: Are you a controller or processor (or both)?
GDPR assigns responsibility to two types of entities: controllers and processors. Because of functional overlap, both can apply to a single organization.
“Processors” are organizations that handle electronic personal data in any way, from collecting to storing to distributing. “Controllers” make decisions regarding the use of personal data. For example, a retailer may collect personal data from its customers to enable it to market to those customers directly, based on their demonstrated preferences. It may also share that data with an acquiring bank for credit card payment collection. In this case, the retailer is the controller, and the acquiring bank is the processor.
Generally speaking, controllers have the greatest responsibility for GDPR compliance. This includes the primary role (among other requirements) of informing individuals as to why their data is collected, how it will be used and by whom, and how they can completely delete their data if they choose. Processors still have substantial responsibility, and ensuring that all is done accurately and compliantly requires transparency and coordination between the controller and processor.
Again, there is a good deal more to understand for actual compliance if GDPR applies to your organization – and it does apply if you actively conduct any business with EU individuals that involves the collection of personal data, or process any personal information on behalf of companies that do.
EU courts will need to decide how egregious any U.S. company’s noncompliance really is, and unintentional noncompliance may very well be forgiven if it is infrequent and “unlikely to result in a risk to the rights and freedoms of natural persons.” But with potential exposure to such high-dollar penalties, it’s definitely better to be safe than sorry.
GDPR is a reminder to all businesses, whether you have customers in Europe or not, that privacy is a major concern. We have a responsibility to our customers to ensure the data they provide us is kept safe. Windstream Enterprise is dedicated to keeping our customers informed and will continue to monitor this subject closely.
Business spending for cyber security has evolved from once being part of an IT budget to becoming its own budget – that’s at least true for large enterprises. Small and medium businesses (SMBs) continue to subscribe to the adage of implementing good enough security, or enough to prevent negligence. Not being on the Fortune 500 list doesn’t preclude a distributed denial-of-service (DDoS) attack from happening against an organization. In fact, in 2017, 53% of businesses that experienced a DDoS attack fell into the small and medium business categories. So, ask yourself, what is a DDoS attack?
DDoS attacks were once a rare occurrence but are now a perennial event increasing in frequency and size. A common attack involves the attacker, a command and control, a botnet (i.e., exploited computers), and the victim. Looking into the anatomy of an attack reveals that the attacker is taking advantage of how Internet communication works to direct a large amount of traffic towards a victim, rendering their network and/or internet-facing systems and applications unavailable.
So why should you care if your Internet is not available? It depends on how your organization uses this IT resource to gauge whether it’s important, and if there’s a business return on money spent to prevent such attacks. Let’s examine the number of applications an organization potentially uses that require the internet to function:
Similar to any business decision, deciding whether to implement cyber security boils down to the return on investment – more specifically the total cost of an outage due to an attack should be significantly more than the cost to prevent it. For example, if DDoS attacks negatively impacted an organization $100,000 annually and the cost to mitigate them was $15,000, the ROI for this preventative control would be
Aside from impacting availability, DDoS attacks have been used as a diversionary tactic for data exfiltration and are part of a growing trend in extortion.
You’re concerned. What should you do? Unfortunately, there aren’t effective DIY solutions to implement because attacks will continue to get larger, making it a cost-prohibitive arms race for any organization. This leaves partnering with a service provider that can help mitigate the attack upstream, away from your network. When evaluating potential solutions, take into consideration how fast a threat can be detected and the available response options. How does a mitigation work, and does it require your involvement? Is monitoring included or is it an option you can add? Can the provider protect internet circuits that belong to another ISP? Last, how is the service priced – is it a fixed monthly fee, or is pricing dynamic and driven by factors such as attack frequency and size?
In conclusion, take the time now, when things are calm, to consider how much internet downtime your organization can withstand: 10 minutes, 30 minutes, 1 hour, 24 hours, etc. Early planning can also save a substantial amount of money, as emergency mitigation services are more expensive and can require time to set up.
Trusted security solutions require trusted partnerships
Windstream Enterprise’s DDoS mitigation solution includes 15-minute SLAs for both notification and mitigation, ensuring Internet circuits and web-facing applications stay up and available during attempted DDoS attacks. Optional proactive mitigation and auto-mitigation can reduce the time to mitigate to near real time. With the help of an experienced, trusted network security partner (Windstream Enterprise, etc.), your organization can put a flexible, adaptable DDoS mitigation plan in place – as part of a broad integrated suite of IT security solutions – so you and your team can spend more of your own time focused on strategic initiatives that help you innovate and advance your business.
Most employers take great care in protecting any and all employee personal information they store, such as social security numbers and credit cards used for travel. When that care doesn’t extend to making sure employees themselves are taking effective measures for protection, the result is multiple points of potential compromise that can severely damage an enterprise’s brand.
How is your own organization doing? Consider the following three best practices to ensure that data is more completely secured throughout your enterprise.
A solid managed network security solution can assist in many of these measures with automated, 24/7 threat protection, including intrusion protection, anti-virus protection, DDoS mitigation and immediate updates when new threats emerge. In many cases, these services will, for example, automatically scan emails with attachments and block documents that contain viruses and malware. Any enterprise that does not have such a solution, and those that haven’t upgraded recently, are encouraged to make sure they have a high level of managed security. Be sure to extend this to remote employees, who should be covered by protection on their personal internet access points.
It’s also important to remember that no managed security solution can button up an enterprise 100%. Complete security requires vigilance on the part of employees, who can form an important front-line defense against intruders who seek to gain access to information within the workplace. A program based on the three principles outlined above is a great place to start.
Quick: Which of the following poses the greatest threat to network operations?
B: Distributed denial of service (DDoS) attacks
Correct answer: “B.” If you chose “A,” consider that the question concerns “operations” – the DDoS target. Meaning, making business come to a grinding halt.
DDoS attacks caused 22% of all network outages in 2016, with an average business cost of over $740,000 per attack. For banks, DDoS attacks can impact ATMs and shut down online transactions. For healthcare providers, they can wipe out continuity of care and team coordination. For retailers, DDoS attacks frequently shut down online shopping, sending customers elsewhere.
Simply put, your network exists to deliver services; DDoS attacks seek to deny those services and disrupt your business. Threats don’t come any more direct than that.
So why do we sometimes assume that DDoS is a lower level of threat? Or forget to think about it at all?
Why we think about breaches more than DDoS
Large-scale data breaches make national headlines because they potentially affect large numbers of news followers. The recent Equifax breach got wall-to-wall news coverage because it exposed the sensitive personal information of some 143 million Americans. That is absolutely newsworthy.
It was also the latest in a series of events involving tens of millions of consumers and leading corporations. Frequent headlines contribute to serious top-of-mind awareness.
DDoS attacks don’t command that level of attention, mainly because their extensive damage falls squarely on the targeted enterprise, as business disruption. Plus, the name “DDoS” sounds like the dated DOS (or MS-DOS) operating system of the ‘80s, with a passé ring to it.
But when your own network is the target of a successful DDoS attack, it’s exceedingly bad news and a devastating hit to business continuity. Any threat causing 22% of network outages and totaling more than $740,000 per occurrence deserves serious and sustained attention.
Bring the threat of downtime toward zero
Taking a proactive approach to the problem, Windstream now offers a DDoS Mitigation service that is available at very affordable subscription pricing. The service, which is ISP agnostic, includes a 15-minute SLA to detect and verify attacks, followed by a 15-minute SLA to begin mitigation – ensuring there is little to no downtime.
And because the service is integrated into the network, the entire monitor/detect/verify/mitigate process can happen without customer involvement. It’s the sophisticated defense against an increasingly sophisticated threat. And one of the first that combines both monitoring and mitigation in a single package, along with consistent pricing regardless of the number or scale of attacks.
If you’re one of the many enterprises that remain vulnerable to DDoS attacks, you really should look into it, and make DDoS Mitigation an essential element of your overall enterprise security strategy. Your customers will definitely enjoy the continuous uptime experience – and your enterprise leaders and users will appreciate the continuity of business operations.
We invite you to share your thoughts on DDoS and learn more about Windstream’s new approach to DDoS Mitigation services.