Set and protect. A cybersecurity road map for small and home offices

In the evolving world of cyberthreats, small and home offices share a single need: a reliable security solution.

If you’re leading a small office, you are likely no stranger to working 12 hours a day. It might even feel like 24/7, doing taxes, communicating with clients, and marketing your business on social media platforms.

You likely have also personally installed a firewall on your laptop, but still, one day, you find out that your bank account got breached or your business data has been compromised. This might mean losing money or the trust of your clients, and it definitely means losing precious time to put the wheels back on your business. 

Today, basic protection doesn’t just mean having a firewall; it requires endpoint security with scanning tools, a password manager, and data encryption. Simply put, many businesses that invested in separate products over time to address basic risks just aren’t equipped to handle today’s threats.

This is the reality for a massive number of small offices/home offices around the world that face growing risks from digital threats.  For example, 31% of businesses with fewer than 10 employees surveyed in the UK during the winter of 2022-2023 experienced a cyber-attack or a security breach. To understand the full scope of the situation, there are 5.28 million such businesses in the UK.

These cyberthreats leave users facing a diversity of complex security challenges – challenges that individual solutions like firewalls, well-suited to block malicious traffic, are simply not built to counter. Today’s online tools and business processes require cybersecurity solutions that layer multiple advanced technologies for detection, browsing protection, anti-phishing, and botnet protection, as well as exploitation, ransomware, and network protections supported by artificial intelligence and machine learning to stop threats.

The backbone of the economy makes for an interesting target

The small offices and home offices discussed in this blog are tiny when taken individually, but collectively, they comprise a massive workforce. For example, according to the latest data gathered back in 2019, 78.5% of U.S. businesses had 1-9 employees.

The situation is similar elsewhere. Businesses with 1-9 employees make up 74.1% of Canadian businesses and 82% of all UK businesses.

This places small offices/home offices squarely in the sweet spot user group for ESET’s Small Business Security offering; they’re the second largest source of wealth, right behind home equity. It also means that this group is substantial enough to factor into cybercriminal campaigns while remaining an easy target, even for now-common attacks such as simple password spraying.

These businesses are often easy targets for cybercriminals because:

• They do not believe they are an interesting target for cybercrime because they are too small.

• They believe they cannot afford comprehensive high-tech security solutions.

• They often use outdated and unsupported software.

• Heads of small offices/home offices often don’t have IT education, don’t have time for cybersecurity awareness trainings, and lack finances to hire IT staff.

What threats are out there?

The complexity and scale of these threats are global, but let’s take Australian farmers as an example. In the first half of 2022, farmers fell victim to a series of cyberattacks with an accumulated loss of AUD 1.2 million (USD 792,026).

Some of those farmers fell victim to fake livestock sellers on Facebook or phishing websites pretending to sell machinery, while in reality farmers were sending money for nothing.

Here are some of the most common attacks threatening small offices and home offices:

  • (Banking) Data breaches – Losing sensitive data, especially banking and payment information, is the most feared cyberattack among small offices/home offices participating in an ESET internal survey. This can often happen due to phishing or an account breach.     
  • Compromised personal devices – Attackers can abuse employees’ personal devices to compromise business systems. According to the Samsung 2023 survey, 48% of organizations with a Bring Your Own Device (BYOD) policy witnessed malware introduced through an employee’s personal phone.
  • Physical theft – Almost 60% of small offices/home offices participating in an ESET internal survey expressed concerns about lost devices and data. Over 2 million laptops are reported stolen each year in the U.S., with the associated data losses estimated at over $7 billion.

Setting up defenses

Such a long list of threats can be a headache considering how much should be done to protect your business: backing up your data, protecting servers, having a good password policy ideally combined with MFA, installing endpoint protection on all your devices, an anti-theft solution, and taking cybersecurity awareness training to identify common red flags for prevalent scams.

However, alongside their normal duties and responsibilities, it is quite understandable that small offices/home offices don’t find time to worry about cyberattacks. And trying to deal with all these threats by setting up a VPN, password manager, firewall, mobile security solution, data encryption, and banking protection in a piecemeal fashion is unsustainable.

Some of those businesses openly admit this: “We’re a small company. The biggest issue is trying to survive on a week-by-week basis. We can’t afford to allocate sums to cybersecurity. I’ll spend it as and when I have it, or when I need to,” said a participating managing director surveyed by the UK Department for Science, Innovation & Technology in 2023.

But there is a better way. Digital security doesn’t have to mean a long and complicated shopping list composed of individual cyber defenses. You can get one affordable subscription that covers them all.

ESET Small Business Security presents an all-in-one solution coming with ESET HOME as the complete security management platform and support that won a 2023 SC Award for delivering best-in-class customer support and services.

ESET Small Business Security offers:

  • Reliable, easy-to-use security, with a minimum system footprint
  • Multi-OS protection including Windows, Android, macOS and Windows Server
  • Safe Banking
  • Safe Browsing
  • Password Manager
  • VPN
  • Ransomware Shield
  • Anti-Theft
  • Botnet Protection
  • Network Inspector
  • Safe Server – The protection of company and customer data stored on a file server running on Windows Server operating system; it also automatically scans all inserted USB flash drives, memory cards, and CDs/DVDs
  • Support for 5 to 25 devices

Let someone else put in the effort

Considering the previously mentioned surveys, it is safe to say that globally, millions of small offices/home offices fall victim to cybercrime every year. And it looks like some of those people just accept their fate. The truth is that when businesses put effort into cybersecurity, it is rarely ever appreciated. However, when something goes wrong, that failure is always criticized.

However, there is a way to mitigate those cyber risks without spending too much time and money. ESET can put in the effort instead of you with its reliable and multilayered functionalities all packed in one solution. Simple, isn’t it?

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

24.3.5 Voyager released

Changes compared to 24.3.4

Enhancements

  • Added retrying for intermittent errors that occur when restoring data to UNC paths

Bug Fixes

  • Fixed sorting of logs on the Server Logs page on the Comet Server web interface
  • Fixed an issue which caused the user detail page to fail to load for usernames with certain lengths in the Comet Server web interface
  • Fixed an issue where the Comet Server web interface failed to remember column selections for usernames containing an @ symbol
  • Fixed an issue with missing hints for valid usernames in the Comet Server web interface
  • Fixed a cosmetic issue with missing or misplaced loading animations in the Comet Server web interface
  • Fixed an issue with remote-controlled restores from the Comet Server web interface being unable to write to user home directories
  • Fixed an issue with backup job progress bars being left below 100% after the job completed
  • Fixed an issue with searching for items in Office 365 backup snapshots
  • Fixed an issue with unusable content when attempting to restore EFS-encrypted files to an archive
  • Fixed an issue with failing to restore directory timestamps
  • Fixed a cosmetic issue with EFS-encrypted files appearing as directories in the Comet Server web interface

About Comet
We are a team of dedicated professionals committed to developing reliable and secure backup solutions for MSPs, Businesses and IT professionals. With over 10 years of experience in the industry, we understand the importance of having a reliable backup solution in place to protect your valuable data. That’s why we’ve developed a comprehensive suite of backup solutions that are easy to use, scalable and highly secure.

Remote virtual machine access using port forwarding and SSH private/public keys

Virtualization technology allows us to create multiple virtual machines (VMs) on the same physical machine.

A virtual machine operates like a software program running on a computer, simulating the behavior of an independent machine.

In essence, it establishes a computer within another computer.

When operating within a window on the host computer, a virtual machine offers users an experience that’s nearly identical to using a separate computer.

For many software developers, using a virtual machine is preferable for easy cross-platform compatibility purposes; they also offer greater security, flexibility, and scalability.

When setting up your virtual machine, you can access its graphic user interface (GUI) to interact with the virtual machine separately from the other machine(s) or operating systems on your physical computer.

However, relying solely on the GUI may not always be practical if you’re a software developer, especially if you need to access a VM remotely.

In such cases, you should use the Secure Shell protocol (SSH) to execute remote logins or commands securely over an unsecured network.

Parallels Desktop enables remote access to virtual machines with SSH and port forwarding.

By default, Parallels Desktop operates in shared network mode, which works “out of the box” and does not require any specific configuration.

Parallels Desktop will work as a virtual router for your virtual machines when you use this networking mode. However, it also means that the VMs cannot be accessed from external computers.

The port forwarding (also known as port mapping) functionality allows computers on your local network and the Internet to connect to any virtual machines that use the shared networking mode.

According to the port-forwarding rule, the connection to a specific port on your Mac will be redirected to a specific port of your virtual machine.

To gain remote access to a VM via port forwarding, you must first configure Parallels Desktop to accept the connection using a port forwarding rule.

This is achieved by following the process outlined below.

Establishing port forwarding rules

Note: Port forwarding is only available in Parallels Desktop for Mac Pro and Parallels Desktop Business Edition.

1. Open the Parallels Desktop Command Center

2. Select the VM you want to access remotely 

Then, click the Configure button.

3. Once the Configuration window opens, select the Hardware tab

Then the Network option on the left side, then click “Advanced.”

4. Click on the “Open Networking Preferences” button

5. Click the Add (+) button below the Port forwarding rules list

6. In the displayed window, perform the following actions

  • In the Protocol field, specify the port type you want to establish network connections. You can choose between the TCP or UDP port types.
  • In the Source Port field, type the incoming port number on your Mac.
  • In the Forward to section, indicate the name or IP address of the virtual machine you want to connect to.
  • In the Destination Port field, type the port on the virtual machine to which the data will be transferred.

7. Click OK to add the rule

Checking port forwarding

To check that the rule works properly, enable, e.g., SSH on your virtual machine (some Linux distributions have it enabled by default).

As an example for SSH, use the following rule:

Protocol: TCP
Source Port: Choose a different port number between 1024 and 49151 for each VM
Forward to: Choose your virtual machine
Destination Port: 22

To make sure that port forwarding from your Mac to a virtual machine is working, use one of the following scenarios (in these examples, port 8081 is redirected to a Linux VM, and port 8888 to a Windows VM):

Scenario 1: connect from the same Mac

In Terminal, type in the following command and press Enter:

ssh -l <your_VM_username> -p <source_port> 127.0.0.1

Enter the password for the user in the virtual machine and press Enter.

Scenario 2: connect from another Mac or PC in the same network

In Terminal (on Mac) or PowerShell (on Windows), type in the following command and press Enter:

ssh -l <your_VM_username> -p <source_port> <host_machine_IP_address>

Enter the password for the user in the virtual machine and press Enter.

To check that you logged into the virtual machine, execute the following command in Terminal:

uname -a

If you successfully log into the virtual machine, you will see a Linux kernel version.

The same method can also be used to set up an SSH port forward for a Windows machine by adding that to the port forwarding list:

You can run a “systeminfo” command to verify the system you are on.

Using SSH key pairs

Now that we have the systems tested and working using password authentication, we can make them more secure.

SSH public/private keypairs offer a more secure, convenient, and scalable authentication mechanism than traditional password-based methods.

By leveraging SSH keypairs, organizations can strengthen their security posture and ensure secure remote access to their systems, eliminating the need to transmit passwords over the network.

With keypairs, the private key remains securely stored on the user’s computer.

In contrast, the public key is stored on the server, significantly reducing the risk of interception by malicious actors.

Because the keypairs are generated using strong cryptographic algorithms, they are much longer than passwords, making them highly resistant to brute force attacks.

Once SSH keypairs are set up, users can seamlessly log in to SSH-enabled systems without entering a password, adding convenience for automated processes and scripts.

Generating SSH public/private keys

The SSH key pair consists of two cryptographic keys: public and private keys.

These keys are mathematically related but are designed so that it is computationally infeasible to derive the private key from the public key.

The public key is shared securely with the server or system you want to access.

It can be freely distributed and stored on several servers or systems and is provided when you attempt to connect to a server.

The private key is kept securely on your local computer or device. It should never be shared with anyone else.

This key is used to decrypt messages encrypted with the corresponding public key, and when you attempt to connect to a server, your local SSH client uses your private key to prove your identity.

When you attempt to connect to a server using SSH, the server sends a message encrypted with your public key.

Your SSH client decrypts this message using your private key and sends back a response.

If the server can successfully decrypt your response using your public key, it knows you possess the corresponding private key, allowing you to access the system.

SSH keypairs are typically generated using cryptographic algorithms such as RSA or DSA.

Your local SSH client software can generate these keys for you. The keys are often stored in files (e.g., “id_rsa” for the private key and “id_rsa.pub” for the public key) in a hidden .ssh directory in your user’s home directory.

Creating SSH keypairs

To explain how to generate and use the SSH keypairs, I have three systems: a Mac, which is my local machine; an Ubuntu VM, which will be the remote machine; and a Mac VM, which will use the port forwarding rules.

Each system has a different theme for the terminal windows to make it easier to follow.

First, I will check my local machine to ensure no local keys exist, using the command:

ls ~/.ssh/id_*

As no matches were found, no keys were present on our local machine. If they are present, you should back them up in case they are accidentally removed or lost.

Next, we can generate our SSH key on the local machine.

To do this, type in the command:

ssh-keygen

The command replies that it is generating a public/private keypair using rsa as the default encryption.

If you wish to use a different algorithm you can use the -t flag to select from the following alternatives: dsa, ecdsa, ecdsa-sk, ed25519, ed25519-sk.

I will also add a comment using the -C flag so that I can quickly identify what the key is for.

My command line would look like this:

ssh-keygen -C "Test for SSH Keys on Mac & Ubuntu"

By default, the file is saved in my user directory in the .ssh folder, so I hit enter to accept that.

I also hit enter for the passphrase question, which adds an extra layer of security but also means I would have to enter it each time I connect. I am trying to avoid that in this example.

Retrieving the public key

If we rerun the ls command, we can see two files in the .ssh directory: the private and public keys.

Move into the .ssh directory, open the contents of the public file, and copy them so that we can add them to the remote machine in a file called authorized_keys.

cd .ssh 

ls -la 

cat id_rsa.pub

Adding the public key to the remote machine

To enable SSH access to a remote machine, you must upload the public key from your SSH key pair onto the remote server. This allows the remote machine to decrypt connections initiated by your local computer, which uses its corresponding private key for encryption.

On the remote machine, go to your home directory and check if the .ssh subdirectory exists:

cd ~
ls -al ~

If it does exist, cd into that directory. If it doesn’t, create the subdirectory, go into it, and check whether the authorized_keys file exists:

mkdir .ssh
cd .ssh
ls -al

If the authorized_keys file does not exist, create one using the following command:

touch authorized_keys

Then edit the file using your editor of choice to add the public key copied from the local machine.

If you already have an authorized_keys file in the directory with content, add your new key on a new line and save the file.
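The manual steps above, collected into one function as an added example (not from the original article): it creates ~/.ssh with owner-only permissions, rejects anything that is not a single public-key line, and appends the key only if it is not already there. The function names and the sample key are assumptions made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Function names and the
# sample key are hypothetical, chosen for this illustration only.

# Constructed sample: an ed25519-shaped blob with an all-zero key, not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA demo@constructed'

# is_pubkey_line LINE
# Succeeds only if LINE is one "<type> <base64> [comment]" public-key entry.
is_pubkey_line() {
    line=$1
    case $line in
        *'
'*) return 1 ;;                  # more than one line (e.g. a whole key file)
        *'PRIVATE KEY'*) return 1 ;;  # private-key material must never land here
        *' '*) ;;                     # needs at least "<type> <blob>"
        *) return 1 ;;
    esac
    ktype=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;                # ssh-dss (DSA) is left out on purpose:
                                      # OpenSSH has disabled it by default since 7.0
    esac
    case $blob in
        AAAA*) ;;                     # blobs begin with a 4-byte length whose
        *) return 1 ;;                # leading zero bytes encode as "AAAA"
    esac
    case $blob in
        *[!A-Za-z0-9+/=]*) return 1 ;;  # base64 alphabet only
    esac
    return 0
}

# install_pubkey KEYLINE [HOME_DIR]
# Prints "added" or "already present"; returns 2 when the input is rejected.
install_pubkey() {
    key=$1
    home=${2:-$HOME}
    ssh_dir=$home/.ssh
    auth=$ssh_dir/authorized_keys

    if ! is_pubkey_line "$key"; then
        echo "refusing: not a single public key line" >&2
        return 2
    fi

    # Create missing pieces owner-only, then tighten anything that already
    # existed: sshd (StrictModes, on by default) ignores authorized_keys when
    # the file or ~/.ssh is group- or world-writable.
    ( umask 077 && mkdir -p "$ssh_dir" && : >> "$auth" ) || return 1
    chmod 700 "$ssh_dir" || return 1
    chmod 600 "$auth" || return 1

    # Compare on "<type> <blob>" so a changed comment does not add a duplicate.
    rest=${key#* }
    id="${key%% *} ${rest%% *}"
    if grep -qF -- "$id" "$auth"; then
        echo "already present"
        return 0
    fi

    # Keep one key per line even if the file lacks a final newline.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        printf '\n' >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "added"
}

# Demo in a throwaway directory; the second call must not duplicate the key.
demo_home=$(mktemp -d)
install_pubkey "$SAMPLE_KEY" "$demo_home"
install_pubkey "$SAMPLE_KEY" "$demo_home"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

On the remote machine, pass the copied public-key line as one quoted argument; the second argument exists only so the function can be exercised against a scratch directory.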

Putting it all together

Now that our private and public keys are created, we need to check that they work.

Check the IP address of your virtual machine in the Parallels Devices -> Networking tab.

Now ssh into that system from your local host that has the private key installed on it:

ssh <user>@<ip address>

And as you can see, we are logged in without providing a password.

As we have set up port forwarding on our local host, we should also be able to access the Ubuntu VM from a different system by going through the host machine and using the port that was assigned at the beginning of this article, which is port 8081 on the Mac system.

If I go to my Mac VM running on the same host, I can copy a key to the Ubuntu box, but this time, instead of cut/paste, I will use the ssh-copy-id command to add to my authorized_keys file on the Ubuntu system, but using port 8081 of my host system:

ssh-copy-id -p <port> <user>@<ip address>

We can check the key was correctly added by going back to the Ubuntu VM, and checking the authorized_keys file:

 

The text highlighted in red is the new key from the Mac on the VM. If we return to that VM, we can execute the ssh command displayed at the end of the ssh-copy-id command message to access the Ubuntu VM system from my Mac’s VM system via my host Mac:

And as you can see from the command prompt at the end, I am back on the Ubuntu System.

Ready to try it yourself? Sign up now for a free 14-day trial to see how easy it is to implement port forwarding and secure key pairs using Parallels Desktop Pro. 

About Parallels 
Parallels® is a global leader in cross-platform solutions, enabling businesses and individuals to access and use the applications and files they need on any device or operating system. Parallels helps customers leverage the best technology available, whether it’s Windows, Linux, macOS, iOS, Android or the cloud.

Conquer new worlds in Age of Empires on your Mac

In a world where strategy is paramount and maintaining your dominion requires both strength and wisdom, the Age of Empires games have long captivated players with their immersive universe of historical grandeur and warfare.

This iconic series invites players to traverse time by commanding powerful civilizations through the ages, from the humble beginnings of the Stone Age to the formidable heights of the Imperial Age.

Through meticulous management of resources, strategic planning, and diplomatic finesse, players shape the destinies of empires, leading their chosen people to glory or ruin.

For loyal Mac users, the dream of commanding mighty civilizations once seemed a distant fantasy, hindered by the lack of availability for Mac and Windows exclusivity.

It’s no longer an epic battle to play Age of Empires games on your Mac, especially the popular Age of Empires II: Definitive Edition. This could be the pinnacle of the Age of Empires universe — at least according to fans of the beloved series.

With Parallels Desktop, players can weave together the olden times and the modern era on their hardware of choice.

Discover how you can step into epic tales of the past, equipped with your trusty Mac.

If you’re ready to embark on this legendary journey through the Age of Empires, let the gaming capabilities of Parallels Desktop Pro lead the way.

How to play Age of Empires on a Mac

It’s time to take command of your realm in the Age of Empires. Here’s how to get started conquering new realms in Age of Empires II with Parallels Desktop:

1. Install Parallels Desktop

If you don’t already have it, download and install the latest version of Parallels Desktop. The Pro or Business edition is recommended for the best gaming performance.

2. Create a Windows 11 Virtual Machine

Open Parallels Desktop and set up the Windows 11* virtual machine using prompts on the screen.

3. Adjust virtual machine settings on Pro or Business Edition

Access the Parallels Desktop Control Center and navigate to the “Hardware” section.

If you are using Parallels Desktop Professional or Business editions, you can adjust the virtual machine settings by allocating an adequate amount of RAM, CPU, and GPU resources to ensure a seamless gaming experience.

You can accomplish this by enabling the Gaming Profile.

When the Gaming Profile is enabled, Parallels Desktop provides more RAM and CPU to Windows, enters full-screen view for greater immersion, and toggles the mouse mode for better compatibility with games.

To enable the Gaming Profile:

1. Shut down Windows via the Start menu and open its configuration

2. Click “Change” and select “Games only”. 

*Note that you’ll need to purchase a Windows license if you don’t already have one.

Can I run Age of Empires II: Definitive Edition on Mac?

Age of Empires II: Definitive Edition is primarily designed for Windows but can be run on Mac using virtualization software like Parallels Desktop.

As a Mac user, you can experience the excitement of building empires and leading armies in this legendary game if your Mac meets the minimum requirements:

Requirement: Minimal
OS: Windows 10
Processor: Intel Core 2 Duo or AMD Athlon 64 X2 5600+
Graphics: NVIDIA® GeForce® GT 420 or ATI™ Radeon™ HD 6850 or Intel® HD Graphics 4000 or better with 2 GB VRAM
DirectX: Version 11
Network: Broadband Internet Connection
Storage: 15 GB available space
Memory: 4 GB RAM

Does Age of Empires work on an M-series Mac?

Yes, you can transform your Mac into a formidable stronghold for playing Age of Empires on an M1, M2, or M3 chip Mac.

This video guide covers everything from setting up your virtual machine to improving its performance, getting you ready to play Age of Empires II: Definitive Edition as if you were playing on a Windows machine.

What versions of Age of Empires work on Mac?

The Age of Empires franchise has journeyed through time, with nine games released since 1997. Each chapter adds new lands to conquer, civilizations to develop, and challenges to overcome. As the series progresses, it brings more sophisticated gameplay, diverse cultures, and deeper historical narratives.

The Age of Empires universe encompasses:

  • Age of Empires (1997)
  • Age of Empires: The Rise of Rome (Expansion – 1998)
  • Age of Empires II: The Age of Kings (1999)
  • Age of Empires II: The Conquerors (Expansion – 2000)
  • Age of Mythology (2002)
  • Age of Mythology: The Titans (Expansion – 2003)
  • Age of Empires III (2005)
  • Age of Empires III: The WarChiefs (Expansion – 2006)
  • Age of Empires III: The Asian Dynasties (Expansion – 2007)
  • Age of Empires: Definitive Edition (2018)
  • Age of Empires II: Definitive Edition (2019)
  • Age of Empires III: Definitive Edition (2020)

With the release of Age of Empires IV in October 2021, the series achieved new heights, offering advanced graphics, refined mechanics, and an even broader historical scope.

The good news? You can play any of the Age of Empires games that are available on Windows on your Mac, provided your Mac meets the minimum game requirements.

Playing Age of Empires on Mac

The barriers that once prevented Mac users from partaking in the grand sagas of Age of Empires have been dismantled — if you use Parallels Desktop.

Embrace the challenge of strategy, conquer distant civilizations, and relive pivotal moments of history, all from the sleek platform of your Mac.

Whether you’re strategizing the construction of your empire from the ground up, leading your armies into battle, or negotiating peace treaties, Parallels Desktop + Age of Empires provides an immersive gaming experience.

Ready to start your conquest and claim your place in history?

If your heart is set on this legendary odyssey, Parallels Desktop is the gateway to this epic voyage through time. 

How encryption evolved to protect us from ISPs

Why ISPs monitor our traffic

ISPs are usually large telecommunications companies that manage the networks – digital subscriber line (DSL), cable, fiber optic, satellite, etc. – that facilitate ‘the information superhighway’ of internet traffic. ISPs also distribute modems and routers (usually an all-in-one box) that enable us to use the internet on multiple devices at home or elsewhere. It is through this infrastructure that ISP monitoring takes place.

It’s important to note that there are a few legitimate reasons as to why an ISP might monitor our traffic. Here are a few examples:

  • Service quality – ISPs allocate bandwidth to optimize service based on use. For example, streaming and online gaming require high speed, uninterrupted connections, so they’re given a higher priority. Simpler web activities like browsing or sending emails, which aren’t as sensitive to minor hiccups or delays, are given a lower priority.

  • Security – ISPs monitor traffic for signs of malicious activities like malware distribution, phishing attacks, and DDoS (Distributed Denial of Service) attacks. They do this primarily to keep their user base secure and intact, but can also market security upgrades and products.

  • Customer support – With a clear overview of user home networks, devices, and traffic patterns, ISP customer support can solve issues faster – and cheaper. They can often remotely access ISP-provided routers as well.

  • Regulation – ISPs can be legally obliged to pass user data to law enforcement in certain cases and are required to monitor traffic for illegal activity.

  • Targeted advertising – You stream movies? Oh, you need a 4K TV! ISPs build user profiles based on web activity, then upsell products to you or pass your profile to data brokers for targeted advertising.

There are cases when ISPs sell your data. A 2021 Federal Trade Commission report found that, in the US: “Even though several ISPs promise not to sell consumer personal data, they allow it to be used, transferred, and monetized by others, and hide disclosures about such practices in the fine print of their privacy policies.”

How ISPs monetize our data. Source: Federal Trade Commission


What stops ISPs from collecting your data?

1. Regulatory requirements

  • The EU’s GDPR tightly controls how ISPs collect, store, and process personal data, which generally ensures a higher level of privacy for users.

  • The US is lacking in this area, with no broad federal legislation in place, resulting in a state-by-state patchwork of privacy laws.

  • Australia, Brazil, Canada, the EFTA countries, Japan, South Korea, and Switzerland have all enacted data protection regulations.

2. Encryption

In the old days (the wild ‘90s), there was none – ISPs could see everything. Except for some e-commerce and banking services, encryption was almost non-existent. Then in 1995, Taher Elgamal of Netscape developed Secure Sockets Layer (SSL) to secure transactions. This innovation started us down the long and winding road of encryption protocols and their eventual wide-scale adoption.

A brief history of SSL to TLS

Secure Sockets Layer (SSL) was developed by Netscape, the pioneering web browser developer, as a protocol to secure transactions. SSL 2.0 was the first version released to the public in 1995. SSL 3.0, which fixed many of the vulnerabilities found in SSL 2.0, came in 1996. The groundwork was laid for future internet security protocols.

Transport Layer Security (TLS) was introduced in 1999 as TLS 1.0 by the Internet Engineering Task Force. Since then, TLS has been the internet’s security standard, undergoing multiple updates and improvements. TLS 1.2, released in 2008, added support for stronger encryption algorithms and was widely adopted for its enhanced security features.

TLS 1.3 arrived in 2018. With a simplified “handshake” process, fewer interactions were needed between client and server to authenticate one another and establish a secure connection. Boasting faster and more robust cryptographic algorithms, TLS 1.3 was a big step forward in speed, security, and privacy.

As of February 2024, 99.9% of the 150,000 most popular websites support TLS 1.2. 67.8% support TLS 1.3, and that number is growing every day.

Timeline of SSL to current day.

SNI: Scaling up the internet

Server Name Indication (SNI), an extension to TLS introduced in 2003, massively scaled up the internet’s hosting capacity. By specifying the target hostname during the “Client Hello” message (the first step in the TLS handshake), multiple HTTPS websites or services could now share a single IP address. With IPv4 addresses running out at the time (total exhaustion occurred in 2011), this was essential to keeping the internet up and running.

SNI was integrated with the QUIC protocol in 2021, boosting performance and security further. But a problem remained. SNI is unencrypted and exposes the hostname (website) that the client is trying to connect to. This issue was highlighted when certain governments including South Korea’s began using SNI filtering as a more precise means of censorship and surveillance. SNI’s purpose had been abused by ISPs and governments to collect data.

ESNI, ECH: Final piece of the security puzzle – or not?

So along came Encrypted Server Name Indication (ESNI). Introduced in 2018, it aimed to do exactly what it says on the tin: encrypting SNI. But it would only serve as a stopgap. Cloudflare, the web services company who helped develop the standard, said: “While ESNI took a significant step forward, it falls short of our goal of achieving full handshake encryption. Apart from being incomplete — it only protects SNI — it is vulnerable to a handful of sophisticated attacks.”

Next in line was Encrypted Client Hello (ECH), with the more ambitious goal of encrypting the entire Client Hello message. Cloudflare rolled out ECH as a TLS 1.3-exclusive extension in September 2023, but disabled it the following month to address “a number of issues”. A re-release is planned for 2024.

However, even with ECH in place, privacy concerns won’t fully go away. ECH doesn’t fully circumvent traffic analysis or ‘sniffing’ techniques that can reveal metadata like connection times, duration, packet sizes, and more – enough to start a basic user profile for tracking. And users’ IP addresses are still always exposed when online. The Internet Protocol routes online traffic, and the client-server model for data transmission wouldn’t work without visible IP addresses.

DNS: Falling short in privacy

Closely related to the IP routing system is the Domain Name System (DNS), known as ‘the internet’s phone book.’ DNS maps domain names to IP addresses. When you type a domain name like www.example.com into your browser search bar, the browser has to find out the domain’s corresponding IP address in order to request the domain’s content for you. To do this, your computer first sends a request to a DNS server, which returns the domain’s IP address (e.g. 142.250.105.100). Without this system, your browser wouldn’t know where to go.

The problem is, ISPs often run their own DNS servers to take a peek as these requests are filled. ISP-provided routers come preconfigured to direct your DNS queries to their proprietary servers. And if ISPs control a DNS server, they can effectively block the use of Encrypted Client Hello by not including ECH configurations in the HTTPS resource records returned to clients.
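One way to check for the ECH stripping described above, as an added example that is not part of the original article: parse the RDATA of an HTTPS resource record and compare the answer from a resolver you trust with the one your default resolver returns. The sample records are constructed, the ECH bytes are a placeholder, and the function names are assumptions.

```python
import struct

SVC_PARAM_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                   4: "ipv4hint", 5: "ech", 6: "ipv6hint"}   # SvcParamKeys from RFC 9460

def parse_https_rdata(rdata: bytes):
    """Parse HTTPS/SVCB RDATA into (priority, target, {param_name: raw_value})."""
    (priority,) = struct.unpack_from("!H", rdata, 0)
    pos, labels = 2, []
    while True:                                   # uncompressed wire-format target name
        n = rdata[pos]
        pos += 1
        if n == 0:
            break
        labels.append(rdata[pos:pos + n].decode("ascii"))
        pos += n
    params = {}
    while pos < len(rdata):                       # SvcParams: key, length, value
        key, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("truncated SvcParam")
        params[SVC_PARAM_NAMES.get(key, f"key{key}")] = rdata[pos:pos + length]
        pos += length
    return priority, ".".join(labels) or ".", params

def ech_status(trusted_rdata: bytes, local_rdata: bytes) -> str:
    """Compare a trusted resolver's HTTPS answer with the default resolver's answer."""
    trusted = "ech" in parse_https_rdata(trusted_rdata)[2]
    local = "ech" in parse_https_rdata(local_rdata)[2]
    if trusted and not local:
        return "ech-missing-locally"              # clients on this resolver cannot use ECH
    return "ech-offered" if local else "ech-not-published"

# Constructed sample RDATA (not real records): priority 1, target ".", alpn=h2,h3
ALPN = struct.pack("!HH", 1, 6) + b"\x02h2\x02h3"
FAKE_ECH = b"\x00\x04\xfe\x0d\x00\x00"           # placeholder, not a valid ECHConfigList
WITH_ECH = b"\x00\x01\x00" + ALPN + struct.pack("!HH", 5, len(FAKE_ECH)) + FAKE_ECH
WITHOUT_ECH = b"\x00\x01\x00" + ALPN

if __name__ == "__main__":
    print(ech_status(WITH_ECH, WITHOUT_ECH))
```

A missing `ech` parameter on its own is not proof of tampering: caches and per-region answers can differ, so repeat the comparison before drawing a conclusion.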

Protocols like DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), which encrypt DNS requests, offer solutions to this issue. Not to be outdone, ISPs started operating their own DoH services, controlling DNS settings, and limiting configuration changes. Some providers even argued that DoH is not in the consumer’s interest. Remember: if the ISP runs the DoH service, they can see your online activities.

Even without using DNS or connecting to the wider internet, ISP-managed routers can collect information about the devices connected to them. They can track the unique Media Access Control (MAC) address of each device. MAC addresses allow devices to communicate on a local network segment, with the data being openly visible to anyone on the same network. ISPs use software on their routers to capture, fingerprint, and identify devices and their MAC addresses.

What can we do while we wait for ‘total’ encryption?

There are a few things you can take care of.

1. Be aware if you use an ISP-managed router

Did it arrive at your door, perhaps with a technician ready to install it, after you signed up? Then it’s managed by the ISP, or at least set to their favored default configurations. Log in to the router, change the default password, and make sure you’re using at least WPA2 encryption. Keep in mind that if you’re using Wi-Fi calling (WhatsApp, FaceTime, etc.), your speech travels through these devices – another reason to fortify your network security.

2. Use a trustworthy DNS server

Look for public, privacy-focused DNS servers. For example, Cloudflare DNS (1.1.1.1) doesn’t log DNS traffic, doesn’t save your IP address, and doesn’t sell user data to advertisers.

3. Use a VPN

Virtual private networks (VPNs) can protect your online activity by encrypting traffic going from your device to a VPN server. This server then handles your internet requests, shielding them from ISP surveillance. This protection extends to DNS queries if you use the VPN’s DNS server. Of course, using a VPN transfers your trust from the ISP to the VPN provider. That’s why no-logs VPNs are among the best ways of keeping yourself safe and secure online today.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.


About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.
