DNS over HTTPS – What You Need to Know about Content Filtering

In September, Mozilla announced its plans to implement the DNS-over-HTTPS (DoH) protocol by default in the Firefox browser. Subsequently, Google announced its intention to do the same for the Chrome browser. Firefox has already started to gradually shift to DOH. Chrome is expected to start shifting some traffic by the end of the year.

What is DoH?

DNS stands for Domain Name System; it’s the system for matching the domain names to IP addresses, this obviously makes it easier for us to browse the internet by name rather than having to remember IP addresses. Until now, all of that has happened via an unencrypted DNS connection. As the name DNS over HTTPs implies, DoH takes DNS and shifts it to a secure, encrypted HTTPs connection.

What is http/https?

http is a system used where a browser make a GET request to a server, then server then sends a response, typically a file containing HTML. Of course, the browser usually does not have a direct connection to the server so this request with have to pass through multiple hands before it gets to the server, the response is dealt with in the same way.

The problem with this is that anyone along the path can open the request or response and read it. There is no way of knowing what path this traffic will take so it could end up in the hands of people who do harmful things such as sharing the data or even changing it.

HTTPS fix this poor state of affairs, with https – each request/response has a lock on it. Only thye browser and the server know the combination of that lock meaning only the browser and the server can read the contents of this data.

This solves a lot of security issues, but there are still some communications happening between the browser and server that were not encrypted, this means people could pry on what you are doing. One of the places were this type of communication was exposed is in DNS. In steps DoH which works on the same idea described above to prevent tampering and eaves-dropping.

By using HTTPS to exchange the DNS packets, we ensure that no one can spy on the DNS requests that our users are making.

Mozilla and Google are making these changes to bring the security and privacy benefits of HTTPS to DNS traffic. All those warnings about the security risks of public WiFi? With DoH, you’re protected against other WiFi users seeing what websites you visit because your activity would be encrypted. DoH can also add protection against spoofing and pharming attacks and can prevent your network service providers from seeing your web activity.

Privacy vs. content filtering: a conundrum

So far, so good – we have underlined the possible privacy benefits of DoH but could there be a problem on the horizon for schools and organisations that use DNS based content filtering?

DNS-based content filtering is so prevalent that almost every parental control device (whether its installed on your network or via some type of web service) uses it. If DNS queries are now encrypted before passing through these products, they could see cease to work.

This could see broader DoH adoption by web browser disrupting existing content filtering implementations.

DNS-based filtering still possible

Since the DNS queries are only encrypted when they go beyond the router, DNS-based threat intelligence and parental control functionality can still work. For example, if someone accidentally stumbles on an adult website, the router will intercept his DNS queries and show him your custom message instead. It’ll also encrypt the rest of his innocuous queries so that people outside of your network won’t be able to exploit his browsing history.

Next steps?

You need to confirm that your existing content filtering will work when browsers start support DoH by default.

 

Security Awareness

Should You Be Offering Security Awareness Training?

Nearly half of all office workers have had their data compromised at some point. And as if that wasn’t scary enough, the numbers only get more concerning from there. Following an incident, a whopping 35% of office workers don’t change their passwords—a measure that can go a long way to preventing future information theft. And while at work, 49% of respondents admit to clicking links that were sent to them by unknown senders – so should your service provider be offering security awareness training?

In this age of heightened awareness around cybersecurity, most employees have some appreciation for the risks this kind of behavior opens their companies up to. But data thieves and scammers can be incredibly cunning and deceptive—preying on workers’ information deficits and busy schedules to sneak in under the radar.

Employees and businesses need to master the basics of good cyber hygiene to keep sensitive data safe. Educating employees in the difference between a safe link and link that’s part of a phishing scam can spare companies the time, money, and PR headache of being compromised.

Since every employee has a different level of knowledge and awareness when it comes to cybersecurity best practices, training can be an essential tool to bring everyone up to an acceptable baseline. And this isn’t just true for large organizations anymore. Nearly half of all cyberattacks today are targeted at small- and medium-sized businesses (SMBs)—and 60% of those targeted go out of business within six months of the attack. As a result, SMBs are increasingly looking for security awareness training programs to keep their employees, and their information, as safe as possible.

This presents an opportunity for MSPs to deliver even more value to their clients—and become trusted advisors in the process. And to help you make the most of this opportunity, our recent webinar, Why Security Training, Why Now, and What’s in It for Me?, covers the what, why, and how of offering cybersecurity awareness training—and doing it effectively.

Here are some of the key takeaways from the webinar to help you decide whether to offer this training to your customers.

Who Benefits From Security Awareness Training?

A properly managed security training program can be beneficial to everyone involved.

Increasingly, companies’ compliance obligations mandate that they participate in these programs—and allocate budget specifically to them. With an existing budget and a real need among customers, security awareness training represents a huge opportunity for MSPs—one that can yield significant returns.

The training can also be invaluable for the customers, saving them money and headaches in the long run. Even a tiny data breach can have wide-reaching implications, so every dollar spent on training can pay off in spades. Emphasizing the long-term benefits of security training will be an essential part in upselling existing customers and showcasing the value to prospects.

To get buy-in from individual employees, it’s also useful to point out that this training can benefit them in their personal lives—helping them keep hackers out of their bank accounts and far away from their families’ private information.

What Makes a Good Security Awareness Training Program?

The value of security awareness training programs is evident, but how can you get companies to choose your program?

The most important thing any MSP can do is make sure their program is effective. A robust program will cover everything from phishing awareness to social engineering to mobile device security. That being said, it’s important to start with the basics and build up to more complex security lessons. While some employees will come in with a thorough understanding of general best practices, others may be entirely new to the subject. Never assume that something is obvious. Besides, a little refresher course never hurt anybody.

Behavioral change takes time, so it’s also important for your program to follow a pace that refreshes participants’ memory over time without overwhelming them. Consider outlining clear participation guidelines from the start to help everyone involved understand what’s expected of them. For example, you might plan two phishing simulations per month and offer three cyber awareness courses per quarter. Knowing what’s coming, the training won’t feel like a burden to employees—it will just be another part of their week.

To help ensure the training sticks, tailor it to your audience, making it department-specific when appropriate. You can also be proactive and integrate security training into existing onboarding processes so that security is prioritized from the get-go. These steps, while seemingly small, can make security training more digestible to your audience—and make their data safer as a result.

So, Should You Offer Security Awareness Training?

There has never been a greater need for security training. With cyber threats growing increasingly deceptive and dangerous, the market for efficient, high-quality training is one that’s worth tapping into. While MSPs don’t specialize in education, this situation offers the potential for you to step in and be the hero—helping your clients protect themselves from malicious threats.


This article was provided by our service partner : connectwise