Managed Service Providers

Unexpected Side Effects: How COVID-19 Affected our Click Habits

Phishing has been around for ages and continues to be one of the most common threats that businesses and home users face today. But it’s not like we haven’t all been hearing about the dangers of phishing for years. So why do people still click? That’s what we wanted...

Key Considerations When Selecting a Web Classification Vendor

Since launching our web classification service in 2006, we’ve seen tremendous interest in our threat and web classification services, along with an evolution of the types and sizes of cybersecurity vendors and service providers looking to integrate this type of...

4 Ways MSPs Can Fine-Tune Their Cybersecurity Go-To-Market Strategy

Today’s work-from-home environment has created an abundance of opportunities for offering new cybersecurity services in addition to your existing business. With cyberattacks increasing in frequency and sophistication, business owners and managers need protection now...

Ransomware: The Bread and Butter of Cybercriminals

Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have? Substitute your digital...

MSP Insight: Netstar Shares Cyber Resilience Strategies for Remote Work

Reading Time: ~ 5 min.

Guest blog by Mit Patel, Managing Director of London based IT Support company, Netstar.

In this article, Webroot sits down with Mit Patel, Managing Director of London-based MSP partner, Netstar, to discuss the topic of remote work during a pandemic and tips to stay cyber resilient.

Why is it important to be cyber resilient, specifically when working remote?

It’s always important to be cyber resilient, but a lot has changed since the start of the COVID-19 lockdown that needs to be taken into consideration.

Remote work has posed new problems for businesses when it comes to keeping data secure. Since the start of lockdown, there has been a significant increase in phishing scams, ransomware attacks and malicious activity. Scammers now have more time to innovate and are using the widespread anxiety of coronavirus to target vulnerable people and businesses.

Moreover, the sudden shift in working practices makes the pandemic a prime time for cyber-attacks. Employees can no longer lean over to ask a colleague if they are unsure about the legitimacy of an email or web page. Instead, they need to be confident in their ability to spot and avoid potential security breaches without assistance.

Remote work represents a significant change that can’t be ignored when it comes to the security of your business. Instead, businesses need to be extra vigilant and prioritise their cyber resilience.

What does cyber resilience mean to you?

It’s important to differentiate between cyber resilience and cyber security. Cyber security is a component of cyber resilience, referring to the technologies and processes designed to prevent cyber-attacks. Whereas, I believe cyber resilience goes a step further, referring to the ability to prevent, manage and respond to cyber threats. Cyber resilience recognises that breaches can and do happen, finding effective solutions that mean businesses recover quickly and maintain functionality. The main components of cyber resilience include, training, blocking, protecting, backing up and recovering. When all these components are optimised, your cyber resilience will be strong, and your business will be protected and prepared for any potential cyber threats.

Can you share some proactive methods for staying cyber resilient when working remote?

Absolutely. But it’s important to note that no solution is 100% safe and that a layered approach to IT security is necessary to maximise protection and futureproof your business.

Get the right antivirus software. Standard antivirus software often isn’t enough to fully protect against viruses. Businesses need to consider more meticulous and comprehensive methods. One of our clients, a licensed insolvency practitioner, emphasized their need for software that will ensure data is protected and cyber security is maximised. As such, we implemented Webroot SecureAnywhere AnitVirus, receiving excellent client feedback, whereby the client stressed that they can now operate safe in the knowledge that their data is secure.

Protect your network. DNS Protection is a critical layer for your cyber resilience strategy. DNS will protect you against threats such as malicious links, hacked legitimate websites, phishing attacks, CryptoLocker and other ransomware attacks. We have implemented DNS Protection for many of our clients, including an asset management company that wanted to achieve secure networks with remote working capability. In light of the current remote working situation, DNS Protection should be a key consideration for any financial business looking to enhance their cyber resilience.

Ensure that you have a strong password policy. Keeping your passwords safe is fundamental for effective cyber resilience, but it may not be as simple as you think. Start by making sure that you and your team know what constitutes a strong password. At Netstar, we recommend having a password that:

  • Is over 10 characters long
  • Contains a combination of numbers, letters and symbols
  • Is unpredictable with no identifiable words (even if numbers or symbols are substituted for letters)

You should also have different passwords for different logins, so that if your security is compromised for any reason, hackers can only access one platform. To fully optimise your password policy, you need to consider multi-factor authentication. Multi-factor authentication goes a step further than the traditional username-password login. It requires multiple forms of identification in order to access a certain email account, website, CRM etc. This will include at least two of the following:

  • Something you know (e.g. a password)
  • Something you have (e.g. an ID badge)
  • Something you are (e.g. a fingerprint)

Ensure that you have secure tools for communication. Collaboration tools, like Microsoft Teams, are essential for remote working. They allow you to communicate with individuals, within teams and company-wide via audio calls, video calls and chat.

When it comes to cyber resilience, it’s essential that your team know what is expected of them. You should utilise collaboration tools to outline clear remote working guidance to all employees. For example, we would recommend discouraging employees from using personal devices for work purposes. The antivirus software installed on these devices is unlikely to be of the same quality as the software installed on work devices, so it could put your business at risk.

Furthermore, you need to be confident that your employees can recognise and deal with potential security threats without assistance. Individuals can no longer lean across to ask a colleague if they’re unsure of the legitimacy of something. They need to be able to do this alone. Security awareness training is a great solution for this. It will teach your team about the potential breaches to look out for and how to deal with them. This will cover a range of topics including, email phishing, social media scams, remote working risks and much more. Moreover, courses are often added and updated, meaning that your staff will be up to date with the latest scams and cyber threats.

Implement an effective backup and disaster recovery strategy

Even with every preventive measure in place, things can go wrong, and preparing for disaster is crucial for effective cyber resilience.

In fact, a lot of companies that lose data because of an unexpected disaster go out of business within just two years, which is why implementing an effective backup and disaster recovery strategy is a vital layer for your cyber resilience strategy.

First, we advise storing and backing up data using an online cloud-based system. When files are stored on the cloud, they are accessible from any device at any time. This is particularly important for remote working; it means that employees can collaborate on projects and access necessary information quickly and easily. It also means that, if your device is wiped or you lose your data, you can simply log in to your cloud computing platform and access anything you might need. Thus, data can easily be restored, and you’re protected from potential data loss.

Overall, disaster recovery plans should focus on keeping irreplaceable data safe. Consider what would happen to your data in the event of a disaster. If your office burned down, would you be confident that all your data would be protected?

You should be working with an IT support partner that can devise an effective and efficient disaster recovery plan for your business. This should set out realistic expectations for recovery time and align with your insurance policy to protect any loss of income. Their goal should be to get your business back up and running as quickly as possible, and to a high standard (you don’t want an IT support partner that cuts corners). Lastly, your IT support provider should regularly test your strategy, making sure that if disaster did occur, they could quickly and effectively restore the functionality of your business.

What else should fellow MSPs keep in mind during this trying time?

In the last four years, cyber resilience has become increasingly important; there are so many more threats out there, and so much valuable information that needs protecting.

We have happy clients because their machines run quickly, they experience less IT downtime, and they rarely encounter viruses or malicious activity. We know that we need to fix customers’ problems quickly, while also ensuring that problems don’t happen in the first place. Innovation is incredibly important to us, which is why we’ve placed a real focus on proactive client advisory over the last 24 months.

That’s where a strong cyber resilience strategy comes into play. MSPs need to be able to manage day-to-day IT queries, while also focusing on how technology can help their clients grow and succeed in the future.There is plenty of advice around the nuts and bolts of IT but it’s the advisory that gives clients the most value. As such, MSPs should ensure they think like a customer and make technological suggestions that facilitate overall business success for their clients.

4 Ways MSPs Can Fine-Tune Their Cybersecurity Go-To-Market Strategy

Reading Time: ~ 4 min.

Today’s work-from-home environment has created an abundance of opportunities for offering new cybersecurity services in addition to your existing business. With cyberattacks increasing in frequency and sophistication, business owners and managers need protection now more than ever.

MSPs are ideally positioned to deliver the solutions businesses need in order to adapt to the current environment. In this post, we’ll briefly summarize four ways to fine-tune your cybersecurity GTM strategy for capitalizing on the shifting demands of today’s market.

1. Build an Offering That Aligns with Your Customer’s Level of Cyber Resilience

A cybersecurity GTM strategy is not a one-size-fits-all proposition. Each customer has unique needs. Some operate with higher levels of remote workers than others. Some may have more sensitive data than others. And some will have lower tolerances to the financial impact of a data breach than others. So, understand the current state of your customer’s ability to adequately protect against, prevent, detect and respond to modern cyberthreats, and then focus on what aspects of cybersecurity are important to them.

2.  Leverage Multi-Layered Security

Today’s businesses need a cybersecurity strategy that defends against the methods and vectors of attack employed by today’s cybercriminals. This includes highly deceptive and effective tactics like Ransomware, phishing and business email compromise (BEC). These methods require a layered approach, where each layer addresses a different vulnerability within the larger network topology:

  • Perimeter – This is the logical edge of your customer’s network where potentially malicious data may enter or exit. Endpoints (wherever they reside), network connectivity points, as well as email and web traffic all represent areas that may need to be secured.
  • User – The employee plays a role when they interact with potentially malicious content. They can either be an unwitting victim or actually play a role in stopping attacks. This makes it necessary to address the user as part of your GTM strategy.
  • Endpoint – Consider the entire range of networked devices, including corporate and personal devices, laptops, tablets and mobile phones. Every endpoint needs to be protected.
  • Identity – Ensuring the person using a credential is the credential owner is another way to keep customers secure. 
  • Privilege – Limiting elevated access to corporate resources helps reduce the threat surface.
  • Applications – These are used to access information and valuable data. So, monitoring their use by those with more sensitive access is critical.
  • Data – inevitably, it’s the data that is the target. Monitoring who accesses what provides additional visibility into whether an environment is secure.

For each layer, there’s a specific tactic or vector that can form the basis of an attack, as well as specific solutions that address vulnerabilities at that layer.

3. Determine the Right Pricing Model

Pricing can make or break a managed service. Too high and the customer is turned off. Too low and there’s not enough perceived value. Pricing is the Goldilocks of the MSP world. It needs to be just right.

Unlike most of your other services, cybersecurity is a constantly moving target, which can make pricing a challenge. After all, a predictable service offering equates to a profitable one. The unpredictability of trying to keep your customers secure can therefore impact profitability. So, it’s imperative that you get pricing correct. Your pricing model needs to address a few things:

  • It needs to be easy to understand – Like your other services, pricing should be straightforward.
  • It should demonstrate value – The customer needs to see how the service justifies the expense.
  • It needs to focus on protection – Because you have no ability to guess the scope and frequency of attacks, it’s important to keep the services centered around preventive measures.
  • Consider all your costs – Cost is always a factor for profitability. As you determine pricing, keep every cost factor in mind.

4. Rethink How You Engage Prospects

Assuming you’re going to be looking for new customers with this service offering (in addition to selling it to existing customers), it’s important to think about how to engage prospects. The days of cold outreach are long gone as 90% of buyers don’t respond to cold calls3. Instead, today’s buyer is looking to establish connections with those they believe can assist their business. Social media sites have become the primary vehicle for a number of aspects of the buyer’s journey:

Build a Cybersecurity GTM Strategy that Works

The biggest challenge with bringing a cybersecurity service to market is meeting the expectations of the prospective customer. Demonstrate value from the very first touch through social media engagement and content. Meet their unique needs with comprehensive solutions that address all their security vulnerabilities. And finally, make sure your pricing is simple, straightforward and easy to understand.

10 Ways a Commercial DNS Filtering Service Improves Your Cyber Resilience

Reading Time: ~ 3 min.

If you’ve landed on this blog, then there’s a good chance you’re already aware that DNS is undergoing a major overhaul. DNS 2.0—aka encrypted DNS, DNS over HTTPS, or DoH—is a method for encrypting DNS requests with the same HTTPS standard used by numerous websites, such as online banking, to protect your privacy when dealing with sensitive information display.

While there’s no doubt that DoH offers incredible privacy benefits, it also has the potential to be a major security risk for businesses. That’s because DoH effectively wraps DNS requests in encryption protocols, which prevent traditional DNS or web filtering security solutions from being able to filter requests to malicious, risky, or otherwise unacceptable or inappropriate websites.

Although some DNS filtering solutions are now making moves to modernize, many of them simply provide the option to either allow or block all DoH requests, rather than offering any sort of nuanced control.

“That’s really where Webroot® DNS Protection differs from the competition,” says George Anderson, product marketing director at Webroot, an OpenText company. “Ours is currently the only DNS security product that lets businesses fully leverage DoH and its privacy benefits. Our solution encrypts data using HTTPS to route DNS requests through secure Webroot resolvers to prevent eavesdropping, manipulation, or exploitation of data.”

How a Commercial DNS Filtering Service is a Game Changer

According to George, the cyber resilience benefits of using a private, commercial DNS security service that fully supports DoH are numerous. When we asked him to narrow down to his top 10, here’s what he had to say.

  1. First, it provides a very secure, reliable, multi-point of presence connection to the internet with high availability.
  2. Second, trusted DNS resolvers process ALL of your internet requests—we are talking any user, server, or application using the internet with a single, tamperproof choke point for admin and policy request controls.
  3. Third is confidentiality. It keeps your organization’s internet requests private and invisible to malicious actors, your ISP, and so-called “free” DNS resolvers—all of whom can abuse this data.
  4. It then gives your organization full visibility and log access to all of your internet traffic requests, allowing for security analysis and management through reports or ingestion via a SIM/SIEM.
  5. With Webroot, you also get transparent security policy filtering of both encrypted (DoH) and clear text (DNS) requests.
  6. Webroot BrightCloud® threat intelligence data automatically applies the latest and most accurate internet domain security in real time to every outbound request, regardless of source, meaning we stop the majority of malicious and suspicious request responses that could have led to a breach.
  7. A commercial service also provides the flexibility to manage internet access for guest/public WiFi networks, IP address ranges, user groups down to individual user, and lets you filter using a wide range of domain categories.
  8. In the context of WFH, if the user is connected to the internet via VPN or a local DNS agent on their device, then a DNS filtering solution protects them no matter where they connect.
  9. Also, from a WFH perspective, you need your DNS security service to integrate with the majority of VPNs and work easily with your other security and network technologies.
  10. Lastly, and definitely key your organization, a commercial DNS security service can offer great visibility into internet usage with scheduled executive reporting that lets you oversee internet use, assist with HR initiatives, and help ensure compliance.

As DoH continues to grow in adoption, George advises all businesses to be proactive about their cyber resilience strategies. Particularly as more work is conducted outside of more traditional office settings, it’s critical to understand and embrace the value that a flexible cloud gateway—whose protection is not confined to a physical network—can offer.

“Ultimately, in a world where many companies continue to support remote workers, businesses really can’t afford not to use a filtering solution that provides both privacy and security control.”

– George Anderson, product marketing director at Webroot, an OpenText company

Learn more about Webroot’s answer to DNS filtering or take a free trial of Webroot DNS Protection here.

Bouncing Back from the Pandemic A Step-By-Step Guide for MSPs

Reading Time: ~ 3 min.

To try to fight the isolation and uncertainty brought on by the COVID-19 outbreak, a few weeks ago we began what we’re referring to as “Office Hours” on the Webroot Community. It’s meant to be a forum where users can come together and pose their COVID/cybersecurity-related questions to some of our experts, and we try to help however we can.

The quality of questions and value of the dialogue were high right off the bat. It’s proven to be an excellent reminder of the usefulness of the Community in general. Some of the questions were even topical and popular enough to warrant a deep dive.

How can MSPs help their clients bounce back from these challenging times?” is a good example.

As the question suggests, it’s not all bad being an MSP right now. With many employees migrating to remote work, IT services are in high demand. That could explain why, according to a study by the RMM platform Datto, though about 40% of MSPs anticipate cutting revenue projections for the year, 84% still say it’s a good time to be an MSP.

There’s both opportunity and necessity in developing a plan to help small business clients stay afloat in a flagging economy. On the opportunity side, exceptional customer service can be a great way MSPs to stand out in an industry with typically tight margins. On the other hand, if an MSP’s clients’ tank, they will longer be around to need the MSPs services. So, the ability to be an IT advisor for clients’ through tough times is intimately tied to the success of the MSP themselves.

What follows are a few pieces of advice for doing that, but’s important to remember that there’s no stock solution for bouncing back as a business. Every client is unique and so are the pressures applied by the coronavirus and subsequent economic slowdown. But here are some generic tips for being your client’s go-to adviser for weathering the storm.

  1. Set-up a virtual ‘discovery’ meeting to discuss with them what their situation really is? This should be a (perhaps painfully) honest conversation about the state of the business and what obstacles stand on the way of then getting back to “business as usual.”
  2. Devise an agenda based on the services you provide today and the associated costs. Based on the client’s challenges (or strengths) what is affordable what can maybe be minimized? Has the business direction changed at all? Many SMBs may be looking to pivot considering COVID-19.
  3. Aim to be flexible (while remaining profitable) and willing to accommodate the period between their business restarting and establishing a new normal. Ask yourself if taking a slight hit in monthly income or margins is an acceptable sacrifice to make in order to help keep a potentially long-term client afloat?
  4. Next, work with a client to draw up a joint “Recovery Plan” with a timeline for scaling back up the workload and how you can specifically assist with their recovery. This may involve stressing the costliness of a data breach, downtime, and other ways your services help the clients bottom line suffering.
  5. Finally, schedule regular client account reviews (hopefully, you already have some version of these in place) to monitor technology-related pain points and assist with addressing them as reasonably as possible.

Economic recovery for small businesses will undoubtedly entail some tough decisions. But doing everything you can as an MSP to assist with that recovery by being proactive and establishing a common recovery plan will lead to a much stronger business relationship in the future. Not to mention establishing you as a trusted, reasonable business advisor for the life of the relationship. So, take advantage of the opportunity of helping your clients’ bounce back from this pandemic.

Evasive Scripts: What They Are, and What We’re Doing About Them

Reading Time: ~ 4 min.

“What’s an evasive attack? At a very basic level, it’s exactly what it sounds like; it’s a cyberattack that’s designed to hide from you,” says Grayson Milbourne, Security Intelligence Director at Webroot, an OpenText company.

Based on Grayson’s initial explanation, you can imagine that evasive tactics are pretty common throughout cybercriminal activities. But they’re especially prevalent in the context of scripts. Scripts are pieces of code that can automate processes on a computer system. They have tons of legitimate uses, but, when used maliciously, they can be extremely effective and difficult to detect or block.

With Grayson’s help, we’ll talk you through some of the common script evasion techniques that criminals use.

LolBins

Living off the Land Binaries (“LoLBins”) are applications that a Windows® system already has on it by default. Funny name aside, they’re extremely useful for attackers because they provide a way to carry out common steps of an attack without having to download anything new onto the target system. For example, criminals can use them to create persistency (i.e. enable the infection to continue operating after a reboot), spread throughout networked devices, bypass user access controls, and extracting passwords or other sensitive information.

There are dozens of LoLBins for criminals to choose from that are native to the Windows OS, such as powershell.exe, certutil.exe, regsr32.exe, and many more. Additionally, there are a variety of common third party applications that are pretty easy to exploit if present, such as java.exe, winword.exe, and excel.exe.

According to Grayson, this is one of the ways malicious hackers disguise their activities, because default OS applications are unlikely to be detected or blocked by an antimalware solution. He warns, “unless you have strong visibility into the exact commands that these processes are executing, then it can be very hard to detect malicious behavior originating from LoLBins.

Script Content Obfuscation

Like LoLBins and scripting overall, hiding the true content or behavior of a script—or content “obfuscation”—has completely legitimate purposes. But, in terms of malicious hacking, it’s pretty self-explanatory why obfuscation would lend itself to criminal activities. The whole point is not to get caught, right? So it makes sense that you’d take steps to hide bad activities to avoid detection. The screenshots below show an example of obfuscated code (top), with its de-obfuscated version (bottom).

Fileless and Evasive Execution

Using scripts, it’s actually possible to execute actions on a system without needing a file. Basically, a script can be written to allocate memory on the system, then write shellcode to that memory, then pass control to that memory. That means the malicious functions are carried out in memory, without a file, which makes detecting the origin of the infection (not to mention stopping it) extremely difficult.

Grayson explains, “one of the issues with fileless execution is that, usually, the memory gets cleared when you reboot your computer. That means a fileless infection’s execution could be stopped just be restarting the system. Persistence after a reboot is pretty top-of-mind for cybercriminals, and they’re always working on new methods to do it.”

Staying Protected

The Windows® 10 operating system now includes Microsoft’s Anti-Malware Scan Interface (AMSI) to help combat the growing use of malicious and obfuscated scripts. That means one of the first things you can do to help keep yourself safe is to ensure any Windows devices you own are on the most up-to-date OS version.

Additionally, there are several other easy steps that can help ensure an effective and resilient cybersecurity strategy.

  • Keep all applications up to date
    Check all Windows and third party apps regularly for updates (and actually run them) to decrease the risk of having outdated software that contains vulnerabilities criminals could exploit.
  • Disable macros and script interpreters
    Although enabling macros has legitimate applications, the average home or business user is unlikely to need them. If a file you’ve downloaded gives you a warning that you need to enable macros, DON’T. This is another common evasive tactic that cybercriminals use to get malware onto your system. IT admins should ensure macros and script interpreters are fully disabled to help prevent script-based attacks. You can do this relatively easily through Group Policy.
  • Remove unused 3rd party apps
    Applications such as Python and Java are often unnecessary. If present and unused, simply remove them to help close a number of potential security gaps.
  • Educate end users
    End users continue to be a business’ greatest vulnerability. Cybercriminals specifically design attacks to take advantage of their trust, naiveté, fear, and general lack of technical or security expertise. By educating end users on the risks, how to avoid them, and when and how to report them to IT personnel, businesses can drastically improve their overall security posture.
  • Use endpoint security that includes evasive script protection
    In a recent update to Webroot® Business Endpoint Protection, we released a new Evasion Shield policy. This shield leverages AMSI, as well as new, proprietary, patented detection capabilities to detect, block, and quarantine evasive script attacks, including file-based, fileless, obfuscated, and encrypted threats. It also works to prevent malicious behaviors from executing in PowerShell, JavaScript, and VBScript files, which are often used to launch evasive attacks

Malicious hackers are always looking to come up with new ways to outsmart defenses. Grayson reminds us, “It’s up to all of us in cybersecurity to research these new tactics and innovate just as quickly, to help keep today’s businesses and home users safe from tomorrow’s threats. There’s always more work to be done, and that’s a big part of what drives us here at Webroot.”


To learn more about evasive scripts and what Webroot is doing to combat them, we recommend the following resources:

We Need the Security Benefits of AI and Machine Learning Now More Than Ever

Reading Time: ~ 3 min.

As these times stress the bottom lines of businesses and SMBs alike, many are looking to cut costs wherever possible. The problem for business owners and MSPs is that cybercriminals are not reducing their budgets apace. On the contrary, the rise in COVID-related scams has been noticeable.

It’s simply no time to cut corners in terms of cybersecurity. But there is hope. Cybersecurity, traditionally suffering from a lack of qualified and experienced professionals, can be a source of savings for businesses. How? Through the automation and efficiency that artificial intelligence (AI) and machine learning can offer.

AI & ML in Today’s Cybersecurity Landscape

By way of background, Webroot has been collecting IT decision makers’ opinions on the utility of AI and machine learning for years now. Results have been…interesting. We’ve seen a steady rise in adoption not necessarily accompanied by an increase in understanding.

For instance, during a 2017 survey of IT decision makers in the United States and Japan, we discovered that approximately 74 percent of businesses were already using some form of AI or ML to protect their organizations from cyber threats. In 2018, 74 percent planned even further investments.

And by 2019, of 800 IT professional cybersecurity decisionmakers across the globe, a whopping 96 percent reported using AI/ML tools in their cybersecurity programs. But, astonishingly, nearly seven out of ten (68%) of them agreed that, although their tools claim to use AI/ML, they aren’t sure what that means.

Read the full report: “Do AI and Machine Learning Make a Difference in Cybersecurity?”

So, are these tools really essential to securing the cyber resilience of small businesses? Or are they unnecessary luxuries in an age of tightening budgets?

AI and ML in the Age of Covid-19

Do AI and ML have something unique to offer businesses—SMBs and MSPs alike—in this age of global pandemic and remote workforces?

We asked the topically relevant question to it to one of the most qualified individuals on the planet to answer it: literal rocket scientist, BrightCloud founder, and architect behind the AI/ML engine known as the Webroot Platform, Hal Lonas.

Can AI and machine learning tools help people do their jobs more effectively now that they’re so often remote?

Put directly, the Carbonite and Webroot CTO and senior VP’s response was bullish.

“AI and machine learning tools can absolutely help people do their jobs more effectively now more than ever,” said Lonas. “Security professionals are always in short supply, and now possibly unavailable or distracted with other pressing concerns. Businesses are facing unprecedented demands on their networks and people, so any automation is welcome and beneficial.”

In machine learning, a subset of AI, algorithms self-learn and improve their findings and results without being explicitly programmed to do so. This means a business deploying AI/ML is improving its threat-fighting capabilities without allocating additional resources to the task– something that should excite cash-strapped businesses navigating tough economic realities.

Our AI/ML report backs up Lonas’s assertion that these technologies make a welcome addition to most business security stacks. In fact, 94 percent of respondents in our survey reported believing that AI/ML tools make them feel more comfortable in their role.

“People who use good AI/ML tools should feel more comfortable in their role and job,” he asserts. “Automation takes care of the easy problems, giving them time to think strategically and look out for problems that only humans can solve. In fact, well-implemented tools allow security workers to train them to become smarter—in effect providing the ‘learning’ part of machine learning. Each new thing the machine learns makes more capable.”

AI/ML adopters also reported:

  • An increase in automated tasks (39%)
  • An increase in effectiveness at their job/role (38%)
  • A decrease in human error (37%).
  • Strongly agreeing that the use of AI/ML makes them feel more confident in performing their roles as cybersecurity professionals. (50%)

So despite some confusion about the role these technologies play in cybersecurity (which we think vendors could help demystify for their clients), their effects are clearly felt. And because cybercriminals are willing to adopt AI/ML for advanced attacks, they may force the hands of SMBs and MSPs if they want to keep up in the cybersecurity arms race.

Given today’s limited budgets, dispersed workforces, and increasingly sophisticated attacks, the time may never be better to empower professionals to do more with less by automating defenses and freeing them to think about big-picture cybersecurity.

Your Data, Their Devices: Accounting for Cybersecurity for Personal Computers

Reading Time: ~ 3 min.

Nestled within our chapter on malware in the 2020 Webroot Threat Report is a comparison of infection rates between business and personal devices. The finding that personal devices are about twice as likely as business devices to become infected was always significant, if not surprising.

But the advent of the novel coronavirus—a development that followed the publication of the report—has greatly increased the importance of that stat.

According to a joint study by MIT, Stanford, and the National Bureau of Economic Research (NBER), more than a third (34%) of Americans transitioned to working from home as a result of COVID-19. They join approximately 14.6% of workers already working from home to bring the total to nearly half the entire American workforce.

During remote work many employees are forced or simply able to use personal devices for business-related activities. This presents unique security concerns according to Webroot threat analyst Tyler Moffitt.

“In a business setting,” he says, “when you’re given a corporate laptop it comes pre-configured based on what the IT resource considers best practices for cybersecurity. This often includes group policies, mandatory update settings, data backup, endpoint security, a VPN, et cetera.”

Individuals, on the other hand, have much more freedom when it comes to device security. They can choose to put off updates to browser applications like Java, Adobe, and Silverlight, which often patch exploits that can push malvertising. They can opt to not install an antivirus solution or use a free version. They can ignore the importance of backing up data altogether.

These risky practices threaten small and medium-sized businesses (SMBs) both immediately and when workers gradually return to their shared office spaces as the virus abates.

As our report notes, “With a higher prevalence of malware and generally fewer security defenses in place, it’s easier for malware to slip into the corporate network via an employee’s personal device.”

What’s at stake, for SMBs, is the loss of mission-critical business data due to device damage, data theft via phishing and ransomware, and GDPR and CCPA fines for data breaches. Any of these threats on their own could be existential for SMBs.

What can businesses do to prevent BYOD-enabled data loss?

“Super small businesses may not have the luxury of outlawing all use of personal devices,” says Moffitt. “BYOD is a fact of life now, especially with so many individuals at home, using home computers.”

But employers aren’t out of luck entirely. They can still purchase for their employees, and encourage the use of, several essential security tools. These include:

  • Endpoint security software – Employers should provide endpoint security for home devices when necessary. When it comes to free solutions, you get what you pay for in terms of protection. Currently, there’s the expectation, especially among younger people, that built-in antivirus solutions are enough for blocking advanced threats. In reality, layered security is essential.
  • Backup and recovery software­­ – Many SMBs rely on online shared drives for collaborating. This is dangerous because a single successful phishing attack can unlock all the data belonging to a company. GDPR and CCPA fines don’t differentiate between data stolen from personal or business devices, so this level of risk is untenable. Make sure data is backed up off-site and encrypted.
  • A VPN – IT admins or contractors should ensure that any sensitive company data requires a secure VPN connection. Especially with employees connecting on public or unsecure networks, it’s important to guard against snooping for data in transit.
  • Secure RDPs – Remote access can be a great option when working from home, but it must be done securely. Too often unsecured RDP ports are the source of attacks. But, when encrypted and protected by two-factor authentication, they can be used to access secure environments from afar. Many are even free for fewer than five computers.
  • User education – Security awareness training is one of the most cost-effective ways of protecting employees from attack on their own devices. Phishing attacks can be simulated and users in need of additional training provided it at very little additional cost. When compared to a data breach, the cost of a few licenses for security training is miniscule.

Collaboration over coercion

It’s difficult to mandate security solutions on personal devices, but managers need to at least have this conversation. Short of installing “tattleware,” this has to be a collaborative rather than a coercive effort.

“You can’t enforce a group policy on a computer or a network that you don’t own,” reminds Moffitt. “Ideally, yes, give each employee a corporate laptop to work at home that’s securely configured. But if that’s not possible, work with employees to ensure the right steps are taken to secure corporate data.”

Companies should work with IT consultants to source high-performing versions of the solutions mentioned above and cover their cost if it’s understood that personal devices should be used during this period of working from home. If taken advantage of, it can be an opportunity to foster a culture of cyber resilience and your organization will come out stronger, wherever your employees are located.

Why Your Cyber Resilience Plan Doesn’t Include Windows 7

Reading Time: ~ 2 min.

Our 2020 Threat Report shows increasing risks for businesses and consumers still running Windows 7, which ceased updates, support and patches earlier this year. This creates security gaps that hackers are all too eager to exploit. In fact, according to the report, malware targeting Windows 7 increased by 125%. And 10% of consumers and 25% of business PCs are still using it.

Webroot Security Analyst Tyler Moffitt points out that a violation due to a data breach could cost a business $50 per customer per record. “For one Excel spreadsheet with 100 lines of records, that would be $50,000.” Compare that with the cost of a new workstation that comes pre-installed with Windows 10 at around $500, and you quickly realize the cost savings that comes with offloading your historic OS. 

Windows 10 also has the added advantage of running automatic updates, which reduces the likelihood of neglecting software patches and security updates. Continuing to run Windows 7 effectively more than doubles the risk of getting malware because hackers scan for old environments to find vulnerable targets. Making matters worse, malware will often move laterally like a worm until it finds a Windows 7 machine to easily infect. And in a time when scams are on the rise, this simple OS switch will ensure you’re not the weakest link.

While businesses are most vulnerable to Windows 7 exploits, consumers can hardly breathe easy. Of all the infections tracked in the 2020 Threat Report, the majority (62%) were on consumer devices. This does, however, create an additional risk for businesses that allow workers to connect personal devices to the corporate network. While employees work from home in greater numbers due to COVID-19, this particular security risk will remain even higher than pre-pandemic levels.

Layers are key

As Moffitt points out, no solution is 100% safe, so layering solutions helps to ensure your cyber resilience is strong. But there is one precaution that is particularly helpful in closing security gaps. And that’s security awareness training. “Ninety-five percent of all infections are the result of user error,” Moffitt says. “That means users clicking on something they shouldn’t thus infecting their computer or worse, a entire network.” Consistent training – 11 or more courses or phishing simulations over a four- to six-month period – can significantly reduce the rate at which users click on phishing simulations.

Also, by running simulations, “you get to find out how good your employees are at spotting scams,” Moffitt says. “If you keep doing them, users will get better and they will increase their efficacy as time goes on.”

Fight cyber-risks with cyber resilience

The best way to close any gaps in protection you may have is to deploy a multi-layered cyber resilience strategy, also known as defense-in-depth. The first layer is perimeter security that leverages cloud-based threat intelligence to identify advanced, polymorphic attacks. But since cyber resilience is also about getting systems restored after an attack, it’s also important to have backups that enable you to roll back the clock on a malware infection.

With so many people working from home amid the global coronavirus pandemic, it’s increasingly critical to ensure cyber resilient home environments in addition to business systems. Find out what major threats should be on your radar by reading our complete 2020 Threat Report.

The Truth about Hackers, in Black and White (and Grey)

Reading Time: ~ 4 min.

Did you know there are three primary types of hacker—white hats, black hats, and grey hats—and that there are subcategories within each one? Despite what you may have heard, not all hackers have intrinsically evil goals in mind. In fact, there are at least 300,000 hackers throughout the world who have registered themselves as white hats.

Also known as ethical hackers, white hats are coders who test internet systems to find bugs and security loopholes in an effort to help organizations lock them down before black hat hackers, i.e. the bad guys, can exploit them. Black hats, on the other hand, are the ones we’re referring to when we use words like “cybercriminal” or “threat actor.” These are hackers who violate computer security and break into systems for personal or financial gain, destructive motives, or other malicious intent.

The last of the three overarching types, grey hat hackers, are the ones whose motives are, well, in a bit of a grey area. Similar to white hats, grey hats may break into computer systems to let administrators know their networks have exploitable vulnerabilities that need to be fixed. However, from there, there’s nothing really stopping them from using this knowledge to extort a fee from the victim in exchange for helping to patch the bug. Alternatively, they might request a kind of finder’s fee. It really depends on the hacker.

So, hackers can be “good guys”?

Yes, they absolutely can.

In fact, there’s even an argument that black hats, while their motivations may be criminal in nature, are performing a beneficial service. After all, each time a massive hack occurs, the related programs, operating systems, businesses, and government structures are essentially shown where and how to make themselves more resilient against future attacks. According to Keren Elezari, a prominent cybersecurity analyst and hacking researcher, hackers and hacktivists ultimately push the internet and technology at large to become stronger and healthier by exposing vulnerabilities to create a better world.

Why do they hack?

The shortest, simplest answer: for the money.

While white and grey hat hackers have altruistic motives in mind and, at least in the former group, are invested in ensuring security for all, the fact of the matter is that there’s a lot of money to be made in hacking. The average Certified Ethical Hacker earns around $91,000 USD per year. Additionally, to help make their products and services more secure, many technology companies offer significant bounties to coders who can expose vulnerabilities in their systems. For example, Apple offered a reward of $1.5 million USD last year to anyone who could hack an iPhone to find a serious security flaw. There are even groups, such as HackerOne, which provide bug bounty platforms that connect businesses with ethical hackers and cybersecurity researchers to perform penetration testing (i.e. finding vulnerabilities). Multiple hackers on the HackerOne bug bounty platform have earned over $1 million USD each.

And for black hats, theft, fraud, extortion, and other crimes can pay out significantly more. In fact, some black hats are sponsored by governments (see the Nation-State category below).

You mentioned subtypes. What are they?

As with many groups, there’s a wide range of hacker personas, each with different motivations. Here are a few of the basic ones you’re likely to encounter.

Script Kiddies

When you picture the stereotypical “hacker in a hoodie”, you’re thinking of a Script Kiddie. Script Kiddies are programming novices who have at least a little coding knowledge but lack expertise. Usually, they get free and open source software on the dark web and use it to infiltrate networks. Their individual motives can place them in black, white, or grey hat territory.

Hacktivists

Ever hear of a group of hackers called Anonymous? They’re a very well-known example of a hacktivist group who achieved notoriety when they took down the CIA’s website. Hacktivists are grey hat hackers with the primary goal of bringing public attention to a political or social matter through disruption. Two of the most common hacktivist strategies are stealing and exposing sensitive information or launching a denial of service (DDoS) attack.

Red Hats

Red hats are sort of like grey hats, except their goal is to block, confound, or straight-up destroy the efforts of black hat hackers. Think of them like the vigilantes of the hacker world. Rather than reporting breaches, they work to shut down malicious attacks with their own tools.

Nation-State

Remember earlier in this post when we mentioned that some black hats are sponsored by governments? That would be this group. Nation-state hackers are ones who engage in espionage, social engineering, or computer intrusion, typically with the goal of acquiring classified information or seeking large ransoms. As they are backed by government organizations, they are often extremely sophisticated and well trained.

Malicious Insiders

Perhaps one of the more overlooked threats to a business is the malicious insider. An insider might be a current or former employee who steals or destroys information, or it might be someone hired by a competitor to infiltrate an organization and pilfer trade secrets. The most valuable data for a malicious insider is usernames and passwords, which can then be sold on the dark web to turn a hefty profit.

What are your next steps?

Now that you better understand the hacker subtypes, you can use this information to help your organization identify potential threats, as well as opportunities to actually leverage hacking to protect your business. And if you haven’t already, check out our Lockdown Lessons, which include a variety of guides, podcasts, and webinars designed to help MSPs and businesses stay safe from cybercrime.

Beyond the educational steps you’re taking, you also need to ensure your security stack includes a robust endpoint protection solution that uses real-time threat intelligence and machine learning to prevent emerging attacks. Learn more about Webroot® Business Endpoint Protection or take a free trial here.

DNS is on the Verge of a Major Overhaul

Reading Time: ~ 4 min.

One of the things about working in internet technology is nothing lasts forever… [Students] come to me and they say, ‘I want to do something that has an impact 20, 50, or 100 years from now.’ I say well maybe you should compose music because none of this technology stuff is going to be around that long. It all gets replaced.” -Paul Mockapetris, co-inventor of the domain name system (DNS)

As foresighted as he may have been, the DNS inventor Paul Mockapetris got one thing wrong in a retrospective interview about his contribution to internet history. Namely, some aspects of technology do have at least 20-year staying power. In this case, his own invention: the domain name system.

But DNS, just three years shy of its fortieth birthday, is on the cusp of a major reimagining. One that could enhance the privacy of business and private users alike for some time to come. According to some experts, it may even be worthy of the title “DNS 2.0.”

The Problem with DNS Today

While DNS has evolved significantly in the more than 35 years since originally conceived, the skeletal structure remains much the same. DNS is the internet’s protocol for translating the URLs humans understand into the IP addresses machines do.

The problem is that this system never meant to consider privacy or security. With DNS today, requests are made and resolved in plain text, providing intrusive amounts of information to whomever may be resolving or inspecting them. That is most likely an internet service provider (ISP), but it may be a government entity or some other source. In authoritarian countries, governments can use this information to prosecute individuals for visiting sites with outlawed content. In the United States, it’s more likely to be monetized for its advertising value.

“The problem with DNS is it exposes what you’re doing,” says Webroot product manager and DNS expert Jonathan Barnett. “If I can log a user’s DNS requests, I can see when they work, when they don’t, how often they use Facebook, the Sonos Speakers and Google Nests on their network, all of that. From a privacy perspective, it shows what on the internet is associating with me and my network.”

This can be especially problematic in terms of home routers. Whereas business networks tend to be relatively secure—patched, up-to-date, and modern—”everyone’s home router tends to be set up by someone’s brother-in-law or an inexperienced ISP technician,” warns Barnett. In this case, malicious hackers can change DNS settings to redirect to their own resolvers.

“If you bring a device onto this network and try to navigate to one of your favorite sites, you may never wind up where you intended,” says Barnett.

In the age of COVID-19, it’s becoming an even bigger problem for employers. With a larger workforce working from home than perhaps ever before, traditional defenses at the network perimeter no longer remain.

“To maintain resilience,” says Barnett, “companies need to extend protection beyond the business network perimeter. One of the best ways to do that is through DNS protection that ensures requests are resolved through a trusted resolver and not a potentially misconfigured home network.”

DoH: The Second Coming of DNS

In response to these concerns, DNS over HTTPS (DoH) offers a method for encrypting DNS requests. Designed by the Internet Engineering Task Force, it leverages HTTPS privacy standard to mask these requests from those who may seek to use the information improperly. The same encryption standards used by banks, credit monitoring services, and other sites dealing in sensitive information display to prove their legitimacy is also used with DoH.

It does this by effectively ‘wrapping’ DNS requests with the HTTPS encryption protocols to ensure the server you connect with is the server you intended to connect with and that no one is listening in those requests, because all the traffic is encrypted.

“It makes sure no one is messing with a user by changing the results of a request before it’s returned,” says Barnett.

In addition to improving privacy around device usage—remember any internet-connected device needs to “phone home” occasionally, therefore initiating a DNS request—DoH also addresses several DNS-enabled attack methods. This includes DNS spoofing, also called DNS hijacking, whereby cybercriminals redirect a DNS request to their own servers in order to spy on or alter communications. By encrypting this traffic, it essentially becomes worthless as a target.

So, while the domain name system has served the internet and its users well for decades, the time may have come for a change.

“The creators of DNS, in their wildest dreams, imagined the system may be able to accommodate up to 50 million domains. We’re at 330 million now. It’s amazing what they achieved,” says Barnett. “But DNS needs to evolve. It’s been a great tool, but it wasn’t designed with privacy or security as a priority. DoH represents the logical evolution of DNS.”

Toward A DoH-Enabled Future

Several major tech players, like Mozilla with its Firefox browser, have already made the leap to using DoH as its preferred method of resolving requests. Many companies, however, would prefer to retain control of DNS and are concerned about applications making independent rogue DNS requests. Losing this control can compromise security as it limits the ability of a business to filter and process these requests.

As application creators strive for better privacy for their users and business always look improve security, a balance must be found. By limiting whether applications can enable DoH, Webroot® DNS Protection has designed its agent to retain control of DNS requests, and while also running each request through Webroot’s threat intelligence platform, both privacy and security is improved.

It’s next release, expected in the coming months, will be fully compatible with the new DoH protocol in service to the security and privacy of its users.

Shoring Up Your Network and Security Policies: Least Privilege Models

Reading Time: ~ 3 min.

Why do so many businesses allow unfettered access to their networks? You’d be shocked by how often it happens. The truth is: your employees don’t need unrestricted access to all parts of our business. This is why the Principle of Least Privilege (POLP) is one of the most important, if overlooked, aspects of a data security plan. 

Appropriate privilege

When we say “least privilege”, what we actually mean is “appropriate privilege”, or need-to-know. Basically, this kind of approach assigns zero access by default, and then allows entry as needed. (This is pretty much the opposite of what many of us are taught about network access.) But by embracing this principle, you ensure that network access remains strictly controlled, even as people join the company, move into new roles, leave, etc. Obviously, you want employees to be able to do their jobs; but, by limiting initial access, you can minimize the risk of an internal breach.

If you haven’t already, now is the perfect time to take a look at your network access policies. After all, it’s about protecting your business and customers—not to mention your reputation.

Listen to the podcast: Episode 6 | Shoring Up Your Network Security with Strong Policies to learn more about implementing the Principle of Least Privilege and other network security best practices.

Navigating the difficult conversations around access control

It’s no surprise that employees enjoy taking liberties at the workplace. In fact, Microsoft reports that 67% of users utilize their own devices at work. Consequently, they may push back on POLP policies because it means giving up some freedom, like installing personal software on work computers, using their BYOD in an unauthorized fashion, or having unlimited usage of non-essential applications.

Ultimately, you need to prepare for hard conversations. For example, you’ll have to explain that the goal of Principle of Least Privilege is to provide a more secure workplace for everyone. It’s not a reflection on who your employees are or even their seniority; it’s about security. So, it’s essential for you, the MSP or IT leader, to initiate the dialogue around access control––often and early. And, at the end of the day, it’s your responsibility to implement POLP policies that protect your network.

Firewalls and antivirus aren’t enough 

There’s a common misconception in cybersecurity that the firewall and/or antivirus is all you need to stop all network threats. But they don’t protect against internal threats, such as phishing or data theft. This is where access policies are necessary to fill in the gaps.

Here’s a prime example: let’s say you have an employee whose job is data entry and they only need access to a few specific databases. If malware infects that employee’s computer or they click a phishing link, the attack is limited to those database entries. However, if that employee has root access privileges, the infection can quickly spread across all your systems.

Cyberattacks like phishingransomware, and botnets are all designed to circumvent firewalls. By following an appropriate privilege model, you can limit the number of people who can bypass your firewall and exploit security gaps in your network.

Tips to achieve least privilege

When it comes to implementing POLP in your business, here are some tips for getting started:

  • Conduct a privilege audit. Check all existing accounts, processes, and programs to ensure that they have only enough permissions to do the job.
  • Remove open access and start all accounts with low access. Only add specific higher-level access as needed.
  • Create separate admin accounts that limit access. 
    • Superuser accounts should be used for administration or specialized IT employees who need unlimited system access. 
    • Standard user accounts, sometimes called least privilege user accounts (LUA) or non-privileged accounts, should have a limited set of privileges and should be assigned to everyone else.
  • Implement expiring privileges and one-time-use credentials.
  • Create a guest network leveraging a VPN for employees and guests.
  • Develop and enforce access policies for BYOD or provide your own network-protected devices whenever possible.
  • Regularly review updated employee access controls, permissions, and privileges.
  • Upgrade your firewalls and ensure they are configured correctly.
  • Add other forms of network monitoring, like automated detection and response.

Why MSPs Should Expect No-Conflict Endpoint Security

Reading Time: ~ 3 min.

“Antivirus programs use techniques to stop viruses that are very “virus-like” in and of themselves, and in most cases if you try to run two antivirus programs, or full security suites, each believes the other is malicious and they then engage in a battle to the death (of system usability, anyway).”

“…running 2 AV’s will most likely cause conflicts and slowness as they will scan each other’s malware signature database. So it’s not recommended.”

The above quotes come from top answers on a popular computer help site and community forum in response to a question about “Running Two AVs” simultaneously.

Seattle Times tech columnist Patrick Marshall has similarly warned his readers about the dangers of antivirus products conflicting on his own computers.

Click here to see 9 top endpoint protection competitors go head to head to see who’s most efficient.

Historically, these comments were spot-on, 100% correct in describing how competing AV solutions interacted on endpoints. Here’s why.

The (Traditional) Issues with Running Side-by-Side AV Programs

In pursuit of battling it out on your machine for security supremacy, AV solutions have traditionally had a tendency to cause serious performance issues.

This is because:

  • Each is convinced the other is an imposter. Antivirus programs tend to look a lot like viruses to other antivirus programs. The behaviors they engage in, like scanning files or scripts and exporting information about those data objects, can look a little shady to a program that’s sole purpose is to be on the lookout for suspicious activity.
  • Each wants to be the anti-malware star. Ideally both AV programs installed on a machine would be up to the task of spotting a virus on a computer. And both would want to let the user know when they’d found something. So while one AV number one may isolate a threat, you can bet AV number two will still want to alert the user to its presence. This can lead to an endlessly annoying cycle of warnings, all-clears, and further warnings.
  • Both are hungry for your computer’s limited resources. Traditional antivirus products store static lists of known threats on each user’s machine so they can be checked against new data. This, plus the memory used for storing the endpoint agent, CPU for scheduled scans, on-demand scans, and even resource use during idling can add up to big demand. Multiply it by two and devices quickly become sluggish.

Putting the Problem Into Context

Those of you reading this may be thinking, But is all of this really a problem? Who wants to run duplicate endpoint security products anyway?

Consider a scenario, one in which you’re unhappy with your current AV solution. Maybe the management overhead is unreasonable and it’s keeping you from core business responsibilities. Then what?

“Rip and replace”—a phrase guaranteed to make many an MSP shudder—comes to mind. It suggests long evenings of after-hours work removing endpoint protection from device after device, exposing each of the machines under your care to a precarious period of no protection. For MSPs managing hundreds or thousands of endpoints, even significant performance issues can seem not worth the trouble.

Hence we’ve arrived at the problem with conflicting AV software. They lock MSPs into a no-win quagmire of poor performance on the one hand, and a potentially dangerous rip-and-replace operation on the other.

But by designing a no-conflict agent, these growing pains can be eased almost completely. MSPs unhappy with the performance of their current AV can install its replacement during working hours without breaking a sweat. A cloud-based malware prevention architecture and “next-gen” approach to mitigating attacks allows everyone to benefit from the ability to change and upgrade their endpoint security with minimal effort.

Simply wait for your new endpoint agent to be installed, uninstall its predecessor, and still be home in time for dinner.

Stop Wishing and Expect No-Conflict Endpoint Protection

Any modern endpoint protection worth its salt or designed with the user in mind has two key qualities that address this problem:

  1. It won’t conflict with other AV programs and
  2. It installs fast and painlessly.

After all, this is 2019 (and over 30 years since antivirus was invented) so you should expect as much. Considering the plethora of (often so-called) next-gen endpoint solutions out there, there’s just no reason to get locked into a bad relationship you can’t easily replace if something better comes along.

So when evaluating a new cybersecurity tool, ask whether it’s no conflict and how quickly it installs. You’ll be glad you did.