By: Trend Micro June 04, 2024 Read time: 3 min (709 words)
In its ninth year, the annual SANS Threat Hunting Survey delves into global organizational practices in threat hunting, shedding light on the challenges and adaptations in the landscape over the past year.
The 2024 survey highlights a growing maturity in threat-hunting methodologies, with a significant increase in organizations adopting formal processes.
This marks a shift towards a more standardized approach in cybersecurity strategies despite challenges such as skill shortages and tool limitations. Additionally, the survey reveals evolving practices in sourcing intelligence and an increase in outsourcing threat hunting, raising questions about the efficiency and alignment with organizational goals. This summary encapsulates the essential findings and trends, emphasizing the critical role of threat hunting in contemporary cybersecurity frameworks.
Participants
Figure 1: Survey demographics
This year’s survey attracted participants from a wide array of industries, with cybersecurity leading at 15% and 9% of respondents from the manufacturing sector, which has recently faced significant challenges from ransomware attacks. The survey participants varied in organization size, too, ranging from those working in small entities with less than 100 employees (24%) to large corporations with over 100,000 employees (9%).
The respondents play diverse roles within their organizations, highlighting the multidisciplinary nature of threat hunting. Twenty-two percent are security administrators or analysts, while 11% hold business manager positions, showcasing a balance between technical, financial, and personnel perspectives in threat-hunting practices.
However, the survey does note a geographical bias, with 65% of participants coming from organizations based in the United States, which could influence the findings related to staffing and organizational practices, though it’s believed not to affect the technical aspects of threat hunting.
Significant findings and implications
The survey examines the dynamic landscape of cyber threats and the strategies deployed by threat hunters to identify and counteract these risks. Notably, it sheds light on the prevalent types of attacks encountered:
Business email compromise (BEC): BEC emerges as the foremost concern, with approximately 68% of respondents reporting its detection. BEC involves malicious actors infiltrating legitimate email accounts to coerce individuals into transferring funds through social engineering tactics.
Ransomware: Following closely behind is ransomware, detected by 64% of participants. Ransomware operations encrypt data and demand payment for decryption, constituting a significant threat in the cybersecurity landscape.
Tactics, techniques, and procedures (TTPs): The survey found that TTPS are employed in different attack scenarios. In ransomware incidents, threat actors often deploy custom malware, target specific data for exfiltration, utilize off-the-shelf tools like Cobalt Strike, attempt to delete traces, and sometimes resort to physical intrusion into target companies.
Evolving threat-hunting practices
SANS also found that organizations have significantly evolved their threat-hunting practices, with changes in methodologies occurring as needed, monthly, quarterly, or annually.
Outsourced threat hunting is now used by 37% of organizations, and over half have adopted clearly defined methodologies for threat hunting, marking a notable advancement.
Additionally, 64% of organizations formally evaluate the effectiveness of their threat-hunting efforts, showing a decrease in those without formal methodologies from 7% to 2%. The selection of methods is increasingly influenced by available human resources, recognized by 47% of organizations.
The chief information security officer (CISO) plays a key role in developing threat-hunting methodologies, with significant involvement in 40% of cases.
Benefits of better threat-hunting efforts
Significant benefits from threat hunting include improved attack surface and endpoint security, more accurate detections with fewer false positives, and reduced remediation resources.
About 30% of organizations use vendor information as supplemental threat intelligence, with 14% depending solely on it. Incident response teams’ involvement in developing threat-hunting methodologies rose to 33% in 2024, indicating better integration within security functions.
Challenges such as data quality and standardization issues are increasing, underscoring the complexities of managing expanding cybersecurity data.
Final thoughts
The SANS 2024 Threat Hunting Survey highlights the cybersecurity industry’s evolution and focuses on improving cyber defense capabilities. Organizations aim to enhance threat hunting with better contextual awareness and data tools, with 51% looking to improve response to nuanced threats.
Nearly half (47%) plan to implement AI and ML to tackle the increasing complexity and volume of threats. There’s a significant planned investment in both staff and tools, with some organizations intending to increase their investment by over 10% or even 25% in the next 24 months, emphasizing threat hunting’s strategic importance.
However, a small minority anticipate reducing their investment, hinting at a potential shift in security strategy.
By: Trend Micro June 18, 2024 Read time: 4 min (1135 words)
The latest MITRE Engenuity ATT&CK Evaluations pitted leading managed detection and response (MDR) services against threats modeled on the menuPass and BlackCat/AlphV adversary groups. Trend Micro achieved 100% detection across all 15 major attack steps with an 86% actionable rate for those steps— balancing detections and business priorities including operational continuity and minimized disruption.
Trend took part in the MITRE Engenuity ATT&CK Evaluations for managed detection and response (MDR) services—building on a history of strong performance in other MITRE Engenuity tests. Key to that ongoing success is our platform approach, which provides high-fidelity detection of early- and mid-chain tactics, techniques, and procedures (TTPs) enabling quick and decisive counteractions before exfiltration or encryption can occur. Of course, we know real-world outcomes matter more than lab results. That’s why we’re proud to support thousands of customers worldwide with MDR that brings the most native extended detection and response (XDR) telemetry, leading threat intelligence from Trend™ Research and our Trend Micro™ Zero-Day Initiative™ (ZDI) under a single service to bridge real-time threat protection and cyber risk management.
The evaluation focused on our Trend Service One™ offering, powered by Trend Vision One, which included XDR, endpoint and network security capabilities. The results proved Trend Micro MDR is a great alternative to managed services that rely on open XDR platforms or managed SIEM platforms.
Our detection of adversarial activity early in the attack chain combined with our platform’s deeply integrated native response capabilities enables rapid mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR). At the same time, comprehensive visibility and protection gives security teams greater confidence.
Full detection across all major steps
This most recent MITRE Engenuity ATT&CK Evaluations for Managed Services featured attacks modeled on the real-world adversaries menuPass and BlackCat/AlphV. These took the form of advanced persistent threats (APTs) designed to dwell in the network post-breach and execute harmful activity over time.
Trend MDR achieved full detection coverage, reflecting and reinforcing our achievements in cybersecurity:
100% across all major attack steps
100% for enriched detail on TTPs
86% actionable rate for major steps
How Trend MDR delivers
To put its MDR evaluation in context, MITRE Engenuity conducted a survey prior to testing, gaining insights into market perceptions and expectations of managed cybersecurity services. More than half (58%) of respondents said they rely on managed services either to complement their in-house SOC or as their main line of defense. For companies with fewer than 5,000 employees, that tally increased to 68%.
Our MDR service at Trend helps meet those needs by combining AI techniques with human threat expertise and analysis. We correlate data and detect threats that might otherwise slip by as lower severity alerts. Our experts prioritize threats by severity, determine the root cause of attacks, and develop detailed response plans.
XDR is a key technology to achieve these security outcomes, extending visibility beyond endpoints to other parts of the environment where threats can otherwise go undetected: servers, email, identities, mobile devices, cloud workloads, networks, and operational technologies (OT).
Integrated with native XDR insights is deep, global threat intelligence. Native telemetry enables high-fidelity detections, strong correlations and rich context; global threat intelligence brings highly relevant context to detect threats faster and more precisely. Combined with a broad third-party integration ecosystem and response automation across vectors, Trend Vision One introduces a full-spectrum SOC platform for security teams to speed up investigations and frees up time to focus on high-value, proactive security work including threat hunting and detection engineering. In some cases, smaller teams rely on our MDR service completely for their security operations.
With Trend Vision One, teams have access to a continuously updated and growing library of detection models—with the ability to build custom detection models to fit their unique threat models.
Proven strength in delivering higher-confidence alerts
Security and security operations center (SOC) teams are inundated with detection alerts and noise. Our visibility and analytics performance achieves a finely tuned balance between providing early alerts of critical adversarial tactics and techniques and managing alert fatigue to improve the analyst experience. Our MDR operations team takes advantage of the platform advantage and knows only to alert customers when critical.
In each simulation during the MITRE Engenuity ATT&CK Evaluations, there was no scenario where menuPass and BlackCat/AlphV attack attempts successfully breached the environment without being detected or disrupted.
It’s important to note that MITRE Engenuity doesn’t rank products or solutions. It provides objective measures but no scores. Instead, since every service and solution functions differently, the evaluation reveals areas of strength and opportunities for improvement within each offering.
About the attacks
The menuPass threat group has been active since at least 2006. Some of its members have been associated with the Tianjin State Security Bureau of the Chinese Ministry of State Security and with the Huaying Haitai Science and Technology Development Company. It has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government targets—and in 2016–17 went after managed IT service providers. BlackCat is Rust-based ransomware offered as a service and first observed in November 2021. It has been used to target organizations across Africa, the Americas, Asia, Australia, and Europe in a range of sectors.
Putting our service to the test
In cybersecurity, actions speak louder than words. Our significant investment in research and development extend to our MDR service offering to support thousands of enterprises around the world.
We’re dedicated to continuous iteration and improvement to equip security teams with cutting-edge solutions to keep their organizations safe. As we evolve our solutions, MITRE Engenuity continues to evolve its evaluation approach as well. The category of “actionability” was new in this evaluation, determining if each alert provided enough context for the security analyst to act on. The actionability testing category is an area we’re investing in heavily from a process and technology standpoint to ensure contextual awareness, prioritization, and intelligent guidance are included while maintaining manageable communication cadences and minimizing false positive alerts.
Overall, areas for improvement surfaced through the test scenarios have been resourced with dedicated engineering and development efforts to match the high standard we hold ourselves to-and that our users expect. We are pleased to see our MDR service demonstrated a strong balance of detection capabilities across the entire attack chain, both within the service itself and embedded in the underlying Trend Vision One platform.
We invite all our MDR customers to take a look at the MITRE Engenuity ATT&CK Evaluations for Managed Services to better understand the strength of their defensive posture, and to come to us with any questions or thoughts.
Next steps
For more on Trend MDR, XDR, and other related topics, check out these additional resources:
At Trend, we are dedicated to continuous iteration and improvement to equip security teams with cutting-edge solutions to keep their organizations safe. These relevant areas of improvement surfaced through the scenarios have been resourced with dedicated engineering and development efforts to match the high standard we hold ourselves to and which our users expect.
There’s a natural human desire to avoid threatening scenarios. The irony, of course, is if you hope to attain any semblance of security, you’ve got to remain prepared to confront those very same threats.
As a decision-maker for your organization, you know this well. But no matter how many experts or trusted cybersecurity tools your organization has a standing guard, you’re only as secure as your weakest link. There’s still one group that can inadvertently open the gates to unwanted threat actors—your own people.
Security must be second nature for your first line of defense #
For your organization to thrive, you need capable employees. After all, they’re your source for great ideas, innovation, and ingenuity. However, they’re also human. And humans are fallible. Hackers understand no one is perfect, and that’s precisely what they seek to exploit.
This is why your people must become your first line of defense against cyber threats. But to do so, they need to learn how to defend themselves against the treachery of hackers. That’s where security awareness training (SAT) comes in.
The overall objective of an SAT program is to keep your employees and organization secure. The underlying benefit, however, is demonstrating compliance. While content may differ from program to program, most are generally similar, requiring your employees to watch scripted videos, study generic presentations, and take tests on cyber “hygiene.” At their core, SAT programs are designed to help you:
Educate your employees on recognizing cybersecurity risks such as phishing and ransomware
Minimize your organization’s exposure to cyber threats
Maintain regulatory compliance with cyber insurance stipulations
These are all worthwhile goals in helping your organization thrive amidst ever-evolving cyber threats. However, attaining these outcomes can feel like a pipe dream. That’s because of one unfortunate truth about most SAT programs: they don’t work.
If you oversee cybersecurity for an organization, then you’re likely familiar with the pain that comes with implementing one, managing it, and encouraging its usage. Given their complexities, traditional SAT solutions practically force non-technical employees to become full-on technologists.
Challenges for Administrators
Challenges for Employees
Challenges for Your Organization
Complex, ongoing management is frustrating. Plus, through it all they just find poor results.
They’re bored. Unengaging content is detrimental, as it doesn’t lead to knowledge retention. Boring, unengaging content doesn’t help with knowledge retention.
Most SATs aren’t effective because they’re created by generalists, not real cybersecurity experts And many are designed with little reporting capabilities, leading to limited visibility into success rates
Because most SAT programs are complex to manage, they’re usually dismissed as a means to an end. Just check a box for compliance and move on. But when done right, SAT can be a potent tool to help your employees make more intelligent, more instinctive, security-conscious decisions.
Ask the Right Questions Before Choosing Your SAT Solution#
When it comes to choosing the right solution for your organization, there are some questions you should first ask yourself. By assessing the following, you’ll be better equipped to select the option that best fits your specific needs.
Learning-Based Questions
Are the topics covered in this SAT relevant to my organization’s security and compliance concerns?
Are episodes updated regularly to reflect current threats and scenarios?
Does this SAT engage users in a unique, meaningful manner?
Is this SAT built and supported by cybersecurity practitioners?
Is the teaching methodology proven to increase knowledge retention?
Management-Based Questions
Can someone outside of my organization manage the SAT for me?
Can it be deployed quickly?
Does it automatically enroll new users and automate management?
Is it smart enough to skip non-human identities so I don’t assign training to, say, our copy machine?
Is it simple and intuitive enough for anyone across my organization to use?
Your ideal SAT will allow you to answer a resounding “Yes” to all of the above.
A SAT solution that’s easy to deploy, manage, and use can have a substantial positive impact. That’s because a solution that delivers “ease” has considered all of your organization’s cybersecurity needs in advance. In other words, an effective SAT does all the heavy lifting on your behalf, as it features:
Relevant topics …based on real threats you might encounter.
What to look for:
To avoid canned, outdated training, choose a SAT solution that’s backed by experts. Cybersecurity practitioners should be the ones regularly creating and updating episodes based on the latest trends they see hackers leveraging in the wild. Additionally, every episode should cover a unique cybersecurity topic that reflects the most recent real-world tradecraft.
Full management by real experts …so you don’t have to waste time creating, managing, and assigning training.
What to look for:
Ideally, you want a SAT solution that can manage all necessary tasks for you. Seek a SAT solution that’s backed by real cybersecurity experts who can create, curate, and deploy your learning programs and phishing scenarios on your behalf.
Memorable episodes …with fun, story-driven lessons that are relatable and easy to comprehend.
What to look for:
Strive for a SAT solution that features character-based narratives. This indicates the SAT is carefully designed to engage learners of all attention spans. Remember, if the episodes are intentionally entertaining and whimsical, you’re more likely to find your employees conversing about inside jokes, recurring characters, and, of course, what they’ve learned. As a result, these ongoing discussions only serve to fortify your culture of security.
Continual enhancements …so episodes are updated regularly in response to real-world threats.
What to look for: Seek out a SAT solution that provides monthly episodes, as this will keep your learners up to date. Regular encounters with simulated cybersecurity scenarios can help enhance their abilities to spot and defend against risks, such as phishing attempts. These simulations should also be dispersed at unpredictable time intervals (i.e. morning, night, weekends, early in the month, later in the month, etc.), keeping learners on their toes and allowing them to put their security knowledge into practice.
Minimal time commitment …so you don’t have to invest countless hours managing it all.
What to look for: For your learners, choose a SAT solution that doesn’t feel like an arduous chore. Look for solutions that specialize in engaging episodes that are designed to be completed in shorter periods of time. For your own administrative needs, select a SAT that can sync regularly with your most popular platforms, such as Microsoft 365, Google, Okta, or Slack. It should also sync your employee directories with ease, so whenever you activate or deactivate users, it’ll automatically update the information. Finally, make sure it’s intelligent enough to decipher between human and non-human identities, so you’re only charged for accounts linked to real individuals.
Real results …through episodes that instill meaningful security-focused behaviors and habits.
What to look for: An impactful SAT should deliver monthly training that’s rooted in science-backed teaching methodologies proven to help your employees internalize and retain lessons better. Your SAT should feature engaging videos, text, and short quizzes that showcase realistic cyber threats you and your employees are likely to encounter in the wild, such as:PhishingSocial engineeringPhysical device securityand more
Measurable data …with easy-to-read reports on usage and success rates.
What to look for: An impactful SAT program should provide robust reporting. Comprehensible summaries should highlight those learners who haven’t taken their training or those whom a phishing simulation has compromised. Additionally, detailed reports should give you all the data you need to help prove business, insurance, and regulatory compliance.
Easy adoption ….that makes it easy to deploy and easy to scale with your organization.
What to look for: Choose a SAT solution that’s specially built to accommodate organizations with limited time and resources. A solution that’s easy to implement can be deployed across your organization in a matter of minutes.
Compliance …with a range of standards and regulations
What to look for: While compliance is the bare minimum of what a SAT should offer your organization, it shouldn’t be understated. Whether to meet insurance check boxes or critical industry regulations, every business has its own compliance demands. At the very least, your SAT solution should cover the requirements of: Health Insurance Portability and Accountability Act (HIPAA)Payment Card Industry Data Security Standard (PCI)Service Organization Control Type 2 (SOC 2)EU General Data Protection Regulation (GDPR)
The Threat Landscape is Changing. Your SAT Should Change With It. #
Cybercriminals think they’re smart, maliciously targeting individuals across organizations like yours. That’s why you need to ensure your employees are smarter. If they’re aware of the ever-changing tactics hackers employ, they can stand as your first line of defense. But first, you need to deploy a training solution you can trust, backed by real cybersecurity experts who understand emerging real-world threats.
Minimize time-consuming maintenance and management tasks
Improve knowledge retention through neuroscience-based learning principles
Update you and your employees on the current threat landscape
Establish a culture that values cybersecurity
Inspire meaningful behavioral habits to improve security awareness
Engage you and your employees in a creative, impactful manner
Assure regulatory compliance
Keep cyber criminals out of your organization
Discover how a fully managed SAT can free up your time and resources, all while empowering your employees with smarter habits that better protect your organization from cyber threats.
Say goodbye to ineffective, outdated training. Say hello to Huntress SAT.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
By: Shannon Murphy, Greg Young March 20, 2024 Read time: 2 min (589 words)
On February 26, 2024, the National Institute of Standards and Technology (NIST) released the official 2.0 version of the Cyber Security Framework (CSF).
What is the NIST CSF?
The NIST CSF is a series of guidelines and best practices to reduce cyber risk and improve security posture. The framework is divided into pillars or “functions” and each function is subdivided into “categories” which outline specific outcomes.
As titled, it is a framework. Although it was published by a standards body, it is not a technical standard.
https://www.nist.gov/cyberframework
What Is the CSF Really Used For?
Unlike some very prescriptive NIST standards (for example, crypto standards like FIPS-140-2), the CSF framework is similar to the ISO 27001 certification guidance. It aims to set out general requirements to inventory security risk, design and implement compensating controls, and adopt an overarching process to ensure continuous improvement to meet shifting security needs.
It’s a high-level map for security leaders to identify categories of protection that are not being serviced well. Think of the CSF as a series of buckets with labels. You metaphorically put all the actions, technology deployments, and processes you do in cybersecurity into these buckets, and then look for buckets with too little activity in them or have too much activity — or repetitive activity — and not enough of other requirements in them.
The CSF hierarchy is that Functions contain many Categories — or in other words, there are big buckets that contain smaller buckets.
What Is New in CSF 2.0?
The most noteworthy change is the introduction of Governance as a sixth pillar in the CSF Framework. This shift sees governance being given significantly more importance from just a mention within the previous five Categories to now being its owna separate Function.
According to NIST the Govern function refers to how an organization’s, “cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.” This is a positive and needed evolution, as when governance is weak, it often isn’t restricted to a single function (e.g. IAM) and can be systemic.
Governance aligns to a broader paradigm shift where we see cybersecurity becoming highly relevant within the business context as an operational risk. The Govern expectation is cybersecurity is integrated into the broader enterprise risk management strategy and requires dedicated accountability and oversight.
There are some other reassignments and minor changes in the remaining five Categories. CSF version 1.0 was published in 2014, and 1.1 in 2018. A lot has changed in security since then. The 2.0 update acknowledges that a review has been conducted.
As a framework, the CISO domain has not radically changed. Yes, the technology has radically evolved, but the greatest evolution in the CISO role really has been around governance: greater interaction with C-suite and board, while some activities have been handed off to operations.
So How Will This Impact Me in the Short Term?
The update to the NIST CSF provides a fresh opportunity to security leaders to start or reopen conversations with business leaders on evolving needs.
The greatest impact will be to auditors and consultants who will need to make formatting changes to their templates and work products to align with version 2.0.
CISOs and security leaders will have to make some similar changes to how they track and report compliance.
But overall, the greatest impact (aside from some extra billable cybersecurity consulting fees) will be a boost of relevance to the CSF that could attract new adherents both through security leaders choosing to look at themselves through the CSF lens and management asking the same of CISOs.
Updated: Jan 31, 2024, 13:03 PM By Claire Broadley Content Manager REVIEWED By Jared Atchison Co-owner
Do you want to set up Postmaster Tools… but you’re not sure where to start?
Postmaster Tools lets you to monitor your spam complaints and domain reputation. That’s super important now that Gmail is blocking emails more aggressively.
Thankfully, Postmaster Tools is free and easy to configure. If you’ve already used a Google service like Analytics, it’ll take just a couple of minutes to set up.
You should set up Postmaster Tools if you meet any of the following criteria:
1. You Regularly Send Emails to Gmail Recipients
Postmaster Tools is a tool that Google provides to monitor emails to Gmail users.
Realistically, most of your email lists are likely to include a large number of Gmail mailboxes unless you’re sending to a very specific group of people, like an internal company mailing list. (According to Techjury, Gmail had a 75.8% share of the email market in 2023.)
Keep in mind that Gmail recipients aren’t always using Gmail email addresses. The people who use custom domains or Google Workspace are ‘hidden’, so it’s not always clear who’s using Gmail and who isn’t. To be on the safe side, it’s best to use it (it’s free).
2. You Send Marketing Emails (or Have a Large Website)
Postmaster Tools works best for bulk email senders, which Google defines as a domain that sends more than 5,000 emails a day.
If you’re sending email newsletters on a regular basis, having Postmaster Tools is going to help.
Likewise, if you use WooCommerce or a similar platform, you likely send a high number of transactional emails: password reset emails, receipts, and so on.
If you don’t send a large number of emails right now, you can still set up Postmaster Tools so you’re prepared for the time you might.
Just note that you may see the following message:
No data to display at present. Please come back later. Postmaster Tools requires your domain to satisfy certain conditions before data is visible for this chart.
This usually means you’re not sending enough emails for Google to be able to calculate meaningful statistics.
It’s up to you if you want to set it up anyway, or skip it until your business grows a little more.
How to Add a Domain to Postmaster Tools
Adding a domain to Postmaster Tools is simple and should take less than 10 minutes.
To get started, head to the Postmaster Tools site and log in. If you’re already using Google Analytics, sign in using the email address you use for your Analytics account.
The welcome popup will already be open. Click on Get Started to begin.
Next, enter the domain name that your emails come from.
This should be the domain you use as the sender, or the ‘from email’, when you’re sending emails from your domain. It will normally be your main website.
If your domain name is already verified for another Google service, that’s all you need to do! You’ll see confirmation that your domain is set up.
If you haven’t used this domain with Google services before, you’ll need to verify it. Google will ask you to add a TXT record to your DNS.
To complete this, head to the control panel for the company you bought your domain from. It’ll likely be your domain name registrar or your web host. If you’re using a service like Cloudflare, you’ll want to open up your DNS records there instead.
Locate the part of the control panel that handles your DNS (which might be called a DNS Zone) and add a new TXT record. Copy the record provided into the fields.
Note: Most providers will ask you to enter a Name, which isn’t shown in Google’s instructions. If your provider doesn’t fill this out by default, you can safely enter @ in the Name field.
Now save your record and wait a few minutes. Changes in Cloudflare can be near-instant, but other registrars or hosts may take longer.
After waiting for your change to take effect, switch back to Postmaster Tools and hit Verify to continue.
And that’s it! Now your domain has been added to Postmaster Tools.
How to Read the Charts in Google Postmaster Tools
Google is now tracking various aspects of your email deliverability. It’ll display the data in a series of charts in your account.
Here’s a quick overview of what you can see.
As I mentioned, keep in mind that the data here is only counted from Gmail accounts. It’s not a domain-wide measurement of everything you send.
Spam Rate
Your spam rate is the number of emails sent vs the number of spam complaints received each day. You should aim to keep this below 0.1%.
You can do that by making it easy for people to unsubscribe from marketing emails and using double optins rather than single optins.
It’s normal for spam complaint rates to spike occasionally because Google measures each day in isolation.
If you’re seeing a spam rate that is consistently above 0.3%, it’s worth looking into why that’s happening. You might be sending emails to people who don’t want to receive them.
IP Reputation
IP reputation is the trustworthiness of the IP address your emails come from. Google may mark emails as spam if your IP reputation is poor.
Keep in mind that IP reputation is tied to your email marketing provider. It’s a measure of their IP as well as yours.
If you see a downward trend, check in with the platform you’re using to ask if they’re seeing the same thing.
Domain Reputation
Domain reputation is the trustworthiness of the domain name you’ve verified in Postmaster Tools. This can be factored into Google’s spam scoring, along with other measurements.
The ideal scenario is a consistent rating of High, as shown in our screenshot above.
Wait: What is IP Reputation vs Domain Reputation?
You’ll now see that Google has separate options for IP reputation and domain reputation. Here’s the difference:
IP reputation measures the reputation of the server that actually sends your emails out. This might be a service like Constant Contact, ConvertKit, or Drip. Other people who use the service will share the same IP, so you’re a little more vulnerable to the impact of other users’ actions.
Domain reputation is a measure of the emails that are sent from your domain name as a whole.
Feedback Loop
High-volume or bulk senders can activate this feature to track spam complaints in more detail. You’ll need a special email header called Feedback-ID if you want to use this. Most likely, you won’t need to look at this report.
Authentication
This chart shows you how many emails cleared security checks.
In more technical terms, it shows how many emails attempted to authenticate using DMARC, SPF, and DKIM vs. how many actually did.
Encryption
This chart looks very similar to the domain reputation chart we already showed. It should sit at 100%.
If you’re seeing a lower percentage, you may be using outdated connection details for your email provider.
Check the websites or platforms that are sending emails from your domain and update them from an SSL connection to a TLS connection.
Delivery Errors
Last but not least, the final chart is the most useful. The Delivery Errors report will show you whether emails were rejected or temporarily delayed. A temporary delay is labeled as a TempFail in this report.
If you see any jumps, click on the point in the chart and the reason for the failures will be displayed below it.
Small jumps here and there are not a huge cause for concern. However, very large error rates are a definite red flag. You may have received a 550 error or a 421 error that gives you more clues as to why they’re happening.
Here are the 3 most important error messages related to blocked emails in Gmail:
421-4.7.0 unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been temporarily rate limited.
550-5.7.1 Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been blocked.
550-5.7.26 This mail is unauthenticated, which poses a security risk to the sender and Gmail users, and has been blocked. The sender must authenticate with at least one of SPF or DKIM. For this message, DKIM checks did not pass and SPF check for example.com did not pass with ip: 192.186.0.1.
If you’re seeing these errors, check that your domain name has the correct DNS records for authenticating email. It’s also a good idea to examine your emails to ensure you have the right unsubscribe links in them.
Note: WP Mail SMTP preserves the list-unsubscribe headers that your email provider adds. That means that your emails will have a one-click unsubscribe option at the top.
If you’re using a different SMTP plugin, make sure it’s preserving that crucial list-unsubscribe header. If it’s not there, If not, you may want to consider switching to WP Mail SMTP for the best possible protection against spam complaints and failed emails.
Are your emails from WordPress disappearing or landing in the spam folder? You’re definitely not alone. Learn how to authenticate WordPress emails and ensure they always land in your inbox.
Ready to fix your emails? Get started today with the best WordPress SMTP plugin. If you don’t have the time to fix your emails, you can get full White Glove Setup assistance as an extra purchase, and there’s a 14-day money-back guarantee for all paid plans.
If this article helped you out, please follow us on Facebook and Twitter for more WordPress tips and tutorials.
Just in time for Data Privacy Day 2024 on January 28, the EU Commission is calling for evidence to understand how the EU’s General Data Protection Regulation (GDPR) has been functioning now that we’re nearing the 6th anniversary of the regulation coming into force.
We’re so glad they asked, because we have some thoughts. And what better way to celebrate privacy day than by discussing whether the application of the GDPR has actually done anything to improve people’s privacy?
The answer is, mostly yes, but in a couple of significant ways – no.
Overall, the GDPR is rightly seen as the global gold standard for privacy protection. It has served as a model for what data protection practices should look like globally, it enshrines data subject rights that have been copied across jurisdictions, and when it took effect, it created a standard for the kinds of privacy protections people worldwide should be able to expect and demand from the entities that handle their personal data. On balance, the GDPR has definitely moved the needle in the right direction for giving people more control over their personal data and in protecting their privacy.
In a couple of key areas, however, we believe the way the GDPR has been applied to data flowing across the Internet has done nothing for privacy and in fact may even jeopardize the protection of personal data. The first area where we see this is with respect to cross-border data transfers. Location has become a proxy for privacy in the minds of many EU data protection regulators, and we think that is the wrong result. The second area is an overly broad interpretation of what constitutes “personal data” by some regulators with respect to Internet Protocol or “IP” addresses. We contend that IP addresses should not always count as personal data, especially when the entities handling IP addresses have no ability on their own to tie those IP addresses to individuals. This is important because the ability to implement a number of industry-leading cybersecurity measures relies on the ability to do threat intelligence on Internet traffic metadata, including IP addresses.
Location should not be a proxy for privacy
Fundamentally, good data security and privacy practices should be able to protect personal data regardless of where that processing or storage occurs. Nevertheless, the GDPR is based on the idea that legal protections should attach to personal data based on the location of the data – where it is generated, processed, or stored. Articles 44 to 49 establish the conditions that must be in place in order for data to be transferred to a jurisdiction outside the EU, with the idea that even if the data is in a different location, the privacy protections established by the GDPR should follow the data. No doubt this approach was influenced by political developments around government surveillance practices, such as the revelations in 2013 of secret documents describing the relationship between the US NSA (and its Five Eyes partners) and large Internet companies, and that intelligence agencies were scooping up data from choke points on the Internet. And once the GDPR took effect, many data regulators in the EU were of the view that as a result of the GDPR’s restrictions on cross-border data transfers, European personal data simply could not be processed in the United States in a way that would be consistent with the GDPR.
This issue came to a head in July 2020, when the European Court of Justice (CJEU), in its “Schrems II” decision1, invalidated the EU-US Privacy Shield adequacy standard and questioned the suitability of the EU standard contractual clauses (a mechanism entities can use to ensure that GDPR protections are applied to EU personal data even if it is processed outside the EU). The ruling in some respects left data protection regulators with little room to maneuver on questions of transatlantic data flows. But while some regulators were able to view the Schrems II ruling in a way that would still allow for EU personal data to be processed in the United States, other data protection regulators saw the decision as an opportunity to double down on their view that EU personal data cannot be processed in the US consistent with the GDPR, therefore promoting the misconception that data localization should be a proxy for data protection.
In fact, we would argue that the opposite is the case. From our own experience and according to recent research2, we know that data localization threatens an organization’s ability to achieve integrated management of cybersecurity risk and limits an entity’s ability to employ state-of-the-art cybersecurity measures that rely on cross-border data transfers to make them as effective as possible. For example, Cloudflare’s Bot Management product only increases in accuracy with continued use on the global network: it detects and blocks traffic coming from likely bots before feeding back learnings to the models backing the product. A diversity of signal and scale of data on a global platform is critical to help us continue to evolve our bot detection tools. If the Internet were fragmented – preventing data from one jurisdiction being used in another – more and more signals would be missed. We wouldn’t be able to apply learnings from bot trends in Asia to bot mitigation efforts in Europe, for example. And if the ability to identify bot traffic is hampered, so is the ability to block those harmful bots from services that process personal data.
The need for industry-leading cybersecurity measures is self-evident, and it is not as if data protection authorities don’t realize this. If you look at any enforcement action brought against an entity that suffered a data breach, you see data protection regulators insisting that the impacted entities implement ever more robust cybersecurity measures in line with the obligation GDPR Article 32 places on data controllers and processors to “develop appropriate technical and organizational measures to ensure a level of security appropriate to the risk”, “taking into account the state of the art”. In addition, data localization undermines information sharing within industry and with government agencies for cybersecurity purposes, which is generally recognized as vital to effective cybersecurity.
In this way, while the GDPR itself lays out a solid framework for securing personal data to ensure its privacy, the application of the GDPR’s cross-border data transfer provisions has twisted and contorted the purpose of the GDPR. It’s a classic example of not being able to see the forest for the trees. If the GDPR is applied in such a way as to elevate the priority of data localization over the priority of keeping data private and secure, then the protection of ordinary people’s data suffers.
Applying data transfer rules to IP addresses could lead to balkanization of the Internet
The other key way in which the application of the GDPR has been detrimental to the actual privacy of personal data is related to the way the term “personal data” has been defined in the Internet context – specifically with respect to Internet Protocol or “IP” addresses. A world where IP addresses are always treated as personal data and therefore subject to the GDPR’s data transfer rules is a world that could come perilously close to requiring a walled-off European Internet. And as noted above, this could have serious consequences for data privacy, not to mention that it likely would cut the EU off from any number of global marketplaces, information exchanges, and social media platforms.
This is a bit of a complicated argument, so let’s break it down. As most of us know, IP addresses are the addressing system for the Internet. When you send a request to a website, send an email, or communicate online in any way, IP addresses connect your request to the destination you’re trying to access. These IP addresses are the key to making sure Internet traffic gets delivered to where it needs to go. As the Internet is a global network, this means it’s entirely possible that Internet traffic – which necessarily contains IP addresses – will cross national borders. Indeed, the destination you are trying to access may well be located in a different jurisdiction altogether. That’s just the way the global Internet works. So far, so good.
But if IP addresses are considered personal data, then they are subject to data transfer restrictions under the GDPR. And with the way those provisions have been applied in recent years, some data regulators were getting perilously close to saying that IP addresses cannot transit jurisdictional boundaries if it meant the data might go to the US. The EU’s recent approval of the EU-US Data Privacy Framework established adequacy for US entities that certify to the framework, so these cross-border data transfers are not currently an issue. But if the Data Privacy Framework were to be invalidated as the EU-US Privacy Shield was in the Schrems II decision, then we could find ourselves in a place where the GDPR is applied to mean that IP addresses ostensibly linked to EU residents can’t be processed in the US, or potentially not even leave the EU.
If this were the case, then providers would have to start developing Europe-only networks to ensure IP addresses never cross jurisdictional boundaries. But how would people in the EU and US communicate if EU IP addresses can’t go to the US? Would EU citizens be restricted from accessing content stored in the US? It’s an application of the GDPR that would lead to the absurd result – one surely not intended by its drafters. And yet, in light of the Schrems II case and the way the GDPR has been applied, here we are.
A possible solution would be to consider that IP addresses are not always “personal data” subject to the GDPR. In 2016 – even before the GDPR took effect – the Court of Justice of the European Union (CJEU) established the view in Breyer v. Bundesrepublik Deutschland that even dynamic IP addresses, which change with every new connection to the Internet, constituted personal data if an entity processing the IP address could link the IP addresses to an individual. While the court’s decision did not say that dynamic IP addresses are always personal data under European data protection law, that’s exactly what EU data regulators took from the decision, without considering whether an entity actually has a way to tie the IP address to a real person3.
The question of when an identifier qualifies as “personal data” is again before the CJEU: In April 2023, the lower EU General Court ruled in SRB v EDPS4 that transmitted data can be considered anonymised and therefore not personal data if the data recipient does not have any additional information reasonably likely to allow it to re-identify the data subjects and has no legal means available to access such information. The appellant – the European Data Protection Supervisor (EDPS) – disagrees. The EDPS, who mainly oversees the privacy compliance of EU institutions and bodies, is appealing the decision and arguing that a unique identifier should qualify as personal data if that identifier could ever be linked to an individual, regardless of whether the entity holding the identifier actually had the means to make such a link.
If the lower court’s common-sense ruling holds, one could argue that IP addresses are not personal data when those IP addresses are processed by entities like Cloudflare, which have no means of connecting an IP address to an individual. If IP addresses are then not always personal data, then IP addresses will not always be subject to the GDPR’s rules on cross-border data transfers.
Although it may seem counterintuitive, having a standard whereby an IP address is not necessarily “personal data” would actually be a positive development for privacy. If IP addresses can flow freely across the Internet, then entities in the EU can use non-EU cybersecurity providers to help them secure their personal data. Advanced Machine Learning/predictive AI techniques that look at IP addresses to protect against DDoS attacks, prevent bots, or otherwise guard against personal data breaches will be able to draw on attack patterns and threat intelligence from around the world to the benefit of EU entities and residents. But none of these benefits can be realized in a world where IP addresses are always personal data under the GDPR and where the GDPR’s data transfer rules are interpreted to mean IP addresses linked to EU residents can never flow to the United States.
Keeping privacy in focus
On this Data Privacy Day, we urge EU policy makers to look closely at how the GDPR is working in practice, and to take note of the instances where the GDPR is applied in ways that place privacy protections above all other considerations – even appropriate security measures mandated by the GDPR’s Article 32 that take into account the state of the art of technology. When this happens, it can actually be detrimental to privacy. If taken to the extreme, this formulaic approach would not only negatively impact cybersecurity and data protection, but even put into question the functioning of the global Internet infrastructure as a whole, which depends on cross-border data flows. So what can be done to avert this?
First, we believe EU policymakers could adopt guidelines (if not legal clarification) for regulators that IP addresses should not be considered personal data when they cannot be linked by an entity to a real person. Second, policymakers should clarify that the GDPR’s application should be considered with the cybersecurity benefits of data processing in mind. Building on the GDPR’s existing recital 49, which rightly recognizes cybersecurity as a legitimate interest for processing, personal data that needs to be processed outside the EU for cybersecurity purposes should be exempted from GDPR restrictions to international data transfers. This would avoid some of the worst effects of the mindset that currently views data localization as a proxy for data privacy. Such a shift would be a truly pro-privacy application of the GDPR.
Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.
To learn more about our mission to help build a better Internet, start here. If you’re looking for a new career direction, check out our open positions.
AnyDesk confirmed today that it suffered a recent cyberattack that allowed hackers to gain access to the company’s production systems. BleepingComputer has learned that source code and private code signing keys were stolen during the attack.
AnyDesk is a remote access solution that allows users to remotely access computers over a network or the internet. The program is very popular with the enterprise, which use it for remote support or to access colocated servers.
The company reports having 170,000 customers, including 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS, and the United Nations.
AnyDesk hacked
In a statement shared with BleepingComputer late Friday afternoon, AnyDesk says they first learned of the attack after detecting indications of an incident on their production servers.
After conducting a security audit, they determined their systems were compromised and activated a response plan with the help of cybersecurity firm CrowdStrike.
AnyDesk did not share details on whether data was stolen during the attack. However, BleepingComputer has learned that the threat actors stole source code and code signing certificates.
The company also confirmed ransomware was not involved but didn’t share too much information about the attack other than saying their servers were breached, with the advisory mainly focusing on how they responded to the incident.
As part of their response, AnyDesk says they have revoked security-related certificates and remediated or replaced systems as necessary. They also reassured customers that AnyDesk was safe to use and that there was no evidence of end-user devices being affected by the incident.
“We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate,” AnyDesk said in a public statement.
While the company says that no authentication tokens were stolen, out of caution, AnyDesk is revoking all passwords to their web portal and suggests changing the password if it’s used on other sites.
“AnyDesk is designed in a way which session authentication tokens cannot be stolen. They only exist on the end user’s device and are associated with the device fingerprint. These tokens never touch our systems, “AnyDesk told BleepingComputer in response to our questions about the attack.
“We have no indication of session hijacking as to our knowledge this is not possible.”
The company has already begun replacing stolen code signing certificates, with Günter Born of BornCity first reporting that they are using a new certificate in AnyDesk version 8.0.8, released on January 29th. The only listed change in the new version is that the company switched to a new code signing certificate and will revoke the old one soon.
BleepingComputer looked at previous versions of the software, and the older executables were signed under the name ‘philandro Software GmbH’ with serial number 0dbf152deaf0b981a8a938d53f769db8. The new version is now signed under ‘AnyDesk Software GmbH,’ with a serial number of 0a8177fcd8936a91b5e0eddf995b0ba5, as shown below.
Signed AnyDesk 8.0.6 (left) vs AnyDesk 8.0.8 (right) Source: BleepingComputer
Certificates are usually not invalidated unless they have been compromised, such as being stolen in attacks or publicly exposed.
While AnyDesk had not shared when the breach occurred, Born reported that AnyDesk suffered a four-day outage starting on January 29th, during which the company disabled the ability to log in to the AnyDesk client.
“my.anydesk II is currently undergoing maintenance, which is expected to last for the next 48 hours or less,” reads the AnyDesk status message page.
“You can still access and use your account normally. Logging in to the AnyDesk client will be restored once the maintenance is complete.”
Yesterday, access was restored, allowing users to log in to their accounts, but AnyDesk did not provide any reason for the maintenance in the status updates.
However, AnyDesk has confirmed to BleepingComputer that this maintenance is related to the cybersecurity incident.
It is strongly recommended that all users switch to the new version of the software, as the old code signing certificate will soon be revoked.
Furthermore, while AnyDesk says that passwords were not stolen in the attack, the threat actors did gain access to production systems, so it is strongly advised that all AnyDesk users change their passwords. Furthermore, if they use their AnyDesk password at other sites, they should be changed there as well.
Every week, it feels like we learn of a new breach against well-known companies.
When having trouble getting a good performance from your wireless router or access point, the first settings that people usually change is the WiFi channel. And it makes sense considering that it may be just a bit ‘too crowded’, so change the number, save and the WiFi speed should come back to life, right?
It is possible to see an increase in throughput, but you should never change the settings blindly, hoping that something may stick. I admit that I am guilty of doing just that some time ago, but the concept behind the WiFi channels doesn’t need to be mystifying. So let’s have a look at what they are, their relationship with the channel bandwidth and which should be the suitable settings for your network.
I am sure that most of you are familiar with the 2.4GHz and the 5GHz radio band, but you need to understand that they’re not some fixed frequency points, instead, they’re more like a spectrum of frequencies. The 2.4GHz has a range of frequencies from 2,402MHz to 2,483MHz and, when you tune to a specific frequency within this spectrum, you essentially are selecting a WiFi channel for your data transmission.
2.4GHz Channels – 20MHz channel bandwidth.
For example, the channel 1 is associated with the 2,412MHz (the range is between 2,401 to 2,423MHz), the channel two is 2,417MHz (2,406 to 2,428MHz range), channel 7 is 2,442MHz (2,431 to 2,453MHz range) and the channel 14 is 2,484MHz (2,473 to 2,495MHz range). As you can see, there is some overlapping in the frequency range between certain channels, but we’ll talk more about it in a minute. The range of 5GHz radio band spans between 5.035MHz and 5.980MHz.
This means that the channel 36 is associated with the 5,180MHz (the range between 5,170 and 5,190MHz), the channel 40 is 5,200MHz (between 5,190 and 5,210MHz) and channel 44 can be associated with the 5,220MHz frequency (the range between 5,210 and 5,230MHz). Now, let’s talk about overlapping and non-overlapping channels.
Overlapping vs non-overlapping channels
If you had a look at the channel representation that I put together for the 2.4GHz frequency band using the 20MHz WiFi channel bandwidth, you can see that three channels are different from the others. The channels 1, 6 and 11 are non-overlapping and you can see from the graph that if your APs are using these channels, then they’re far less prone to interference.
5GHz – Channel allocation.
To get an even better idea is to have a look at the graph representing the 5GHz channels and the way they’re grouped to create a larger channel bandwidth. We have talked about the two main types of interference, the co-channel and the adjacent channel interference when we analyzed the best channel bandwidth to use for the 5GHz band. And the idea is that when using the same channel, the devices will be forced to take turns, therefore slowing down the network.
But it’s also possible that the adjacent channels may bleed into each other, adding noise to the data, rendering the WiFi connection unusable. That’s why most people suggest to keep a less wide channel bandwidth and use non-overlapping channels if there are lots of APs in the area (which are not properly adjusted by a system admin).
Changing the channel, but not the channel bandwidth
We already know that changing the channel bandwidth will have a significant impact on the WiFi performance because 20MHz or 40MHz will deliver a far more stable throughput on the 5GHz frequency band (although not that high) in a crowded environment.
Multiple wireless access points.
But what happens when we change the WiFi channel, while keeping the same channel bandwidth? Again, it depends if you’re switching from overlapping to non-overlapping channels because doing so, you may see a noticeable increase in performance (just keep an eye on the available channels because the wider the channel bandwidth, the less the non-overlapping channels will be available for you to use). Now, in the ideal scenario, where there is no interference, when moving from one channel to the other within the same bandwidth shouldn’t really make that much of a difference in terms of data transfer rate.
Auto or manual WiFi channel selection?
The wireless routers and access points usually have the WiFi channel selection set to auto, which means that you may see that your neighbors change theirs annoyingly often. That’s because every time they restart the router/AP or there’s a power outage, the channel may be changed, so that it’s the least crowded available.
Abundance of Wireless Access Points.
If you choose yours manually, you will have to keep up with the changes to your neighboring WiFi networks, which is why it’s a good idea to keep the WiFi channel on your AP on auto as well. If we’re talking about an office or some large enterprise network, it’s obviously better to have full control on how the network behaves, so the manual selection is better.
When you should use DFS channels?
DFS stands for Dynamic Frequency Selection and it refers to those frequencies that are usually limited for military use or for radars (such as weather devices or airport equipment), which means that they can differ from country to country. So make sure to check whether you’re allowed to use certain channels (especially if you got the wireless router or AP from abroad), before you get a knock on your door. Also, it’s pretty much obvious that you won’t be able to use these channels if you live near an airport.
Engenius EWS850AP access point.
That being said, the main benefit to using DFS channels is that you are no longer impacted by interference from your neighbors WiFi. But do be aware that, depending on the router, there is a high chance that in case it detects a near-by radar using the same frequency, then it will switch to another WiFi channel automatically.
Also, there is another problem that I have often encountered. Not that many client devices will actually connect to a WiFi network that uses DFS channels, so you may find out that while your PC and smartphone continue to have access to the Internet, pretty much every other smart or IoT device will drop the connection.
I do get the question of whether the WiFi 6 routers have better range from time to time and my answer is that some do have a better range than the WiFi 5 router, while some don’t. It’s only normal that an expensive new piece of technology will behave better than an old, battle-scarred router. But, in general, are the WiFi 6 routers able to cover more space than the devices from the older WiFi generation?
Especially since we are promised that the OFDMA will just make everything way better, so just go and buy the new stuff, throw away the old! The idea behind the WiFi 6 standard (IEEE 802.11ax) was not really about speed or increased coverage, it was about handling a denser network, with a lot of very diverse client devices in an environment prone to lots of interference.
Abundance of Wireless Access Points.
As a consequence, you may see some benefits in regard to coverage and throughput, despite not really being the main aim. It’s clear that those that stand to get the most benefit are SMBs and especially the enterprise market, so why do Asus, Netgear, TP-Link and other home-network-based manufacturers keep on pushing WiFi 6 routers forward? The tempting response is money, which is true, but only partially.
We have started to get more denser networks even in our homes (smart and IoT devices) and living in a city means your neighbors will also add to the creation of denser networks, so WiFi 6 could make sense, right? With the correct client devices, yes and you may also see a better range. So, let’s do a slightly deeper dive into the subject and understand whether WiFi 6 routers have a better range in real-life conditions.
The main factors that can determine the range of a router can be considered the transmit power, the antenna gain and the interference in the area where the signal needs to travel. The SoC will also play an important role on the WiFi performance of the router.
1. The Transmit Power
I have covered this topic a bit in a separate article, where I discussed whether the user should adjust the transmit power to their access point or leave the default values. And the conclusion was that the default values are usually wrong and yes, you should adjust them in a manner as to get a more efficient network, even if it may seem that the coverage will suffer. But before that know that there are legal limitations to the transmit power.
The FCC says that the maximum transmitter output power that goes towards the antenna can go up to 1 Watt (30dBm), but the EIRP caps that limit to 36dBm. The EIRP is the sum between the maximum output power that goes towards the antenna and the antenna gain.
This means that the manufacturer is free to try different variations between the power output and the antenna gain as to better reach the client devices, while keeping that limit in mind. This factor has not changed from the previous WiFi standard, so, the WiFi 6 has the same limit put in place as the WiFi 5 (and the previous wireless standards). The advice is to still lower the transmit gain as much as possible for the 2.4GHz radio and to increase it to the maximum for the 5GHz radio. That’s because the former radiates a lot better through objects, while the latter does not, but it provides far better speeds.
2. The Antenna Gain
This ties in nicely with the previous section since, just like the output power, the antenna gain needs to be adjusted by the manufacturer within the limits dictated by the FCC. And there is an interesting thing that I noticed with the newer WiFi 6 routers, something that was not common with the previous gen routers. The antennas can’t be removed on most routers, only on the most expensive models.
This means that in most cases, you can’t upgrade the antennas, potentially having a better range. Before, you could take an older router, push the transmit power to the maximum (you could also push it past its hardware limits with DDWRT or some other third-party software) and then add some high-gain antennas.
Old TP-Link router.
This way, the range could have been better, but could you actually go past the allowed limit? The chipset inside the router most likely kept everything within the allowed limit, but you could still get closer to that limit. Would you see any benefit though? That’s another story because years ago, when there were way fewer wireless devices around, pushing everything to the maximum made sense due to the less amount of interference.
Nowadays, you’re just going to annoy your neighbors, while also making a mess of your WiFi clients connection. Sure, you will connect to a faraway client device, but will it be able to transfer data at a good speed? Doubt it, so it will just hog the entire network. The WiFi 6 standard does help alleviate this problem a bit, but we’ll talk more about it in a minute.
3. The WiFi Interference
This factor comes in different flavors. It can be from other devices that use the same channel, other access points that broadcast the signal through your house over the same channels or it can even be from your microwave. Ideally, you want to keep your WiFi inside your home, so that it doesn’t interfere with the WiFi signal from other routers or dedicated access points. Which is why the 5GHz radio has become the default option for connecting smartphones, laptops, TVs or PCs, while the 2.4GHz is usually left for the IoT devices.
Interesting antenna patterns to limit interference. Left: Zyxel WAX630S. Right Zyxel WAX650S.
At least this has been true for the WiFi 5 routers because the WiFi6 routers can use OFDMA on the 2.4GHz band and help push the throughput to spectacular levels (where it would actually be if there were little to no interference, it’s not an actual boost in speed). For example, the Asus RT-AX86U can reach up to 310Mbps at 5 feet (40MHz channel bandwidth), but very few routers implement it on both radios due to the cost constraints.
For example, the Ubiquiti U6-LR only uses OFDMA on the 5GHz radio band, further showing the tendency to leave the 2.4GHz for the IoT devices. Now let’s talk about the walls. There are two main behaviors that you need to keep in mind. First, there’s the obstacle aspect which is obvious since you can see that when you move your client device in another room than your router, the signal drops a bit. Moving it farther will add more attenuation and the speed will drop even more.
For example, I have an office that’s split into two by a very thick wall so, on paper, one router positioned in the middle should suffice for both sides, right? Not quite because this wall is very thick and made of concrete, so it works as a phenomenal signal blocker.
Asus AiMesh.
That’s why I needed two routers in the middle of the office to cover both sides effectively. The other aspect is signal reflection. What this means is that if you broadcast the signal in the open, it will reach let’s say up to 70 feet, but, if you broadcast it in a long hallway, you can get a great signal at the end of the hallway (could be double the distance than in the open field). But this also means that you may see some very weird, inconsistent coverage with your client devices.
What about the client devices?
This is a very important factor that is often overlooked when people talk about WiFi range and it’s incredibly important to understand the role of the network adapter especially in regard to the WiFi 6 client devices. First of all, understand that not all client devices are the same, some have a great receiver which can see the WiFi signal from very far away, others are very shy and want to be closer to the router. Then, there’s the specific features compatibility.
MU-MIMO, Beamforming and now the OFDMA have become a standard with newer routers, but, if the wireless client devices don’t support these features, it doesn’t really matter if they’re implemented or not. And this is one of the reasons why you may have noticed (even in my router tests) that a WiFi 5 client will most likely yield similar results when connected to a WiFi 5 router as well as when it’s connected to a WiFi 6 router. So, if you want to see improvements when using WiFi 6 routers, make sure that you have compatible adapters installed in your main client devices. Otherwise, there is no actual point to upgrading.
WiFi 6 adapter.
How can OFDMA improve range?
Yes, yes, I know OFDMA was not designed to improve the speed, nor the range of the network, but even so, the consequences of its optimizations are exactly these. A better throughput and a perceived far better range. The Orthogonal Frequency-Division Multiple Access breaks the channel frequency into smaller subcarriers, and it assigns them to individual clients.
So, while before, one client would start transmitting and every other client device had to wait until it was done, now, it’s possible to get multiple simultaneous data transmissions, greatly improving the efficiency of the network and significantly lowering the latency (which is excellent news for online gaming). I have talked about how a far-away client device can hog the network when I analyzed the best settings for the transmit power – that was because it would connect to the AP or router and transmit at a very low data speed rate.
Using OFDMA, in this type of scenario, it can improve the network behavior and, even if the range itself isn’t changed, due to the way the networks are so much denser nowadays, you’ll get a more efficient network behavior for both close and far away client devices. So yes, better range and more speed.
BSS Coloring to tame the interference
I already mentioned that the interference from other APs or wireless routers will have a major impact on the perceived range of your network.
And one of the reasons is the co-channel interference which occurs when multiple access points use the same channel and are therefore constrained to share it between them. As a consequence, you get a slower network because if there are lots of connected clients, they’ll easily fill up the available space. The BSS coloring assigns a color code to each client device which is then assigned to its closest access point.
This way, the signal broadcast is reduced from the client side as to not interfere with the other APs or client devices in the proximity. Obviously, the power output is still high enough to ensure a proper communication with the AP. And I know you haven’t seen this feature advertised as much on the boxes of APs or routers, which is due to cost constraints. I have seen it on the EnGenius EWS850AP, a WiFi 6 outdoors access point which is a device suitable for some very specific applications, but not on many other WiFi 6 networking devices.
Besides cost, the reason why it’s not that common especially on consumer-type WiFi 6 routers is that it’s not yet that useful. I say that because unless all the clients in the area are equipped with WiFi 6 adapters, the WiFi 5 (and lower) client devices will still broadcast their signal as far away as they can, interfering with the other WiFi devices.
Do WiFi 6 routers actually have a better range?
In an ideal, lab environment, most likely not, since as I said, the idea is to handle denser networks and not to push the WiFi range farther.
But in real-life conditions, you should see a far better perceived range if the right conditions are met. And almost everything revolves around using WiFi 6 client devices that can actually take advantage of these awesome features. It’s also wise to adjust the settings of your router or AP accordingly since the default values are very rarely good. Ideally, so should your neighbors since only this way, you will see a proper improvement in both range and network performance. Otherwise, there is barely any reason to upgrade from the WiFi 5 equipment.
At the same time, it’s worth checking out the WiFi 6E which adds a new frequency band, the 6GHz, which can actually increase the throughput in a spectacular manner since the radio is subjected to far less interference (the range doesn’t seem changed though). I have recently tested the EnGenius ECW336 which uses this new standard and yes, it’s a bit pricy, but Zyxel has released a new WiFi 6E AP that is a bit cheaper, and I will be testing it soon.
In light of the current global price hikes for energy, you’re very much justified in worrying about how many Watts your PoE switch actually uses. And, unless you have solar panels to enable your ‘lavish’ lifestyle, you’re going to have a bad time running too many networking devices at the same time, especially if they’re old and inefficient. But there’s the dilemma of features. For example, if we were to put two TVs together, an older one and a newer, it would be obvious that the latter would consume less power.
EnGenius ECS2512FP Switch with lots of Ethernet cables.
But, after adding all the new features and technologies which do require more power to be drawn, plus the higher price tag and it becomes clear that it’s less of an investment than we initially thought. Still, the manufacturers are clearly pushing the users towards the use of PoE instead of the power adapter – the newer Ubiquiti access points only have a PoE Ethernet port.
And it makes sense considering that they’re easier to install, without worrying about being close to a power source, no more used outlets and the possibility to have centralized control via a PoE switch. But, for some people, all these advantages may fall short if the power consumption of such a setup exceeds the acceptable threshold, so, for those of you conflicted about whether you should give PoE Ethernet switches a try, let’s see how much Watts they actually consume.
The PoE standard started being implemented into network switches about two decades ago and it became a bit more common for SMBs about 10 years ago. The first PoE switch that I tested was from Open Mesh (the S8) and it supported the IEEE 802.3at/af.
Open Mesh S8 Ethernet Switch.
This meant that the power output per port was 30 Watts, so it can’t really be considered an old switch (unless you take into account that Open Mesh doesn’t exist anymore). But I wanted to mention this switch because while the total power budget was 150 Watts, it did need to rely on a fan to keep the case cool. Very recently I tested the EnGenius ECS2512FP which offers almost double the PoE budget, 2.5GbE ports and it relies on passive cooling.
So, even if it may not seem so at first, even in the last five years, there have been significant advancements in regard to power efficiency. Indeed, a very old Ethernet switch that supports only the PoE 802.11af standard (15.4W limit per port) most likely needed to be cooled by fans and was not really built with the power efficiency aspect in mind. Before I get an angry mob to scream that the EEE from the IEEE stands for Energy-Efficient Ethernet, so adhering to the 802.3af standard should already ensure that the switch doesn’t consume that much power, I had another standard in mind.
Multiple wireless access points.
It’s the Green Ethernet from the 802.3az standard that made the difference with network switches that had lots of Ethernet ports. And this is an important technology because it makes sure that if a host has not been active for a long time, then the port to which is connected enters a sort of stand-by mode, where the power consumption is significantly reduced.
The port will become active again once there is activity from the client side, so the switch does ping the device from time to time (what I want to say is that the power is not completely turned off). So, if the network switch is older, it may not have this technology which means that you may lose a few dollars a month for this reason alone.
How many Watts does a PoE switch use by itself?
It depends on the PoE switch that you’re using. A 48-port switch that has three fans which run at full speed all the time is going to consume far more power than the 8-port unmanaged switch. You don’t have to believe me, let’s just check the numbers. I was lucky enough to still have the FS S3400-48T4SP around (it supports the 802.3af/at and has a maximum PoE budget of 370W), so I connected it to a power source and checked how many Watts it eats up when no device is connected to any of the 48 PoE ports.
FS S3400-48T4SP – 1st: no devices connected. 2nd: TP-Link EAP660 HD connected. 3rd: Both the EAP660 HD and the EAP670 connected.
It was 24.5 Watts which is surprisingly efficient considering the size of the switch and the four fans that run all the time. The manufacturer says that the maximum power consumption can be 400W, so the approx. 25W without any PoE device falls within the advertised amount. Next, I checked the power consumption of the Zyxel XS1930-12HP.
This switch is very particular because it has eight 10Gbps Ethernet ports and it supports the PoE++ standard (IEEE 802.3bt) which means that each port can offer up to 60W of PoE budget per device. At the same time, the maximum PoE budget is 375 Watts and, while no device was connected to any port, the Ethernet switch drew an average of 29 Watts (the switch does have two fans).
Zyxel XS1930-12HP – 1st: no devices connected. 2nd: TP-Link EAP660 HD connected. 3rd: Both the EAP660 HD and the EAP670 connected.
Yes, it’s more than the 48-port from FS, so it’s not always the case that having more ports means that there is a higher power consumption – obviously, more PoE devices will raise the overall power consumption.
Unmanaged vs Managed switches
Lastly, I checked out the power consumption of an unmanaged switch, the TRENDnet TPE-LG80 which has eight PoE ports, with a maximum budget of 65W. The PoE standards that are supported are the IEEE 802.3af and the IEEE 802.3at, so it can go up to 30W per port. That being said, the actual power consumption when there was no device connected was 3 Watts.
TRENDnet TPE-LG80 – 1st: no devices connected. 2nd: TP-Link EAP660 HD connected. 3rd: Both the EAP660 HD and the EAP670 connected.
Quite the difference when compared to the other two switches, but it was to be expected for a small unmanaged Gigabit PoE switch.
Access Points: PoE vs Power adapter
I am not going to bore you with details. You know what an access point is, and you also know that some have a power adapter, while some don’t. So, I took the TP-Link EAP660 HD and the EAP670 (because I had them left on the desk after testing them) and I checked if the power consumption differs between PoE and using the provided adapter. Also, I connected the APs to the three switches mentioned above to see if there’s a difference in PoE use between brands and between managed and unmanaged switches.
The TP-Link EAP660-HD draws an average of 6.9 Watts when connected to the socket via the power adapter. The EAP670 needs a bit less, since the average was 6.4 Watts. When connected to the 48-port FS S3400-48T4SP, the EAP660 HD needed 7.7W from the PoE budget, while the EAP670 added 7.6W, so, overall, the power consumption is more elevated. Moving on to the PoE++ Zyxel XS1930-12HP switch, I saw that adding the TP-Link EAP660HD, it required 10.5W and, connecting the EAP670 meant that an additional 6.8W which is quite the difference.
Comparison Access Points: PoE vs Power adapter.
Obviously, neither access points were connected to any client device, so there should be no extra overhead. In any case, we see that the PoE consumption is once again slightly more elevated than using the power adapters. Lastly, after connecting the EAP660 HD to the unmanaged TRENDnet TPE-LG80, the power consumption rose by 10 Watts, which is in line with the previous network switch. Adding the EAP670, it showed that an extra 6.8W were drawn, which is again, the same value as on the previous switch.
As a conclusion, we can see objectively that using the power adapter means less power consumption and that’s without taking into account the power needed to keep the switch itself alive.
Does the standard matter?
I won’t really extrapolate on all the available PoE switches on the market, but in my experience, it does seem that the PoE++ switches (those that support the 802.3at standard) do consume more power than the 802.3af/at switches, so yes, the standards do matter. Is it a significant difference?
The switches and the access points that I just tested.
Well, it can add up if you have lots of switches for lots of access points but bear in mind that most APs will work just fine with the 30W limitation in place, so, unless you need something very particular, I’m not sure that the PoE++ is mandatory. For now, since it’s going to become more widespread and efficient in time.
Passive cooled PoE switches vs Fans
This one is pretty obvious. Yes, fans do need more power than a passive cooling system, so, at least in the first minutes or hours, the advantage goes to the passive cooling. But things do change when the power supply and the components start to build heat which makes the entire system less efficient than the fan-cooling systems.
