Personal Data Privacy

How Much Data Are You Sharing?

By Crystal Johnston - January 28, 2020

National Data Privacy day is today, so how much data are you sharing?
We have all done it, downloaded a new operating system for our phone, or did an update to our computer, and up pops the all too familiar “Agree to the Terms and Conditions.” We naturally just scroll to the bottom and click “Agree.”

Well, do you really know what we are agreeing to?

To demonstrate just how many people seem to glance over the “T&C”, a few organizations took it upon themselves to add to their T&C some interesting terms that different people would agree to. Purple, a Wi-Fi provider in the UK, added to their T&C that agreeing to their terms meant that you would be responsible for over 1,000 HOURS of community service. The “Community Service Clause” within the T&C only had one person, out of over 22,000 people, come forward stating that they read the “Community Service Clause,” and that person actually received a reward for doing so.

Will Purple hold over 22,000 people accountable for their agreed upon 1,000 hours of community service? Most likely not, but what Purple did do is make people aware of how important it is that not only you understand what you are agreeing to, but how your data may be used.

Let’s dive in a bit further.

By hitting “Agree” you are signing your electronic name to a site, and therefore signing over your agreeance to them to use your data in ways they deem fit. This could be sharing your data with 3rd parties (advertising and spam calls), using your data for research, retargeting your data (digital ads), or even selling your data (IP Address, phone number, email, surfing behaviors.) Not to mention, you could be like a group of college kinds in 2016 who registered for a fake social media platformed called NameDrop. These students unknowingly authorized NameDrop to obtain their first-born child, as well as authorizing NameDrop to forward all personal information to the National Security Agency.

 Now, if you are anything like me, you are thinking to yourself “I still do not want to go over pages and PAGES of T&C. I don’t have the time, nor can I understand half the crap they are talking about. Well, there’s a way that you can at least somewhat get through the endless jumbled words of the T&C.

When it pops up, just hit “Ctrl+F”, this kicks off the “find” feature, or just skim the document like the good ole days. Look for terms that include: Agree, Submit, Acknowledge, Permission, Accept, Authorize, Retain, Retention, and Third Party. These terms do not tackle all areas of the T&C but is it at least a bit better than just clicking “agree” and hoping you didn’t just give up your first born.

For another added measure, you can use a browser plugin that will scan a T&C and let you know its graded level of issue (A-F.) ToS;DR or “Terms of Service; Did not Read” is a plugin that can assist with going through the T&C to detect what risks may be involved in clicking the “I Acknowledge” button. Is it fool proof? No, but it is just one more tool to help keep your data safe with YOU.

Understanding what data we are sharing not only benefits our own selves, but it can help those around us that are not as computer savvy, and who trust what the web has to say. When a new T&C comes through, or an update, I make sure to get my parents on the phone so that they can be walked through exactly what they are signing up for. The last thing I would ever want is to see is individuals who do not know about these “agreements” sign away their information to be used in anyway deemed fit.

While surfing the web, make sure you have your life vest on and are watching for sharks!

Information for this blog was obtained from
Hern, A. 
Guynn, J.

Just deployed SD-WAN on Cisco NFVIS …

feeling cute, idk might delete later and redeploy something else…

By Liam Keegan - January 23, 2020

I’ve found my new favorite platform for branch infrastructure. I’m talking about the Cisco ENCS 5400 appliance, paired with Cisco’s NFVIS virtualization software.

Who should read this article? Financial, retail and other multi-location organizations that want to simplify and standardize their branch infrastructure while at the same time making it much easier to react to business curve-balls. If you’d like to discuss this possibility for your organization, let’s book a time.

There are two things here to explain:

  • Cisco ENCS 5400: This is a hardware virtualization appliance. It’s a 1U box and comes in a variety of memory and processor configurations (the smaller spec’d configuration is the Cisco ENCS 5100 — you can find all relevant information on the data sheet).

ENCS-5412–1U with 8 LAN ports, 2 WAN ports, 1 NIM slot and 2 Hard Drive modules
  • Cisco NFVIS (Network Functions Virtualization Infrastructure Software). That’s a mouthful. NFVIS is a software hypervisor that is designed to run virtualized software images. NFVIS can be run on an ENCS platform, as well as UCS servers.

With a traditional branch router (or SD-WAN gateway), you’re limited to just that box’s functionality. An ISR router is an ISR router. A PAN firewall is a PAN firewall. When your business requirements change, you’re rolling a truck. With ENCS+NVFIS, there are no more redeployments when you get a curveball.

Why for a branch?

I like the ENCS platform because it has everything you need for a branch and nothing more. I believe that 90% of organizations need a router/SD-WAN gateway, maybe a firewall, and maybe a local utility server.

Even with an SD-WAN, adding a 4G backup connection usually makes sense. With the ENCS platform, you can add a 4G NIM, without an external router.

If you’re running one-off NIM cards in your ISRs, this topology may require you to make some compromises. If you have FXO interfaces, move them to SIP, convert FXS ports to ATAs, etc. Everything in this business is about choice and compromise, so the need for flexibility might override changing supplementary service form factors.

The ENCS-5100 has a smaller desktop footprint and reduced specs, at a lower price point.

But all I need is a router!

With the ENCS, you get that, and more if your business demands ever change! At heart, ENCS is a virtualization platform. Need a router? Install Cisco ISRv. Want a firewall? No problem... vFTD. Have a Cisco SD-WAN? Deploy a Viptela image.

By decoupling, you increase flexibility.

Think about this: you’re doing a significant upgrade. Instead of modifying production infrastructure, you setup your new router/firewall in parallel, then flip to it. Something goes wrong? Just change back. A/B testing for your network!

Flip flop between VMs. Does it get any better than that?

Here’s where this gets awesome… look at all the non-Cisco stuff you can deploy.

  • Want to deploy a local Microsoft Windows 2019 Core branch server? No problem, just load the ISO.
  • Deploying Palo Alto firewalls? There’s an image for that.
  • Bob from Marketing is hounding you about installing an Ubuntu server for digital signage? Go for it.
  • Do you need separate “stuff” for HIPPA, PCI or SCADA separation? Assign a dedicated Ethernet port and you’re done.

Need more awesome? Let’s automate!

The NFVIS platform is designed to be zero-touch provisioned and has a full suite of APIs to manage the environment. If your team is configuring these boxes via console cable, you’re leaving a lot of efficiencies on the table. Let’s look at a real-world example using a bank.

Use Case: A 200-branch financial institution with Cisco SD-WAN (Viptela) and a FirePower appliance for guest Internet.

Let’s look at a next-gen deployment for BankCo, who go all-in on the ENCS platform.

BankCo’s vendor (24/7 Networks, of course!) sends a spreadsheet with all the serial numbers of the ENCS units. Plug and Play (PnP) configuration templates are generated that configure each serial number to the chassis :

  • CIMC and system management services, including logging, TACACS and SNMP
  • Virtual network configurations for a dual-NIC outside and single LAN inside configuration.
  • NFVIS software version and image

After the NFVIS software running on the ENCS is in a known-good state (verified by making API queries against the unit), we start the deployment process.

  • Both the vEdge and FTDv gold images are downloaded from the local deployment server.
  • The local deployment server sends device information to both vManage and FirePower Management Center (FMC) for the new virtual devices.
  • The local deployment server sends NFVIS API commands to spin up a vEdge and FTDv virtual machine, with the IP addresses of vManage (for the SD-WAN image) and FMC. The virtual machines register to their respective management systems and they download their application configuration right from those platforms.

At this point, it doesn’t matter if BankCo deploys one or one thousand ENCS systems. In traditional deployments, the hard part is getting to the finish line. With an automated deployment, all the work goes into getting the first one out the door. After that, it’s just a matter of scale.

Lather. Rinse. Repeat.

In Summary

When it comes time to look at branch refresh, take a peek at ENCS + NFVIS and see if it’s the right fit for your organization and the business needs. There are some drawbacks, and the cost may not be at par, but you may gain operational efficiencies that make it worth it as your organization changes and evolves.

If you’d like to discuss this as an option for your organizationbook 30 minutes on my calendarLet’s virtually whiteboard to see if it makes sense for you and your team. No pressure, no pitch.

And, seriously, that picture is untouched. Seriously. I mean it. Seriously.

No more console cables, people.

It is the New Year Which Means New(ish) Phishing Scams

3 Steps to Catch a Fake

By Crystal Johnston - January 2, 2020

Have you ever opened your email and noticed an alert from you bank asking if $XXX.XX was a recent charge to your account? Did they ask you to click a link to verify the charge? Did you click that link? Well, you may be like thousands of Americans who have been phished through a new(ish) type of scam.
Why do I say it is newish? Well, the scam has been around for a long time, the click bate scam. You get an email, with a link, you click that link and BAM thieves have total control of your information through your device. What makes this new is the method that is used to obtain that information.
Let us break it down so you can see what to look for!

An email comes in from Chase Bank and it looks just like all the other emails you have seen before. The email says, “Dear Sir or Madam, we have noticed some possibly fraudulent charges on your bank account and would like to have you verify these charges”. The email then continues to say, “Please click the following link to verify the charge of $XX.XX from SOME COMPANY”.

You say to yourself, “I didn’t buy something from SOME COMPANY for $XX.XX” so you go to click to tell them it is fraud. STOP yourself RIGHT THERE!
Time to break apart this email and see if it is in fact from your bank.
  1. Does the “from” address have your bank’s name in the email or does it have an address that looks to be a bit weird?
    1.  (less likely to be fraudulent)
    2. (most likely to be fraudulent)
  2. Is the email directed to you or is it generalized?
    1. Dear FIRST NAME (less likely to be fraudulent)
    2. Dear Sir or Madam (most like to be fraudulent)
  3. Does the email include the last four digits of your credit card number?
    1. Yes (less likely to be fraudulent)
    2. No (most likely to be fraudulent)
If these all are true but you still have a weird feeling, contact the bank from the back of your credit/debit card or go to their site directly and check it for yourself. Clicking anything on the email could be dangerous so try and stay one step ahead of these con artists. Remember, fraud emails and phishing get more advanced each day and it is important to stay ahead of the crooks. If you would like more information on how your company can be better protect, please contact us at 303-991-2224 or

Information provided by Jefferson Graham, USA TODAY - USA TODAY - Wednesday, January 1, 2020

Happy New Year!

Have some free stuff...

Nothing beats free, or in this case: freemium. I’ve put together a list of a few free SaaS services that will make your lives easier, and don’t have huge hurdles to implement.

All of my recommendations have enhanced paid-for plans, but what good is spending money on stuff if you’re not getting even the most basic value first? Start small, realize success quickly, then build upon that.

Without further interruption…..

Two Factor Authentication

Cisco’s Duo Security offers 10 free 2FA users, and UNLIMITED protected devices. How many IT departments are more than ten people? For the low, low cost of FREE, you should make it your New Years resolution to enable 2FA on EVERY. SINGLE. SERVICE. that is accessible via the Internet or has a privileged login.

Duo is brain-dead simple. To protect a Windows machine, double-click on an MSI file. To protect a Linux box, load the Duo PAM module. Have a Cisco/Palo Alto/Checkpoint VPN, or any infrastructure that uses RADIUS for authentication? Install the Duo authentication proxy and those devices are 2FA secured. Protection in a matter of minutes.

See everyone that’s logged into everything with 2FA protection.

I can’t stress this enough — there is NO REASON that EVERY organization shouldn’t have two-factor authentication protecting everything that has a privileged administrative login or external network access.

On a final note, if you’re an Office 365 customer with an assigned license, did you know that you get Microsoft’s Authenticator two-factor application at no charge? If you don’t do anything else…


Network Monitoring

I have two freemium platforms for you. The first is one of my longtime favorites: Uptime Robot. Uptime Robot lets you monitor up to 50 devices with a 5-minute polling interval from multiple Internet points for free.

If it’s Internet-reachable, Uptime Robot can monitor it. Websites, SD-WAN devices, SaaS services, and services running on custom ports. Get a notification if your stuff that you depend on is down before your users let you know.

50 devices, absolutely free.

Top Gear Top Tip

If you’re running a Meraki firewall, you’ll automatically get a dynamic DNS hostname for each ISP on your SD-WAN firewall. Put each hostname into Uptime Robot so if an ISP drops you know about it without having to rely on managing a spreadsheet of static IP addresses. In your dashboard, you’re looking for something like this:

Simply add the IP of the device in the IP/Host field and you’re off and running.

Finally, my other recommendation for a free tool is BGPmon. BGP is the protocol that makes up the backbone of the Internet, by ensuring that networks are routed properly to their intended destination. Sometimes this delicate trust breaks, and you’re left wondering why you can’t get to where you need to go.

Create a free BGPmon account, and add up to five IP address prefixes into it. If Uptime Robot says that if all of your stuff is offline, you can cross-reference it against what BGPmon reports, ensuring that a larger backbone outage isn’t the culprit.

Add each of your netblocks (up to 5) to be monitored.

Directory as a Service (DaaS)

This one is a bit more off the map, but I’m a big fan of JumpCloud. Odds are, your organization has a Microsoft Active Directory and all of the “things” that go along with that (upgrades, patching, servers, licensing, etc).

JumpCloud provides that directory service completely in the cloud. Their free plan allows 10 users and 10 machines. You can do practically everything that you can do with Active Directory, but you’re not managing any of the back-end infrastructure.

With their free plan, you get:

  • One login and password on every system under management. To protect a Windows or Linux device, it’s simply an MSI/installer double-click.
  • Two factor authentication: Everything can be 2FA protected via the JumpCloud environment, regardless of what you’re accessing.
  • LDAP, RADIUS and SSO/SAML: Use JumpCloud’s authentication servers for third-party access (everything from Office 365/Google Apps to routers/switches/firewalls/VPNs). For me, this is the biggest needle-mover, ensuring that I’m not having to run a bunch of infrastructure just to protect my stuff.
  • Systems Management: Create, apply and enforce PC/Mac policies on machines.

While I don’t use this for my office, I do use it for my home. I get full enterprise-grade security for my Wifi and computers that I do from an enterprise-grade corporate network, and it’s really easy to lock out my kids from the network when they’re not doing their homework!

Seriously, think about how many SMB companies could get an enterprise security and management stack for their 10 or less people for the low, low cost of FREE. For small companies, this should be a no-brainer.

DNS Filtering

Phishing emails and websites are out there. It’s just a matter of time before you (or someone like you) accidentally clicks on a link and gives up your password. For a fighting chance against them, use a DNS provider that filters results.

DNS is what turns easy-to-remember hostnames (like into IP addresses (like A DNS provider that filters blocks bad domains (like from resolving to the infected IP address.

To get basic protection, you simply need to enable your clients to use the provider’s DNS.

Cisco Umbrella offers two sets of DNS servers usable at no charge:

Comodo Secure DNS is an alternative:

  • and offer protection against malware, phishing and junk domains.

Other providers include Quad9 and CleanBrowsing, but any provider is better than no protection.

Top Gear Top Tip

Ensure your guest Wifi has some sort of filtered DNS servers configured, to keep guests from looking at content that wouldn’t be appropriate in the workplace. It’s not going to stop a determined user, but it’s better than nothing.

That’s it, folks. May you have a secure, reliable and protected 2020!


Cisco Field Notice

Self-Signed Cert Expiration Impact

Cisco published a Field Notice this week (here’s the link to the original document, CCO login required) that details how devices won’t form IPSEC connections because of the self-signed certificates expiring on January 1, 2020. It’s an issue in IOS and IOS-XE software, not for any other product lines.

We’ve been getting a lot more questions about this than usual, but the impact in our customer base has been minor, so here’s a quick recap of what’s at risk.

With all of these examples, if you’ve replaced the cert with a “real” (meaning issued by a Trusted CA) certificate, the defect doesn’t apply.


Unless you’re running X.509 based authentication (using certificates), you’re not at risk. Username and password SSH authentication is and will continue to work when you try to access the box for management access.


If you are running ‘ip http secure-server’ with a self-signed certificate, your web browser will show that your certificate is expired and untrusted. However, odds are that it says that anyways, since your browser doesn’t trust self-signed certs. If you are using RESTCONF to manage your devices and you’re doing strict certificate checking, that’ll break.

Collaboration Features

If you’re running SECURE voice (SRTP) this is an issue. This affects CME/SRST, dspfarm, SCCP and MGCP services, as well as API Gateway in HTTPS mode. This only will affect traffic going to an IOS or IOS XE gateway that’s encrypted.

IPSEC Tunnels

If you’re terminating tunnels on an IOS or IOS XE router and you are running “authentication local rsa-sig” in your ISAKMP profile with a self-signed certificate, the tunnel will break on 1/1/2020. If you have auth pre-share or auth rsa-encr in your config, you’re fine.


There’s a bug with old WAPs made before 2005 where the manufacturer certificate has an expiration date. Make sure you’re running a newer version of the code train you’re on and you should be good. Check the WAP compatibility matrix prior to upgrading. Here’s the link to that particular notice.

If you’re vulnerable, the simplest way to work around this issue (besides a software upgrade) is to generate a new certificate with OpenSSL, then import the certificate to the device. It’s documented in the Field Notice as Workaround 3.

bash# openssl req -newkey rsa:2048 -nodes -keyout tmp.key -x509 -days 4000 -out tmp.cer -subj “/CN=SelfSignedCert” &> /dev/null && openssl pkcs12 -export -in tmp.cer -inkey tmp.key -out tmp.bin -passout pass:Cisco123 && openssl pkcs12 -export -out certificate.pfx -password pass:Cisco123 -inkey tmp.key -in tmp.cer && rm tmp.bin tmp.key tmp.cer && openssl base64 -in certificate.pfx

Then, import it to the affected box and ensure the trustpoint is changed to the new entry (in this case, one named TEST):

Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki trustpoint TEST
Router(ca-trustpoint)# enrollment terminal
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# exit
Router(config)#crypto pki import TEST pkcs12 terminal password Cisco123

If you have any questions, please let me know!

Happy Holidays!