Friday, September 28, 2007
Where risk meets opportunity: Part 1
A growth market
Until recently, PDA and smartphone adoption moved slowly, hampered by limited device capabilities and slow wireless links. But last year, device and network innovations finally put a kink in that curve. According to Canalys, global PDA and smartphone shipments jumped 75 percent between 3Q04 and 3Q05.
By mid-2005, Gartner estimates that PDA adoption had reached 47 million—about half the installed base of laptops.
Many mobile devices are purchased by individuals, without employer funding or blessing. But business use is quite common, especially among executives, sales, and other on-the-go workers. In a Pepperdine University survey, 38 percent of US professionals said that they had used their PDA to access their company's network. By 2007, IDC predicts that 90 percent of enterprise mailboxes will be accessed from mobile devices.
This surge in mobile device use is creating many new revenue opportunities, from mobile network services and business applications, to mobile device management and security. Gartner reports that mobile data protection sales were greater in 2004 alone than for the previous three years combined, and IDC projects that $1 billion will be spent on mobile device security in 2008. A diverse crop of security software vendors, old and new, are jockeying for position in this growth market.
ISPs are in a great position to re-sell and deploy mobile security products to individual subscribers, SMBs, and enterprise customers. Doing so can expand an ISP's portfolio, make existing internet service packages more attractive, and avoid customer erosion by 3G wireless carriers. For example:
* Any ISP that already sells secure remote access services or software for laptop users can complement that offering by adding similar measures for PDAs and smartphones, helping to retain customers as workforces shift to using mobile devices.
* ISPs can capitalize on today's unmanaged mobile device fleet to fix a growing problem not yet addressed by corporate IT. Customers who appreciate the risk but lack mobile security know-how may be happy to offload that job to a service provider with whom they have an existing relationship.
To help you determine whether mobile device security represents an opportunity for your business, this article explores today's mobile devices, their built-in security features, and after-market products that can be used to augment those capabilities.
Mobile devices and operating systems
Personal Digital Assistants (PDAs) and cellular phones are rapidly converging into what many generically refer to as "smartphones." Gartner defines a PDA as a data-centric handheld that may include a cellular radio. IDC considers any device that offers cellular voice to be a mobile phone or a converged device (aka smartphone). No matter how you slice the pie, many mobile devices shipping today offer more than one wireless interface:
* Bluetooth for peripheral (e.g., earbud or PC) connection,
* Wi-Fi for internet hotspot and corporate WLAN access, and/or
* 2G/3G wireless for voice, messaging, and mobile packet-switched data.
Older devices relied on "graffiti" pen-strokes or telephone keypads, but newer devices use thumb-wheel menu navigation and tiny QWERTY keyboards to better support e-mail and other text-based business applications. Personal Information Manager (PIM) applications (e.g., contacts, calendars, tasks) are still common, but are now frequently accompanied by internet clients (e.g., web browser, POP/SMTP e-mail, instant messaging (IM)), multimedia applications (e.g., media player, photo capture), and document viewers or editors (e.g., Acrobat, Office Mobile). Of course, the data associated with these applications also requires space: 64 to 128 MB of RAM and 2 GB removable storage are now typical.
Mobile devices are not limited to these factory-installed applications. A healthy crop of after-market consumer and business applications have emerged for mobile devices that offer APIs and SDKs for third-party development.
However, porting applications to mobile devices is no simple task—capabilities vary across devices and models, and processors and operating systems are very different. Most of today's mobile devices run one of the following operating systems:
http://www.isp-planet.com/technology/2006/mobile_security_1a.html
Managed Security Service Providers
Managed Security Service Providers (MSSPs) are filling the growing gap between need and capability. From small offices with no IT staff to over-burdened enterprises, many companies now implement their security policy by partnering with an MSSP. This approach might save your business time and money while yielding more effective security—IF you choose the right partner to defend your networked assets.
Purchasing a managed security service means establishing a trust relationship with subject matter experts. It means asking that third party to assess your security requirements and vulnerabilities, then install and configure appropriate countermeasures. It means hiring an outsider to monitor and analyze traffic that threatens your networked assets—in some cases, taking action on your behalf to block intrusions or neutralize attacks. These and other security-related tasks can be shared to varied degrees, depending on the provider and service(s) you choose.
Available managed security services range from managed firewall and virtual private network (VPN) devices to intrusion prevention (IPS) and anti-virus/anti-spyware (AV/AS) solutions, and content filtering solutions. MSSPs leverage economies of scale to deliver these services with higher quality, at lower cost.
When an MSSP issues an RFP, conducts a field trial, and selects a "best of breed" platform, those efforts support hundreds of future installations. When an MSSP outfits a security operations center (SOC) with certified specialists and sophisticated Security Event Management (SEM) tools, those costs are amortized over thousands of devices. Customers get to benefit from the latest and greatest in security, while providers reap return on investment through monthly service fees.
This concept may be simple, but choosing the right MSSP is complex. When selecting a security partner, is it vital to consider history and reputation. You should evaluate the processes used by the MSSP to provision services, respond to incidents, support in-house investigations, and report on events. You must clearly understand the division of labor between you and your provider and how you will interact, not just during activation, but for the years to follow.
To assist our readers with this endeavor, ISP-Planet has conducted MSSP surveys since 1999. What follows is our fifth MSSP survey, conducted during Q4 2006. With this survey, we hope to provide you with insight into seven of today's most popular managed security services.
To create a representative sample, we invited over sixty providers—small to large, national to global—to complete an in-depth questionnaire. Invitees included past survey participants, companies that contacted us after our last survey, and many other players in the MSSP landscape.
http://www.isp-planet.com/technology/mssp/2006/mssp1a.html
Bolting the Back Door with NAC
Why this flurry of NAC activity? What the heck is NAC anyway? And why should you care? In this four part series, we examine the business needs driving NAC, compare today's major flavors of NAC, and show NAC in action by taking one popular implementation for a test drive: Juniper Network's Unified Access Control.
Turning network security inside out
Over the years, perimeter defenses have gradually improved. Today, almost everyone understands that private business networks must be protected from perils posed by the public internet. However, many network owners still turn a blind eye to threats emanating from internal systems connected to their own wired and wireless LANs.
Historically, all systems inside the network perimeter have been viewed as trustworthy, and their users have enjoyed a great deal of freedom to reach private servers and data. Compared to measures commonly applied at the internet edge, internal LAN access controls are frequently weak or absent.
Many organizations still rely on physical security measures like entrance badge checks and wall port disablement to deter unauthorized LAN access. Every system that manages to connect to a physical or virtual LAN becomes a trusted endpoint that can send packets to every other network endpoint, without regard to system integrity or user identity. While logins are often required to actually use sensitive services or fileshares, those measures do nothing to insulate the network itself from attack or misuse.
In truth, the assumption that LAN endpoints are trustworthy was always shaky. Insider attacks by disgruntled employees have long been a significant but under-appreciated risk. For example, the 2006 CSI/FBI Computer Crime and Security Survey (1.5 MB .pdf file) found that 2 in 5 companies attributed over 20 percent of their cybercrime losses to insider attacks. But over the past few years, evolving business conditions and network technologies have rewritten the ground rules and imposed costly penalties.
* Workforces have become increasingly mobile, carrying corporate laptops (and more!) from work to home to hotspot. When those endpoints connect to external LANs, they are directly exposed to a myriad of network-borne threats. Laptop anti-virus and personal firewalls help, but easily become outdated or disabled. When a compromised endpoint returns to work and connects to the internal LAN, it becomes a source of infection or intrusion. Trojan downloaders, keyloggers, and other spyware have become especially troublesome, resisting removal while causing identity theft or financial loss.
* Most offices are now visited daily by guests, contractors, auditors, and other users who require some degree of public or private network access. If accommodations are not made, visiting endpoints are likely to find their way onto your LAN anyway—for example, by borrowing a cubicle Ethernet jack or an employee's WLAN access password. When connected in this fashion, visitors become like any other trusted endpoint, gaining access to confidential documents, financial records, personnel files, management systems, and other sensitive resources.
* Malware recovery is costly, but pales in comparison to the fear instilled by government and industry regulation compliance. For example, companies that process credit/debit card transactions must comply with the Payment Card Industry (PCI) data security standard by protecting and controlling access to cardholder data. Public US companies must now comply with the Sarbanes-Oxley Act (SOX), a law created to deter accounting errors and fraud. Hundreds of regulations exist worldwide that require organizations to not only secure affected networks, systems, and/or data, but to prove they have done so through logs and audits. Breach or audit failure due to non-compliance can result in direct costs, legal fees, hefty fines, even imprisonment.
The role of network access control
These changes have caused many organizations to reconsider internal network security policies, implementations, and practices—in many cases, following C-level mandates to reduce associated business risk. While no silver bullet, NAC can help to address these concerns by overhauling the way we control access to internal network resources.
NAC is an evolving strategy with many possible implementations. At an abstract level, NAC avoids granting unfettered LAN access to known/trusted endpoints. Instead, NAC bases network access decisions on individual user identity, the security state of that user's endpoint, and policies which define who should be allowed to use which resources, under what pre-conditions.
Identity-based controls let us differentiate between employees, contractors, and guests and treat them accordingly. Assessing each endpoint's health and policy compliance lets us spot compromised laptops before they can communicate with the rest of the network. Mapping those endpoints onto defined authorizations lets us dynamically permit or deny access on a "need to know" basis. For example, we could give guests internet-only access while admitting only healthy accounting department users to the finance LAN.
Furthermore, instead of the static pass/fail approach associated with conventional ACLs, NAC can reshape permissions on the fly. An infected endpoint might be re-directed to a remediation server for cleansing, while an endpoint missing critical patches or programs might be sent to a download server. Remedied endpoints could then be automatically re-authenticated and receive trusted resource access, while healthy endpoints that fail periodic re-assessments could be sent right back to "quarantine."
This utopian vision of NAC involves a large number of moving parts, all working together seamlessly to enforce and audit defined security policies. In reality, today's early-adopter NAC deployments are far less ambitious. Juniper estimates that 57 percent of companies want to deploy NAC incrementally, starting with a pilot that addresses a specific near-term need in a confined network segment. For example, many companies pursue NAC to enforce policy compliance for selected managed (employee) endpoints. Others deploy NAC to facilitate unmanaged (guest, contractor, phone) access. In fact, the first step towards NAC deployment is deciding what you hope to accomplish.
http://www.isp-planet.com/technology/2007/nac_1.html
Find a DSL Internet Service - Choosing a DSL ISP Provider
If you are interested in DSL internet service, you probably value high speed internet access. When it comes to high speed broadband internet access, you generally have the choice between DSL providers, satellite internet and cable internet services. Read this page to learn background information and when you're ready visit our page to compare DSL Internet companies.
There are two components to internet speed, bandwidth and latency, and these can be something to keep in mind when choosing DSL internet access. Read our article on How to Choose Cable for detailed explanations of bandwidth and latency. In summary, bandwidth is the maximum sustained rate at which data can be downloaded, and high bandwidth is important if you download large files, movies, music, TV clip, or if you stream audio or video. Latency is basically the delay in processing requests, such as the lag between clicking on a link and when the page begins to download. Latency if of supreme importance if you do a lot of internet browsing.
For DSL internet and cable internet, you can usually find the maximum bandwidth offered. Sometimes with DSL providers there are different plans, offering higher bandwidth for higher prices. Even the lowest priced plan is usually many times faster than a dialup connection, so for many people the budget plan is the best choice for DSL access.
However, it should be noted that the actual bandwidth you see with DSL internet connections can vary due to your distance from the phone company central office terminating your connection, the load at the ISP and other factors, just as cable and dialup speeds vary from the maximums.
Likewise, the other component of internet speed, latency, can vary from hour to hour and day to day on the same DSL internet service. DSL providers and other ISPs do not typically give any latency data, making it hard to compare internet service providers based on latency. Fortunately, most DSL services provide low latency on a consistent basis, so you generally do not even have to worry about it.
When you are looking for DSL internet access, you may find that your local telephone company is your only choice for DSL internet access. For example, if you are in an area where SBC is your local phone company, SBC DSL may be your only choice for DSL internet access. Likewise if Verizon is your local phone service, Verizon DSL is likely your only choice for DSL internet. However, in addition to your local telephone company, you should also check into Earthlink DSL.
http://www.getisp.info/find-dsl.html
Charter High-Speed Internet ISP Review
My main problem with their customer service is that they put you on hold for an extremely long time, sometimes even hanging up on you. When you finally get someone on the phone, they usually rush through the conversation without fully answering questions, and are not very friendly. They do not seem to care at all about their customers.
Charter High-Speed offers a choice between three different speeds: 3 Mbps, 5 Mbps, or 10 Mbps. Their highest speed is not quite as fast as the exceptional Cox High Speed Internet, but it is very fast, and definitely better than DSL or dial-up. The 10 Mbps speed is quite good when it's working, and even the 3 Mbps speed is generally better than DSL. The speed may decrease quite a bit in busy areas, however, since Internet over cable is always shared with all the other cable users on the same line.
Another problem with the Charter High-Speed Internet service, however, is that the connection goes down quite often, and they do not seem to make a very good attempt at restoring the connection quickly. After researching other reviews online, I find that this again seems to be a local issue, but seems to correlate with customer service. If the customer service in your area is poor, then your down times may be greater.
I suppose when the Charter High-Speed service is bad, it's really bad, but when the service is good, it's really good. In the High Desert, California area, it's really bad. Internet service can be down for many hours, and sometimes even days. This may be more likely in some areas such as the High Desert where high winds are common of course, but the real problem is that they do not seem to care enough to fix the problem quickly, even when the weather is pleasant outside. If you have bad weather in your area (especially with above-ground cable lines), have bad customer service in your area, and live in a busy city, your Internet connection may be of very little use.
Charter High-Speed Internet offers a couple of decent extras to go with your high speed Internet connection. Included is a security suite including anti-virus software, firewall, spam filtering, and parental controls. You also get ten email addresses with about 100 MB storage each, for a total of 1 GB of storage. These services are good, but many other companies are now offering the same services (or more) in order to compete.
http://www.associatedcontent.com/article/113069/charter_highspeed_internet_isp_review.html
Selecting Your First Satellite Internet Provider
Internet connectivity in rural areas has been dominated by dial-up for many years. Satellite Internet is becoming a common service upgrade in these areas however now that the demand for broadband has begun to rise, and of course the availability has increased. Satellite TV led the way to new Internet service for rural communities and providers are now focusing more attention to markets outside metropolitan areas.
Selecting a Satellite Internet Service can be confusing for a first-time user. Discussed below are the things to avoid in a service, as well as what to look for.
What to Avoid
Avoid a provider that doesn’t provide the required hardware if possible. Most offer third party hardware and will install it as well, and for a first-time user this can be important. Find out what hardware a potential provider uses and make sure they are authorized to sell it and install it. Installation will probably come with a fee, but service providers will sometimes work out a special deal that includes this cost.
Having tech support close to home can be a big advantage. If a provider doesn’t have a local office, then make sure they have contractors in the area that can respond quickly to a problem. Having to wait 2 weeks for a tech support agent to arrive might be a bit frustrating.
Traditionally satellite connections come in two flavors, one-way and two-way. By using proxy servers and an additional phone line it is possible to surf the Internet via a one-way connection, but it is slow and unnecessarily complicated. Almost every provider now offers two-way Satellite Internet connections, but it doesn’t hurt to make sure. One-way connectivity was a very early satellite Internet technology and has been almost completely replaced.
What to Look For
Many satellite services use more than one satellite in orbit. This is done to offer increased coverage as well as a higher level of redundancy to avoid outages. When choosing a provider ask how many satellites that have in use and how they are making sure the uptime of their users is maximized.
A provider that services its own hardware is important, but so is a service level agreement that offsets this cost to the provider. Look for a service contract that includes regular maintenance as well as equipment upgrades as technology changes. There will almost certainly be a cost associated with this, but make sure the provider is sharing this burden.
Internet connection speed is important with any service. Satellite Internet Service will not be as fast as cable or DSL in the foreseeable future, but it is a great alternative to dial-up. Latency is always an important issue when discussing satellite internet. Hardware optimization and compression will help mitigate the effects, but there is no way to completely avoid it. Ask a potential provider how they are dealing with the inherent latency issue.
http://www.americanchronicle.com/articles/viewArticle.asp?articleID=28412
Choosing an Internet Service Provider
An Internet Service Provider is the company that takes care of the technical aspects of connecting your computer(s) to the internet. Enabling your computer to access the world wide web, email, newsgroups and other Internet resources.
What are the choices?
Business vs Home packages
Packages are often divided up between those targeting home users, almost always the cheapest, and those catering for businesses, which offer more features at a higher price. Small voluntary organisations often sit between these two categories, and can be tempted to go for the cheaper option. A low-cost home package may restrict future development, such as use of a domain name. The key deciding factor should be service quality and the ability to alter the package at a later date, to meet your developing needs.
Dial-up
Until a few years ago Dial-up was the main mechanism for connecting to the internet. This is really just like a simple phone connection. Because dial-up access uses normal telephone lines, the speed and quality of connection is very basic. Having a dial up internet connection also means your phone line is tied up when you’re connected to the Internet so this can be a problem if you only have one phone line.
Increasingly dial-up is seen as a back-up or secondary connection method.
Broadband
Broadband is the term used to describe a high speed Internet connection. There are two main types of broadband connection, ADSL (Asymmetric Digital Subscriber Line) and Cable, for the purposes of this article the term broadband will be used to cover both types of connection. Over the last few years the price of Broadband has come down dramatically. It is the most prevalent type of connection to the internet, for this reason this article will focus on broadband when looking at choosing an ISP.What is an ISP?
An Internet Service Provider is the company that takes care of the technical aspects of connecting your computer(s) to the internet. Enabling your computer to access the world wide web, email, newsgroups and other Internet resources.
What are the choices?
Business vs Home packages
Packages are often divided up between those targeting home users, almost always the cheapest, and those catering for businesses, which offer more features at a higher price. Small voluntary organisations often sit between these two categories, and can be tempted to go for the cheaper option. A low-cost home package may restrict future development, such as use of a domain name. The key deciding factor should be service quality and the ability to alter the package at a later date, to meet your developing needs.
Dial-up
Until a few years ago Dial-up was the main mechanism for connecting to the internet. This is really just like a simple phone connection. Because dial-up access uses normal telephone lines, the speed and quality of connection is very basic. Having a dial up internet connection also means your phone line is tied up when you’re connected to the Internet so this can be a problem if you only have one phone line.
Increasingly dial-up is seen as a back-up or secondary connection method.
Broadband
Broadband is the term used to describe a high speed Internet connection. There are two main types of broadband connection, ADSL (Asymmetric Digital Subscriber Line) and Cable, for the purposes of this article the term broadband will be used to cover both types of connection. Over the last few years the price of Broadband has come down dramatically. It is the most prevalent type of connection to the internet, for this reason this article will focus on broadband when looking at choosing an ISP.
Other options
Both Dial-up and most broadband connections rely on having access to a BT line. If this is not possible there are other options such as 3G phones and satellite broadband. The I Can’t Get Broadband - Help! article on the Knowledgebase goes through the alternative ways of getting connected.
Considerations
There are so many ISPs out there offering a bewildering array of packages the best approach is to focus on some key considerations to enable comparison between different providers.
Terms and conditions
Always check! Areas to look out for include – length of contract (do you have to stay for a given amount of time), switching providers (what will you have to pay to terminate contract) and connection or any other hidden charges.
Support
Hopefully you will not need to call on support from your ISP. If you do clarify what support is offered – 24 hours a day? 7 days a week? Is this done through a premium rate phone number? When thinking about support also consider the skills and knowledge you have within your organisation.
Length of contract
Many ISPs ask you to sign up for a specific time – usually a year or eighteen months. They may offer a discounted price to customers who do this. If you are not given the choice, make sure that you can get out of the contract if the ISP does not deliver the service they agreed to.
Free services
Nothing in life is truly free. All ISPs have to make money on service somehow. “Free” services may do this through advertising when you connect or more likely an expensive technical support line.
Connection Speed
Although broadband is considered a fast Internet connection there are still differences in speed. This can vary from 512Kb to 8Mb connections. Exactly how important speed is depends on intended use of the connection. Generally speaking, 512Kbps should be more than adequate for 90% of Internet tasks (website browsing/updating, e-mails). However this will be affected by factors like the number of computers sharing the Internet connection within your organisation, the type and amount of content you need to download, and contention (see below).
If you’re likely to need to download larger quantities of data (e.g. large documents, audio and video content, or to use your connection to make cheaper Phone calls over the Internet?) then 2Mbps or greater should be the aim. 2Mbps is essentially four times the speed of a 512Kbps connection and is generally adequate for most online content and downloads.
Uptime/Service levels/contention issues
As with purchasing any service you want to know about what level you are going to get.
Uptime
This is the percentage of time the Internet service provider's (ISP's) service is running properly. Establish what uptime figure the ISP claims for its services. Will it guarantee this uptime and discount your account if it fails?
Contention
Each ISP will have a contention ratio; this means the number of connections sharing an exchange. A ration of 50:1 means that the exchange could be shared between 50 different users, the level of this ratio may affect how much of full broadband speed is achieved.
Service levels
When considering a service level agreement, it is particularly important to bear in mind two things. First, that allowance should be made for any planned downtime for maintenance of the server which should be excluded from the calculation of the time during which the server is unavailable. Second, it is not possible for anyone to guarantee a 100% connection success rate
Download caps or Fair Usage Policy
Although broadband is an always available service some providers limit the amount of information you can download in a given time period (this is usually monthly). If you use your connection for browsing the Internet and sending/receiving emails then a service capped at 5Gb will usually be adequate. If you are downloading a large number of files this could be an issue but there are packages allowing up to 30Gb per month. Some ISPs will allow you to go over this download limit but will charge for doing so, for example a charge will be levied per Gb over, as well as and administration charge.
Some providers who do not issue a specific download limit often use the term “Fair Usage Policy”. It is essential that you check the small print to determine what this level is. The problem is that most Fair Usage Policies fail to identify a specific level of consumption, so you can be left with no real practical basis with which to asses their expected usage against the ISP’s limitations.
Both Dial-up and most broadband connections rely on having access to a BT line. If this is not possible there are other options such as 3G phones and satellite broadband. The I Can’t Get Broadband - Help! article on the Knowledgebase goes through the alternative ways of getting connected.
Considerations
There are so many ISPs out there offering a bewildering array of packages the best approach is to focus on some key considerations to enable comparison between different providers.
Terms and conditions
http://www.icthubknowledgebase.org.uk/choosingisp
Always check! Areas to look out for include – length of contract (do you have to stay for a given amount of time), switching providers (what will you have to pay to terminate contract) and connection or any other hidden charges.
Support
Hopefully you will not need to call on support from your ISP. If you do clarify what support is offered – 24 hours a day? 7 days a week? Is this done through a premium rate phone number? When thinking about support also consider the skills and knowledge you have within your organisation.
Length of contract
Many ISPs ask you to sign up for a specific time – usually a year or eighteen months. They may offer a discounted price to customers who do this. If you are not given the choice, make sure that you can get out of the contract if the ISP does not deliver the service they agreed to.
Free services
Nothing in life is truly free. All ISPs have to make money on service somehow. “Free” services may do this through advertising when you connect or more likely an expensive technical support line.
Connection Speed
Although broadband is considered a fast Internet connection there are still differences in speed. This can vary from 512Kb to 8Mb connections. Exactly how important speed is depends on intended use of the connection. Generally speaking, 512Kbps should be more than adequate for 90% of Internet tasks (website browsing/updating, e-mails). However this will be affected by factors like the number of computers sharing the Internet connection within your organisation, the type and amount of content you need to download, and contention (see below).
If you’re likely to need to download larger quantities of data (e.g. large documents, audio and video content, or to use your connection to make cheaper Phone calls over the Internet?) then 2Mbps or greater should be the aim. 2Mbps is essentially four times the speed of a 512Kbps connection and is generally adequate for most online content and downloads.
Uptime/Service levels/contention issues
As with purchasing any service you want to know about what level you are going to get.
Uptime
This is the percentage of time the Internet service provider's (ISP's) service is running properly. Establish what uptime figure the ISP claims for its services. Will it guarantee this uptime and discount your account if it fails?
Contention
Each ISP will have a contention ratio; this means the number of connections sharing an exchange. A ration of 50:1 means that the exchange could be shared between 50 different users, the level of this ratio may affect how much of full broadband speed is achieved.
Service levels
When considering a service level agreement, it is particularly important to bear in mind two things. First, that allowance should be made for any planned downtime for maintenance of the server which should be excluded from the calculation of the time during which the server is unavailable. Second, it is not possible for anyone to guarantee a 100% connection success rate
Download caps or Fair Usage Policy
Although broadband is an always available service some providers limit the amount of information you can download in a given time period (this is usually monthly). If you use your connection for browsing the Internet and sending/receiving emails then a service capped at 5Gb will usually be adequate. If you are downloading a large number of files this could be an issue but there are packages allowing up to 30Gb per month. Some ISPs will allow you to go over this download limit but will charge for doing so, for example a charge will be levied per Gb over, as well as and administration charge.
Some providers who do not issue a specific download limit often use the term “Fair Usage Policy”. It is essential that you check the small print to determine what this level is. The problem is that most Fair Usage Policies fail to identify a specific level of consumption, so you can be left with no real practical basis with which to asses their expected usage against the ISP’s limitations.