At a recent DHS summit, the department’s director of software and supply chain assurance, Joe Jarzombek, presented a critical assessment of public and private organizations’ security measures. According to Jarzombek, organization’s have done a solid job fixing software defects and managing their adverse effects. However, when it comes to protecting organizations from hackers and thieves, Homeland Security isn’t handing out any gold stars.
The Department of Homeland Security (DHS) is handing out failing grades for network security. How do you measure up?
Much of the problem comes from third-party code. Did you know that code in your business applications and browser plug-ins comes from open source and reused components? Some of that code has known vulnerabilities. Usually, the bad code in a work-related app is added unwittingly. A bleary-eyed coder in search of a shortcut drops in the script, not realizing he’s poked a hole in your network.
But sometimes, code is created with malicious intent. Your innocent employees may install a plug-in to make it easier to block ads or take a screenshot, but they’ve actually just opened the door to some crafty hacker in a dumpy garage, eight time zones away.
For example, the “Theola” malware appears as a “default plug-in” for Google Chrome. To the untrained user, that “default” status makes it look like a browser extension that Chrome requires to function properly. In reality, Theola makes password input fields visible, tracks web activity, and sends bank login credentials to hackers.
Another threat, the “Rotbrow” malware, pretends to be a security-enhancing extension to your browser. In reality, it helps download various criminal code, including ransomware that encrypts a user’s machine and demands payment to unlock the device.
Still other malicious browser add-ons block access to anti-virus sites, remove a browser’s built-in security options, and prevent users from opening the window to look for dangerous plug-ins. Everyone, from the Department of Defense down to your local bank is vulnerable to these types of infections and vulnerabilities. After all, we all use work applications and we all rely on our local browsers (filled with insecure plug-ins) to access them.
To attack this problem, Homeland Security’s Jarzombek recommends agencies and companies focus more on testing and lifecycle support. He also encourages organizatons to use sites like the free online community dictionary to stay up-to-date on the latest vulnerabilites and malware.
We agree, with one important, additional recommendation: Get rid of your systemic risk by moving your employees’ browser sessions off your network. Instead, move sessions to a secure, cloud-based browser. This change eliminates the vulnerable or malicious plug-in code sitting on your staff’s hard drives. It also ensures that any risky code in your web-based work programs won’t leave you vulnerable to outside intruders.
Additionally, a cloud-based browser lets you customize each user’s permissions to the network, plug-ins, and business apps (like Salesforce.com or QuickBooks). Maybe some staff members should be able to download, while others should not. Maybe you want a department to have unfettered data access and approved plug-ins on their work machines during business hours, but only restricted access when they work on personal machines from home. With Silo, the network admin can limit the who, what, when, where and how much for each person in your organization.
If you have customizable permissions and cloud-based Web sessions taking place off your network, you’re protected from incoming attacks and accidental vulnerabilities created by your employees. Nothing bad can come in on its own and no foolish mistakes will accidentally invite the enemy inside. These two aspects of defense comprise a cloud-based browser’s “perfect layer of insulation.”
Sometimes when we promote cloud-based browsing, people counter that a virtual desktop provides the same level of protection. They’re wrong. Virtual desktop browsing doesn’t necessarily stop a defective browser plug-in from leaving your server vulnerable. It also doesn’t stop a sneaky malware attachment in an email from infecting a browser session and worming its way into everything you store on your server or in the cloud. (You can read about a current Silo customer who found out the hard way that his old, Virtual Desktop setup didn’t cut the mustard.)
We agree with DHS that testing and staying vigilant are important steps to protect you and your organization. But they’re not enough. You have to safeguard your business by moving browsing off your network, and by managing each user’s access to apps and plug-ins. Changing to a browser in the cloud is your key to achieving these goals, and earning top marks in network security.