Over the course of the last 12 months, cyber attacks have plagued companies and organizations worldwide, and this year’s Verizon DBIR report cataloged nearly 80,000 security incidents, including 2,122 confirmed security breaches in 61 countries. With high profile attacks on major U.S. healthcare providers, federal agencies and financial firms, it’s evident that bad guys aren’t discriminating. We are ALL targets.
While the industry continually shifts blame from hardware, to software, to human error, it's become apparent that a business application widely used for the past 30 years exposes a massive attack surface for businesses and consumers. That application is the browser.
From spear-phishing attacks to malvertising, cyber criminals have developed successful tactics to penetrate the browser. Left unchecked, this trend will continue through 2016. Before we talk about what can be done, let’s take a look at a few examples from 2015:
- IBM reports “Dyre Wolf” attack on enterprise banks: IBM researchers discovered this attack, which used a combination of social engineering and malicious software. Users were lured into clicking a bad link within their browser. Due to human error and sophisticated software, companies were robbed of more than $1 million USD.
- Cisco Puts The Hurt On International Ransomware Campaign: Cisco researchers disrupted the Angler Exploit Kit which helps spread ransomware and other malware around the globe. The sleuthy Cisco team determined that half of all Angler’s proxy servers were located with service provider Limestone Networks. By shutting down access to those servers and taking other measures, experts think that Angler’s ransomware revenue may have been reduced from $60 million to $30 million worldwide.
- Apple iOS and OS X Flaws Mean Serious Risks: A new study revealed Apple’s mobile and computer operating systems had vulnerabilities that expose passwords and personally identifiable information (PII). The study highlighted flaws in the operating systems as well as the App Store approval process – it couldn’t vet apps that contain certain malicious code. Check out our other blog post for deeper insights on the flaws as well as fixes to improve everyone’s risk exposure.
- RC4 Encryption Dumped By Mainstream Browsers: Google, Mozilla and Microsoft announced they will remove the RC4 encryption algorithm from their browsers by 2016. RC4 is a stream cipher introduced in 1987 to encrypt data packets. For years the digital security industry has known that criminals can break the algorithm. But freelance hackers aren’t the only ones who can crack the code. Documents from the Edward Snowden fallout revealed that US and UK intelligence agencies have also been willing and able to degrade RC4 encryption.
While several of these attacks leveraged new tactics, most criminals succeeded in employing schemes that rely as much on human error as sophisticated hacking. In fact, according to the NTT Com Security 2015 Global Threat Intelligence Report, over 75% of the security vulnerabilities identified in 2015 relied on tactics that have been known to the security community for two or more years.
While the new and improved browsers from major technology companies may use basic security protocols, we will see a rise in attacks affecting the browser in 2016 at the business, federal, and consumer level. We can predict several new threats and trends for the browser in 2016:
- The browser will continue to be the primary delivery vehicle for high growth exploits like ransomware and spear-phishing. Because more businesses rely on cloud-delivered web applications, data loss through the browser will increase dramatically. In the coming year, businesses will realize that controls within the browser must remain consistent with their IT infrastructure.
- Personal browsing activity that seems innocuous will expose company data. With employees spending an average of 75 minutes per day on personal browsing activity in the workplace, the browser will remain one of the easiest entry points into a corporate network. IT’s traditional approach of locking down networks or installing endpoint solutions will not scale any better than it has.
- Passwords will continue to be compromised. Whether through password re-use, users being phished, exploits against password managers, or shoddy protection of the password by the web service, the password remains the treasured target of the bad guys. Stealing or breaking credentials opens up a treasure trove of sensitive, regulated and/or personally identifiable information.
- Businesses will struggle to implement policy controls across web apps, including the ability to restrict data transfer. Most businesses currently have no way to control web applications or enforce centralized policies across 3rd party services. By regaining control over data exchange with websites - uploads and downloads, copy-paste operations and printing - security teams can ensure user error is eradicated. But doing so across all devices and services is not feasible with common technologies.
- Data breaches will hit an all-time high. Again. As the technology industry grows, and more people gain access, invariably the cybercriminal world will grow along with it.
It isn’t all doom and gloom, however, and the industry is making strides to protect users and companies. We think virtual browsers will enter the IT mainstream in 2016. Several vendors including Spikes Security and Ntrepid are turning to remote isolation as a technique for keeping web code away from the user’s endpoint. And the major analyst firms are starting to track this segment. As the market develops, IT will expand the use of the virtual browser category to include access management, single sign-on and data policy controls. As a result, data will be managed across third party web applications, regardless of the user’s network or device. This practice will become a way to provide employees with access to personal web resources without risking business devices or data.
So how do we protect ourselves in a multi-device, multi-network, multi-app world? When going online, the answer becomes pretty clear.
As one of our customers recently said to us, running a virtual browser “shifts the attack surface away from (their) network.” We think the virtualized browser is a solid first step in getting back in front of the issues. But without comprehensive controls to manage users’ access to sites, and without data policy controls to prevent leakage to unauthorized endpoints, the solution only addresses half of the problem - malicious code.
Silo, our virtual browser, combines all of these capabilities into a single, simple to deploy solution. My resolution for 2016 is to get it in the hands of as many organizations as possible. The sooner IT sees the browser as a point of infosec leverage, the better. The sooner Silo is deployed, the better equipped these teams will be to eliminate their exposure to malware and control the flow of data on the web.