Can’t Stop Businesses From Browsing

Web browsers are used every day at work to conduct business, communicate with each other, share and store data, and even complete business transactions. As an IT security professional, you probably picture your employees using their favorite cloud applications to access services such as email, calendar, customer relationship management, file storage, file sharing, video streaming, social networking, and more.

All of these tools are necessary for the business – even accessing them via the web seems to be non-negotiable as most apps are delivered via the web these days. According to Skyhigh Networks, the average financial services firm uses 1,004 distinct cloud services. This number grew 19% over the previous 4 quarters.

"The average financial services firm uploads 5.9 TB to the cloud each month," said Cameron Coles, Sr. Product Marketing Manager at Skyhigh Networks. "The average financial services employee uses 31 distinct cloud services to complete their work," Coles added. Some of these services include:

  • 5 file sharing services (e.g. Dropbox, Google Drive, etc.) 
  • 8 collaboration services (e.g. Gmail, Office 365, Evernote, etc.)
  • 3 content sharing services (e.g. YouTube, LiveLeak, etc.)
  • 3 social media services (e.g. Facebook, LinkedIn, etc.) 

So, what’s the point? The point is that the browser is not only a must-have application, it remains one of the most insecure endpoint apps we use on our network every day to access a majority of our business services. It also happens to be one of the most targeted applications in network attacks.

Source: McAfee Labs Threat Reports, 2105 (page 45)

Simply put, any time you click on a link, it could be malicious, and the browser has little to no capabilities in place to truly protect the endpoint from compromise. This is a serious issue since this “untrustworthy” application is not just the gateway to web services and information on the Internet; it’s also running on the same systems used to access other business systems where administrative credentials can easily be sniffed or hijacked.

Spikes Security, a company based in San Francisco, CA, has just launched a new solution designed to put the browser on its own island outside your network so users inside your network can enjoy a safe web experience without fear of web malware attacks.

Their product, named Isla after the Spanish word for island, is, as the company describes it, the first enterprise-class security solution that effectively isolates and eliminates all browser-borne malware.

What does this new offering mean for Credit Unions and other financial services organizations? Isla’s main objective is to keep malware off every banking computer – especially those with administrative privileges that could be used to cause further damage.

Simply blocking browser access on some critical business systems and browser traffic on some business networks worked well in the past. These days, however, it’s less of an option in the financial environment where browser access on a credit union banking terminal may be necessary to provide the customer service that CU members have come to expect.

The problem is that these same systems likely have access to other banking systems that hold sensitive data and/or run critical system capabilities.

Consider a recent breach, in February, of over 100 banks, in which an admin PC downloaded a piece of malware via a web link. The malware then leveraged elevated access rights – rights possessed by a branch manager or an IT administrator with a legitimate business reason to log in to that terminal. The leveraged rights could be used to install additional malicious software designed to monitor and sniff consumer credentials or even engage in fraudulent money transfers. In this particular case, at least $300M was lost or stolen, some of it literally spat out as cash by the banks’ ATMs – and it all started with a malicious web link.

Top 15 Cloud Apps Used By Financial Services Firms

The truth is, any link presented to a user could be malicious. Even Yahoo!, a site most people would trust, spread malware last year via malicious ads.

Banking cyber security professionals have been trying to solve this browser-based malware problem for decades. There are a number of different ways to do it, but “the majority of the solutions require endpoint-based technologies that are ineffective, add enormous complexity, or introduce hair-pulling incompatibilities,” said Branden Spikes, Founder, CEO and CTO of Spikes Security.

As one example, “JP Morgan Chase had 1,000 employees focused on security with $250M being spent on their security infrastructure,” said Franklyn Jones, CMO at Spikes Security. “All it took was one employee to click on a malicious link which infected the endpoint. That employee then used the infected endpoint to access an internal server that didn’t require 2FA, and BINGO – the attacker was in,” Jones added.

Isla approaches the problem in a different way by moving the browsing technology to a centralized point on the network that routes all endpoint-browsing sessions through a series of security checks and risk assessments before letting the traffic in/out of the network. All web browser traffic that passes through Isla becomes secure. “We remove the threat from the network by taking the browser off the PC completely,” said Spikes. “This makes connections seamless, convenient, and lightweight,” he added.

The value of this solution is being noticed. “It’s hard to believe I can finally cross web malware off the list of stuff that keeps me up at night,” says Anthony Lopez, Chief Information Officer, Legend3D. “Even better, I won’t have to touch anyone’s desktop since the process is completely transparent.”

Image Source: SecurityIntelligence.com (http://securityintelligence.com/dyre-wolf/)

With an increase in attacks and a growing list of malware (Zbot/Zeus/SpyEye, Dyre Wolf – and most recently Rerdom, Geodo and Vawtrak) targeting credit unions, banks, and other financial institutions, it’s clear that a solution such as Isla can make a huge positive impact on an organization’s risk profile.

To learn more about Isla, you can watch the introduction video or simply contact Spikes Security.

Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with independent articles published globally covering security, cloud, mobile, networking, virtualization, risk, governance, and compliance, with a focus on specialized industries such as government, finance, healthcare, law, and the supply chain.