Evidence is everywhere that cyber criminals exist, and they’re able to make a substantial living from their illegal activities. While it is true that many are focusing their efforts on individuals, others have their sights set much higher.
They are targeting enterprises to steal their highly prized intellectual property, log-in credentials, financial data and other sensitive information that resides within the once safe confines of the corporate network or in web applications. Numerous articles have written on why you need to protect this data. So, instead we’re going to focus on the business at hand – the ‘Man in the Browser’. How is he getting into enterprise networks and applications and, more importantly, how you can stop him?
The browser has emerged as the weakest link in an enterprise’s security infrastructure. It is being successfully exploited by malware authors and criminals who use this method to steal logon credentials and inject Trojans that crack IT systems wide open, often undetected. With these browser sessions often containing the logon details for email systems, VPN’s, cloud services – such as cloud CRM, it is a critical area to secure and lock down without impacting performance.
However, the growing demand for mobility makes this easier said than done. Once upon a time, remote access to enterprise resources was the privilege of a chosen few employees, who used standard computers owned and managed by the enterprise, making security a big, yet ultimately manageable, task. Today such access capabilities have exploded to allow virtually any employee, contractor and partner to gain entry.
The problem is further compounded as these ‘trusted users’ are allowed to choose their laptop and smartphone, as well as utilise their home PC for work purposes and generally control their own IT environment. With more resources for them to access, and in the majority of cases not contained within a protected server farm – they’re literally out there in the wild.
It is this adoption of unmanaged home-and-work laptops and personal PCs that has lead, in many cases, to malware infestations.
It’s not safe out there
With more than 57,000 new malicious sites created each week, most of which mimic prominent web sites , it’s hard not to stumble upon a spoof site and get infected. As users innocently browse these ‘respectable’ sites, they could inadvertently fall victim to drive-by-infections. However these attacks aren’t just on spoof/phishing sites they also reside on legitimate websites that have been infected with malware, and the criminals use search engine optimisation (SEO) techniques to raise them to top of search engines to maximise the number of people infected.
In fact, increasingly engineered attacks, such as the recent LinkedIn email phishing campaign, and SEO techniques are being used to ambush individuals and install sophisticated malware such as Zeus, Bugat, and Clampi (to name just a few) on unmanaged computers that operate outside corporate networks.
This modern malware is designed to slip under the radar of traditional anti-virus solutions and to bypass strong authentication technologies like tokens or Network Access Control (NAC) systems. When an infected unmanaged computer accesses enterprise resources via VPN connections and web portals, the malware is able to elude perimeter security mechanisms.
The malware captures all data processed by that browser – including logon credentials and large quantities of sensitive corporate information, and transmits it back to the criminals. All this can be achieved without infecting a single computer within the physical boundaries of the enterprise or setting off alarms.
As attack opportunities continue to multiply, so does malware sophistication. An example of such ingenuity was witnessed in early 2010. The Aurora attack – targeting Google, Adobe and another 32 companies, demonstrated unprecedented malware sophistication.
It used multiple coordinated malware packages, several layers of encryption and various browser and Operating System vulnerabilities demonstrating the power of today’s malware. The fact that the entire attack went completely under the victims’ radar makes this even more serious. Advanced Persistent Threats, coordinated long-term attack activity targeted at specific enterprises, is not uncommon in today’s IT environment.
Proof of such attacks already targeting the enterprise is already being seen. We recently decrypted an attack on the popular Citrix Access Gateway where Zeus was instructed to take a screenshot every time the mouse is left clicked while the URL includes the term “/citrix/”.
This attack defeats Citrix’ virtual keyboard solution which was created to bypass keyloggers by replacing keystrokes with mouse clicks. It proves that the criminals, such as those behind Zeus, are specifically targeting remote access connections into secure networks and going after intellectual property and other sensitive data contained within company IT networks and applications.
With modern malware efficiently written by professionals and designed to be robust, organisations need to think outside the box if they’re to stand a chance of shielding their assets.
Don’t trust the device, trust the session
Enterprises need to acknowledge and counteract the point of attack – the browser – if they’re to stand a chance of protecting confidential enterprise data. A solution that can effectively secure access to enterprise networks from potentially insecure endpoint devices is needed.
Such a solution would comprise of technology that creates a virtual firewall of sorts inside the user’s computer. Intuitively activated when the user connects to enterprise networks and applications, this potential technology would separate enterprise related sessions from any others taking place on the machine.
Malware and exploitable vulnerabilities would be prevented from bypassing this virtual firewall and influencing protected web sessions with the enterprise. When a malware infected machine tries to communicate with the enterprise, it should be identified and the malware should automatically be removed before authenticating the device to all the enterprise systems.
Such technology should include keystroke encryption to evade keyloggers, communication protection to guard against unauthorised modifications, browser process and add-on protection as well as API blockage to prevent unauthorised access.
The enterprise is increasingly becoming a target of sophisticated, stealthy new malware that uses the enterprise’s own employees, partners and contractors as weapons. With five percent of endpoint devices estimated to be infected by botnets and other sophisticated malware, can you afford to leave the door to the enterprise unguarded? The Man in the browser is out there, waiting to be invited in so make sure you slam the door in his face.
We’re limited for space in this article but, if you’re interested, we’ve developed a whitepaper that examines this issue in greater detail. You can download this, and a wealth of supporting material on this and other threat vectors, for free by visiting www.trusteer.com/solutions/enterprise.