Web browsing in a zero-trust world
- By David Canellos
- Jul 24, 2019
The drumbeat of daily cyberattacks on state, municipal and local government agencies is enough to strike fear into public-sector employees and the citizens who depend on the services they provide.
Within the first six months of this year, more than 22 governments have reported ransomware attacks, including Albany, N.Y., Riviera Beach, Fla., Augusta, Maine and the state of Utah. There was also the high-profile ransomware attack on Baltimore, an attack on Georgia's Judicial Council and Administrative Office of the Courts and a successful business email compromise attack on the Virgin Islands Police Department.
By the time this article goes live, the list will have, without doubt, grown longer. Government systems are attractive targets because they manage large troves of information that can be sold on the darknet. Additionally, tight budgets may mean that agency information security teams are understaffed and behind on the latest approaches, such as threat modeling and zero-trust security. Whatever the cyberattack endgame, it’s critical for government offices to recognize the risk of cyberattacks and put policies and procedures in place to mitigate (if not eliminate) them.
So what should agencies do if they are compromised? And more important, how can they avoid becoming the next victim of a cyberattack?
Agencies often receive conflicting advice on cyberattack response. Law enforcement officials insist that ransoms generally shouldn’t be paid, while security consultants, charged with helping clients reclaim control of their systems and data, often advise payment as the fastest, least expensive way to get up and running.
Unfortunately, ransom payments don’t always come with guarantees, and recovery is rarely complete. Some malware, like NotPetya, claimed to be ransomware but actually wiped systems clean of all their data, a lose-lose scenario. Even when the hackers do (so to speak) act in good faith and hand over the key, systems must be rebuilt to ensure that all ransomware is removed. So organizations that pay the ransom still bear the costs of re-creating or remediating their systems.
How to avoid becoming a cyberattack victim
To combat the threat of cyberattacks, government information security departments must identify and remediate cybersecurity weaknesses. They can strengthen defenses to prevent breaches, data theft and extortion with the following approaches:
Invest in IT staff and defensive technologies. It’s a given that government entities are hard-pressed to fund all the services they must provide. As a result, IT departments tend to be underfunded, underequipped and understaffed -- a big reason why hackers love government agencies. However, compared to the sums agencies may spend on ransoms and attack recovery -- Baltimore's tab is up to $18 million -- additional staff and up-to-date solutions are wise investments.
Conduct training and testing. By educating staff to identify and carefully examine suspicious emails and links before clicking, government entities can limit, if not entirely eliminate, successful phishing and business email compromise attacks.
Practice asset management. Government systems house significant personal data, which makes an accurate inventory of all assets and data a critical first step toward protecting it. Restricting access to the full library of assets to a few carefully chosen employees is also important.
Adopt cybersecurity best practices. Data breaches often result from mistakes that are all too obvious in retrospect. By following best practices such as internet isolation, agencies can protect sensitive systems and data while empowering employees to freely browse the sites that they need to get their work done.
Zero-trust security for government cyber protection
Organizations that lack sufficient resources for optimal IT staffing and a full, state-of-the-art security stack should implement the cybersecurity best practices that effectively address the most pressing threats, within budgetary limitations. Applying zero-trust precepts to the challenge is one way agencies can work toward ensuring that users, networks and data are secure and protected.
The zero-trust concept -- trust no one and verify everything -- revolutionizes cybersecurity. Agencies can avoid many cyberattacks if they assume that no element -- whether internal or external -- can be automatically trusted as secure without verification. Web browsing, however, creates a zero-trust conundrum because the internet clearly cannot be trusted, but it cannot be verified either.
Zero-trust proponents have suggested whitelisting trusted sites while blocking access to all other sites. While (usually) safe, limiting access to all but known-to-be-needed sites decreases productivity and often frustrates employees. It creates hurdles for users and is burdensome for IT staff. Users must request access and wait while IT staff members shift their attention from more important tasks to consider, examine and respond to user requests.
Zero-trust web browsing
Implementing a secure browsing solution is a highly cost-effective way to prevent attacks via today’s most virulent and widely used threat vectors. Remote browser isolation (RBI) operates under the assumption that nothing on the web is to be trusted. Every website, content item and download is suspect.
With RBI, all browsing takes place remotely on a virtual browser in a disposable container located in the cloud. Users interact naturally with all websites and applications in real time via a safe media stream that is sent from the remote browser to the endpoint browser of their choice. When the user is finished browsing, the container and all its contents are destroyed. No content touches the user device. Users can reach the sites they need, and the help desk doesn’t have to respond to access requests.
Today, the internet is increasingly the prime channel for delivering and accessing government services, which makes maintaining IT vigilance “priority one.” Staying ahead of the next wave of cyberattacks requires rethinking cybersecurity best practices, technologies and approaches for today’s cloud-based, perimeter-free age.
David Canellos is president and CEO at Ericom Software.