You get an SMS or email with a Web link to authenticate yourself to check account balances or team sales reports. Do you click on the link?
This question confronts every Internet user today amid rising scams. In January, for instance, an SMS phishing attack led 790 OCBC Bank customers to lose S$13.7mil.
What if there is a piece of technology that is able to isolate or “air-gap” your Web activities to prevent data leaks and malware infection even if the link is malicious? This will be similar to patient isolation in a pandemic.
Isolation or air-gapping is among the highest forms of cyber-security protection to contain Web activities that pose scam and data leak risks.
In 2017, the Singapore Government became the first in the world to air-gap its protected systems by cutting off browser access from the computers of all 143,000 public servants who had to use separate, dedicated Internet terminals or devices to surf.
The physical separation between the Web and work computers was meant to stop malware from worming into critical systems. This came as Singapore had seen very determined cyber attacks.
While air-gapping is common in highly secure environments, such as the military and energy and water plants, it was unprecedented in the public sector when The Straits Times reported in 2016 on the Government’s plan to do so.
The modern air-gap
Air-gapping has come a long way since. Today, the same protection is offered by a new type of software, called browser isolation, which does not require a physical barrier that inconveniences the Internet user.
Browser-isolation technologies host users’ browsing sessions on a platform isolated from their computers, so malware infection and data exfiltration can be stopped in their tracks.
In 2020, the Government rolled out such technologies and put an end to its public servants’ Internet surfing woes.
Browser isolation comes from the assumption that every Web interaction is bad, a concept known as “zero trust”.
Poornima DeBolle, co-founder and chief product officer of cybersecurity software firm Menlo Security, explained: “If everything over the Internet is assumed to be bad, you isolate all Internet interactions.”
It is based on this principle that DeBolle and Menlo chief executive officer Amir Ben-Efraim co-founded the company based in Mountain View, California, and pioneered the development of browser isolation in 2013.
The company’s cloud-based solution, dubbed Menlo Security Isolation Platform, is used by millions of users around the world, including the United States Department of Defence.
Other key customers include those in the financial and healthcare sectors, but DeBolle declined to name them. She also would not confirm if the Singapore Government is a customer.
Menlo is among the top five vendors in this space, also dominated by US-based firms Zscaler, Apozy and Authentic8 as well as Israeli firm Cigloo.
Traditional security approaches taken by antivirus software and Web gateways use filters that rely on what is known to be bad. They are not able to detect threats or malware that are unknown, although such threats are commonly exploited by state-sponsored hackers.
Menlo’s zero-trust approach, however, treats all websites and Web activities that have not been explicitly sanctioned as unsafe. Unknown threats are thus isolated from users’ computers at the onset, said DeBolle, likening this approach to isolating “patient zero” to prevent an infectious disease outbreak.
Similar to how isolation is done in infectious diseases centres, every Web session in the isolated environment is further isolated to prevent possible cross infection.
What users see on their computers is a visual representation of the browser in the isolated environment. Even though users do not interact with the Web page directly, they still surf as they normally would: images do not suffer a loss of resolution, and all the left and right mouse functions still work.
“We spent a lot of time to make sure we deliver security while preserving good user experience. Some of our competitors break the user experience,” she said, referring to the loss of retina display resolution and mouse functions, among other compromises.
While users are surfing, an artificial intelligence (AI) algorithm is working behind the scene to analyse browsing activities in the isolated platform, looking for suspicious behaviours or patterns. For instance, a spoofed website may not carry the brand logo in the same resolution as the one on the authentic website.
When such inconsistencies or unusual patterns are detected, Menlo’s software automatically deactivates the keyboard function so that confidential information has no chance of being entered on the spoofed website. Malicious content is also detonated in the isolated environment.
In short, the zero-trust approach takes the thinking away from the user and puts it in the hands of AI, which is unemotional, logical and evidence-based.
“No matter how much you educate the user, there will always be a group of happy clickers,” said DeBolle.
These are people who click on links embedded in SMSes or emails. Clicking on the links brings users to websites which can be easily faked to trick them to transfer funds or enter sensitive information.
Users are not entirely to blame. Due to the Covid-19 pandemic, many have gone online in the past three years to work, transact and socialise. They have become increasingly accustomed to clicking on links and using the Web browser to transfer funds and access work-related applications, including those for communications, workflow and sales management.
“Let’s say a hacker sends you an email saying: ‘Here’s your Salesforce report this week’. Do you go to the bookmark you saved on your browser to access Salesforce? Or do you click on the link?” asked DeBolle, rhetorically.
Indeed, criminal groups are capitalising on the trend.
The rise in scams is staggering. In 2021, there were 2,237 reported cases of banking-related phishing scams – 897 more than in 2020, said the Singapore Police Force. The victims of these scams lost S$19.4mil (RM62.80mil) – S$14.1mil (RM45.63mil) more than in 2020 – as scammers prey on the rising number of people who transact online.
A separate study done by the Cyber Security Agency of Singapore (CSA) in August reported that 55,000 phishing links to spoofed Singapore websites were detected in 2021. This is an increase from 47,000 links in 2020.
The most commonly spoofed brands in 2021 were WhatsApp, Facebook, Lloyds Bank, Chase Bank and Microsoft, said the CSA’s sixth annual Singapore Cyber Landscape 2021 study.
If air-gapping is so good, why aren’t more organisations using it? The decision boils down to cost and awareness.
The good news is the cost of using browser-isolation software has dropped significantly since 2017, with the price falling by about 30%, according to industry experts.
Today, browser-isolation technologies are typically priced at upwards of US$3 (RM13.20) per user per month for a business implementation involving fewer than 1,000 users. With economies of scale, such as when implementing for one million users or more, the monthly cost per user could go down to around US$1 (RM4.40).
This means that telcos could use the technology to shield their millions of customers from SMS, WhatsApp and e-mail scams without breaking the bank. Even if the cost is passed on to consumers, the fee is affordable.
It is a timely consideration given that a debate is brewing on how and whether banks, telcos and Internet users are to share losses and responsibility due to scams or fraud.
The debate stems from a move by the Monetary Authority of Singapore to introduce an equitable loss-sharing framework for financial scams, after the SMS phishing attack on OCBC Bank customers that started in December 2021. The proposed framework was meant to be announced by May 2022 for public consultation. It has since been delayed.
Perhaps the conversation could shift to what banks and telcos can do to protect their happy-clicking customers from harm. The technology is available. The only obstacle is cost. – The Straits Times (Singapore)/Asia News Network