A few weeks ago, a good friend of mine fell victim to CryptoLocker. Or more specifically, one of his employees caused his business to fall victim to CryptoLocker. CryptoLocker is nasty ransomware: once it runs on a machine it encrypts every file it can reach, including files on mapped network shares, and demands payment for the decryption key. If you haven't heard about this type of ransomware, it is worth taking a look.
I'll tell you a bit more about this scenario and how this company still fell victim through a simple web exploit, even though they thought they were doing everything right.
The very good news is that this company performs daily backups. They were able to complete a full restore with zero customer data lost and no payout to the hackers. They're probably the only ones in the world who are that diligent about backup, and this time it paid off. One caveat: a backup only helps if the ransomware can't reach it. CryptoLocker encrypts mapped network drives along with the local disk, so a backup that lives on a share the infected user can write to gets encrypted with everything else. If you don't read any further in this post, stop with this: BACK UP YOUR DATA, and keep a copy where an infected desktop cannot touch it.
An elegant solution for a complex environment
This company is a professional services firm that has both internal and work-from-home employees. They deal in very sensitive data for their clients, and since the early days of the cloud, they have been balancing the utility of cloud services against the lack of management and control.
In order to manage the compute environment for local and work-from-home employees, they've retained an outsourcer to deploy virtual desktops for each user. The outsourcer they selected has a great reputation in the professional services vertical. The marketing materials pitch both the leverage their customers get from the hosted environment and the security built in to the platform. The materials all make sense, customer testimonials are compelling, and you can't blame a prospect for accepting the vendor's assertions.
This outsourcer configured full VDI instances, where each employee has their own desktop in the cloud, and each is able to access email, web, and all their productivity apps in the virtual environment. They can get to their virtual desktop from work machines, home machines, or wherever. It has been a good productivity boost for my friend, and it has eliminated a bunch of the desktop/helpdesk support issues they had faced in the past.
The challenge of supporting web apps
Like every other business, my friend's firm uses a combination of native and web-based apps. Users launch native apps from the virtual desktop and can store files local to that virtual environment. They also have shared volumes attached to the VDI environment; to the user, it feels just like a regular computer on the company network.
To access web-based apps, users have Internet Explorer and Firefox available in the virtual desktop, but the installed browsers are the plain-vanilla download - no plug-ins, security extensions, or pre-set parameters. You’d think that a hosting company providing a secure virtual environment for a professional services firm would be concerned about securing the browser, but that isn’t the case. And it was a bit of a shock to my friend.
They do implement an HTTP proxy, which blocks access to non-work-related sites. But as we all know, blacklists don't scale, and even the most current list of blocked sites doesn't help when a user stumbles across malicious code embedded in a legitimate website, which is exactly what appears to have happened here. The site the user visited was not on anyone's list, because it was not a bad site; it was a good site serving bad content.
Users use the browser for both personal and business purposes. A company's finance data is no more than a tab away from whatever dating site, daily meme, or social network is running in the same session. Emails from friends and family land in the same inbox as the benefits report. Commingling data in the browser is profoundly dangerous, and as is always the case with these breaches, user behavior plays a key role. An email was read, a link was clicked, the browser rendered the page and downloaded the payload, and the exploit did its damage.
Doing the right thing isn't enough
My friend did everything he could to implement a complete and secure environment. He brought in a well-regarded firm to create the solution for his users. He made sure that users’ productivity needs were met so they wouldn’t reject the solution. He purchased the supplemental web content filtering, and he even published a “no browsing” policy for his users. But just because he did everything right doesn’t mean his vendor did. Nor his users.
He isn’t an IT guy and shouldn’t have to deal with this. But the nature of his business means he is responsible for the integrity of customer data. He’s come to the realization that doing the right thing isn’t enough. He needs to take away a user’s ability to do the wrong thing.
Now, instead of a plain-vanilla build of a browser, he’s running Silo in his virtual environment, and that Silo instance is locked down to just the web apps that his users need. Anything malicious that a user encounters stays in the Silo secure environment where it can’t affect his other apps or his customers' data.
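To make the difference between the two approaches concrete, here is an added example (not code from the original post, and not Silo's or the outsourcer's implementation) that runs a block-list policy and an allow-list policy over the same set of URLs. It models the two situations described above: a user wandering into personal sites, which the block list catches, and a legitimate site that has been compromised and pulls its payload from a host nobody has listed yet, which only the allow list stops. Every hostname in it is constructed for the example; the allow list also has to survive a couple of classic tricks (userinfo in the URL, a look-alike subdomain) that a naive string match would get wrong.

```python
"""Block-list vs. allow-list URL policy for a browser proxy.

Added example, not code from the original post. All hostnames, lists and
URLs below are constructed for illustration.
"""
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit

# Constructed: the "non-work-related" sites a block-list proxy knows about.
BLOCKED_DOMAINS = {"dating.example", "memes.example", "social.example"}

# Constructed: the only web apps a locked-down business browser needs.
ALLOWED_DOMAINS = {"portal.example.com", "payroll.example.net"}


def hostname_of(url: str) -> Optional[str]:
    """Return the normalized hostname, or None if the URL has no usable host.

    urlsplit().hostname drops userinfo ("user@") and the port and lowercases,
    so "https://portal.example.com@evil.example/" resolves to evil.example,
    not to the allowed portal.  Non-web schemes (javascript:, data:) get None.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")  # "example.com." and "example.com" are the same host


def matches(host: str, domains: set[str]) -> bool:
    """True if host equals, or is a subdomain of, any listed domain.

    The leading dot matters: "portal.example.com.evil.example" must NOT match
    "portal.example.com", which a plain startswith/in check would allow.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def blocklist_decision(url: str) -> str:
    """Default allow; deny only what is on the list."""
    host = hostname_of(url)
    if host is None:
        return "block"
    return "block" if matches(host, BLOCKED_DOMAINS) else "allow"


def allowlist_decision(url: str) -> str:
    """Default deny; permit only the business apps."""
    host = hostname_of(url)
    if host is None:
        return "block"
    return "allow" if matches(host, ALLOWED_DOMAINS) else "block"


# Constructed scenario: a trusted news site (on no block list) has been
# compromised and loads its payload from a freshly registered host.
SCENARIO = [
    "https://payroll.example.net/reports/benefits",              # business app
    "https://social.example/feed",                               # known non-work site
    "https://news-industry.example/article/42",                  # legitimate, compromised
    "https://cdn-fresh-registered.example/loader.js",            # payload host
    "https://portal.example.com@cdn-fresh-registered.example/x",  # userinfo trick
    "https://portal.example.com.evil.example/login",             # look-alike subdomain
]


def compare(urls=SCENARIO) -> dict[str, tuple[str, str]]:
    """Map each URL to (block-list decision, allow-list decision)."""
    return {u: (blocklist_decision(u), allowlist_decision(u)) for u in urls}


if __name__ == "__main__":
    print("blocklist  allowlist  url")
    for url, (bl, al) in compare().items():
        print(f"{bl:<9}  {al:<9}  {url}")
```

Running it shows the block list waving through four of the six URLs, including the compromised site and the payload host, while the allow list admits only the payroll app. The point is not that the allow list is clever; it is that "default deny" does not need to know about the attacker's infrastructure in advance, which is exactly what a list of bad sites can never keep up with.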
This stuff is hard. In a world where users blur the line between business and personal, the browser has become the primary vector for exploits. Kaspersky Lab says that more than 90 percent of web exploits come via malformed URLs.
We think the only rational approach is to separate business browsing from personal.