The Data Loss Risks that Lie Between Web Apps and the Browser
July 12, 2021
SaaS has become a way of life. By the end of 2021, research indicates that over 70% of all companies will be using mostly SaaS applications, depending on very few on-premises software solutions. What are the security implications of this shift?
We tend to think that the security of SaaS is mostly the concern of SaaS vendors due to separation of responsibilities. SaaS vendors must maintain the security of their application—keep all elements patched up to date, implement their own security tools, and monitor for intrusion attempts. All the user has to do is make sure that no one steals their credentials.
As it turns out, this is an over-simplification. Stealing credentials is easier than one might think—and the public internet connection between user endpoints and SaaS apps has many potential paths to exploit.
Instead of Breaching SaaS Apps, Attackers Infiltrate Home Networks
In recent months, about 42% of the US workforce has been working from home. Working from home means working from home computers—unless you were lucky enough to purchase and provision enterprise laptops for your users before the shortages struck.
Because SaaS companies manage their own security, the likelihood of data loss from within a SaaS app is relatively low. Unless you have a huge IT staff with a large budget and high levels of experience, however, there’s not going to be much you can do when it comes to securing the computers of your end-users working at home.
Because these users don’t have standardized devices or operating systems, you won’t be able to push uniform security updates and policies. In addition, each home user has a unique home network—how can you monitor and reinforce their consumer-grade routers and modems?
Around 86% of home users have never updated their router’s firmware—and a similar 82% have never changed the default password. This makes it depressingly easy for attackers to penetrate a home network. They won’t even need to trouble themselves with stealing user credentials. Instead, they can use a list of known vulnerabilities and default passwords associated with a router’s model and version number and then effortlessly eavesdrop on all the web traffic between the home, SaaS apps, and the corporate data center.
Mapping the Attack Surface Between Users and SaaS
Even if an attacker begins to target your employees, not all their communications will be immediately useful. The average internet user generates an astonishing amount of data every day, and much of it is irrelevant. To begin attacking your company and your data, an attacker will focus on information from these four sources:
- Consumer-Grade Cloud Storage
Apps like Box and Dropbox are commonly deployed as “Shadow IT.” This means that administrators don’t know about them, and therefore they can’t secure them. Although these apps are convenient, they don’t offer robust internal controls—anyone who controls your endpoint can usually look at its attached Dropbox account without entering a password. This makes it all too easy to find confidential information.
- Social Media
Finding a target may be as simple as connecting with them on LinkedIn, friending them on Facebook, or following them on Twitter. Your new best friend may actually be an attacker trying to push your buttons. For example, an attack originating with the Iranian government involved creating a fake social media profile, befriending and engaging with targets in IT and business leadership positions, and then sending them a remote access Trojan (RAT) disguised as an Excel file.
- Browser Caches
The browser is literally a trove of information for attackers. It saves everything—passwords, credit card numbers, phone numbers, addresses, browsing history, and more. The local browser cache on your employee’s device also likely contains information from the last web/cloud locations they accessed, like your company’s Salesforce.com or Oracle Financials cloud accounts. Of course, the information that makes it easier for home users to fill out online orders can also make it very easy for attackers to steal credentials for mission-critical applications. What’s more, attackers are adept at accessing browsers using methods that range from phishing emails to drive-by downloads.
- Screenshots
They say that a picture is worth a thousand words—and a screenshot can convey much more information than that. Most malware designed to steal information, such as keyloggers, is designed to take a screenshot every few seconds without alerting the user. This is an easy way for attackers to capture screenshots, personal information, and blackmail material without having to go looking for it.
Protecting Your Data and SaaS Apps with Remote Browser Isolation
You may not be able to control your employees’ social media usage, their router, or even the devices that they use—and it may be unreasonable to assume that you’ll be able to exert that level of control in the future. What if you only had to control one aspect of their security, however?
Remote Browser Isolation (RBI) protects your users’ endpoints from the most prevalent threats. RBI lets you prevent theft of data cached in the browser, prevent drive-by downloads and malware-based phishing attacks, and create a secure channel between users and SaaS applications.
RBI solutions create a containerized virtual browser located in the cloud or DMZ. This browser streams fully interactive rendering data back to the endpoint—but no actual website content gets transferred over, preventing malware from taking hold. In addition, no information gets cached in the endpoint browser—instead, the containerized browser along with all data is deleted once the session ends.
Administrators can leverage granular controls built into remote browser isolation solutions, restricting users from printing from their endpoint browsers or taking screengrabs, preventing drag-and-drop file uploads, and designating certain likely-malicious websites as “read-only.” This can prevent users from uploading sensitive material to the cloud, while also preventing attackers from screen-grabbing private information.
With protections against both malware and data exfiltration, security solutions like Remote Browser Isolation represent the most powerful way of increasing user security in a vulnerable area – your users’ interactions with the web and cloud apps. With it, security administrators can significantly decrease the possibility of a successful data breach—without having to control every aspect of their users’ hardware, software, or behavior.