RSA 2020 in San Francisco is imminent. Walking the streets of San Francisco as I approach Moscone Center reminds me of classic detective movies like The Maltese Falcon and Dirty Harry. While Sam Spade always solves the case, in cybersecurity there are some attack vectors that have proven almost insurmountable.
How do you ensure your users do not broadcast important information like login credentials to the wrong people? Credential theft has a long history and comes in many forms, from keyboard loggers to voice phishing to searching for passwords written on scraps of paper left under keyboards to hacking ATMs. The motive is timeless, encouraging cybercriminals to create new credential theft attacks against online users.
While hackers will continue to innovate, there are two primary methods for credential phishing: imitate a legitimate website login page or take over the login page for an authentic website. We will focus on the first approach because it involves the human element and is most frequently attempted.
A well-known and straightforward attack uses a lookalike URL in a phishing email. When the user clicks the link, a bogus login page appears. This attack seems simple to avoid, but small changes, say the letter L to the number one in a URL, fool most of the people part of the time. And it only takes one victim. Premera Blue Cross lost the records of 11 million customers from an attack starting with emails to customers of a subsidiary of theirs, Wellpoint, linked to www.We11point.com. [i]
There are other letters and numbers that are difficult to distinguish. I or l? Capital letter “eye” or a lowercase “L”? Ever try to distinguish between a zero and the capital letter O in a password? 0 or O? Since we’re not going to solve the problem of humans mistaking lookalike characters in phishing emails or compromised websites, there’s an opportunity to prevent these attacks through technology.
Isolation prevents web-based attacks including ransomware but by itself does not prevent all credential theft. Whether a bogus login page is presented to the user locally or in a remote isolated browser, the user can still enter their credentials. There are ways to determine if a login page is authentic. Computers have no problem distinguishing between mixed case characters, including “L” and zero. Computers also excel at calculating reputation and maintaining threat lists gathered from worldwide networks – they’ve seen a thing or two! Using these approaches, login pages that are suspicious can be put into read-only mode.
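The lookalike check described above can be sketched as follows. This is an added example, not Cyberinc's code: the protected-domain list, the small confusable-character map, and the `allow` / `read-only` / `unknown` labels are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed list of login domains the organization trusts (assumption).
PROTECTED = {"wellpoint.com", "example-bank.com"}

# Small illustrative map of characters readers commonly confuse.
# Unicode homoglyphs would need the full confusables data from UTS #39.
CONFUSABLE = {"1": "l", "i": "l", "0": "o"}


def skeleton(host: str) -> str:
    """Fold visually confusable characters to one representative."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in host.lower())


def _covers(host: str, domain: str) -> bool:
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def classify_login_url(url: str) -> str:
    """Return 'allow', 'read-only' (lookalike) or 'unknown'."""
    if "//" not in url:              # tolerate links written without a scheme
        url = "//" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "read-only"           # no usable hostname: fail closed
    if any(_covers(host, d) for d in PROTECTED):
        return "allow"               # exact match on a trusted domain
    sk = skeleton(host)
    if any(_covers(sk, skeleton(d)) for d in PROTECTED):
        return "read-only"           # looks like a trusted domain but is not
    return "unknown"                 # hand off to reputation / threat lists


if __name__ == "__main__":
    # Constructed sample links, including the lookalike named in the text.
    for link in ("http://www.We11point.com/login",
                 "https://www.wellpoint.com/login",
                 "https://news.example.org/"):
        print(link, "->", classify_login_url(link))
```

Both sides of the comparison are folded with the same map, so a trusted domain that itself contains a confusable character still matches its lookalikes.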
Zero Trust security, implemented as remote browser isolation with additional features, can make credential theft through the web browser a thing of the past. It doesn’t depend on user training. When a user clicks on a link that presents a suspicious login page, if their organization has deployed isolation, the credential theft attack will fail.
Cyberinc makes corporate and government cybersecurity more reliable, scalable, and productive by securing the largest point of vulnerability, web access, and preventing attacks before they become breaches.
To learn more, download the Remote Browser Isolation white paper.