By Henry Harrison, co-founder and chief scientist at Garrison
Last year, a new set of cyber security regulations came into force. Although the new security framework is focused on the telco sector, financial services would do well to take note: similar rules, designed to strengthen and protect core infrastructure against cyber-attacks, may in the long run be introduced to other regulated sectors.
It is not outside the realms of possibility, therefore, that financial services could find itself following in the footsteps of the telecoms industry. This could mean that the industry has less power to propose its own security measures to the regulator and that it could possibly find itself legally bound to a robust set of security standards set by the UK government.
Rather than being seen as a cause for concern, instead the telecoms framework can be viewed as a helpful opportunity to observe the regulatory changes impacting another industry, and to get ahead of the game. So what could the Telecommunications Security Framework mean for financial services?
Tackling the problem of privileged access users
A key area of focus for the telecoms regulations was the complicated issue of privileged access users. As in the telco industry, enterprises across the financial sector tend to restrict access to sensitive functions within their organisation, ensuring that only those few employees, such as systems administrators, who need to carry out privileged tasks have the permissions to do so.
While this has the benefit of restricting access to sensitive systems and data, the risk has not been eliminated: if a privileged user's machine were compromised, the attacker would inherit that user's access to enterprise data and networks.
A legitimate concern that the telco regulations are attempting to address is: what happens if an attacker uses malware to take control over a privileged user’s machine? Successful attacks that use techniques like man-in-the-browser or session hijacking mean that anything the legitimate user can do, the attacker can do too.
The risk privileged users pose to critical infrastructure is evident.
But all too often enterprise security measures are not set up to fully protect against these kinds of attacks. Traditionally, enterprises tended to focus on identification and blocking of malicious URLs, on-the-fly identification of malicious content and OS-level endpoint protection. While these succeed to a certain extent, they are by no means fool-proof.
Privileged access workstations
To counter this threat, the telco regulations stipulate that users with privileged access use Privileged Access Workstations (PAWs) – these are machines that can only be used for privileged access tasks, and can’t be connected to anything that could potentially be dangerous – including the internet.
PAWs can be remote machines connecting over a VPN, but that VPN must not allow the machine to access anything except for the environment where privileged access tasks are carried out. Above all, wherever the PAW is and however it’s connected, it must be impossible to connect it to potentially risky internet-based resources.
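The two PAW requirements above, a default-deny egress policy and a VPN or network path that reaches nothing but the management environment, are concrete enough to express as a host firewall policy. The following is an added example, not part of the article and not derived from the regulations' text. It builds a PAW egress policy in Python, renders it as an nftables ruleset and evaluates a handful of constructed outbound connections against the same policy, so the ruleset and the expectation can be checked against each other. The management subnet, jump-host ports and resolver address are assumptions for illustration.

```python
"""Added example (not from the article): a default-deny egress policy for a PAW.

Assumed, constructed values: the management subnet 10.20.0.0/24, jump hosts on
tcp/22 and tcp/443, and an internal resolver at 10.20.0.53.  Nothing here comes
from a regulation or a product.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EgressRule:
    dst: ipaddress.IPv4Network
    proto: str              # "tcp" or "udp"
    ports: frozenset[int]


@dataclass
class PawEgressPolicy:
    rules: list[EgressRule] = field(default_factory=list)

    def allow(self, cidr: str, proto: str, *ports: int) -> "PawEgressPolicy":
        self.rules.append(EgressRule(ipaddress.ip_network(cidr), proto, frozenset(ports)))
        return self

    def evaluate(self, dst_ip: str, proto: str, port: int) -> bool:
        """Default deny: only traffic matching an explicit allow rule leaves the PAW."""
        ip = ipaddress.ip_address(dst_ip)
        if ip.is_loopback:
            return True
        return any(ip in r.dst and proto == r.proto and port in r.ports for r in self.rules)

    def to_nftables(self) -> str:
        """Render the same policy as an nftables output chain with policy drop."""
        lines = [
            "table inet paw {",
            "  chain output {",
            "    type filter hook output priority 0; policy drop;",
            "    oif lo accept",
            "    ct state established,related accept",
        ]
        for r in self.rules:
            ports = ", ".join(str(p) for p in sorted(r.ports))
            lines.append(f"    ip daddr {r.dst} {r.proto} dport {{ {ports} }} accept")
        lines.append('    counter log prefix "PAW-EGRESS-DENY " drop')
        lines += ["  }", "}"]
        return "\n".join(lines)


# Constructed management environment (assumed addresses, not real infrastructure).
POLICY = (PawEgressPolicy()
          .allow("10.20.0.0/24", "tcp", 22, 443)   # jump hosts / management consoles
          .allow("10.20.0.53/32", "udp", 53)        # internal resolver only
          .allow("10.20.0.53/32", "tcp", 53))

# Constructed sample connection attempts.
SAMPLE_ATTEMPTS = [
    ("10.20.0.15", "tcp", 22),      # SSH to a jump host: allowed
    ("10.20.0.53", "udp", 53),      # internal DNS: allowed
    ("8.8.8.8", "udp", 53),         # public resolver: denied (no DNS path to the internet)
    ("142.250.74.36", "tcp", 443),  # an internet web server: denied
    ("10.20.0.15", "tcp", 3389),    # unlisted port on the right subnet: denied
]


def audit(policy: PawEgressPolicy, attempts):
    """Evaluate each (ip, proto, port) attempt; returns the tuple plus the verdict."""
    return [(ip, proto, port, policy.evaluate(ip, proto, port)) for ip, proto, port in attempts]


if __name__ == "__main__":
    print(POLICY.to_nftables())
    for ip, proto, port, ok in audit(POLICY, SAMPLE_ATTEMPTS):
        print(f"{'ALLOW' if ok else 'DENY ':5} {proto}/{port} -> {ip}")
```

The important property is the `policy drop` default and the absence of any rule towards a public resolver: a PAW that can still resolve and reach arbitrary internet hosts, even through a VPN, is exactly the "virtual PAW" arrangement the government rejected. The same allow-list should be mirrored on the VPN concentrator or network ACL so that the endpoint is not the only enforcement point.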
Are ‘Virtual Privileged Access Workstations’ the answer?
The obvious problem with the PAW approach will be crystal clear to many – sysadmins rely on Google to locate the information needed to fix most systems problems.
Unsurprisingly therefore, the telecoms industry wasn’t particularly enamoured with the idea of PAWs when they were first proposed during the consultation period. So much so, that a consortium of telcos put forward an alternative approach using ‘virtual privileged access workstations’ that could be used from a regular machine. However, the government responded strongly and clearly to this: ‘The solution proposed by respondents does not achieve [the required] security outcomes, primarily because it would not prevent PAWs from being compromised by attackers over the internet.’
Without access to internet-based forums and knowledge-sharing sites, the job of the sysadmin is nigh-on impossible. So does the PAW model mean every privileged access user will have to have two physical endpoints – one that can access the internet, and one PAW that can’t?
Introducing Browser Isolation
The good news is that there is an alternative way to maintain the security standards mandated by the UK government while still being able to go online. The government has said that a PAW can reach risky internet-based resources, but only using what it calls 'Browse Down': a model in which the PAW never connects to the risky content directly, a separate and less-trusted system does so on its behalf, and only a rendered representation of the content flows back into the PAW.
The most practical way to achieve Browse Down is Browser Isolation. At its core, Browser Isolation is a zero-trust web security model: all internet content is treated as malicious unless there is good reason to believe otherwise, and the user's endpoint never parses or executes code that came from the internet.
The strongest form of Browser Isolation uses a technique known as 'pixel pushing', which renders the web page on a separate isolation host and delivers it to the user as an interactive, live video stream. Because only pixels and input events cross the boundary, the PAW is isolated from web content: no HTML, script, font or media from the internet is ever processed on the privileged endpoint, however sophisticated or frequent web-based attacks become. What remains is the isolation host itself, which must be hardened and treated as disposable, and the video and input channel, which must accept only a strictly defined format. Instead of going online and potentially coming into contact with malicious, business-threatening code, privileged users are presented with a safe video representation of the web.
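To make the boundary concrete, here is an added example, not from the article and not Garrison's or any vendor's protocol: a constructed, deliberately minimal wire format for a pixel-pushing channel. The isolation host may send the PAW nothing but fixed-layout frames of raw RGB pixels, and the PAW may send back nothing but small input events. The PAW-side parser is therefore a handful of length and range checks, with no HTML, JavaScript, image-codec or font parser to attack; anything that does not match is dropped unread. The message types, header layout and size limits are assumptions for illustration.

```python
"""Added example (not from the article; not a real product's protocol): a
constructed wire format for the pixel-pushing boundary between an isolation
host and a PAW.  Message types, layout and limits are assumptions.
"""
import struct

MAX_W, MAX_H = 1920, 1080            # assumed largest frame the client will accept
FRAME_HDR = struct.Struct("!BHH")    # type(1) width(2) height(2), network byte order
MSG_FRAME = 0x01                     # isolation host -> PAW: raw RGB pixels only
MSG_KEY, MSG_MOUSE = 0x10, 0x11      # PAW -> isolation host: input events only


class RejectedMessage(ValueError):
    """Raised for anything that is not a well-formed frame; the payload is never inspected."""


def parse_frame(msg: bytes) -> tuple[int, int, bytes]:
    """Accept only a MSG_FRAME whose payload is exactly width*height*3 raw RGB bytes.

    Raw pixels are the one data type the client interprets: no compression,
    no markup and no embedded code to decode, so there is nothing for web
    content to exploit on the PAW side.
    """
    if len(msg) < FRAME_HDR.size:
        raise RejectedMessage("short header")
    mtype, w, h = FRAME_HDR.unpack_from(msg)
    if mtype != MSG_FRAME:
        raise RejectedMessage(f"unexpected message type 0x{mtype:02x}")
    if not (0 < w <= MAX_W and 0 < h <= MAX_H):
        raise RejectedMessage("frame dimensions out of range")
    payload = msg[FRAME_HDR.size:]
    if len(payload) != w * h * 3:
        raise RejectedMessage("payload length does not match dimensions")
    return w, h, payload


def encode_frame(w: int, h: int, rgb: bytes) -> bytes:
    """What the isolation host sends: a rendered screen region as raw pixels."""
    if len(rgb) != w * h * 3:
        raise ValueError("rgb buffer does not match dimensions")
    return FRAME_HDR.pack(MSG_FRAME, w, h) + rgb


def encode_key(keycode: int) -> bytes:
    """PAW -> host: a key press.  Fixed 3-byte layout, nothing else permitted."""
    return struct.pack("!BH", MSG_KEY, keycode)


def encode_mouse(x: int, y: int, buttons: int) -> bytes:
    """PAW -> host: a pointer event.  Fixed 6-byte layout."""
    return struct.pack("!BHHB", MSG_MOUSE, x, y, buttons)


# Constructed inputs for the demonstration.
GOOD_FRAME = encode_frame(2, 2, bytes([255, 0, 0] * 4))                        # 2x2 red square
HTML_DISGUISED = FRAME_HDR.pack(MSG_FRAME, 2, 2) + b"<script>alert(1)</script>"  # wrong length
WRONG_TYPE = b"\x7f" + b"\x00" * 16                                             # unknown type
HUGE = FRAME_HDR.pack(MSG_FRAME, 65535, 65535)                                 # dims out of range


def classify(msg: bytes) -> str:
    """Return 'frame' for an accepted frame, otherwise the rejection reason."""
    try:
        parse_frame(msg)
        return "frame"
    except RejectedMessage as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    for name, m in [("good", GOOD_FRAME), ("html", HTML_DISGUISED),
                    ("type", WRONG_TYPE), ("huge", HUGE)]:
        print(f"{name:5} -> {classify(m)}")
```

A production channel would add transport encryption and authentication of the isolation host, and would typically compress the stream, but the design principle survives: the client decodes one rigid format with a tiny, reviewable parser, and every parsing decision is a length or range check rather than an interpretation of attacker-supplied structure.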
Change is on its way
While the PAW model does not yet have wide acceptance in the commercial world, the financial sector can take learnings from the more sensitive ends of government where the use of PAWs is widespread – for example, among users who have privileges to view and interact with classified systems and information.
As the response of telcos has shown, the use of PAWs and the introduction of the Browse Down model will require a significant shift in how enterprises think about their cyber security operations. There’s a good chance that there will be increasing pressure from Government in this area, so it’s a good time for the industry to get ahead by understanding what these regulations could mean.