Cybersecurity

Browsing at public authorities fully encapsulated

Why public authorities and municipalities are using R&S®Browser in the Box for protection against professional cybercriminals

Malware causes damage in the billions. One of the main gateways is the web browser. Conventional antivirus software is almost no match for the methods of professional data thieves, spies and saboteurs. Public authorities and municipalities, such as Dresden, the capital of Saxony, are therefore using the virtual browser from Rohde & Schwarz Cybersecurity to fulfill their strict cybersecurity requirements.

Main malware target: Windows

In an 80-page document, the Federal Office for Information Security (BSI) portrays the IT security situation in Germany in 2019. Put simply, it is serious. The number of attacks is rising sharply, and they are becoming more and more sophisticated. According to the BSI, 114 new malware variants were registered within one year, of which 65 million targeted the Windows operating system. On average, the BSI identified 6100 attacks per month that could not be detected or blocked by installed commercial protection products.

Gangs are using innovative technologies

In Germany alone, the damage is around EUR 100 billion per year according to recent calculations by the industry association Bitkom. In the report "Economic Impact of Cybercrime – No Slowing Down" published by the Center for Strategic and International Studies (CSIS), a US think tank, the worldwide damage is estimated at nearly USD 600 billion, which is USD 155 billion more than in 2014. The report attributes the accelerated increase to the use of new technologies by cybergangs and continual expansion of the "cybercrime as a service" business model.

No firewall can stop Emotet

BSI experts cite a new malware product called Emotet as a prominent example of the growing expertise of today's cybercriminals. This malware has been known for years, but in November 2018 it suddenly spread massively due to malicious Office documents. The evolution of Emotet can be seen in particular in new features such as Outlook harvesting, which enables it to send spam emails that look astonishingly real.

The malware reads contact details and, since recently, email messages in the mailboxes of infected systems. The criminals use this information to increase the proliferation of the malware in subsequent spam campaigns. This means that recipients receive fake emails from senders they were recently in contact with. The BSI expects a further increase in this sort of automated social engineering attacks, which recipients are scarcely able to identify as such. In the case of "spear phishing" attacks, the message content is tailored to especially valuable targets. Emails containing this malware are therefore among the most frequently detected attacks, for example attacks on German federal government agencies.

Firewalls and antivirus software – the traditional solutions – are no match for modern Trojan horses, worms and other malware, because the usual blacklisting approach only blocks known dangers. The security measures of operating system vendors also do not provide adequate protection. Some public authorities still secure themselves by completely isolating the computers they use for browsing from their own operating system and their intranet. The inevitable consequence is that transactions with the digital outside world are massively restricted.

"The world's most secure browser"

Clemens Schulz, Director of Desktop Security at Rohde & Schwarz Cybersecurity, was a key player in the development of software that totally encapsulates the user's own browser from its surroundings without restricting user access to the digital outside world: R&S®Browser in the Box. Schulz says, "The gateway is still the person." This is why it is so important to not just rely on educating users in the company, but also using the best technology to prevent the accidental and unintentional import of malware. Instead of reacting to malware, the entry of malware should be proactively prevented. Nowadays simply opening a website is enough to activate a drive-by download, for example via banners.

The development of R&S®Browser in the Box represents a paradigm shift, similar to what happened in the automotive industry. As early as the 1950s, the effects of accidents on vehicle occupants could be reduced by airbags. Many years later, the introduction of electronic stability control (ESC) made a significant contribution to avoiding accidents. Like ESC in a vehicle, R&S®Browser in the Box prevents malware infections. This is called security by design. Telemetry services are also unable to seize the browser's data, and downloading malware from file attachments is equally impossible. The industry magazine Chip has named R&S®Browser in the Box the "world's most secure browser".

The initiative for the development of this type of software for total security of public authorities came from the BSI. Virtually all the offices of the police force of Baden-Württemberg, Germany, were among the first users. Long before the introduction of the General Data Protection Regulation (GDPR), municipal public authorities in Germany were obliged to protect the data of citizens on their data storage media. And long before the implementation of the EU GDPR, the city of Dresden upgraded its equipment to secure its computers with R&S®Browser in the Box.

When the health department does research ...

One example is the health department. Kay Hirschfeld, an administrator in Dresden's municipal government who is responsible for cybersecurity, identifies sensitive areas where the employees must be able to do research securely. For example, they must be able to contact sex workers to carry out information campaigns. They must be able to access forums for same-sex partners, for example to draw attention to the possibility of free and anonymous AIDS tests. In all cases, personal data must be encrypted and pseudonymized, and data protection and deletion deadlines must be complied with. In particular, online research activities must be separated from the internal system so that nobody can use the browser to access the operating system on which personal data is processed.

The situation with weapon registration is similar. Until recently, the weapon offices (around 550 in total) used a wide variety of systems to maintain their data, in some cases on index cards instead of digital. When, due to the associated EU directive, the data of all the offices had to be consolidated, which means harmonized and stored in a central system, the risk increased. As Hirschfeld explains, "Then, from a single gateway, hackers could access data of an entirely different quality and perhaps even an entirely different quantity of data." An important aspect for the IT security expert is that despite the encapsulation of their own operating system, transactions with the internet run almost just as fast as with a normally protected system. With the right configuration, it even loads unobtrusively when Windows starts up.

Multilayer security is the key

The operating system and the intranet remain completely separated from the web browser while the application is running. Telemetry data is no longer sent to the producer. This is metadata about the document, the client concerned and its usage. Along with this information, confidential data could also be grabbed without being noticed. The browser runs on a completely virtualized platform with no noticeable impact on users, because their browser behaves as expected. The "Docs in the Box" feature also allows email attachments, which could contain viruses, to be viewed safely in the preview window of a virtualized environment.

The key to this is a hardened Linux system. Schulz explains: "The open source operating system is stripped down so that only the browser can run on it." In addition, data traffic is encrypted end-to-end by a VPN tunnel using the R&S®Trusted VPN gateway. As Schulz points out, no other vendor in the world offers this sort of complete network and browser encapsulation with retention of full functionality.

The human factor

With R&S®Browser in the Box, individual authorized users are freed from the responsibility of personally checking each single site. Nevertheless, Kay Hirschfeld from Dresden warns, "The biggest danger is not hackers, but careless, perhaps even disgruntled, employees with appropriate access rights." Technical solutions are powerless against spies who smuggle data out of the company, but without a technical solution you have lost before you even get started.