Network segregation is not enough to keep out malware

Image credit: Christos Georghiou /

A recent breach at Singapore’s MINDEF network highlights the limitations of network segregation. What’s needed is better malware defenses.

In February this year MINDEF, the Singapore Ministry of Defence, announced that the personal data of 850 national servicemen and employees had been stolen. The breach affected the I-net system used by national servicemen and MINDEF employees to access the Internet via dedicated terminals in ministry premises and Singapore Armed Forces (SAF) camps, and the stolen data included NRIC numbers, telephone numbers and dates of birth used for account management, tracking usage and surfing behavior.

The good news was that no classified military data was stolen in the attack – because such information is stored on a separate system featuring more stringent security and not connected to the Internet. This is a great example of the value of network segregation, whereby a network carrying the most critical and sensitive data is simply kept separate from all Internet connections. It forms an impregnable bunker hidden from the public network and so all its data is totally protected. At least, that is the theory.

In practice, however, the sort of attack described above can be used to undermine that security. Although no actual password credentials were reported lost in the I-net attack, such personal data can be exploited for future phishing and social hacks. Maybe enough personal information has been gleaned to fool an administrator into thinking they are receiving instructions from a superior, rather than a hacker – instructions that lead to data being transferred to or from the segregated network. The only limit now lies in the determination and ingenuity of the hacker.

So, does this mean that all government networks should be forever separated from the public Internet? Absolutely not. Governing from a sealed bunker is only possible in extreme emergencies for a short time – in all normal circumstances government relies on communication, both to and from the public and outside world. Following the breach, MINDEF said it will not cut off Internet access for national servicemen and employees, but will continue to strengthen its cyber defenses.

Network segregation plays an important role, but we also need ways to isolate government networks from the Internet, ways that allow freedom for enquiry and response, but no passage for malware that leads to data theft. That is the challenge now being addressed by the IT security sector.

Not the first, not the last

Although this was the first cybersecurity breach recorded by MINDEF, it was not the first one to hit the Singapore government, previous attacks include the breach of the Foreign Affairs Ministry’s IT system in 2014, and the hacking of the Istana and Prime Minister’s Office websites in 2013. According to MINDEF’s deputy secretary for technology, David Koh, who also leads the Government’s Cyber Security Agency (CSA): “It’s no secret that Government agencies, including MINDEF, are prime targets, and we are under constant cyberattack.” He points out that this particular attack was not from within, but originated online: “The attacks were targeted and well-planned. Based on our investigations, they are not the work of casual hackers or criminal gangs.”

We have all seen enough action movies to know that the best way for the master criminal to avoid being caught is not to roar away in a red Ferrari, but simply to merge into the crowd. And the Internet represents a mighty big crowd to get lost in. According to a Google Webmaster blog post in March: “We’ve seen an increase in the number of hacked sites by approximately 32% in 2016 compared to 2015. We don’t expect this trend to slow down. As hackers get more aggressive and more sites become outdated, hackers will continue to capitalize by infecting more sites.”

Corrupted websites take many forms. Some are completely filled with gibberish keywords designed simply to show up on search engines and direct the searcher to some porn site, others look as if they belong to a valid site where familiar elements cloak malicious content. And then there are valid pages carrying infected advertisements.

Amongst all those merely tiresome and time-wasting forms of malware, there may also be some highly targeted attacks capable of penetrating a network and causing serious damage.

Here’s another way to think about it: how safe do you feel when reading this article?

If you are reading it on a website, remember the above quote from Google: there might be any amount of malware lurking on this page. But perhaps you downloaded the article as a PDF? Then you should know that PDF downloads are a very popular malware vector.

The problem is that the Internet pleases its users by providing a rich, responsive multimedia experience – a far cry from the static pages of 20 years earlier. All that responsiveness is possible because of the hidden “active content” that lies behind surface appearance – the Flash and Java and other interactive elements. Even a PDF or Word document is a lot more complicated than it looks on the surface – all these features form the crowd that malware can hide in.

However, if you are reading this article on paper, a printed copy, then you are laughing, because there is absolutely nothing but the visible words to carry infection.

This points the way to a solution: is it possible to isolate the browser so that it appears to you as a clean image without any good or bad software seething beneath the surface?

Browser isolation

The first solution is inspired by the printed page: look at the browser screen as a simple array of pixels and reproduce those pixels on a “safe” screen without any of the hidden software elements – that would be as safe as reading a printed page.

This “pixel mirroring” approach has been successfully deployed up to a certain point, but has serious limitations for the average user. It is a “one-size-fits-all” approach that makes no allowance for the actual content – whether text, image or video – whereas the hidden active content is specifically designed to improve the user experience by adapting the rendering to suit the content. So, pixel mirroring tends to slow down page loading, reduce responsiveness and makes common operations, such as printing and copy-paste, more cumbersome. Some pixel mirroring solutions try to get around these problems by using specialized browsers, plugins and additional software at the end point. This can work for certain business environments, but it adds levels of complexity that go against the whole quick access benefits of Internet connectivity.

A newer approach uses the “Document Object Model” (DOM) to allow for the actual content type and the dynamic manner it is represented in the browser. “DOM Mirroring” means that the isolating process actively monitors the currently loaded page tab for changes, translates those changes into DOM commands (without the underlying active content) and sends those commands to the end user’s device, so the user’s “safe” page automatically updates in sync with the original. For example: instead of sending a Flash video to the end point, the same movie will be sent as crisp, suitable quality HTML5, while non-active safe elements are simply transmitted as they are. All the natively available fonts can be reproduced at the end point, so the whole page looks, feels and behaves just as it should. When it comes to printing, this DOM Mirroring approach allows the document to reflow to suit the local printer – unlike the pixel mirroring approach that freezes the page as a rigid array of pixels.

As a service, isolation takes place in the cloud within a virtual container – so there is no need to install any special hardware, browsers or other software on the users’ devices – and the resulting clean page images are solidly encrypted and transmitted via a secure web proxy. Bearing in mind the hackers’ skill at finding ways to work around even the most sophisticated defense structures, the content in the isolation process is constantly being rendered safely, before any infection can spread. As one user put it: “it’s like being given a brand new laptop every time you log in.”

Out of the bunker

This DOM mirroring isolation platform was developed in collaboration with a large national bank, JPMorgan to meet the very demanding security needs of the financial services sector. And it is proving its value, according to their Chief Information Security Officer, Rohan Amin, who says that the platform was deployed “with zero impact to users, providing a seamless user experience for our employees”.

In just two years the same technology has been successfully adopted by other critical sectors, including government, technology, healthcare, oil and gas, and it is already supported by teams in the United States, UK, Germany, Japan, Singapore and Australia to meet the growing demand.

Government in particular cannot operate from the depths of a bunker. It needs constant communication with the people and the outside world, and that must include easy, quick and reliable Internet access. Phishing attacks are constantly evolving and require extreme vigilance, but browser isolation is proving to be the surest way to protect against that flow of hidden malware. The user response is overwhelmingly positive, and both morale and productivity benefit from a clean Internet experience.

Stephanie Boo, managing director of Asia Pacific at Menlo SecurityWritten by Stephanie Boo, managing director of Asia Pacific at Menlo Security

Be the first to comment

What do you think?

This site uses Akismet to reduce spam. Learn how your comment data is processed.