I recently had an opportunity to catch a fascinating talk by Alaina Clark, assistant director for stakeholder engagement for Cybersecurity and Infrastructure Security Agency (CISA). A trusted advisor for security professionals in the federal government, Clark was addressing a group of security professionals in K-12 school districts. Her argument was that people in the audience face many of the same security challenges as federal agencies, and IT teams in school districts can apply many of the same cybersecurity strategies that she recommends for federal agencies.
At first, I was dubious. CISA’s recommendations such as standardizing browser types and using content blocking software won’t fit the education space where diversity and limitless accessibility are core tenets. But what if K-12 security teams could follow the spirit of the guidelines without straying from the organization’s principles? After all, federal cybersecurity teams have long locked horns with highly sophisticated ransomware gangs supported and sponsored by rogue nation-states. And, now that these same gangs are targeting K-12 school districts, surely there are lessons to be learned.
Could web isolation technology be the key to unlocking these guidelines?
Clark and CISA recently published a new capacity enhancement guide for Securing Web Browsers and Defending Against Malvertising for Non-Federal Organizations. While the guide focused specifically on malvertising, it highlights how malicious web content can bypass built-in browser protections to deliver a payload for malicious purposes–including ransomware. These traditional security tools are failing to identify and prevent Highly Evasive Adaptive Threats (HEAT)–allowing malicious actors to gain initial access to networks through the browser, probe the network for more valuable targets and eventually deliver their payload.
According to the CISA enhancement guide, preventing initial access to the browser is key to stopping ransomware attacks. But many of the tactics recommended by CISA won’t work in the education space. As stated above, the culture is too different, too diverse and too decentralized to lock down end devices through control. A more nuanced approach is needed. A non-disruptive approach enabled by web isolation.
Here are the four CISA guidelines and how web isolation can be an enabling technology:
CISA recommends that organizations standardize their web browser infrastructure in an effort to simplify the process for updating and patching systems. Consolidating on a single browser, browser version and browser configuration makes it easy to stay on top of these updates, inherently making them stronger. However, K-12 school districts are hardly homogeneous organizations. Students, teachers and administrators across schools, locations and departments are about as different as any user bases can get, and most education philosophies actually encourage diversity, curiosity and non-conformity. Getting everyone to use the same browser is just not going to happen. But this doesn’t mean that IT’s hands are tied. There are other ways to simplify browser infrastructure management and shrink attack surfaces. Web isolation works by creating a layer in the cloud between the Internet and users’ devices. Essentially acting as a virtual air gap, all content is fetched and executed in a remote browser instead of on the end device’s browser–effectively cutting off access to the user’s device. That way, it doesn’t matter who uses what browser and if it’s patched. It only matters if the remote browser is up to date. And updating one browser is a lot easier than updating thousands.
According to the CISA enhancement guide, “Ad-blocking software prevents advertisements [and other malicious web content] from displaying or removes different types of ads when a user visits a website or uses an application.” The problem with any content blocking technology (URL filtering in addition to ad-blocking) is the danger of false positives. K-12 school districts value access in addition to security, and any protective action that prevents the free flow of information or stifles a student’s research efforts is a disruption to that principle. However, web isolation eliminates the allow or deny decision at the point of click. Instead, all content is assumed to be malicious and is isolated in the remote browser. Bad content is automatically stripped out and only good content is delivered to the browser on the end device. This effectively eliminates false positives, because, in the end, all content is accessible.
CISA recommends that organizations use DNS technologies to block redirects to known malicious domains. While CISA reports that 91% of cyberattacks use DNS to deliver their payload, most URL filtering solutions are ill-equipped to identify every malicious domain. Just because a website is deemed safe one day doesn’t mean it’s safe the next. Malicious actors are notorious for hijacking known domains and inserting malicious content on trusted websites. Even CISA admits that DNS technologies would only prevent a third of these attacks. When all it takes is a single breach, are you fine with those odds? Layered on top of detect-and-respond capabilities such as DNS technologies, Web isolation augments existing approaches by preventing unknown threats. Suddenly, that one-third prevention rate cited by CISA rises to 100%--odds that anyone can live with.
This is a CISA recommendation that we wholeheartedly support and agree with. Layering web isolation on top of existing security stacks is a great way to augment your organization’s detect-and-respond security strategy without disrupting users. Just make sure you use a web isolation solution that preserves the web browsing experience. The web should look and behave the way the end user expects. No custom browser requirements, no pixelated rendering, no lag and no degradation of functionality like copy, paste and print. In fact, users shouldn’t even be aware that the content they are accessing is being executed in a remote browser away from their device. Web browsing should be seamless, fast and secure.
Web browsers are an increasingly critical component of K-12 education. Remote teaching, digital transformation and the rise of Software as a Service (SaaS) platforms for administrative tasks such as HR, payroll and attendance are moving off local infrastructure to the cloud. This makes K-12 school districts a tempting target for ransomware and other attacks while making it harder than ever to secure an expanding threat surface. Fortunately, K-12 security teams can learn best practices from CISA and the federal government where IT teams have been battling these gangs for years. However, legacy tactics need to be tweaked to adhere to a vastly different culture of openness and accessibility. Web isolation holds the key. Layering isolation technology over existing detect-and-respond approaches should enable K-12 school districts to adapt CISA’s federal guidelines on cybersecurity and better protect students, parents, teachers and administrators as well as their private information.