Internet Surfing Separation: Effective Security or Draconian Constraint?

JOE CISO on October 25, 2018 | 147

Singapore is famous for many things, from year-round blistering heat to futuristic malls to an incredible airport. Another claim to fame is its status as a “smart nation”. Since obtaining its independence back in 1959, Singapore has become known around the world as an early adopter of everything technology-based.

In what might seem a counter-intuitive move for such a tech-immersed nation, in 2016, Singapore began implementing a policy called ISS, or Internet Surfing Separation, for all government agencies. ISS cut off internet access from all employee computers, with the intention of preventing advanced cyberattacks from infiltrating government networks. While relatively common in extremely high-risk networks, this approach, also called air-gapping, is not generally implemented in government networks because of the following inherent drawbacks:
 

Drawbacks of ISS

  • ISS is an efficiency-killer - Employees cannot access the web-based information they need when they need it, and this impedes workplace efficiency.
  • ISS is very expensive - An air-gapped system needs its own everything - from servers to routers to management tools.
  • ISS isn’t foolproof - Air gapping your networks doesn’t actually make them immune to attacks; an air-gapped network cannot be patched automatically and, of course, it cannot protect against attacks that leverage other vectors.

A whole lot of people are unhappy with the policy — everyone from disgruntled employees, who can no longer use the web to do their work, to security experts, who say the move is excessive. Yet some security experts have backed the initiative — companies in Southeast Asia are 80 times more likely to be attacked than are companies throughout the rest of the world. Thus, despite the seemingly drastic approach, a harsh policy like ISS promised to help Singapore remain secure amid constant threats.
 

The SingHealth Hack

Yet despite Singapore’s caution about web-borne attacks and proactive ISS policy, SingHealth, the country’s public health care provider, announced that its database was breached in July 2018, two years after ISS was first implemented. Singapore’s Ministry of Health revealed that attackers stole the names and addresses of 1.5 million citizens, including those of the Prime Minister, Lee Hsien Loong. And in a special “nod” to government officials, the hackers released a number of ministers’ prescriptions as well.

Public health organizations such as SingHealth were not included in the original ISS implementation. Had SingHealth implemented Internet separation two years prior, along with other government agencies, it “would have disrupted the cyber kill-chain for the hacker and reduced the surface area exposed to the attack,” according to Teo Chee Hean, Singapore’s DPM and Coordinating Minister for National Security. Now, in the aftermath of the attack, all public health center networks have been cut off from the world wide web — and may remain so indefinitely.

Thanks to these new constraints, waiting times to see doctors are now longer, as doctors need to access web-based information using separate computers. According to Singapore’s Health Minister, Gan Kim Yong “We will need to develop longer-term mitigation solutions to overcome operational issues if ISS is to stay.”
 

Remote Browser Isolation: Security + Productivity

Remote Browser Isolation is a more secure and agile solution for isolating networks from the dangers that lurk on the web. By isolating all browsing activity away from the local network, you can prevent web-borne threats like malware, ransomware and even cryptojacking downloaders from accessing your network. All content is rendered in a disposable remote browsing environment that is discarded at the end of each browsing session. Any web-borne threats are fully contained within that isolated environment and thus also discarded, keeping your endpoints and networks threat-free.

There is no loss in efficiency or productivity with this approach — users can continue to browse seamlessly from any workstation, so work continues as normal. It’s also clientless, so it’s cost efficient and simple to manage. As such, it’s one of the alternatives that Singapore’s Ministry of Health is looking into.

So Singapore was right all along; they were, and continue to be, a high risk target. But even high-risk organizations cannot afford to be cut off from the Internet in today’s high-speed workplace. Remote Browser Isolation is the solution your organization needs to remain secure, yet productive.

Author | 17 Blog Posts

Joe CISO

Joe CISO is the information security professional responsible for protecting the organization from all cyber threats, including ransomware, dirve-by donwnloads and zero-day exploits. | Ericom Software

Recommended Articles