Hacking has long been thought of as a sort of black magic whose incantations are made using keyboards. That is, until 2016, when the John Podesta email hack made big enough news that hackers’ dirty secret got out: many breaches have less to do with coding skills and much more to do with classic trickery, albeit in digital form. Web users simply get duped into entering their username and passwords onto fake websites. With that information, it doesn’t take any special cleverness to hack a system. The attacker has the keys.
The chief tool hackers use to lure unsuspecting people to these phony websites is email. When the victim works at a company of some kind, those credentials might provide cyber-criminals with access to more than just email. The same credentials might also provide access to intranets, servers and sensitive data. Executives are looking hard for ways to protect their operations today without cramping employee productivity.
One method many might be looking at is virtual machines, workspaces that run software on the cloud but looks to the user just like a normal desktop. As counter-measures go, muckraking news outlet The Intercept has sung its praises. As it happens, Amazon Web Services announced a new offer on its blog Thursday—40 hours of virtual machinery free to users and companies that might want to try it out. Windows 7 and Windows 10 experiences are available.
Working inside a window into the cloud protects physical devices from evil code a user might get tricked into initializing. Called WorkSpaces, it can give staff access to all of a company’s data and tools from anywhere.
If an employee is working from home and gets hit by ransomware, it encrypts everything on the hard drive and demands payment in bitcoin to set data free. If the ransomware got run on the employee’s actual machine, all the music, photos and personal documents stored there would be locked up too. On a virtual machine, though, only the virtual device gets hit. All that personal data stays safe.
To see how it works, ZD Net actually spun up a virtual machine to pretend to be duped by a Microsoft Tech Support scam in order to observe, step-by-step, exactly what scammers do.
So could WorkSpaces protect a company from its own gullible staff? Amazon did not respond to a request for comment for this story, but several security firms told the Observer that it can help, but it won’t protect against every attack.
“On one side, IT teams have tighter controls and oversight over the desktop images they are managing. On the other side, they are no longer managing the hardware the employee is logging in from,” Aaron Higbee, CTO of PhishMe, wrote the Observer, via a spokesperson. His company provides software that provides ongoing training that teaches employees how to spot cons over email, as we previously reported.
So, for example, an employee might use their virtual desktop on the road, using someone else’s workstation, which could be infected with software that logs a users’ key strokes or takes snapshots of their workspace.
And no one benefits if staff just ignore phishing attempts. “Virtualized or not, in order to defend against the phishing threat, the human operator will need to be conditioned to recognize and report suspicious messages and the organization will need to have a tried and true procedure in place to quickly act on those reports,” Higbee wrote.
The chief scientist at another anti-phishing firm, Agari, concurred. “Virtualization provides an effective form of endpoint protection against malware, ransomware and malvertising, but it is important to realize that not all email-based attacks seek to compromise the endpoint. The bigger issue with email-based attacks—including phishing—is identity deception, which can take many forms,” Markus Jakobsson wrote the Observer in an email. Agari spots malicious emails with machine learning that watches for the tell-tale sign of the latest tricks as messages enter inboxes.
If a user clicks on a link in a malicious email and accepts a prompt to enter their user name and password on a phony website, there is nothing about a virtual machine that will prevent that information from getting lost. That’s why it’s good for companies to have more robust sign-ons, such as using two-factor authentication.
More sophisticated hackers might try to get specific credentials for high level employees in order to impersonate them digitally. For example, an attacker could send an email from an executive’s email address, Jakobsson explained, directing bookkeepers to wire money to a specific account for phony services, Jakobsson explained. The FBI has estimated that such scams have cost companies $5 billion over the last few years.
A virtual machine can’t prevent that trick.
Carbon Black delivers security services over the crowd, spotting attacks and detecting intruders. “The majority of leading cybersecurity researchers are not yet ready to give all the power to the machines just yet,” Rick McElroy, a security strategist there wrote the Observer, via a spokesperson. “User awareness and education continue to major best practices when it comes to defending against phishing attacks. Computers will help, but not yet replace, human decision making.”
Desktop-as-a-service systems like WorkSpaces can turn clunky computers into lean, mean, totally updated machines. They might even be digital Sir Lancelot’s, protecting companies’ IT castles well, but one knight won’t be enough—firms will still need a full roundtable.