Anyone involved in securing corporate networks would agree that we are continually facing a clear and present danger of advanced malware attacks capable of penetrating defenses, infecting endpoint devices, and causing significant business disruption. No debate there. But there is ongoing debate on how best to protect the business from these attacks – most of which are delivered to endpoints through browser-borne malware.
In recent weeks, we've been working with several customers in high security network environments across different market segments. This particular group of customers is somewhat unique because they have independently come to the same conclusion: the best way to protect endpoints against browser-borne malware attacks is to create an "air gapped" network architecture where each employee has two PCs on their desktop. One PC is connected only to the business-critical production network, which contains all required business files and applications; the other PC is connected only to the Internet and contains no business files or sensitive content.
The result is a true "air gap" between the two systems. So if malware infects the Web-connected PC, it has no ability to spread and access corporate network resources or sensitive data. Sure, it's insanely expensive to create a separate, isolated network architecture, but it seems like it would solve the problem, right?
Well, maybe not. Remember, there's always the human factor to deal with. Employees are not thrilled about having to deal with two separate, air-gapped systems. It's annoying and disruptive to their productivity. So inevitably, these employees will find a way to bridge the gap between these two systems. Most often, they'll simply use a USB flash drive to copy content or files from one system to another as needed.
But using USB drives to bridge air-gapped systems just got a whole lot more dangerous than it used to be. A recently published article highlights new research from SR Labs in Germany, which demonstrated that the firmware in USB drives can be re-programmed to contain undetectable malware. If such a drive is used in the air-gapped environment described here, both systems could be seriously infected. Even worse, the infection can run so deep that it could modify the computer's BIOS and the PC would never be safe to use again.
The bottom line is that, while the concept of physically air-gapped systems sounds good on paper, the additional costs, disruptions to productivity, and human-driven security risks make this option less than desirable. Instead, consider the AirGap solution from Spikes Security. It unifies the network infrastructure but still securely isolates all Web content so that employees stay productive on one system and never have to reach in their pocket for a potentially dangerous flash drive.