One wrong click, and hacker is in

A whole network can be infected if a curious individual falls for a hacker's bait; a firewall can filter, at best, half of all malware


It costs a hacker close to nothing to embed malware in a Web link or an e-mail attachment to bait unsuspecting victims. All it takes is one click by a curious individual to put an entire network in the hands of the hacker.

This is why the Singapore Government is not taking any chances and has decided to delink Web surfing from the work terminals of public servants from next May, security experts explained.

Around 100,000 government computers will be affected and public servants will instead connect to the Web using dedicated Internet machines or their personal mobile devices. The aim is to create an "air gap" between the Web and the Government's internal systems.

Check Point Software Technologies chief strategist Tony Jarvis said: "All an attacker needs to do is to trick an employee into clicking on a document or opening a file, and the malware is then able to infect the machine."

The infected machine could spread the infection across a network, compromising the confidentiality of all data. Over the past year, 16 attacks against the Singapore Government's networks made it past firewall systems. The malware was eventually detected and extracted with no data loss, said Singapore's Cyber Security Agency (CSA).

A firewall is typically the first line of defence for most systems. But CSA chief executive David Koh said that a firewall can filter, at best, half of all malware. This is because the tool only works well on known malware, and is less effective against new ones.

Most networks are also designed to have other basic protections such as antivirus, and intrusion detection and prevention systems, which work like firewalls. These tools are also unable to pick out fresh malware.

This is because hackers know how to disguise malicious programs as benign-looking installer apps, for instance, to escape detection. Hackers also frequently change a malware's distribution location. Sometimes, hackers also design malware to stop snooping temporarily when antivirus software is scanning a computer.

"This extends the life of the malware in its undetected state," said Mr Vitaly Kamluk, global research and analysis director at Kaspersky Lab Asia-Pacific.

The second line of defence is "sandboxing", which lets programs from untrusted websites or senders run only in a restricted zone of the computer, so that they cannot read data from the rest of the machine. The program is blocked if it is determined to be malicious.

More advanced protection involves using antibot technologies, which identify malware by examining its actions. For instance, the tool catches malware when it tries to communicate with the hacker's command and control servers.

The latest sandboxing and antibot technologies are able to identify unknown malware.
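The behaviour-based detection described above can be illustrated with a small, defender-side check. The following is an added example, not code from the article or from any vendor named in it: it scans constructed Web proxy log lines and flags any client-to-host pair whose requests arrive at near-constant intervals, which is one of the traits that automated call-backs to a command-and-control server tend to show. The log format, hostnames, addresses, thresholds and the `KNOWN_GOOD_HOSTS` allowlist are all assumptions made for the example.

```python
"""Beacon detection over constructed proxy log lines (added example).

Scores each (client, destination host) pair by how regular its request
timing is. Low jitter at a human-unfriendly period is a triage signal
for automated call-back traffic, not a verdict. All log lines, hosts
and thresholds below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

MIN_EVENTS = 4          # fewer requests give no usable timing estimate
MAX_JITTER = 0.10       # coefficient of variation of intervals (std / mean)
MIN_INTERVAL = 10.0     # seconds; shorter periods are usually page assets
MAX_INTERVAL = 3600.0   # seconds; longer periods need more history to judge
KNOWN_GOOD_HOSTS = {"intranet.example"}   # constructed allowlist

# Constructed sample in a "timestamp client method url status" layout.
SAMPLE_LOG = """\
2016-06-12T09:00:00 10.0.0.5 GET http://intranet.example/home 200
2016-06-12T09:00:07 10.0.0.5 GET http://news.example/article 200
2016-06-12T09:01:00 10.0.0.5 POST http://update-check.example/ping 200
2016-06-12T09:02:00 10.0.0.5 POST http://update-check.example/ping 200
2016-06-12T09:03:01 10.0.0.5 POST http://update-check.example/ping 200
2016-06-12T09:04:00 10.0.0.5 POST http://update-check.example/ping 200
2016-06-12T09:05:00 10.0.0.5 POST http://update-check.example/ping 200
2016-06-12T09:03:12 10.0.0.5 GET http://news.example/other 200
2016-06-12T09:17:40 10.0.0.5 GET http://news.example/third 200
2016-06-12T09:00:30 10.0.0.9 GET http://intranet.example/home 200
2016-06-12T09:45:10 10.0.0.9 GET http://mail.example/inbox 200
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, client, host)."""
    ts, client, _method, url, _status = line.split()
    return datetime.fromisoformat(ts), client, urlsplit(url).hostname


def detect_beacons(log_text):
    """Return one finding per (client, host) pair whose request timing is
    regular enough to look like an automated call-back."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host = parse_line(line)
        if host in KNOWN_GOOD_HOSTS:      # skip approved internal services
            continue
        events[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in events.items():
        if len(stamps) < MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if not MIN_INTERVAL <= avg <= MAX_INTERVAL:
            continue
        jitter = pstdev(gaps) / avg       # 0.0 means perfectly periodic
        if jitter <= MAX_JITTER:
            findings.append({"client": client, "host": host,
                             "count": len(stamps),
                             "mean_interval": avg, "jitter": jitter})
    # Most regular contacts first, for analyst triage.
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['count']} requests, "
              f"every {f['mean_interval']:.0f}s (jitter {f['jitter']:.3f})")
```

On the sample, the ordinary browsing to `news.example` has too few, irregularly spaced requests to score, while the once-a-minute contact with `update-check.example` is flagged. Legitimate software updaters also poll on a fixed schedule, which is why such a signal is best used to rank hosts for analyst review and to feed an allowlist, rather than to block on its own.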

The decision to use these advanced tools, or to combine them with the "air gap" approach, is simply a design choice. The latter is typically more common in military or banking operations, said Mr Jarvis.

But just as no approach is foolproof, air-gapped defences can also be defeated. "These computers still need software updates over the Internet from time to time," said Mr Kamluk.

One often overlooked security gap is the USB port in the computer. "All it takes is just one person to charm his or her way into an office and insert a USB drive into computers to introduce malware into the network," said Mr Gil Rapaport, security specialist at CyberArk.


A version of this article appeared in the print edition of The Sunday Times on June 12, 2016, with the headline One wrong click, and hacker is in.