Why giving users two separate systems won't improve security

Red/green systems, which give users one system for work and another for everything else, no longer make sense from a security or cost perspective. There are alternatives.


A common security question I’m asked is whether it makes sense to have two systems: one locked down and used only for work, and a second for anything else. The idea is that people can do their work on the locked down system and not create excessive risk to their company while still being able to do whatever they normally do on the other system.

The idea is not new. It’s been around for nearly as long as computers have been. I’ve talked about these sorts of “red/green systems” for decades. Red/green systems make even less sense now.

Using two physically separate systems with no connection between them would probably decrease cybersecurity risk, perhaps tremendously in some circumstances. But it’s a very expensive way to do computer security. You’re talking about doubling hardware, software licenses, support costs, and support headaches. The cost alone usually kills the idea of two physically separate systems, although it is still used in high-security environments and a few financial companies.

It’s easy for an IT security person to say, “Hey, buying and supporting two systems is cheaper than paying for one ransomware attack.” I think we can all agree, but asking management to nearly double support costs against a hypothetical situation…well, that’s a tough sell.

Hackers will target the business system

The bigger reason why red/green scenarios don’t work is that today’s attacks often don’t care about the separation. Increasingly, the attacks are coming directly at the business systems, intentionally toward business people. Whatever security benefit red/green systems provide is eroding over time.

Business email compromise (BEC) phishing scams are a great example. Someone sends a business person a request for money or an invoice while pretending to be someone the victim trusts, and the victim pays them out of the business account. The victims aren’t approached on their personal email account or social media. It’s all business.

I’m hearing about more examples every day of BEC scams executed from the compromised email accounts of someone the victim trusts. The bad guy breaks into a business partner whom you have trusted for years. The email arrives in the format you expect, asking about something you are used to seeing, with perhaps only one small change, such as where future invoice payments should be sent. The scammers are even smart enough to send that change along with a relatively small invoice request, say for less than $100, so the victim drops their guard and makes the change without questioning it.

The scammer will also create an inbox rule in the compromised third party’s mailbox that deletes or hides any legitimate messages exchanged with the victim, so neither the legitimate third party nor the victim is aware of the ongoing scam. Then the scammer asks the victim to send a much larger sum of money, and no one is the wiser until the legitimate third party complains about non-payment weeks or months later.
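Because the hiding rule lives in the partner’s mailbox, the partner’s own mail-audit logs are the one place the scam leaves a trace before the money moves. The following detector is an added example, not code from the article: it scans constructed, simplified Microsoft 365-style audit records for New-InboxRule and Set-InboxRule operations and flags the patterns a BEC actor uses (deleting or burying messages that mention invoices or payments, moving mail to rarely checked folders, forwarding to an outside domain, and rules with empty or one-character names). The sample records, the INTERNAL_DOMAINS set, and the keyword and folder lists are assumptions for the example; the parameter names follow the real audit-log shape loosely and should be checked against your tenant’s actual records.

```python
"""Flag mailbox-rule changes that look like BEC cover tactics (added example)."""
import json

INTERNAL_DOMAINS = {"partner.example"}  # assumption: the tenant's own mail domains
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "remit", "bank", "ach", "account"}
# Rule actions that make a message disappear from the mailbox owner's view.
HIDING_ACTIONS = {"DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead"}
# Folders attackers favour because nobody looks in them.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive",
                  "junk email", "conversation history"}
FORWARD_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample records, shaped loosely like unified-audit-log entries.
SAMPLE_AUDIT_RECORDS = [
    {"CreationTime": "2019-05-02T08:14:33", "UserId": "ap@partner.example",
     "ClientIP": "203.0.113.7", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2019-05-02T08:15:10", "UserId": "ap@partner.example",
     "ClientIP": "203.0.113.7", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "archive"},
                    {"Name": "From", "Value": "billing@victim.example"},
                    {"Name": "MoveToFolder", "Value": "ap@partner.example:\\RSS Feeds"}]},
    {"CreationTime": "2019-05-02T08:16:02", "UserId": "ap@partner.example",
     "ClientIP": "203.0.113.7", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "fwd"},
                    {"Name": "ForwardTo", "Value": "ap.partner.example@mail.example"}]},
    {"CreationTime": "2019-05-02T09:01:44", "UserId": "cfo@partner.example",
     "ClientIP": "198.51.100.20", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "cfo@partner.example:\\Newsletters"}]},
    {"CreationTime": "2019-05-02T09:30:00", "UserId": "admin@partner.example",
     "ClientIP": "198.51.100.5", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "ap@partner.example"}]},
]


def _params(record):
    """Flatten the record's Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def analyze_rule_event(record):
    """Return the reasons a rule-change event is suspicious (empty list = benign)."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    p = _params(record)
    reasons = []
    conditions = " ".join(p.get(k, "") for k in ("SubjectContainsWords", "BodyContainsWords",
                                                  "SubjectOrBodyContainsWords", "From")).lower()
    finance_match = any(word in conditions for word in FINANCE_KEYWORDS)
    if finance_match and any(action in p for action in HIDING_ACTIONS):
        reasons.append("hides finance-related mail")
    # MoveToFolder values look like "user@domain:\Folder"; keep only the leaf folder name.
    folder = p.get("MoveToFolder", "").split("\\")[-1].lower()
    if folder in HIDING_FOLDERS:
        reasons.append("moves mail to a rarely-checked folder")
    for action in sorted(FORWARD_ACTIONS):
        for addr in p.get(action, "").replace(";", " ").split():
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                reasons.append(f"{action} to external address {addr}")
    if len(p.get("Name", "").strip()) <= 1:  # "." or "" rule names are a common attacker tell
        reasons.append("rule name empty or a single character")
    return reasons


def scan(records):
    """Return one finding per suspicious record, with the context an analyst needs."""
    findings = []
    for rec in records:
        reasons = analyze_rule_event(rec)
        if reasons:
            findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                             "ip": rec.get("ClientIP"), "rule": _params(rec).get("Name"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_RECORDS):
        print(json.dumps(finding))
```

Run against the constructed records, the first three rules are flagged and the CFO’s newsletter rule and the unrelated Set-Mailbox event are not. The source IP is carried into each finding on purpose: a rule created from an address the user has never logged in from is the second signal you want beside the rule’s contents.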

BEC scams are getting so good that it’s hard to figure out how to detect and stop them, outside of telling everyone to verbally confirm any financial change of any kind before committing it, using a phone number already on file rather than one supplied in the email. That’s my advice. Red/green systems aren’t going to save you from BEC scams.

Virtualization, Qubes are cheaper alternatives

The main value of red/green systems is protection against infecting a system by visiting a malicious website or opening a malicious attachment. This is still a risk, of course, but there are alternatives to having separate systems.

Instead of separate systems, it’s cheaper to use a single system that isolates all internet browsing and email from the rest of the corporate network. Myriad commercial and free products do this for a device or computer. Many software products, including the long-time, popular and free Sandboxie, virtualize or protect browsers, email clients, or entire OSs from malicious modification. The products that only do partial virtualization cannot protect as thoroughly as something that virtualizes the entire OS, but they do offer significant protection, especially against the most common attacks.

Many defenders run their employees’ internet browsers and email clients through virtualization software or use something like Citrix, where all the user does is click on a desktop icon, and instead of running the regular program locally, it runs a controlled, non-persistent instance of the same program that is discarded when the session ends.

Increasingly, OS vendors themselves are offering more sandboxing. Microsoft Windows has been evolving toward a sandboxed model, including Microsoft’s new Windows Sandbox feature for Windows 10, a lightweight, disposable Windows desktop for opening untrusted files and sites. Microsoft is really moving to the model where every Windows application can be virtualized or sandboxed and the user is unaware of the red/green separation.
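Windows Sandbox is launched with its defaults by clicking the Start menu entry, but it also accepts a .wsb configuration file that lets you tighten the sandbox for the red/green use case. The configuration below is an added example, not from the article or from Microsoft’s documentation: it disables the virtual GPU and networking so a malicious document opened inside the sandbox has no path back out, and maps one host folder read-only so the file under inspection is the only thing the sandbox can see. The host folder path is an assumption; mapped folders appear on the sandbox user’s desktop, which is what the logon command opens.

```xml
<Configuration>
  <!-- Disable the virtual GPU: slower rendering, smaller attack surface -->
  <VGpu>Disable</VGpu>
  <!-- No network inside the sandbox: the file can be opened but cannot phone home -->
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <!-- Assumed host path; drop untrusted downloads here before opening them -->
      <HostFolder>C:\Users\analyst\Downloads\Untrusted</HostFolder>
      <!-- Read-only: nothing the sandboxed file does can modify the host copy -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <!-- Mapped folders show up under the sandbox account's Desktop -->
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\Untrusted</Command>
  </LogonCommand>
</Configuration>
```

Save it as, for example, untrusted.wsb and double-click it; everything inside the sandbox is discarded when the window is closed. Networking is the setting to think hardest about: with it enabled the sandbox still protects the host, but a phishing page opened inside it can still harvest whatever credentials the user types.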

The best of the best, concerning OS and application isolation, is the free Qubes OS. Created by computer security innovator Joanna Rutkowska, Qubes is where all the OS vendors who are serious about security isolation are trying to get. Qubes was designed from the ground up for security isolation. Each app and part of the OS can be placed into one or more isolated virtual machines, with the separation enforced by the hypervisor layer rather than by the OS kernel the apps run on. It can even run applications needing different operating systems.

Rutkowska was thoughtful in her approach, figuring out what things, like networking, had to be isolated to protect the rest of the applications and systems. Each virtually separated application simply looks like an icon on your desktop. The user is not aware (or doesn’t have to be aware) of what is going on behind the scenes. They just click on an icon and do their work without the fear of malicious corruption shooting between apps and impacting their entire company’s network. What a beautiful concept! If you are really serious about computer security, then there is no other OS to consider.

If you can't do best, do better

With that said, not everyone is ready to move to a Linux-based desktop, which is what Qubes presents to the user. Linux is great, but most of the world still runs on Microsoft Windows (and, increasingly, Apple’s macOS), with Linux and ChromeOS coming in very distant third and fourth places (as far as user desktops go).

Linux is a big deal in the server space, but application-layer separation isn’t as needed on a server, where users don’t browse the web or read email. Most of the world just wants its popular OSs, Windows and macOS, to be as secure as possible. Make sure they are patched and don’t let users be socially engineered and you’ll get rid of the vast majority of the risk. Of course, making sure those two things are appropriately handled is why we are in the big security mess we are in already. It ain’t easy. If it were, we would have done it a long time ago.

If the world all moved to red/green computing, the hackers would just change their tactics. Ransomware would be sent to more business addresses running on the “safe” systems, as would every other attack. Red/green systems can help decrease security risk, but only so far. If physical separation becomes a popular defense, hackers will evolve and change tactics to what works better in red/green environments.

Copyright © 2019 IDG Communications, Inc.
