All you need to know about App Protection, an add-on to Citrix Virtual Apps & Desktops

May 5, 2020

When end users are accessing your corporate resources through personal or unmanaged devices, a holistic security strategy should include protecting against keylogging and screenshot malware. With App Protection, an add-on to Citrix Virtual Apps and Desktops, organisations can add a critical layer of defense to their apps and data to help prevent data breaches.

Increase in cyber-attacks as a result of COVID-19

More employees than ever are working from home right now, many accessing popular enterprise apps from their personal devices. They’re also likely using those same devices to access personal apps and a browser to use email, games, news, social media, and banking resources. Employees are often choosing whichever endpoint can give them the quickest access to the resources they need. This means they’re turning to a personal laptop, a tablet, or their phone. They get easy access, but they also increase the attack surface for malware that can ravage through an organisation’s systems, causing millions of dollars in data loss and creating liability for regulatory and compliance lapses. A compromised endpoint can be used to harvest information such as keystrokes or session contents displayed on the user’s screen.

With the COVID-19 pandemic, attackers have seen an opportunity to steal user credentials from these personal devices, which are now being used for work and likely won’t have the same security protections as corporate devices. Malware on an employee device could collect sensitive information like a company’s intellectual property or personal data like passwords, credit card info, or personally identifiable information (PII), without the user knowing.

Hackers have launched coronavirus-themed cyberattacks in 241 countries and territories, according to new research from Microsoft. They have established that every country in the world has seen at least one COVID-19 themed attack. Of the millions of messages sent each day, roughly 60,000 include COVID-19 related malicious attachments or malicious URLs.

An Garda Síochána has issued a warning that the pandemic will likely lead to a general rise in cyber-attacks, as seen in the US and in the UK. Such scams include COVID-19 themed “phishing” emails designed to trick users to click a link or download an attachment. Once compromised, it is possible for cybercriminals to extract usernames and passwords for email accounts and bank accounts and to infect devices with malware. The World Health Organisation (WHO) issued a statement recently warning against suspicious phishing email messages attempting to take advantage of the COVID-19 emergency.  In this example, email messages appearing to be sent from Dr. Tedros Adhanom Ghebreyesus, Director-General of WHO, deployed the “Agent Tesla” keylogger malware.

With many organisations implementing remote work in response to the COVID-19 pandemic, employees are often choosing whichever endpoint can give them the quickest access to the resources they need. This means they’re turning to a personal laptop, a tablet, or their phone. They get easy access, but they also increase the attack surface for malware that can ravage through an organisation’s systems, causing millions of dollars in data loss and creating liability for regulatory and compliance lapses. A compromised endpoint can be used to harvest information such as keystrokes or session contents displayed on the user’s screen.

“Keyloggers can remain on an infected machine without doing any noticeable damage.”

A keylogger is one of the most popular tools amongst hackers for data exfiltration and is one of the top 3 malware varieties that are present in security breaches. NordVPN has a helpful video explaining keyloggers here. It can remain on an infected machine without doing any noticeable damage. All the keystrokes entered by the user are harvested, including user name/password combinations, credit card numbers, and confidential data. The harvested data is then silently exfiltrated later on.

With the use of virtual apps and desktops, the attack surface of endpoints has been greatly reduced – data is stored centrally in a data center and it is much harder for the attacker to steal it. The virtual session is not running on the endpoint and users generally do not have permission to install apps within the virtual session. The data within the session is secure in the data center or cloud resource location. However, a compromised endpoint can capture session keystrokes and information displayed on the endpoint.

Citrix provides administrators the ability to prevent these attack vectors, using an add-on feature called App protection. The feature enables Citrix Virtual Apps and Desktops (CVAD) administrators to enforce policies specifically on one or more delivery groups. When users connect to sessions from these delivery groups, the user’s endpoint has either anti screen capture or anti-keylogging or both enforced on the endpoints.

App protection policies work by controlling access to specific API calls of the underlying OS required to capture screens or keyboard presses. These policies can protect against even the most customized and purpose-built hacker tools. It helps to secure any virtual or web application that employees use within Citrix Workspace, as well as authentication dialog boxes (preventing password leaks) and the Citrix StoreFront UI within Workspace.

Protect Against Key Logging

The App Protection feature makes the text entered by the user indecipherable by encrypting it before the keylogging tool can access it. A keylogger installed on the client endpoint reading the data would capture gibberish characters instead of the keystrokes the user is typing.

Protect Against Screen Capture

More remote workers mean more remote meetings and web conferencing through a variety of applications. These meetings usually require employees to share their screens, which opens the possibility of exposing sensitive data by mistake. The App Protection feature protects against screenshot malware and web conference screen capturing by returning a blank screenshot instead of the information on a user’s screen. This also applies to the most common snipping tools, print-screen tools, screen capture and recording tools.

How can we help?

App Protection delivers invisible and continuous security to users without affecting productivity, protecting the user by protecting the workspace on BYO/unmanaged devices, and supporting secure business continuity processes. Learn more about protecting your business from security risks such as malware attacks by contacting us today on info@enterprise-solutions.ie

Recent posts