In my last blog post, I discussed the accelerating web-based threat to government, critical infrastructure, and supplier networks, and made the rather audacious proposal that simply using AI to supercharge the same fundamental cybersecurity approach was insufficient to the task. Today, I’ll be digging into one of the biggest potential vulnerabilities in any enterprise software stack, and one that’s almost impossible to effectively secure – the web browser.
Along with almost every organization in the world, the US federal government and its suppliers use web browsers as their windows to the Internet – a wealth of resources and a bounty of risk. Browsers have become the critical access points for most employees’ personnel records, pay statements, travel arrangements, and applications for further internal career opportunities. It is also federal employees’ connection to the outside world, whether for business-related purposes such as procurement research, urgent notifications such as school closures and weather alerts, or limited personal uses such as banking during lunch hour or researching the next happy hour location. With limited exceptions for extremely secure environments, many employees today consider both official and personal uses of the Internet to be a “table stakes” part of daily professional life.
From a technology perspective, the modern web browser is both a marvel of flexibility and a nightmare of vulnerabilities. The Chromium stack, which serves as the foundation for two out of three of the world’s most popular browsers – Chrome and Edge – is far from a monolithic piece of software. Instead, it is a conglomeration of more than 100 open-source libraries maintained by a community of developers under a common banner. Using these various libraries – all of which require a significant degree of privilege on users’ endpoints –user can watch movies, write documents, check email, and conduct research all in a program. But the aggregation of so much code, all of it visible to anyone who cares to look, creates opportunities for attackers to easily identify and weaponize vulnerabilities. As a result of both Chromium’s inherently insecure development model and its omnipresence as part of almost every major browser, adversaries see it as a major target; in 2023 alone, Google issued eight zero-day patches for Chrome vulnerabilities, many of which provided attackers with remote code execution privileges that could be used to install ransomware or other malware on the endpoint.
Despite the known vulnerabilities of web browsers, network security professionals in the federal government and elsewhere have relatively few tools to protect their networks from the risks inherent in using them. Most commonly, they use secure web gateways and proxies to make a binary decision: either block employees from accessing a given website and all the information it contains or allow them to access it and accept the risks associated with whatever code it’s running today. Proxy vendors have created tools, such as content categorization, that help administrators to determine whether or not to allow groups of sites based on the type of content they contain, but their security value is marginal at best as sites hosting seemingly benign or even beneficial content make the best vectors for hackers attempting to deploy malicious code. At the end of the day, then, federal network security professionals are forced to give sites that they haven’t reviewed in any depth the exact same privileges as they give a trusted site like USAJobs, Office 365 Government, or Defense Travel Service, at the risk of blocking access to the resources employees need to do their job and remain connected to their personal lives.
At Garrison, we provide security professionals with a third option that allows employees to interact seamlessly with Internet resources like an interesting startup’s website, research papers from a foreign university, or their children’s school schedules without giving those unreviewed, risky sites the access to federal endpoints and data that is critical for Office 365 and similar business applications. This technology is secured using the same robust, hardware-enforced techniques that underpin our work enabling the most secure government organizations in the world in the cross-domain space. My next article will talk about how our robust hardware-enforced web isolation can enable your workforce while protecting your network – but if you’d like to learn more before then, contact us!