One of the biggest cyber threats agencies face comes from the internet browser. As the on-ramp to the public internet, every phishing attack and every suspicious link an employee clicks usually begins in the browser.
While browser providers have made some progress in securing the user’s experience, there’s a move in the Defense Department to remove the browser as a threat vector.
Steve Wallace, a systems innovation scientist in the Emerging Technology Directorate at the Defense Information Systems Agency, said a new browser isolation effort could better protect DoD data and networks.
“We look at the modern browser and the amount of code that’s executed just going to a regular web page, the number of other domains that that page is forcing your browser to talk to and looking at the threat it creates, we wanted to try to figure out a different way to go about the problem,” Wallace said in an interview after he spoke on an AFCEA Washington, D.C. chapter luncheon. “About two years ago, we started down this road looking at what the technologies were. The idea of taking a browser off of the end point and moving it outside of the network, and giving you a video feed effectively of that browser session. That way if anything goes wrong or if anything happens, it occurs out there and it doesn’t affect the inside of the network.”
Wallace said the amount of code in web applications and sites is getting “almost untenable” for DISA or any organization to guard against potential attacks.
Cybersecurity firm Tenable found in its 2018 vulnerability intelligence report that web browser attacks remained high on the list of hackers, mainly due to the use of legacy technologies like Microsoft IE. The firm found 675 out of 1,063, or 63 percent, of web browser common vulnerabilities and exposures were considered high severity with Mozilla’s Firefox accounting for 53 percent of them.
“Between hardened perimeters and the growing adoption of cloud technologies, attacking the user is often the most effective entry point into an enterprise,” Tenable writes. “[V]ulnerabilities in these browsers have not followed the same decline, with unsupported and legacy versions in considerable numbers extant in enterprises. The age of many of these vulnerabilities is interesting because threat actors, especially exploit kit developers, are still actively targeting them.”
Identity and user behavior
To combat these challenges, Wallace said DISA did a study with its own employees about a year ago and the released a request for information last summer.
DISA, then, issued a call for white papers through an other transaction agreement (OTA) approach. He said the agency currently is reviewing those white papers ahead of planned prototype that would last about six months with 100,000 users.
“A lot of this wraps around security, but we also see potential for bandwidth savings. It’s a little different model the way users are interacting, but with some of our testing we saw upwards 50 percent bandwidth savings, which depends on the page and some other things,” Wallace said on Ask the CIO. “A lot of our testing actually showed better, more effective bandwidth utilization, and a better experience overall.”
Wallace said the prototype will help DISA better understand how more users will impact network latency and other potential bandwidth issues.
DISA released a request for information in June seeking vendor input on this type of browser isolation effort. In the RFI, the agency detailed what it would like the technology to do:
Shall isolate all Internet code execution in the cloud
Shall isolate each session in the cloud
Shall support role-based access control (RBAC) and grant system administrators access to configure as required by the user role
Shall support data encryption and encrypt the connection between the user endpoint and system host
Shall support XSF stripping
Shall provide the ability to downgrade video and audio quality for streaming Internet media (configurable QOS)
Shall provide compression to limit bandwidth utilized in delivering rendering of isolated cloud session back to the client workstation
Related to protecting DISA at the browser level, Wallace said his office also working on assured identity where he wants to build on the previous work around user behavior analysis to ensure the user is the same person.
“We are working with chip-set manufacturers to integrate into some commercially available technology in the not too distant future,” he said. “Right now we are in the process of our test phase and that should be wrapping up in the not too distant future, leveraging at the chip-set level. We have a very interesting prototype right now, 50 devices are being tested. That is where we see the continuous multi-factor authentication playing in. We also did a pilot about a year ago with behavior authentication and how that interacts. We are very interested in pursuing something like that in the not-to-distant future.”
Wallace said DISA also is working with the DoD CIO’s office as they build out their strategy on identity and access management and how DISA’s research can influence the future direction of this effort.
“To be very clear, we are not killing the common access card. But the CAC has been around for 15 years and served us quite well. The reality is the CAC is a point in time type of deal. I stick my CAC into a machine, I punch in a PIN and I’m authenticated at that point in time. That is what I eluded to before with continuous behavioral authentication. We need to leverage some of those things that are occurring in the background that the user may not be aware of. How do we leverage that data to continuously authenticate that user rather than it just be a point in time?” he said. “We are not walking away from the CAC and the crypto that’s behind the CAC, but we are looking for what comes next.”
Additionally, Wallace said DISA will test out the concept of giving employees only a mobile device to replaces a laptop or desktop PC. He said the user would plug the device, a smartphone or tablet, into a docking station and it would act just like a laptop or desktop PC.