The risk of trusted websites from a federal perspective

This post first appeared on Federal News Network.

With nearly 50% of the government’s roughly two million civilian employees teleworking, the federal government continues to embrace digital transformation. And, just like organizations in the private sector, web browsers have emerged as essential tools for how government employees and contractors do their daily work. The shift to hybrid work models, spurred by the COVID-19 pandemic, has firmly cemented the browser’s pivotal role, yet this reliance comes with risks as cybercriminals increasingly exploit the trust placed in browsers by federal employees and American workers at large.   

Fortunately, browser security solutions exist and will be key to helping organizations and individuals prevent attacks and ensure the safety of their data and networks. To learn how, it’s important to understand how we got here.  

Browsers are the window to the web

Inside and outside government offices, browsers have become the primary tool for employees to do their work. Client-side apps, like Microsoft Office, are still common but have diminished in importance, having been replaced by browser-based versions that are hosted online. This shift provides employees with enhanced device flexibility, a feature welcomed by workers and appreciated by IT professionals for its streamlined endpoint management. However, with increased reliance comes increased risk.  

Cybercriminals are adept at exploiting the trust placed in browsers. Although most federal employees possess a fundamental understanding of browser security, they often rely on agency security filters for comprehensive protection. Unfortunately, most enterprise security tools were not designed to effectively detect the modern threats targeting browser platforms today.  

Upon connecting to a domain or IP address, these tools predominantly rely on blacklists to flag established criminal destinations. Security filters further assess websites, weighing factors – such as domain age, reputation and popularity – to categorize them as trusted or untrusted. Additionally, they meticulously inspect JavaScript and file attachments using hashes to pinpoint potential malicious code. This complex landscape underscores the need for vigilant cybersecurity measures, especially in the federal sector.  

Tactics cybercriminals use to exploit trust in web domains

Attackers are growing increasingly sophisticated in their quest to circumvent existing security measures, in part due to the financial gains they have made from online criminal activities such as successful ransomware attacks. With more financial resources, attackers can plan and execute highly evasive attacks, which are designed to bypass or circumvent the traditional security assets that the public sector already has in place. These assets include not only the technologies in the security stack but also the users within the departments, who are traditionally the weakest link in a security program.

Highly evasive threats often originate from domains that have already been vetted and used many times before. These tactics can come from various angles, from hosting malicious files on reputable cloud services to infecting sites through vulnerabilities in themes and plug-ins. Their efforts have become pervasive; our research shows over two-thirds of cyberattacks employ such methods.  

Some attackers strategically create new domains and leave them dormant for extended periods to garner favorable ratings from web categorization engines. They then circle back to employ illicit search engine optimization (SEO) techniques to elevate their visibility in search results, subsequently introducing malware once traffic surges to what is now considered a “credible” site.   

To further heighten trust in their domains, cybercriminals implement Captchas as an additional layer of security. These dynamic gatekeepers only grant access upon successful completion of a visual test, effectively thwarting security software scans. This not only deters automated analysis but also fosters an illusion of heightened security and legitimacy for human visitors.  
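As an added illustration (a constructed toy model, not code from Menlo Security or the author), the following Python sketches the domain-age, reputation and hash checks described earlier and runs the dormant-domain timeline through them: the static filter accepts a never-before-seen file from the aged, pre-rated domain, while a policy that treats a cached category as a hint and re-verifies on every request sends it for a fresh scan instead. All domain names, dates and feed contents are made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import hashlib

# Constructed feeds standing in for an agency's blocklist and malware-hash list.
BLOCKLIST = {"known-bad.example"}
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed known malware sample").hexdigest()}

@dataclass
class DomainRecord:
    name: str
    registered: date
    category: str = "uncategorized"        # verdict cached by a categorisation engine
    categorized_on: Optional[date] = None

def reputation_filter(rec: DomainRecord, payload: bytes, today: date,
                      min_age_days: int = 180) -> str:
    """Static filter: blocklist, domain age, cached category, payload hash."""
    if rec.name in BLOCKLIST:
        return "block"
    if (today - rec.registered).days < min_age_days:
        return "block"                     # too new to be trusted
    if hashlib.sha256(payload).hexdigest() in KNOWN_BAD_HASHES:
        return "block"                     # only catches files already on the list
    return "allow" if rec.category == "benign" else "block"

def verify_policy(rec: DomainRecord, payload: bytes, today: date,
                  max_verdict_age_days: int = 30) -> str:
    """Per-request check: a cached verdict is a hint, not a grant. Content the
    static filter would allow on the strength of an old verdict is sent for a
    fresh scan (or handled in isolation) rather than trusted outright."""
    if reputation_filter(rec, payload, today) == "block":
        return "block"
    stale = (rec.categorized_on is None
             or (today - rec.categorized_on).days > max_verdict_age_days)
    return "rescan" if stale else "allow"

def dormant_domain_scenario() -> tuple:
    """Timeline from the post: register, lie dormant, get rated benign, weaponise."""
    day0 = date(2023, 1, 1)
    rec = DomainRecord("patient-attacker.example", registered=day0)
    # Day 200: the categorisation engine sees an empty, harmless site and caches 'benign'.
    rec.category, rec.categorized_on = "benign", day0 + timedelta(days=200)
    # Day 400: the site now serves a file no hash feed has seen (constructed bytes).
    today = day0 + timedelta(days=400)
    payload = b"constructed new payload, hash not in any feed"
    return reputation_filter(rec, payload, today), verify_policy(rec, payload, today)
```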

So what’s to be done?  

The next era of browser security

In recent years, some endpoint detection and response (EDR) vendors have updated their tools with next-generation versions in a bid to reassure customers and restore trust. However, these updates are still ineffective at fighting highly evasive threats because they don’t have visibility into the underlying browser behavior. There are two reasons for this. First, traditional cyber offerings adhere to outdated practices, leading to ongoing struggles for agencies in thwarting cyberattacks despite significant investments in protection. Second, the problem requires a transformative approach that transcends conventional methods, which means a shift from mere detection to the integration of proactive, preventative measures. Enter: cloud-based browser security.

Cloud-based browser security fundamentally shifts the threat landscape by entirely segregating external web traffic from an agency’s infrastructure. Users can do their work in their existing browsers with web traffic routed through a cloud browser that prevents any malicious content from infiltrating the network. Again, users are a security program’s weakest link, and cloud-based browser security technology takes away the threat of a user infecting a network simply by accessing a malicious site or link. Think of cloud-based browser security as a protective barrier around activity that is conducted in the browser. Websites are still shown, work can still be conducted, content can be downloaded securely after having been scanned for threats, but the risk of harmful attacks is eliminated.   

What cloud-based browser security means for the federal government

Cloud-based browser security offers a host of advantages tailored for federal agencies. Operating as a seamless service rather than a cumbersome installed product, it eliminates integration hurdles. It’s also agentless and can support all devices, including mobile endpoints outside the office environment, all while keeping IT management overhead at a minimum.  

Cloud-based browser security is a crucial component for agencies that are striving to reach the “optimal” level of zero trust in the device pillar, as defined by the Cybersecurity and Infrastructure Security Agency. By segregating potentially harmful web content from the device itself, cloud-based browser security naturally embodies the zero trust mantra of “never trust, always verify.” This approach not only minimizes the device’s vulnerability to threats, but also enhances real-time risk assessments.  

And let’s not forget that while cloud-based browser security stands as a formidable solution in its own right, it also streamlines the ever-growing cybersecurity tech stack. By removing redundant layers that may be underperforming, it ensures that only the most effective measures remain in the cybersecurity portfolio. This approach harmoniously blends simplicity with a comprehensive defense strategy, leveraging existing resources while adding an extra layer of trusted protection.  

As the federal government – and most American workers – rely on browsers for critical operations, the threat of cyberattacks that are evolving daily looms large. Traditional security measures struggle to keep up with increasingly sophisticated tactics. However, isolation technology is a game-changer that creates a protective barrier, preventing dangerous threats from accessing networks and data. And it is undoubtedly the next frontier in federal browser security, promising to further safeguard government operations in our digital era.  

Darrin Curtis is the vice president of public sector at Menlo Security. 
