UPDATED 14:15 EDT / MAY 01 2020

SECURITY

Don’t drink zero-trust Kool-Aid, says maker of secure hardware appliance

Interest in zero-trust security has been rising in a pandemic-stricken world, but Henry Harrison is having none of it.

The co-founder of U.K.-based Garrison Technology Ltd. believes cyberattackers will never be fully shut down as long as endpoints such as personal computers and smart devices can be compromised. “The fundamental problem is that if the endpoint can’t be trusted, then the attacker can do anything you can do,” he said.

Zero-trust is an increasingly popular approach to security that is based on the idea that no one and nothing can be trusted. Rather than giving users inside the network relatively free rein to go where they want, a zero-trust approach locks down sensitive data and requires additional levels of authentication, such as one-time access codes and hardware devices.

But even multifactor authentication is vulnerable to attacks such as “man in the browser.” That’s when the attacker hijacks a browsing session and inserts itself between the browser session and the back-end server, in some cases manipulating what the user sees while secretly sniffing or modifying transaction data.

“You think you’re approving a $20 transfer but you’re actually transferring $20,000,” Harrison said. “By the same token, you enter your multifactor authentication credentials, but the attacker hijacks them and uses them for something else.”

The only way to guarantee security is with hardware protection, Harrison believes. He has good reason for saying that. His company has raised $50 million to develop a hardware appliance that inserts itself between a browsing session and the website the user is interacting with.

Virtual browsing

Garrison’s SAVI Isolation Appliance is based upon a security architecture called hardsec that uses field-programmable gate array chips to intercept browsing sessions and pass only the screen pixels – but not the underlying code – to the user. “You’re seeing a video of something browsing for you,” Harrison said. “It will get malware but you won’t.”

Garrison is targeting browsers because the web has become a primary vulnerability for attacks like ransomware, which spreads predominantly through phishing emails that entice users to click on links that open malicious web pages that deposit malware on their computers.

F5 Networks Inc. reported that phishing was the root cause of 48% of breach cases the company investigated. Proofpoint Inc. said phishing triggers 92% of malware infections and nearly all ransomware attacks. Gartner Inc. has said that “organizations that isolate high-risk internet browsing and access to URLs in email will experience a 70% reduction in attacks that compromise end-user systems.”

Garrison’s approach doesn’t prevent malware but isolates it on the appliance. “We assume that the browser in our appliance is going to be compromised, but the attacker is not going to be able to use that as a jumping-off point to compromise the endpoint,” Harrison said. “At the end of the browsing session we clean down to the hardware level.” Garrison is targeting organizations with extreme security needs such as financial institutions and government agencies.

Zero-trust security is fine for users who don’t need access to critical information, Harrison said, but it’s hardly a magic bullet. “Zero trust is being pitched as a massive solution and I think it’s at best a partial patch,” he said. “But it’s hardly the first thing in the security industry to be oversold.”
