29 June 2018

How to protect your organization against 5 common browser security threats


Regardless of your choice of web browser, there are both engineered and unintentional threats which can put you at risk when using it. I wrote this past April about five common browser security threats and how to handle them. Unfortunately, there are far more than five threats which can target the web browser, and it remains critical for organizations to implement effective protection against these hard-to-detect attacks. I spoke to Dr. Christopher Kruegel, the co-founder and CEO of malware protection provider Lastline, to collaborate on the topic, and we discussed the concept of browser security.


"Of all the software in use, browsers are the most exposed," Kruegel told me. "They are constantly connecting to the outside world, and frequently interacting with web sites and applications that cybercriminals have infected with malware. Browsers are powerful, data-rich tools that if compromised, can provide an attacker with a vast amount of data about you, including confidential information such as your address, phone number, credit card data, emails, IDs, passwords, browsing history, bookmarks etc."

With that in mind, here are some common browser-based threats Kruegel and I discussed and how to defend against them.

1. Plugins and extensions

Browsers often have third-party plugins or extensions installed for various tasks, such as JavaScript or Flash for displaying or working with content. These two are from known quality vendors, but there are other plugins and extensions out there from less reputable sources, some of which may not even offer business-related functionality.

Regardless of the origin, plugins and extensions often come with security flaws which attackers can leverage to gain access to your systems or data. These vulnerabilities allow attackers to wreak havoc by, for example, installing ransomware, exfiltrating data, and stealing intellectual property.

Recommendations: Only allow business-related plugins and extensions, as part of an official business policy such as one for Internet and Email Usage. Depending on the browser(s) in use in your organization, research ways to block undesired plugins or whitelist appropriate plugins so that only these can be installed. Ensure plugins are configured to auto-update, or deploy new versions via centralized mechanisms (such as Active Directory Group Policy or System Center Configuration Manager). Note: browsers are now adept at detecting problematic plugins and displaying warnings, so instruct your users to read and heed all warnings accordingly.

2. Java

Java, not to be confused with JavaScript, is utilized by many systems on both Windows and Linux for running code (known as applets) related to browser activity.

As the installer itself will tell you, Java is very widely used, and by design applets often run in a separate "sandbox" environment to prevent them from accessing other applications or operating system components. However, some vulnerabilities can allow applets to bypass the sandbox and cause harm. In my opinion, Java seems to contain an inordinate number of vulnerabilities, and some examples are here. Therefore, it's important to stay informed and vigilant.

Recommendations: Determine a standard Java security configuration which works for your workstations and servers then deploy this via centralized means such as Group Policy.

Stay on top of Java updates as well. You can configure Java to auto-update, but this can cause problems when a new version deliberately disables a feature you depend on. For example, Dell Remote Access Consoles require Java, but access is blocked in some versions, which can cause massive frustration for system administrators who need this access to work. Turn off auto-update, test the effects of new versions, then deploy these via centralized mechanisms such as System Center Configuration Manager (SCCM), Puppet or Ansible. Keep prior versions handy in case you need to roll back to them.

3. Malicious pop-up ads

Pop-up ads are a known cancer and malicious ones can be especially confusing and difficult to work with. They often present false notifications such as claiming your computer has a virus and urging you to install their antivirus product to remove it. Naturally, malware is what actually ends up installed. These pop-ups are tricky to close because often there is no "X" button to do so.

Recommendations: The best option is to close the browser entirely, or use the Task Manager in Windows/the kill command in Linux to close the application. Do not return to the site in question which triggered the ad, and run an anti-malware scan to determine whether your system is clean, since popup ads can often be spawned by malware.

You can configure browsers to block pop-up ads (research the steps and methods involved for each browser, as these can change across differing versions), but keep in mind that some legitimate sites may then not function properly. Banking sites, for instance, may utilize pop-ups to provide information or to prompt whether you want to stay logged in. If you disable pop-up ads for your users, make sure they understand how they can display them at will, such as by pressing the Ctrl key.

4. Decentralized administrative/security controls

You may have noticed I've recommended centralized controls several times in this article. This is because you should always rely on a single point of management for the collective settings you want to establish in your organization. You also need to be able to monitor these controls to ensure they remain in place. A company with an array of systems with willy-nilly web browser settings is not a secure organization.

Active Directory Group Policies can be used for many such settings and there are third-party options available as well. You don't want to allow users to turn off important settings for the sake of convenience (or worse), nor do you want to have to send out instructions for them for setting various options - you'll never get to 100% compliance and you're staking your organization's security on the honor system, so to speak.

Research the options which work best for your environment based on your web browsing needs (CERT has a handy guide on that) and back these up with a policy such as one for Internet and Email Usage or Information Security.
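As an added example (not from the article, Lastline or any browser vendor), the PowerShell below shows what the centralized extension whitelist recommended in sections 1 and 4 looks like for Google Chrome on Windows, and how to audit that it remains in place. It uses Chrome's ExtensionInstallBlocklist and ExtensionInstallAllowlist registry policies; the extension IDs and the profile path are placeholders and assumptions, and in production the same values would be delivered by Group Policy rather than written locally.

```powershell
# Added example: enforce a Chrome extension allowlist and audit compliance.
# Assumes Chrome on Windows and the documented Chrome policy registry keys.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
# Placeholder extension IDs: replace with the 32-character IDs your policy approves.
$Approved   = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb')

function Set-ChromeExtensionPolicy {
    # Block everything ('*'), then explicitly allow the approved IDs. This is the
    # same data Group Policy would write; setting it directly is useful in a lab.
    foreach ($sub in 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist') {
        New-Item -Path "$PolicyRoot\$sub" -Force | Out-Null
    }
    New-ItemProperty -Path "$PolicyRoot\ExtensionInstallBlocklist" -Name '1' `
        -Value '*' -PropertyType String -Force | Out-Null
    $i = 1
    foreach ($id in $Approved) {
        New-ItemProperty -Path "$PolicyRoot\ExtensionInstallAllowlist" -Name "$i" `
            -Value $id -PropertyType String -Force | Out-Null
        $i++
    }
}

function Test-ChromeExtensionPolicy {
    # Audit: read the policy back from the registry (not from our own variable),
    # then compare it with the extensions present in each user's Chrome profile.
    $allowKey = Get-ItemProperty -Path "$PolicyRoot\ExtensionInstallAllowlist" -ErrorAction SilentlyContinue
    $allowed  = @()
    if ($allowKey) {
        $allowed = $allowKey.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    $blockKey = Get-ItemProperty -Path "$PolicyRoot\ExtensionInstallBlocklist" -ErrorAction SilentlyContinue
    $blockAll = $blockKey.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' -and $_.Value -eq '*' }
    if (-not $blockAll) { Write-Warning "Blocklist lacks '*': unapproved extensions can still be installed" }

    # Assumed default profile layout; adjust for roaming or relocated profiles.
    $extDirs = Get-ChildItem 'C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions' -Directory -ErrorAction SilentlyContinue
    foreach ($dir in $extDirs) {
        foreach ($ext in Get-ChildItem -Path $dir.FullName -Directory) {
            if ($allowed -notcontains $ext.Name) {
                # Report only: removal belongs to the managed deployment, not the audit.
                [pscustomobject]@{ Profile = $dir.FullName; ExtensionId = $ext.Name; Status = 'NOT IN ALLOWLIST' }
            }
        }
    }
}

Set-ChromeExtensionPolicy
Test-ChromeExtensionPolicy | Format-Table -AutoSize
```

Run the audit function on a schedule from an elevated session and feed its output into your monitoring so drift from the central policy is visible rather than discovered after an incident.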

5. Insufficient threat protection products

"Cybercriminals are constantly working to find new and more effective ways to infiltrate our computers, devices, and networks. The recent evolution in browser-based cyberthreats is a poignant example of malicious new techniques that are both difficult to detect and effective," Kruegel stated. Standard anti-malware products are overwhelmed by the range of possible threats. As a result, organizations should utilize a multi-layered security approach combining different products, such as anti-malware to detect malicious programs, email scanning software to detect phishing attempts, web proxy filtering to block access to undesirable sites, etc. Kruegel recommends that businesses upgrade threat prevention tools as soon as possible to combat the latest evolutions in malware. "One way of doing that is to implement a filtered approach that evaluates all code in real-time, and tests suspicious code with full dynamic analysis," he remarked.

Kruegel concluded by telling me that most malware detection and prevention technologies work by examining files such as downloads or attachments. However, browser-based threats don't necessarily use files, so conventional security controls have nothing to analyze. "Unless organizations implement advanced tools that don't rely on analyzing files, browser-based attacks will likely go undetected," he cautioned.
