Q. What is browser safety?
Browser safety refers to a general set of precautions that can be taken to help secure a browsing environment to enforce information assurance.
By not browsing risky sites, users are said to have safe browsing habits. However, merely having safe habits does not guarantee the safety of a browsing environment.
Q. Why do I as an IT leader need to worry about browser safety?
As we enter the new decade, we are seeing browsers behave more like operating systems.
The fact that desktop versions of Chrome have their own task manager, and that every major browser now has its own app store, are major indicators of this. As browsers act more like operating systems, the security problems of yesteryear again come into focus, but this time applied to Edge, Chrome, and Firefox rather than Windows or Mac OS X.
If you are taking security seriously on the desktop, you need to take it seriously in the browser, as well. The lines continue to blur.
Q. Aren’t browsers getting safer?
Browser safety is in a perpetual tug of war with new browser features as they get developed. While strides have been made in recent years to make browsing more secure than ever before, new APIs and technologies have been introduced just as quickly. These new technologies will always drive the need for finding new ways to secure the browser.
As an example, one piece of technology that is seeing greater scrutiny lately is the browser extension. Because browser extensions run inside the browser, they can have fairly disastrous side effects given the right permissions. If a user unknowingly installs a malicious extension and grants it full rights, the impact can be just as great as if the user had installed a virus directly on their desktop. Extensions that collect user keystrokes and perform phishing attacks on unknowing users have been spotted in the wild for over five years now.
Q. Why the extra scrutiny now? Haven’t web browsers existed since the early 90s?
While that is true, in the last several years cloud-based application usage has skyrocketed in the enterprise. Many applications typically reserved for the desktop are being moved into the cloud. It is hard to find a type of application that does not have a cloud-based solution ready. As this usage goes up, the scrutiny paid to the web browser needs to go up with it.
The truth of the matter is that many users are spending 70%, 80%, or upwards of 90% of their time directly interfacing with web applications rather than desktop applications. It’s important that the application that most resembles an operating system to the user – the web browser – is safe and secure.
Q. Can most of these problems be mitigated by educating users?
Educating users to have safe browsing habits is always a requirement, as it is the first line of defense against introducing such attacks into your environment. However, it is just that – a first line. Just as proper cooking practices don’t remove the need for fire-safe building construction and fire extinguisher deployments, safe browsing habits don’t remove the need for enterprise browser control and antivirus deployments.
Enterprises should nonetheless do everything in their power to educate employees not to browse risky sites or give out compromising information, but education is far from all that needs to be done to ensure safe browsing.
Q. How are the challenges that non-enterprise users face regarding browser safety like what enterprises face? How are they different?
In many ways, regular consumers and large enterprises face the same challenges. Phishing can target both home and business users. Malicious extensions can impact both types of environments.
What sets them apart most of the time is the ability for enterprises to proactively secure their environment.
Q. How does technology like Microsoft’s SmartScreen filter help me to maintain a safe browsing environment? What shortfalls are there?
Microsoft first integrated the SmartScreen filter into Internet Explorer 8 back in 2008. This was done to stop phishing and other malicious sites from targeting end users. It does a good job of helping to block sites that have been identified as unsafe or likely to be unsafe.
However, because SmartScreen and similar technologies rely on having been made aware of the threat before the user encounters the site, it is less useful for newly created unsafe or malicious sites. It is even less useful for phishing sites that have been tailor-made to exploit a particular corporate environment. This is why it is so important for enterprise administrators to have insight into their own users’ browsing habits and to see what sites they are accessing when using corporate resources – because their browsing habits at work are likely to be much different than their habits at home.
Q. How can I tell if my users are browsing unsafe sites? How can I tell if they are using unsafe extensions?
Traditional telemetry gathered using desktop management applications such as SCCM doesn’t cover browser extensions, and it doesn’t cover web applications. Seeing what your users are doing in the browser – which, again, is slowly becoming an operating system unto itself – requires a telemetry tool designed for gathering this specific kind of data. It is important that such a telemetry tool lives within, and is a first-class citizen of, the web browser it collects data from.
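As an added illustration of what extension telemetry should surface (example code, not from the original article or any product it describes), the script below reads extension manifests and flags the combinations that matter most: high-risk API permissions paired with host patterns that match every site. The sample manifests and the risk weighting are constructed assumptions for the example.

```python
import json

# Permissions that let an extension read or alter pages, traffic, or talk to the OS.
# The weighting below is an assumption for this example, not a published Chrome scoring.
HIGH_RISK = {"webRequest", "webRequestBlocking", "debugger", "nativeMessaging",
             "proxy", "cookies", "tabs", "clipboardRead", "scripting"}
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Collect host match patterns from MV2 'permissions', MV3 'host_permissions'
    and every content_scripts[].matches entry."""
    pats = set()
    for key in ("permissions", "host_permissions"):
        pats.update(p for p in manifest.get(key, []) if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        pats.update(cs.get("matches", []))
    return pats

def assess(manifest):
    """Return (score, findings) for one parsed manifest.json."""
    findings = []
    api = set(manifest.get("permissions", [])) & HIGH_RISK
    if api:
        findings.append("high-risk API permissions: " + ", ".join(sorted(api)))
    all_hosts = bool(host_patterns(manifest) & ALL_HOSTS)
    if all_hosts:
        findings.append("can run on every site (all-hosts pattern)")
    score = len(api) + (3 if all_hosts else 0)
    return score, findings

# Constructed sample manifests (hypothetical extensions, not real ones).
SAMPLES = {
    "Corp SSO Helper": json.dumps({"manifest_version": 3, "permissions": ["storage"],
        "host_permissions": ["https://sso.example.com/*"]}),
    "Free Coupon Finder": json.dumps({"manifest_version": 2,
        "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}),
}

def review(samples):
    """Score every manifest; return (name, (score, findings)) pairs, riskiest first."""
    results = {name: assess(json.loads(text)) for name, text in samples.items()}
    return sorted(results.items(), key=lambda kv: -kv[1][0])

if __name__ == "__main__":
    for name, (score, findings) in review(SAMPLES):
        print(f"{score:2d}  {name}: {'; '.join(findings) or 'no findings'}")
```

In practice the manifests come from each endpoint's extension directory, and the score is what you would pipe into the inventory the article calls browser safety intelligence.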
Q. What about Microsoft Enterprise Site Discovery? Can my enterprise use this to gain information about what sites my users are visiting?
Enterprise Site Discovery does collect this information, but for Internet Explorer only.
If you are part of the majority of businesses that use more than one web browser, then activity from other browsers (Chrome, Firefox, Edge, etc.) won’t be gathered. This leaves a critical hole in your browser safety intelligence – especially as new threats emerge in modern browsers.
Q. Can network-level traffic monitors help me with the goal of maintaining a more secure browsing environment for my users?
While these tools gather a large amount of detailed data, unfortunately they don’t give you the kind of information you need to evaluate the safety of your browsing environment. Without a telemetry tool that captures data directly from the web browser, it is difficult to record information about the dependent components of a web application. Network-level tools typically won’t tell you, for example, whether a site requested a certain permission or required legacy technology such as Java.
Q. What new challenges await enterprises trying to lock down their browsing environment?
As mentioned earlier, the capabilities of modern web browsers are only growing. New APIs and capabilities are planned all the time, and sometimes the availability of such APIs may directly conflict with the security goals of a corporate or enterprise environment.
Let’s take the concept of webcam access, for example – before webcam APIs were made widely available in the browser, it was relatively easy to lock down webcam usage to specific applications. The ability to granularly control access to specific devices has been a feature of endpoint protection suites for over two decades now. But what do we do in the case of the browser?
Because the browser appears as its own application to our endpoint protection suite, locking down individual web applications hosted within that browser becomes difficult without receiving help from specialized tools.
Q. What are per-site settings? How can they help me?
Every modern web browser maintains per-site settings lists that enterprises can use to turn certain browser features on or off on a per-site basis. However, it can be difficult to determine which sites require such privileges without proper intelligence. These settings also can’t be easily synchronized between different browsers without a tool to handle the deployment of the per-site settings, which places an extra burden on system administrators hoping to lock down browsers on desktop endpoints.
Webcam usage is just one example. Microphone usage, location capabilities, payment handlers, and Flash usage are all areas that are controlled by per-site settings. As more sites use these capabilities, it’s important to lock them down to only being able to use the capabilities they need.
Q. Do per-site settings give me all the tools I need to lock down my browsing environment?
Unfortunately not. While comprehensive, the list of permissions that can be assigned to different web applications is not exhaustive. This may mean that certain web browsers are more suited to certain web applications than others due to differences in policy granularity.
Q. Once I gain actionable intelligence, how can I safely lock down my browsing environment?
As much as gathering the data requires specialized tools, so does acting upon it. Unfortunately, in multi-browser corporate environments, this may mean having to apply the same set of mitigations to multiple browser environments. For such tasks, it is important to pick a tool which allows for cross-browser policy synchronization. This way, you can ensure that the same policies are in place for all browsers and save yourself quite a bit of time implementing said policies, too.
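To make the per-site settings and cross-browser synchronization discussed above concrete, here is an added example (not the article's or any vendor's code) that keeps one source of truth for which sites may use the camera and microphone and emits the equivalent Chrome/Edge managed-policy JSON and Firefox policies.json, with a drift check that both files allow the same origins. The hostnames and output directory are constructed assumptions; the policy names are the browsers' documented ones.

```python
import json
from pathlib import Path

# Constructed single source of truth: which corporate origins may use which device.
# Hostnames are hypothetical; they are not from the original article.
SITE_PERMISSIONS = {
    "https://meet.example.com": {"camera", "microphone"},
    "https://support.example.com": {"microphone"},
}

def _origins(site_permissions, device):
    return sorted(o for o, devs in site_permissions.items() if device in devs)

def chrome_policy(site_permissions):
    """Chrome/Edge managed policy: devices denied by default, listed origins exempt.
    Edge uses the same policy names."""
    return {
        "VideoCaptureAllowed": False,  # False: only VideoCaptureAllowedUrls may use the camera
        "VideoCaptureAllowedUrls": _origins(site_permissions, "camera"),
        "AudioCaptureAllowed": False,
        "AudioCaptureAllowedUrls": _origins(site_permissions, "microphone"),
    }

def firefox_policy(site_permissions):
    """Firefox policies.json: allow listed origins, block new prompts, lock the setting."""
    def device(name):
        return {"Allow": _origins(site_permissions, name),
                "BlockNewRequests": True, "Locked": True}
    return {"policies": {"Permissions": {"Camera": device("camera"),
                                         "Microphone": device("microphone")}}}

def policies_agree(chrome, firefox):
    """Drift check: both browsers must allow exactly the same origins per device."""
    perms = firefox["policies"]["Permissions"]
    return (chrome["VideoCaptureAllowedUrls"] == perms["Camera"]["Allow"]
            and chrome["AudioCaptureAllowedUrls"] == perms["Microphone"]["Allow"])

def write_policies(site_permissions, outdir):
    """Write both policy files into outdir (assumed staging directory); deploy them
    to each browser's managed-policy location afterwards."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    chrome, firefox = chrome_policy(site_permissions), firefox_policy(site_permissions)
    if not policies_agree(chrome, firefox):
        raise ValueError("generated Chrome and Firefox policies disagree")
    (out / "chrome_device_policy.json").write_text(json.dumps(chrome, indent=2))
    (out / "policies.json").write_text(json.dumps(firefox, indent=2))
    return chrome, firefox

if __name__ == "__main__":
    write_policies(SITE_PERMISSIONS, "browser-policies")
```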