The modern organization can contain hundreds if not thousands of endpoints often decentralized in terms of location. When we think of endpoint security often the first things that come to mind are HIDS (Host Intrusion Prevention Systems), Firewalls and Anti-Virus/Malware software that all make many bold claims when it comes to securing endpoints. The threat landscape and the advanced persistent threats faced by organizations are more sophisticated than ever. Most anti-virus software is using signature based – cloud integrated – machine learning/AI driven and many other great words to lure us into a false sense of security.

It’s commonly accepted that users are the weakest link in an organization’s security posture and a security awareness training program is a vital piece of the puzzle when it comes to reducing the attack surface. Of course users will be users and threat actors will be forever persistent when it comes to getting their hands on valuable data. So if we train the user to be the best sensor we can in the network and we properly implement all the latest and greatest endpoint security how is it that we constantly hear about security breaches in modern, well equipped and staffed organizations? The answer is of course because the systems are online and not sitting in a closet somewhere collecting dust, turned off and completely immune to all types of malware… Users, USE the endpoints and one area that I often see painfully overlooked is browser security. Most operating systems come with one if not more than one browser installed. Microsoft STILL has yet to divest the Windows operating system of Internet Explorer! Of course Microsoft’s security chief Chris Jackson says, “IE is not a web browser, so stop using it as your default.” (citation 1, 2019) Sadly, our users still have the option to browse the web using IE an out of date and insecure browser.

I often hear security professionals talk about security in terms of web browsing and the threat landscape being mitigated by saying, well DNS this and McAfee that, Splunk, FireEye… The list goes on. Rarely do I hear security professionals address the actual portal to the expansive, dark and dangerous internet where our users roam blindly like that poor sap heading into the basement during a horror movie with a flickering flashlight we’re all yelling at STOP!  If all these modern technologies for defense were 100% effective we would never have data breaches and as more technologies emerge our attack surface grows ever wider.

We know a threat actor can find out tons of information on our users they can use to lure them with click bait, drive by downloads, malicious plug-ins, java etc etc. In fact even greater deceptions are commonplace since the very backbone of our browsing habits DNS is being exploited. Although not a new but still a juicy target for threat actors (citation 2, 2019), how could a user possibly know they’re in the wrong place when half the websites on the internet throw certificate warnings in even updated browsers like Chrome.

So, what can we do to help our users help us when it comes to browser security and web surfing? Here’s a few things I humbly suggest as a take away for both users and security professionals:

  1. Follow the principle of least privilege – don’t enable it if you don’t need it! This goes for those all those plug-ins that of course do only what they say they’re going to and nothing else…lock it down with policy so users won’t be tempted. (One way in Firefox it’s still possible to download plugins even though policy blocks it is simply by logging in and using Mozilla’s sync feature.)
  2. Follow published security guidelines for your browser and tailor them to meet your requirements. Including DISA – STIGs, CIS Benchmarks etc. and ensure they’re being implemented and locked in on all your endpoints just like anti-virus.
  3. Employ anti-virus software and HIPS in all your endpoints. This seems like a no-brainer but you’d be surprised how many endpoints are out there using Windows XP. Using a modern anti-virus software with link-checking capability will thwart many common attacks lurking around although it won’t stop zero-days.
  4. Training! As I mentioned before educating users is critical in securing the attack surface. I’ve often found a little demonstration with a wifi-pineapple and a fake facebook login is enough to get the attention of any crowd. Knowing the threats and educating users on how they can help prevent against them will have a greater ROI than any anti-virus software.
  5. Updates! Of course there’s many many more points we could get into and organizations are often on top of patching the latest security vulnerabilities these days but what about the browser? But it breaks this fancy in house web-app we developed to…stop right there. Security by design, continuous integration and monitoring, enough said. Keep it updated and make sure browser updates don’t undo security settings.

That’s all for now on browser security, thanks for reading and remember “surf like nobody’s watching, encrypt like everyone is!”

Author: Jordan Fitzgerald, CISSP

Find me around the web as -|Caesium|- on Reddit, Hak5 Forum etc.

  • Citation 1: https://www.zdnet.com/article/microsoft-security-chief-ie-is-not-a-browser-so-stop-using-it-as-your-default/
  • Citation 2: https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/

Additional resources:

  • https://www.us-cert.gov/publications/securing-your-web-browser
  • https://browserleaks.com/
  • https://attack.mitre.org/tactics/TA0001/
Categories: Blog