Most people within your organisation use at least one web browser. Yet web browsers are amongst the most insecure apps your organisation will use.
The US Cybersecurity and Infrastructure Security Agency (CISA) warns that the web browser that comes with an operating system often isn’t set up in a secure default configuration. Usually it is tuned for functionality and convenience, and functionality and security don’t always go hand in hand.
CISA highlights a number of reasons why securing your network from the vulnerabilities of web browsers is so difficult:
• Many users have a tendency to click on links without considering the risks of their actions.
• Web page addresses can be disguised or take you to an unexpected site.
• Many web browsers are configured to provide increased functionality at the cost of decreased security.
• New security vulnerabilities are often discovered after the software is configured and packaged by the manufacturer.
• Computer systems and software packages may be bundled with additional software, which increases the number of vulnerabilities that may be attacked.
• Third-party software may not have a mechanism for receiving security updates.
• Many websites require that users enable certain features or install more software, putting the computer at additional risk.
• Many users do not know how to configure their web browsers securely.
• Many users are unwilling to enable or disable functionality as required to secure their web browser.
As a result, CISA warns, exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise computer systems.
While the standard configurations might not prioritise security, it is relatively simple to harden your web browser security.
The following seven steps are simple to action and will deliver an improved level of protection against attack.
Browser protection should be included within your anti-virus (or wider endpoint protection) product: its web-protection component blocks connections to known-malicious URLs and scans downloads before the browser hands them to the user. The browsers themselves also carry reputation checks (Microsoft Defender SmartScreen in Edge, Google Safe Browsing in Chrome). These should stay switched on, and users should not be able to click past their warnings.
Make sure you have a suitable anti-virus product installed on all machines and keep it up to date.
Cookies aren’t necessarily all bad. Some websites need cookies to be downloaded to your local device in order to function correctly.
However, cookies do present a risk. A cookie is data rather than code, so a cookie cannot itself be malware, but the session tokens that cookies hold are exactly what info-stealing malware goes after: a stolen session cookie lets an attacker act as the logged-in user without knowing the password, and often without triggering multi-factor authentication.

For these reasons, it makes sense to reduce the number of cookies stored on your computer and to limit how long they live. In the UK and EU, websites need your consent before storing non-essential cookies. Make it your standard practice not to give that consent.

You can also block cookies in your browser settings. In Microsoft Edge, go to Settings > Cookies and site permissions > Manage and delete cookies and site data. Turning on “Block third-party cookies” removes most tracking cookies with little disruption. Turning off “Allow sites to save and read cookie data” blocks first-party cookies too, which will break sign-in on most sites, so for day-to-day use prefer the per-site block and allow lists on that page to a blanket block.

From time to time, you should also delete all cookies stored on your computer, or set the browser to clear them on exit. Deletion logs the user out of everything, which is the point: a session cookie that no longer exists cannot be stolen or replayed, and the fewer cookies held, the smaller the exposure.
Extensions run inside the browser with whatever permissions they were granted, frequently “read and change all your data on all websites”, so a malicious or compromised extension can read every page, harvest session cookies and inject content. Extensions have been sold to new owners or hijacked through a developer’s account and turned malicious in a routine update, so one that was safe when installed is not necessarily safe today. To reduce risk, remove any extension that isn’t needed. In Microsoft Edge, click the “…” icon at the top right of the browser window to open the Settings and more menu, then choose Extensions > Manage extensions. From there you can disable or remove each one.
If you have concerns about any extension that you have previously downloaded, report it to Microsoft and the NCSC.
To also help tackle this potential threat, Google is bringing in a new feature which will warn users if an extension they have installed was removed from the Chrome Web Store.
While the autofill of form data and passwords is incredibly useful and time-saving, it clearly presents a security risk. Info-stealing malware routinely harvests the browser’s saved passwords, addresses and card details, and autofill can be coaxed into populating fields that a malicious page has hidden from the user, so it makes sense to turn these features off.

In Microsoft Edge, open the Settings and more menu > Settings > Profiles, where the Passwords, Payment info and Personal info pages each have a toggle for saving and filling that data; turn all three off. (This page was previously called “Passwords & autofill”, and its exact location moves between Edge versions.) Because users can switch these back on, the setting is better enforced as a browser policy than left to the UI.
If users need help with passwords, offer them an approved encrypted password vault solution to use instead.
We’ve spoken about the importance of following the principle of least privilege many times on this blog.
The core principle of a least privilege approach is to deny users and applications access to files, folders, systems, applications and areas of the network unless they need to access them for their job.
For those users with high-privilege user accounts, we recommend that you set them up with a primary account without high-level access rights which they use for their everyday tasks and web browsing. This way, you keep their activities on the Internet separate from their high-privilege network access.
This is important because code that runs after a successful browser exploit, or a Trojan the user has been tricked into opening, inherits the privileges of the user who ran it. A standard user account limits what that code can reach; an administrator account hands it the whole machine.
Another extension of the least privilege approach is to run the browser in a sandbox. Windows Sandbox is a lightweight, disposable virtual machine: anything written inside it goes to the sandbox’s own virtual disk and is discarded when the window is closed, and the host’s files are only visible if you explicitly map a folder in. A drive-by download or a malicious file opened in the sandbox therefore never lands on the host disk. (Edge and Chrome already run each page’s renderer in a restricted sandboxed process; Windows Sandbox adds an outer boundary around the whole browser.)

Windows Sandbox is included in Windows 10 and Windows 11 Pro and Enterprise and is enabled from “Turn Windows features on or off” under Control Panel > Programs, or from PowerShell. It requires hardware virtualisation to be enabled in the firmware.
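As an added example (not from the original article or from Microsoft’s documentation), the following PowerShell enables Windows Sandbox and writes a .wsb configuration that launches a disposable browsing session with the host visible only through one read-only folder. It assumes Windows 10/11 Pro or Enterprise, an elevated prompt, and that Edge inside the sandbox lives at its default path; the folder and file names are illustrative.

```powershell
# Added example, not code from the original article. Assumes an elevated
# PowerShell prompt on Windows 10/11 Pro or Enterprise with virtualisation
# enabled in firmware. Paths below are illustrative.

# 1. Enable the optional feature (the same as ticking "Windows Sandbox" in
#    "Turn Windows features on or off"). A reboot is needed before first use.
Enable-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM" -All -NoRestart

# 2. Write a sandbox configuration. Everything the sandbox writes to its own
#    disk is thrown away when the window closes. The host disk is visible only
#    through mapped folders, and the single folder mapped here is read-only,
#    so nothing downloaded in the sandbox can be written back to the host.
$share = "C:\SandboxShare"                      # host folder to expose (assumed path)
New-Item -ItemType Directory -Path $share -Force | Out-Null

$wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Enable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$share</HostFolder>
      <SandboxFolder>C:\Share</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --inprivate</Command>
  </LogonCommand>
</Configuration>
"@
$wsbPath = "$env:USERPROFILE\Desktop\Browse.wsb"
Set-Content -Path $wsbPath -Value $wsb -Encoding ASCII

# 3. Start the disposable session. Double-clicking the .wsb file does the same.
Start-Process -FilePath $wsbPath
```

VGpu is disabled and clipboard redirection turned off to shrink the surface shared with the host; ProtectedClient runs the sandbox with additional process mitigations. If you need a file out of the sandbox, map a second folder without ReadOnly and treat anything that arrives in it as untrusted.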
Where possible, use Mobile Device Management (MDM) such as Intune, or Group Policy, to enforce these settings as browser policies. A policy-set value shows as locked in the browser’s Settings pages and cannot be quietly switched back on by the user.
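As an added example (not from the original article), the PowerShell below applies the browser settings from the steps above as Microsoft Edge machine policies in the registry, which is exactly what an Intune profile or Group Policy object writes on the endpoint. It assumes an elevated prompt on a Windows machine; the extension ID in the allowlist is a placeholder to replace with the IDs you have vetted.

```powershell
# Added example, not code from the original article. Run elevated.
# Policy values here override anything the user picks in Edge's Settings UI.
# The same policy names exist as ADMX settings for Group Policy and in the
# Intune settings catalog, which is how you would push them at scale.

$edge = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"
New-Item -Path $edge -Force | Out-Null

$policies = @{
    # Step 1: keep reputation-based page and download blocking on, and stop
    # users clicking through its warnings.
    "SmartScreenEnabled"               = 1
    "SmartScreenPuaEnabled"            = 1
    "PreventSmartScreenPromptOverride" = 1
    # Step 2: cookies. 4 = keep cookies only for the session (cleared on exit).
    # 2 would block all cookies but breaks sign-in on most sites.
    "DefaultCookiesSetting"            = 4
    "BlockThirdPartyCookies"           = 1
    "ClearBrowsingDataOnExit"          = 1
    # Step 4: no browser-stored passwords, addresses or cards.
    "PasswordManagerEnabled"           = 0
    "AutofillAddressEnabled"           = 0
    "AutofillCreditCardEnabled"        = 0
}
foreach ($name in $policies.Keys) {
    New-ItemProperty -Path $edge -Name $name -Value $policies[$name] -PropertyType DWord -Force | Out-Null
}

# Step 3: extensions. Block everything ("*"), then allow only vetted IDs.
# List policies are stored as numbered string values under a subkey.
New-Item -Path "$edge\ExtensionInstallBlocklist" -Force | Out-Null
New-ItemProperty -Path "$edge\ExtensionInstallBlocklist" -Name "1" -Value "*" -PropertyType String -Force | Out-Null
New-Item -Path "$edge\ExtensionInstallAllowlist" -Force | Out-Null
# Placeholder extension ID (assumed); replace with the 32-character ID of each approved extension.
New-ItemProperty -Path "$edge\ExtensionInstallAllowlist" -Name "1" -Value "aaaabbbbccccddddeeeeffffgggghhhh" -PropertyType String -Force | Out-Null

# Verify from the registry; Edge itself lists applied policies at edge://policy.
Get-ItemProperty -Path $edge |
    Select-Object SmartScreenEnabled, DefaultCookiesSetting, BlockThirdPartyCookies,
                  ClearBrowsingDataOnExit, PasswordManagerEnabled, AutofillCreditCardEnabled
```

The cookie, extension and autofill policies carry identical names for Google Chrome under HKLM:\SOFTWARE\Policies\Google\Chrome, so the same script with that key path covers both browsers; Chrome’s download and page reputation setting is named differently, so check edge://policy or chrome://policy after applying to confirm nothing is flagged as an unrecognised policy.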
If you’d like further advice about any of these seven steps – or details about other ways to protect your network, devices, people and organisation – please get in touch with the Grant McGregor team.
You can contact us on: 0808 164 4142.
Our guide to taking a zero trust approach: what it is and should you do it?
More on the principle of least privilege: could it work for your organisation?
And our quick guide to information security management and ISO 27001.