Monday, 21 August 2023

Simple tips for managing web browser security

Most people within your organisation use at least one web browser. Yet browsers are amongst the most exposed applications your organisation will run.

Most people within your organisation will use at least one web browser. They are ubiquitous. Some will use them to access essential business apps. Some will be using them to access webmail accounts. Others will use them simply to browse the Internet.

Yet web browsers are amongst the most exposed applications your organisation will run: they render untrusted content from every site a user visits, so one click on the wrong link can be enough to compromise a device.

The problems of securing web browsers

The US Cybersecurity and Infrastructure Security Agency (CISA) warns that the web browser that ships with an operating system is often not set up in a secure default configuration. Out of the box it is tuned for functionality and convenience, and functionality and security don’t always go hand in hand.

CISA highlights a number of reasons why securing your network from the vulnerabilities of web browsers is so difficult:

• Many users have a tendency to click on links without considering the risks of their actions.
• Web page addresses can be disguised or take you to an unexpected site.
• Many web browsers are configured to provide increased functionality at the cost of decreased security.
• New security vulnerabilities are often discovered after the software is configured and packaged by the manufacturer.
• Computer systems and software packages may be bundled with additional software, which increases the number of vulnerabilities that may be attacked.
• Third-party software may not have a mechanism for receiving security updates.
• Many websites require that users enable certain features or install more software, putting the computer at additional risk.
• Many users do not know how to configure their web browsers securely.
• Many users are unwilling to enable or disable functionality as required to secure their web browser.

As a result, CISA warns, exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise computer systems.

Seven simple ways to improve web browser security

While the standard configurations might not prioritise security, it is relatively simple to harden your web browser security.

The following seven steps are simple to action and will deliver an improved level of protection against attack.

#1. Use strong anti-virus software

Browser protection should be part of your anti-virus (endpoint protection) product. A good product checks URLs and downloads against reputation data and blocks a known-malicious page before it loads, or a malicious file before it runs. The browsers’ own filters do the same job and should stay switched on: Microsoft Defender SmartScreen in Edge and Google Safe Browsing in Chrome.

Make sure you have a suitable anti-virus product installed on all machines and keep it up to date. Keep the browser itself up to date too: browser vulnerabilities are discovered after the software ships (one of the CISA points above), and a fix only helps once the update is installed, so don’t let users postpone browser updates indefinitely.

#2. Actively manage cookies

Cookies aren’t necessarily all bad. Many websites need to store a cookie on your device in order to function at all: the session cookie is what keeps you logged in from one page load to the next.

That is also why cookies present a risk. A cookie is data, not malware, so the question is not whether a cookie is “legitimate” but what it grants. A session cookie is a bearer token: malware that copies it out of the browser’s cookie store can replay it from another machine and use the account without knowing the password and without passing multi-factor authentication. Infostealer malware targets exactly this.

For these reasons, it makes sense to limit what is stored and for how long. Cookie consent banners only cover non-essential (tracking and advertising) cookies, so refusing them reduces tracking but does nothing to protect your logins; make refusal your standard practice anyway.

You can also restrict cookies in your browser settings. In Microsoft Edge, go to Settings > Cookies and site permissions > Manage and delete cookies and site data, and turn on “Block third-party cookies”. This is the practical setting: turning off “Allow sites to save and read cookie data” altogether will break logins to most business apps. From the same page you can delete individual cookies or block specific sites.

From time to time, you should also clear all cookies stored on the device, or set the browser to clear them when it closes. Fewer long-lived session cookies means less for an attacker to steal, at the cost of users signing in again; the real mitigation for cookie theft is keeping malware off the machine in the first place (steps #1, #5 and #6).

#3. Remove extensions

Browser extensions run with broad permissions, often “read and change all your data on all websites”, so a malicious extension, or a legitimate one whose developer has sold it or had their account compromised, can read passwords and session cookies from every page the user opens. To reduce risk, remove extensions that are not needed. In Microsoft Edge, click on the “…” icon at the top right of the browser window to open the Settings and more menu, choose Extensions, then Manage extensions, and remove any you do not recognise or need.

If you have concerns about any extension that you have previously installed, remove it first, then report it to Microsoft and the NCSC.

To help tackle this threat, Google is bringing in a new feature which will warn users if an extension they have installed has been removed from the Chrome Web Store; removal is often the first public sign that an extension was found to be malicious.

#4. Turn off password saving and autofill

Autofill of form data and passwords is useful and saves time, but it concentrates credentials, addresses and card numbers in the browser profile. The browser does encrypt them, but with a key that any process running as that user can use, so infostealer malware running under the user’s account can decrypt and export the lot, and anyone who sits down at an unlocked machine can use them directly. On a managed estate it makes sense to turn these features off.

In Microsoft Edge, go to the Settings and more menu > Settings > Profiles. Under Passwords, turn off “Offer to save passwords”; under Personal info, turn off “Save and fill personal info”; under Payment info, turn off “Save and fill payment info”.

If users need help with passwords, offer them an approved password manager instead. Unlike the browser’s store it needs its own master password (and ideally MFA) to unlock, and it can be managed centrally.

#5. Follow the principle of least privilege

We’ve spoken about the importance of following the principle of least privilege many times on this blog.

The core principle of a least privilege approach is to deny users and applications access to files, folders, systems, applications and areas of the network unless they need that access for their job.

For users who hold high-privilege accounts, we recommend that you set them up with a separate standard account, without administrative rights, which they use for their everyday tasks and web browsing, and that the privileged account is reserved for administration. This way, you keep their activities on the Internet separate from their high-privilege network access.

This matters because code that runs as a result of a browser exploit, a malicious download or a Trojan runs with the privileges of the user whose browser it came through. If that user is a local administrator, so is the malware; if they are a standard user, the attacker still needs a separate privilege-escalation flaw before they can disable security tooling or persist system-wide.

#6. Use a sandbox

Another extension of the least privilege approach is to run risky applications in a sandbox: a disposable, isolated environment that cannot see the host’s disk unless you explicitly map a folder into it, and that is discarded in its entirety when closed. Anything a malicious page drops inside it disappears with the sandbox. (Modern browsers already sandbox their own renderer processes internally; a disposable sandbox adds a second layer around the whole browser for untrusted browsing.)

Windows Sandbox is included in the Pro and Enterprise editions of Windows 10 and Windows 11 (not Home). It requires virtualisation to be enabled in the firmware, and is switched on under Control Panel > Programs > Turn Windows features on or off, or from PowerShell; a restart is needed before it can be launched.
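
As an added example, not part of the original post: a PowerShell script that checks whether Windows Sandbox is available, enables it if it is merely switched off, and writes a locked-down .wsb profile for untrusted browsing (no shared clipboard, no printer, no microphone or camera, a single read-only folder mapped in). The feature name and the .wsb elements are Microsoft’s documented ones; the profile path, the mapped folder and the 4 GB memory cap are assumptions to adjust for your machines.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Checks Windows Sandbox, enables it
# if needed, and writes a locked-down .wsb profile for untrusted browsing.
# Assumptions: the profile path, the mapped folder and the memory cap below.

$FeatureName = 'Containers-DisposableClientVM'   # optional-feature name of Windows Sandbox

function Get-SandboxState {
    # Returns 'Enabled', 'Disabled' or 'Unavailable' (Home edition / feature not present).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction SilentlyContinue
    if ($null -eq $feature) { return 'Unavailable' }
    return [string]$feature.State
}

function Enable-Sandbox {
    # A restart is required before the sandbox can be launched.
    Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart | Out-Null
}

function New-BrowsingSandboxProfile {
    param(
        [string]$Path       = "$env:USERPROFILE\Desktop\UntrustedBrowsing.wsb",  # assumption
        [string]$DropFolder = "$env:USERPROFILE\SandboxDrop"                     # assumption
    )
    # The only host folder the sandbox can see. It is mapped read-only, so nothing
    # running inside the sandbox can write back to the host through it.
    if (-not (Test-Path $DropFolder)) { New-Item -ItemType Directory -Path $DropFolder | Out-Null }

    # Everything not needed for browsing is disabled. Networking stays on because
    # this profile exists to browse; ProtectedClient adds AppContainer isolation
    # around the sandbox's own processes.
    $wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Enable</Networking>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MemoryInMB>4096</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$DropFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Drop</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"@
    Set-Content -Path $Path -Value $wsb -Encoding UTF8
    return $Path
}

switch (Get-SandboxState) {
    'Unavailable' { Write-Warning 'Windows Sandbox is not available on this edition or hardware.' }
    'Disabled'    { Enable-Sandbox; Write-Warning 'Windows Sandbox enabled; restart, then run this script again.' }
    'Enabled'     {
        $wsbPath = New-BrowsingSandboxProfile
        # Double-clicking the .wsb does the same. The sandbox, and everything a
        # page dropped inside it, is discarded when its window is closed.
        Start-Process -FilePath $wsbPath
    }
}
```

The sandbox boots a clean copy of the host’s Windows image, so the browser inside it is whichever one that image carries; open it from the sandbox’s own Start menu, not from the host. If you need to bring a downloaded file out for analysis, copy it into a second mapped folder that is not read-only rather than re-enabling clipboard redirection for everything.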


#7. Enforce these policies centrally

Where possible, enforce these settings centrally rather than relying on users. Microsoft Edge and Google Chrome both expose every setting above as an administrative policy: apply them with Group Policy (the Edge and Chrome ADMX templates) on domain-joined machines, or with Mobile Device Management (MDM) such as Microsoft Intune for everything else. A value set by policy is locked on the browser’s settings page, so users cannot quietly turn it back off.
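
As an added example, not part of the original post: a PowerShell script that applies the Edge settings from steps #1 to #4 as administrative policies by writing them under HKLM\SOFTWARE\Policies\Microsoft\Edge, the registry location that Group Policy and Intune populate, and then audits what is actually set. The policy names are Microsoft Edge’s documented ones; the allow-listed extension IDs are an assumption (the list is left empty) to fill in from the extensions you have reviewed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Writes Edge administrative policies
# to the registry key that Group Policy/Intune populate, then audits them.
# Assumption: $AllowedExtensionIds is empty; add the 32-character IDs from the
# Edge Add-ons store URL of each extension you have reviewed and approved.

$EdgePolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Desired DWORD policies: 1 = on, 0 = off.
$DesiredPolicies = @{
    'BlockThirdPartyCookies'                   = 1   # step #2
    'PasswordManagerEnabled'                   = 0   # step #4: no credentials in the profile
    'AutofillAddressEnabled'                   = 0   # step #4
    'AutofillCreditCardEnabled'                = 0   # step #4
    'SmartScreenEnabled'                       = 1   # step #1: keep the URL/download filter on
    'PreventSmartScreenPromptOverride'         = 1   # step #1: no clicking through warnings
    'PreventSmartScreenPromptOverrideForFiles' = 1   # step #1
}

# Step #3: block every extension ('*') except the reviewed IDs on the allow list.
$AllowedExtensionIds = @()   # assumption: populate with approved extension IDs

function Set-EdgePolicy {
    param([hashtable]$Policies, [string[]]$AllowedExtensions)

    if (-not (Test-Path $EdgePolicyRoot)) { New-Item -Path $EdgePolicyRoot -Force | Out-Null }

    foreach ($name in $Policies.Keys) {
        New-ItemProperty -Path $EdgePolicyRoot -Name $name -PropertyType DWord `
            -Value $Policies[$name] -Force | Out-Null
    }

    # List-valued policies live in a subkey whose values are named "1", "2", ...
    # Recreate the subkeys so stale entries from an earlier run do not linger.
    foreach ($listName in 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist') {
        $key = Join-Path $EdgePolicyRoot $listName
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path (Join-Path $EdgePolicyRoot 'ExtensionInstallBlocklist') `
        -Name '1' -PropertyType String -Value '*' -Force | Out-Null
    $i = 1
    foreach ($id in $AllowedExtensions) {
        New-ItemProperty -Path (Join-Path $EdgePolicyRoot 'ExtensionInstallAllowlist') `
            -Name ([string]$i) -PropertyType String -Value $id -Force | Out-Null
        $i++
    }
}

function Test-EdgePolicy {
    param([hashtable]$Policies)
    # One object per policy, so the result can be filtered or exported as evidence.
    foreach ($name in $Policies.Keys) {
        $actual = (Get-ItemProperty -Path $EdgePolicyRoot -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Policy    = $name
            Expected  = $Policies[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Policies[$name])
        }
    }
    $blockKey  = Join-Path $EdgePolicyRoot 'ExtensionInstallBlocklist'
    $blocklist = (Get-ItemProperty -Path $blockKey -ErrorAction SilentlyContinue).'1'
    [pscustomobject]@{
        Policy    = 'ExtensionInstallBlocklist'
        Expected  = '*'
        Actual    = $blocklist
        Compliant = ($blocklist -eq '*')
    }
}

Set-EdgePolicy -Policies $DesiredPolicies -AllowedExtensions $AllowedExtensionIds
Test-EdgePolicy -Policies $DesiredPolicies | Format-Table -AutoSize
```

The values take effect when Edge next starts, or immediately after “Reload policies” on edge://policy, where each one shows as mandatory and cannot be changed from the settings page. Google Chrome uses the same policy names (except the three SmartScreen ones) under HKLM\SOFTWARE\Policies\Google\Chrome. Use a script like this to test a baseline on one machine; for the estate, deliver the same values through Group Policy or Intune so they are re-applied and reported on, not just written once.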


What next?

If you’d like further advice about any of these seven steps – or details about other ways to protect your network, devices, people and organisation – please get in touch with the Grant McGregor team.

You can contact us on: 0808 164 4142.

Further reading:

Our guide to taking a zero trust approach: what it is and should you do it?

More on the principle of least privilege: could it work for your organisation?

New changes to Cyber Essentials for 2023.

And our quick guide to information security management and ISO 27001.