Loaded on nearly every desktop in the enterprise, browsers are a prime vector for attack, but remedies are on hand, reports Alan Earls.
Lee Urbina, chief financial officer for US Infrastructure Holdings, a Texas-based energy company, had a problem. The core of the company's business is finding and locking in key assets at a favorable price. How that is done and at what cost is of great interest to competitors. So, among other concerns, Urbina began to think of the browser software deployed across the company as yet another inviting window through which unauthorized people could gain access to key data.
“The information our company handles is very confidential, and we know people are always trying to get into our servers,” he says. Because of his concerns, Urbina recently deployed Protect On Q (POQ), a web-based product from Austin, Texas-based Quarri, that “locks down browsers” to not only ward off malware, but to prevent unauthorized use and replication of sensitive data. Urbina says POQ has not solved all his organization's security issues, but has clearly helped. “Our IT department was spending all its time dealing with these things before, but now that POQ is in place, the workload is much lower,” he says.
Although browsers are but one element in maintaining IT security, their ubiquity makes them important, both as possible unwitting accomplices in a cyber attack and, conversely, as potential allies in efforts to boost security.
Browser security is, in fact, an important element in keeping malware attacks at bay, says Ryan Naraine, security evangelist at Kaspersky Lab. “Most modern browsers include features to block or limit phishing and other web-based attacks, but security vulnerabilities in browsers and other desktop applications also can be exploited to infect computers with malware,” he says. Fortunately, browser makers are constantly adding new security features to keep hackers at bay, he says. For instance, Google Chrome contains a “sandbox” to limit the damage from successful hacker attacks, while Microsoft Internet Explorer and Mozilla Firefox contain many new anti-exploit mechanisms. But, as with all aspects of the fight against cyber crime, it continues to be a cat-and-mouse game.
Bill Morrow (left), Quarri's CEO, says browsers remain the “biggest new attack vector.” In his view, most major breaches could be prevented with a complete strategy for securing data that is delivered through browsers. For example, he says, the leak of sensitive U.S. diplomatic cables to WikiLeaks was accomplished through a browser, with information ultimately being transported offsite on a flash drive. Likewise, he says, banks often lose clients because they blame the institution for security breaches that actually come from malware on the user's machine, again originating through the browser. Further, Morrow adds, “There are drug companies doing trials that need to close the security hole of the browser in order to prevent potential loss of data.”
While the browser may be more secure than in the past, there is still a lot of room for improvement. According to John Pescatore, vice president and distinguished analyst at Gartner, the fundamental issue is that in a quest for ever more functionality, browsers have grown enormously in their capabilities. “It is like an operating system on top of an operating system,” he says. That development has opened up many more potential avenues for attackers via ActiveX, Java and now even HTML5.
Pescatore says there are two main defensive approaches that can help reduce risk and exposure. The first one is to simply employ the newest and best browsers across the organization – and keep up with patches. The browser vendors, he says, have worked hard to enhance their products and have made great strides in improving their security characteristics.
A more complex option is to adopt additional technology, POQ being just an example. “Special purpose, lock-down packages, such as those from Quarri and Invincea, definitely provide more security, but getting them on every platform is challenging and expensive,” he says.
Still, Quarri's Morrow says his company's “hardened” browser technology is worth the investment because it gives the owner of information the ability to control its replication and movement, offering protection not only from external threats, but from internal ones as well. Quarri's solution generates a new, “clean” browser within seconds, and, he says, “we don't focus on trying to protect all data, just the most sensitive data.” Thus, Quarri implementations, like that at US Infrastructure Holdings, focus on key applications and data sources, such as a CRM system, says Morrow.
Another effort to reduce browser vulnerability, Pescatore says, comes through a “virtual” browser provided as part of a group of offerings from Invincea. It is software that grew out of a DARPA-funded research effort at George Mason University's Center for Secure Information Systems (CSIS). Anup Ghosh (right), founder and CEO at Invincea and chief scientist at CSIS, says his company's approach recognizes that browsers will inevitably become compromised and, therefore, offers a means to separate any untrusted content from the operating system.
“Our approach is to change the equation,” he says. Specifically, by virtualizing browsers and other applications, a strong, impermeable wall is created between the user and the rest of the digital world. And, says Ghosh, within that virtual environment, it is possible to not only isolate, but to study attacks and begin to gather intelligence on the nature and source of those incursions.
Which approach security pros choose should be based on thinking about their risks, the type of industry (and vulnerabilities) they face, and an analysis of the potential benefits of the choices, says Pescatore. What it comes down to is: If one is in an industry where they can dictate the choice of browser for their users and customers, the secure browser approach has advantages, but for organizations that need to be more open, the more traditional approach of simply staying up to date on browser fixes may be sufficient, he says.