Despite being plagued by vulnerabilities, browsers can still be made secure

Putting browser inside a virtual safe area will keep rest of network protected

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Web browsers con­tin­ue to rep­re­sent, arguably, the most wide-open attack vec­tor at any giv­en company.

This is because Mozil­la Fire­fox, Google Chrome, Microsoft Explor­er and Apple Safari all use a basic archi­tec­ture ide­al­ly suit­ed for a threat actor to manip­u­late. To put it blunt­ly, it’s all too easy for an attack­er to down­load mali­cious code onto an employee’s computer—and then use that infect­ed machine as a foothold to probe deep­er into the breached network.

Relat­ed arti­cle: How ‘soft­ware con­tain­ers’ are improv­ing net­work security

Thus brows­er-focused attacks occur 24−7−365. While there is no direct way to stop attacks aimed at browsers, it is pos­si­ble to con­tain them. I sat down with Lance Cot­trell, chief sci­en­tist at Ntre­pid, sup­pli­er of tech­nol­o­gy that iso­lates brows­er ses­sions inside a vir­tu­al machine, so that any mal­ware that gets down­loaded is trapped inside a vir­tu­al box and can’t attack the rest of the sys­tem. A few takeaways:

Lance Cot­trell, Ntre­pid chief scientist

The vam­pire quo­tient. Browsers give fire­walls a very hard time. There’s very lit­tle con­trol over what’s com­ing in or going out because it’s user-led. Rather than some­one try­ing to break in, it’s like deal­ing with a vam­pire. Every time you click on a link, you invite them into your home. There’s no time or way for the user to scan the con­tent and decide whether it is safe because brows­ing is a real-time activity.

It’s also very hard to dis­crim­i­nate against inten­tion­al and unin­ten­tion­al activ­i­ty. The user may have want­ed to down­load that PDF or the exe­cutable, or it might have hap­pened auto­mat­i­cal­ly. It’s why 90 per­cent of unde­tect­ed attacks come through the web and why secur­ing it, or at least safe­guard­ing it, is going to become a top priority.

Going beyond black­list­ing. IPs known to be the source of attacks are rou­tine­ly black­list­ed. And known good IPs can be whitelist­ed. But that’s not enough. So now there are ways to car­ry out brows­er ses­sions in a vir­tu­al­ized area. No solu­tion is fool­proof. Mod­ern busi­ness net­works are sim­ply too large and too com­plex. The over­ar­ch­ing goal should be to make sure that if and when a brows­er does get com­pro­mised the rest of the net­work is protected.

Hack­ers and spies. It’s not just sneaky cyber crim­i­nals using anonymized IP address­es that com­pa­nies need to be aware of. Law enforce­ment, for instance, also uses anonymized IP address­es to vis­it web­sites while con­duct­ing investigations.

And retail­ers often check the prices of a com­peti­tor using anonymized IPs, as well. This is to avoid faked prices a rival may have at the ready to send to any IP address orig­i­nat­ing at a com­pet­i­tive retail­ers domain. Retail­ers are very active in this kind of spy vs. spy com­peti­tor intel­li­gence. Finan­cial ser­vices com­pa­nies are most active in the fraud area.

For a deep­er dive, please lis­ten to the accom­pa­ny­ing podcast.

More sto­ries relat­ed to brows­er security:
Brows­er secu­ri­ty star­tups insu­late users from web-based threats
Though inher­ent­ly unsafe, com­pa­nies can still take steps to secure web browsers
VPNs pre­vent mar­keters, oth­ers from cash­ing in on your brows­er history