Why your organization's biggest risk might come from your browsers [Q&A]
Last year saw zero day vulnerabilities being actively exploited in the wild across many of the major web browsers.
For businesses that allow their users to choose which browser they use, this is a problem due to the frequency of vulnerabilities. We spoke to Ofer Ben-Noon, co-founder and CEO at Talon Cyber Security and former member of the Israeli intelligence community, to find out more about the current threat landscape and how firms can secure their browsers.
BN: How do web browsers contribute to the threat landscape organizations need to protect against?
OBN: Looking at headlines, it seems like there's a patch for a new critical vulnerability issued every week by the major software companies. These aren't just for your computer and smartphone's operating systems.
The browser is the most vulnerable application in the world, and the second most vulnerable piece of software over the course of internet history. In fact, there was a new critical vulnerability in Chrome disclosed every 28 hours in 2021, and about a quarter of zero-day vulnerabilities in the wild are related to Chrome. This is incredibly significant when you consider how much time we spend in the browser, both at work and in our personal lives.
Attackers can exploit things like zero-days and unpatched browsers to do anything from stealing data to remotely executing malicious code. There's also the risk that attack groups abuse functionality of the browser to get what they want, such as stealing data, launching social engineering attacks and more.
To add to this, convenience is king today, so employees install browser extensions to make their work lives easier and be more productive. This has led to a sharp rise in rogue and malicious extensions that can do things like spy on individuals, steal data and inject malicious code into a device.
The bottom line? There are several ways that web browsers expand the attack surface for organizations, and all of them create incredibly significant risk that needs to be addressed by IT and security teams.
BN: Have browsers created a blind spot in enterprise security? Why is this?
OBN: Organizations that allow consumer-grade browsers in their environments are at a disadvantage from a security perspective, as they are missing a key protection point and overall visibility into such a heavily-used work application.
Today, organizations rely more and more on SaaS and web applications that are accessed through the browser. The way we work has fundamentally changed -- folks not only access SaaS and web applications on their corporate devices, but on their personal ones as well.
In a typical organization, you use business applications for your core tasks and are told what you should be using for your specific job function. Despite this, most don't require you to use a specific browser -- you simply download one you are familiar with and are on your way.
With the browser disconnected from the business, security and IT teams lose valuable insight through a lack of visibility into web activity and the SaaS and web-based applications being used within them. This creates serious business risk and an impactful blind spot that hackers consistently look to capitalize on.
BN: Why is the browser such a popular target that attackers look to exploit?
OBN: The browser is the front door of the enterprise, where the majority of work is done and business is conducted. Due to how heavily the browser is used in enterprise settings, it contains a trove of sensitive information that attackers consistently target, including credentials, cookies, history, autofill information (such as credit cards), download history, search history and more.
All of these factors make the browser an incredibly appealing target for attackers. As mentioned, it is one of the most vulnerable pieces of software used across any organization, giving attack groups plenty of opportunities to launch advanced campaigns if correct security measures aren't in place.
BN: What operational challenges do organizations face in trying to secure browsers?
OBN: The challenge in securing the browser itself comes down to visibility. Do IT and security teams know the different types of browsers in use across their entire environment? Are they all up to date to be patched against the latest critical vulnerabilities? Being able to answer these simple questions with 'yes' is pivotal, but patch deployment at such a large scale is a challenge for most organizations to execute in a timely manner.
While securing the browser itself is undoubtedly important for any security program, it's more pivotal that organizations understand the risk of the browser being a historically unmanaged, vulnerable access point to your SaaS and web-based applications. If you are not providing a way for employees to securely access these apps, it puts the company’s data and intellectual property at risk every single day.
In environments where employees are able to pick their own web browser for enterprise use, security and IT teams have a difficult time ensuring that work done in the browser is defended properly. In today's work from anywhere reality, this is becoming a mounting challenge that CISOs recognize must be solved. Historically, 'secure browsers' required employees to change how they worked, as there was no consistent user experience. However, with the standardization of Chromium -- the most popular browser infrastructure -- the path to truly secure enterprise browsers that deliver native experiences has finally been realized.
BN: What advice do you have for organizations looking to better secure their workforces and protect their data?
OBN: My number one piece of advice for security and business leaders is to evolve their security programs for the new era of work. The future of work is where employees work from anywhere, so it's on CISOs and business leaders to ensure they build scalable security programs that protect employees no matter where they choose to get their jobs done.
This requires organizations to find the right mix of people, processes and technologies to power their programs. A key first step for this is to eliminate antiquated legacy technologies in favor of innovative solutions that simplify things for IT and security teams. Business is primarily conducted on modern applications that can't be adequately protected by legacy solutions.
Whether CISOs have adapted their security programs to this reality or not, the future of work is now. So, business leaders need to ask themselves what they are doing to evolve their security programs for this new era of work. If they don't, they are accepting significant, impactful risks to their business day-in and day-out.