Just Browsing

Author: Bruce R Wilkins, CISA, CRISC, CISM, CGEIT, CISSP
Date Published: 29 April 2020

One of the most misunderstood applications we use in the connected environment is the web browser, or simply, the browser. I often hear browsers called by many different names such as Google, the web or “how I get on the line.” More commonly, browsers are referred to by product name: Firefox, Chrome, Edge or Opera. In the end, we are all referring to the same complex application that provides a very simple function: the browser.

In a client/server architecture, the browser is usually the client. It allows users to connect to various Internet sites using their IP address or Uniform Resource Locator (URL). These “servers” host applications and services that provide user functionality. Increasingly, corporate developers also use the browser as the client, or user interface, for internal corporate applications. This is the reason that many people have dropped the word web from web browser and only use the word browser for this application. A typical browser has the following functions: user interface (UI), browser engine, rendering engine, networking, interpreter, UI back end and data persistence (storage). In addition, the browser can be augmented with plug-ins/scripts developed by third parties, the root certificate configuration on your computer and URL filters for hostile sites. Each one of these functions should be recognized as a different attack vector.

Most browsers are built upon open-source software, which is based on open standards. Open standards allow browsers to render all websites that are built on open standards. But vendors are able to lock customers into their products by providing “extensions” to the open standards. These extensions tend to run faster, are proprietary in nature and are not shared with other browsers and website developers. They are also very good at making browsers other than the vendor’s own incompatible with the vendor’s websites, causing those sites to render improperly.

The browser can present a wide variety of UIs within the same environment, providing windows, tabs and pull-down command menus. Search engines, bank sites, corporate internal networks and a wide variety of others use browsers as their interface to the user. This is why the browser is often a great attack vector. The following are some ways we can make the browsing experience safer:

  • Browser selection—To be compatible with all websites, both on the Internet and internal corporate sites, you should have at least 2 browsers. One should be vendor-based (usually for your corporate network) and the other should be more open and compatible with a wider audience of URLs. I routinely use 3 browsers, depending on which URL I am planning to connect to.
  • Version control—Version control is critical. Older versions of browsers are unable to render new or robust websites. They fail, which can leave your computer in an insecure state and cause vulnerabilities to be exposed.
  • Patching—This is another aspect of version control, meant to ensure that the latest security patches are present on the browser. Users often find vulnerabilities; vendors patch those holes.
  • Root certificate management—This is one of the most frequently ignored security configurations of your computer and the browser. Most computers are delivered with a large number of root certificates. This means that if a hostile party gets its root certificate into your trusted certificate list, everything on your computer, including browsers, trusts that party’s connections and the software it signs. It is highly recommended that this list of root certificates gets vetted and unnecessary certificates are removed.
  • Plug-ins/scripts—Browser plug-ins/scripts are developed by third parties to provide more functionality to the browser. Review your list of extensions and determine if that plug-in/script is really necessary. I have never needed more than 5 plug-ins/scripts within my browsers, but each requirement is different.
  • Whitelisting/blacklisting—These techniques can be defined within the browser. However, this creates many points to manage, and a URL might be missed. Browser-level lists should augment the enterprise capability that controls which URLs a user can and cannot visit.
  • Cookies—Managing cookies is an endless process. Luckily, today we can configure our browsers to accept cookies under specific conditions. Periodically, one should clear all cookies, history and other pertinent data within the browser. This is especially important when websites have been upgraded and the site is not rendering properly.
  • URL address bar—You are the security feature; watch the URL address bar constantly. The URL you are connecting to will be rendered in this area. Look at the construction of the URL. Does the domain name end with a realistic relationship to the site? If you are going to a commercial site, it most likely ends with .com, or .edu for academia, etc. Often, hostile URLs will look a lot like the site they are impersonating by putting the proper domain somewhere in the URL—but not at the end. Identify whether your connection to the URL is encrypted. Even though this does not guarantee security (see hostile root certificates mentioned previously), the address should begin with “https://” rather than only “http://.”
  • Computer configuration—During the connection process between the website and the browser, data are exchanged. These data tell the website where you came from, the configuration of your computer and other information. So, if your security team has given you a unique security configuration that is the ultimate secure posture, you can bet that your browser is identifiable as being from your organization. If your organization is of interest, this makes you a target. If you are not configured securely, this information exchange provides attack vectors for hostile sites to leverage when they reach back to attack you.
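The address-bar checks described above (does the real domain sit at the end of the host name, or only somewhere else in the URL; is the connection https) can be written down as code. The following is an added example, not part of the original article; the hostnames, the expected domain “example-bank.com” and the small suffix set are constructed placeholders, and a real tool would use the full Public Suffix List.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real tool would load
# the full list so that "example.co.uk" is not split as "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au"}


def is_ip_literal(host: str) -> bool:
    """True when the address bar shows a raw IPv4/IPv6 address, not a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Return the registrable domain (the part the user must read) of a hostname."""
    if not host or is_ip_literal(host):
        return ""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_url(url: str, expected_domain: str) -> dict:
    """Apply the article's address-bar checks to one URL.

    expected_domain is the registrable domain the user intends to visit,
    e.g. "example-bank.com" (a constructed name, not a real site).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""        # lower-cased, brackets and port removed
    expected = expected_domain.lower()
    actual = registrable_domain(host)
    findings = {
        "host": host,
        "encrypted": parts.scheme.lower() == "https",   # "https://" vs "http://"
        "ip_literal": is_ip_literal(host),
        "userinfo_present": "@" in parts.netloc,         # brand@real-host trick
        "registrable_domain": actual,
        "domain_matches": actual == expected,
    }
    # The article's warning: the proper domain appears somewhere in the URL
    # (subdomain, path, query, userinfo) but is not the domain actually visited.
    findings["brand_used_as_decoy"] = not findings["domain_matches"] and expected in url.lower()
    findings["safe_to_trust"] = findings["domain_matches"] and findings["encrypted"]
    return findings
```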

Browsers provide simple user interfaces through a complex application. In an upcoming article, I will address Tor browsers, their relationship to incognito mode on a regular browser and how they are used to do good—or not so good.

Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.