Bring the Browser in from the Cold: Old Threat Vectors Demand New Defenses

How to manage browser vulnerabilities in a remote-work setting with growing threats.

January 20, 2023

The browser has become the main productivity tool, making it the most serious threat to businesses. Alon Levin, VP of product management at Seraphic Security, discusses the true threat browser vulnerabilities pose to today’s organizations amid continued hybrid work and ongoing digital transformation, as well as what organizations can do to protect their browsers.

The Jericho Forum first began discussing the implications of network “de-perimeterization” nearly 20 years ago. As prescient as those discussions turned out to be, it is hard to imagine that their members envisioned how dramatically “the cloud” would change how people work. As the cloud evolved, matured and became a viable part of IT infrastructure, business applications were also undergoing their own transformation, moving from conventional thick client software to web apps. 

Ultimately – in what feels like ancient history – these two trends intersected with the notable side effect that web browsers became the dominant client for virtually every business application and employees’ main productivity tool. Today’s workforce relies on a wide range of internal and external web-based applications such as SAP and Salesforce.com, as well as a myriad of general-purpose public sites like Amazon and Google, to conduct company business. 

While many business applications migrated outside the network perimeter, web browsers (and their users) remained safely inside the network, where security infrastructures designed around centralized offices and built up over the years helped protect them from threats. Then, in early 2020, every business suddenly needed to accommodate remote work. Fortunately, the ubiquity of software-as-a-service (SaaS) apps offered a level of flexibility that made such a monumental change possible. Unfortunately, most organizations’ security infrastructure was simply not sufficiently portable to enable the same level of protection for telework that it did for office work. 

As a result, IT and security teams were forced to implement complex and convoluted solutions to maintain security and compliance. Even though the pandemic has ebbed and offices are open once again, the trend toward more remote work shows no signs of reversal: globally, 16% of companies are fully remote, while about 62% of workers aged 22 to 65 claim to work remotely at least occasionally. Moreover, many employees are allowed to use their preferred browser to access corporate applications and may do so from public internet connections on personal devices.

Because browsers – with their substantial access to corporate applications, data, and services – are more “out in the open,” they now represent a much larger attack surface and a more attractive target for attackers. Since most browser security and governance solutions were implemented with the implicit understanding that users would be behind some kind of perimeter, they tend to be deficient, inefficient, or both (especially in remote work scenarios). Additionally, since most of these tools are intended to be deployed around—rather than in—the browser, the browser itself winds up being under-protected, and IT and security teams continue to struggle with bridging the gap.

As browser-focused attacks become a larger threat to enterprise cybersecurity, organizations must consider the role of the browser in common attack vectors and what they should do about it:  

Phishing   

Cisco—emphasizing that the number is not a typo—found that 90% of data breaches were due to phishing. That tally is shockingly high but should be unsurprising insofar as many phishing campaigns against corporate targets attempt to exploit a positive employee trait: the desire to do the right thing and get their jobs done. It should also be unsurprising that phishing continues to increase, reaching a record-setting high of nearly 1.1 million attacks in the second quarter of 2022, according to a recent report from APWG.

Interestingly, although phishing is most associated with email, the browser is where the damage is often done. Between the fast pace of modern work, the human tendency to overlook minor details, browsers that often display only truncated versions of URLs, and increasingly authentic-looking fake landing pages, it is no wonder that even the savviest users are sometimes tricked into handing over their credentials.

To stem the tide of phishing attacks, browsers must be able to protect users from phishing sites without depending on content filters that rely on potentially outdated feeds of phishing sites, especially considering that the average life of a phishing site is just a little over two days. 


Browser Exploits  

Like all modern software, the complex code that makes up a web browser may contain vulnerabilities. Unlike most software, which usually only interacts with a small number of servers, web browsers interact with a large and ever-changing number of servers. This affords attackers many places and opportunities to attempt to exploit browser vulnerabilities. Google observed nation-state-affiliated attackers doing exactly that earlier this year as extensions of what are believed to be long-running campaigns. 

Once the browser is compromised, threat actors can then use their position to further penetrate corporate networks and compromise additional assets, inflicting damage ranging from data exfiltration to crypto-mining to ransomware. Google has also noted that exploits targeting its Chrome browser are increasing at an unprecedented rate and has already released seven emergency security updates this year. 

Many existing solutions lack visibility into the unique execution environment of the browser, making it difficult for them to detect and prevent exploitation. Organizations must consider new solutions that can provide such protection to make browsers less vulnerable to exploitation and buy time while patches are still being developed and deployed. 

Web Application Vulnerabilities 

Web application vulnerabilities have been around for as long as web applications themselves and may involve server or application misconfigurations, vulnerabilities in the underlying server software, or vulnerabilities in the web app code itself. Attackers may leverage these vulnerabilities to gain unauthorized access to servers and install malware—as they did in a Magecart attack earlier this year—or they may use the access as a pivot point to gain access to additional corporate assets. Home-grown enterprise web apps or web apps built on top of out-of-date commercial or open-source software usually have greater exposure to these types of vulnerabilities.

To reduce the risk of browser-based exploitation of web application vulnerabilities, organizations must consider security solutions that enable the browser to be part of the defense of web applications rather than an attack vector. Today’s users should be able to browse every site, performing their work and personal tasks via their preferred browser, without risk to critical corporate data or their personal assets. 

Providing a safe browsing experience both on and off-premises should be a top priority for enterprises, but organizations will need to investigate and implement new solutions in order to protect themselves and their users from browser-based attacks while meeting users where they are to deliver a positive experience. 

Alon Levin

VP of Product Management, Seraphic

Alon Levin is the VP of Product Management at Seraphic, an enterprise browser security solution. With a successful track record of over 15 years in the cybersecurity industry, Alon specializes in building and supporting the growth of new, innovative products in the areas of product management, presales and customer success. Prior to joining Seraphic, he fulfilled numerous leadership positions, such as VP Product Management at Infinipoint and earlier in VDOO, and as a Consulting Engineer and Director of Sales Engineering at Palo Alto Networks, Cyvera and Wave.