5 Security Flubs Users Make When Browsing the Web
From haphazardly installing ActiveX controls to ignoring security warnings, a look at five common ways users get off the security track online, and ways to set them straight
By Joan Goodchild, Senior Editor
April 20, 2009 — CSO —
You can install the best firewalls, patch religiously, and make sure your anti-virus software is always up-to-date, but there is one online risk factor you can never control: the user. Whether they are downloading dangerous content or falling prey to phishing scams, the end user continues to be the toughest security risk to mitigate in most organizations.
"From our perspective, this is one of the most difficult things to protect end users against, because you are trying to protect them against themselves," said Matt Watchinski, head of the vulnerability research team at Sourcefire, a Maryland-based security products provider.
Web surfing, which is done by many users these days in the workplace and on work-issued devices, is just another portal for trouble.
"This is kind of the crux of security," said Watchinski. "The security guys are responsible for making sure you can't do things that you can hurt yourself with, but the end user wants not to have any problems and just do their job. When you start locking stuff down and turning off specific pieces of functionality on networks, like not being able to read Adobe files on Internet Explorer, people can't do what they need to do."
With that constant struggle in mind, educating users about what they are doing and why it is dangerous is the more effective strategy. Watchinski walked us through some of the more common security missteps users make when they are browsing the World Wide Web and gave advice on how to head them in the right direction (You can also check out 10 IE Browser Settings for Safer Surfing).
Blindly installing ActiveX controls
When browsing with Internet Explorer, users are often asked to install an ActiveX control in order to view certain content.
"You get a pop-up that says install to view," said Watchinski. "People will just do that. They don't really think about what the consequences might be. They just want to get to that data."
But ActiveX controls, noted Watchinski, are really just code that runs. So an attacker can build an ActiveX control, ask you to install it to view content, and have it do something malicious later. The typical way users are attacked through ActiveX is via another, vulnerable Web site that makes use of a bad ActiveX control the user downloaded earlier (See Also Why Microsoft ActiveX Attacks Will Intensify).
"You go to some big site that uses ActiveX controls and there is nothing malicious in the site, but it has a vulnerability," said Watchinski. "You've installed this ActiveX control before and sometime later you come to that vulnerable Web page that uses that ActiveX control and (the earlier download) will do something bad with it."
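The point above is that a control installed once stays loadable by any later page until IE is told to refuse it. The following PowerShell script is an added example, not code from the article or from Sourcefire: it lists the ActiveX controls Internet Explorer has downloaded on a Windows machine and reports, for each, whether its "kill bit" (the COMPAT_KILLBIT flag in the per-CLSID "Compatibility Flags" value) is set, which is what makes IE refuse to instantiate it. The registry locations for the kill bit and for downloaded controls are the ones Microsoft documents; the `DownloadInformation\CODEBASE` layout used to recover the origin URL and the function names are assumptions, and `Set-ActiveXKillBit` is included for an administrator who decides to block a specific CLSID after reviewing the list.

```powershell
# Added example (not from the CSO article): inventory IE-downloaded ActiveX
# controls and show which ones IE will still load. Run from an elevated prompt.

$KillBit = 0x400   # COMPAT_KILLBIT bit of the "Compatibility Flags" DWORD

# Controls installed via IE's "install to view" prompt are recorded here;
# each subkey name is the control's CLSID.
$distUnits = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
# Per-CLSID flags IE consults before loading a control (kill bit lives here).
$axCompat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $axCompat $Clsid
    if (-not (Test-Path $key)) { return 'no entry (loadable)' }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'no entry (loadable)' }
    if (($flags -band $KillBit) -ne 0) { 'kill bit set (blocked)' } else { 'flags present, kill bit clear (loadable)' }
}

function Get-DownloadedActiveXControls {
    if (-not (Test-Path $distUnits)) { return @() }
    foreach ($unit in Get-ChildItem -Path $distUnits) {
        $clsid = $unit.PSChildName
        # Friendly name comes from the COM class registration, if one exists.
        $comKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name = if (Test-Path $comKey) { (Get-ItemProperty -Path $comKey).'(default)' } else { $null }
        # Origin URL IE recorded when it downloaded the control (assumed layout).
        $dlKey = Join-Path $unit.PSPath 'DownloadInformation'
        $codebase = if (Test-Path $dlKey) { (Get-ItemProperty -Path $dlKey -ErrorAction SilentlyContinue).CODEBASE } else { $null }
        [pscustomobject]@{
            CLSID    = $clsid
            Name     = $name
            Codebase = $codebase
            KillBit  = Get-KillBitState -Clsid $clsid
        }
    }
}

# Mitigation helper (hypothetical name): set the kill bit for one CLSID so IE
# refuses to instantiate that control on any page. Preserves other flag bits.
function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $axCompat $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

# Usage: show every downloaded control, blocked ones listed first.
Get-DownloadedActiveXControls | Sort-Object KillBit -Descending | Format-Table -AutoSize
```

A control that shows "loadable" here is exactly the situation Watchinski describes: anything that was once installed to view a page remains available to every later page that references its CLSID. Reviewing this list periodically, and setting the kill bit for controls that are no longer needed or are known to be unsafe, closes that window without touching the rest of the browser configuration.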