10 ways to secure browsing in the enterprise
Make users' browsing safe (or safer) by thinking holistically about Web security, from browser settings to policies and education
By Joseph Guarino
November 01, 2011 — CSO
It goes without saying that the Internet isn't a safe place—it's a veritable jungle. In the world of browsers, we, the users, are seen as a delicious and commonly exploited target by many adversaries. Much like in the real jungle, we most often fall prey to lurking predators that bring us down using spear phishing, drive-by downloads and all manner of malware.
The browser itself, Java, JavaScript, HTML5 and plug-ins such as Adobe Flash give us great opportunities to use rich applications, but they also open the door wide to cybercriminals.
[Also read Guarino's 7 Firefox plug-ins that improve online privacy]
Every technology has a downside that will be exploited. As a result, the browser, often called the universal client, is an ever-growing conduit of malware into the modern enterprise. Truth is, malware and its risks are ever evolving with the demands of cybercriminals and black hats, and browsers just happen to be a particularly soft and tantalizing target. Unfortunately, history has shown us that the trend is only accelerating. Despite the more recent evolution of additional security features, the browser remains a good soft target when care isn't taken to lock it down in your enterprise.
It's possible to improve your browser security stance by making some changes to people, procedures and technology. We don't have to be lunch for the piranhas or a quick snack for the tiger; we can defend ourselves in the Internet jungle. Here are my top 10 recommendations for improving the security of your browsing environment.
1. Holistic Patch Management
Patch management is nothing new, but it's rarely done in a holistic, all-encompassing way. Most organizations do a great job of patching core operating systems but sometimes neglect associated core Web technologies such as Adobe Flash and Reader, Apple QuickTime, and Java. Holistic patch management addresses the entire desktop of native and third-party applications, including the browser and all its associated plug-ins, in a comprehensive way.

As if the complexity of the desktop isn't enough, consumerization (the effort of many users to bring their own device into the enterprise) introduces new perils in both patch management and security. Whether it's the executive who wants to use a shiny new tablet with known unpatched vulnerabilities or the user who wants to use a smartphone running an ancient and exploitable browser, patches must be kept up to date. A coherent, holistic effort to patch is helpful in defending against a multitude of known vulnerabilities. Obviously it isn't a panacea—nothing is—and you can't fix zero-day vulnerabilities, but by addressing what you can, you'll reduce your risks and costs.
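The "holistic" part of the recommendation above is knowing what third-party Web components are actually installed on each desktop and whether they sit below the version your patch process considers current. The following PowerShell script is an added example and is not code from the article or from any vendor: it reads the Windows Uninstall registry records (64-bit, 32-bit-on-64 and per-user), matches them against a short product watch list, and flags anything below a baseline version. The product names and baseline version numbers are placeholders to be replaced with the values from your own vendor advisories or patch-management system.

```powershell
# Added example, not code from the article. Inventories third-party Web
# plug-ins recorded in the Windows Uninstall registry keys and flags any
# whose version is below a baseline you supply. Product names and baseline
# versions below are placeholders; set them from your own patch baseline.

$Baseline = @{
    'Adobe Flash Player' = [version]'11.0.0.0'   # placeholder baseline
    'Adobe Reader'       = [version]'10.1.0.0'   # placeholder baseline
    'QuickTime'          = [version]'7.7.0.0'    # placeholder baseline
    'Java'               = [version]'6.0.290.0'  # placeholder baseline
}

# 64-bit, 32-bit-on-64-bit and per-user install records
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-VersionSafe {
    param([string]$Text)
    # Pull the first dotted numeric run (for example "11.1.102.55", at most
    # four components) out of whatever the vendor wrote in DisplayVersion.
    # Anything unparseable becomes 0.0 so it is flagged rather than hidden.
    if ($Text -match '(\d+(\.\d+){1,3})') {
        try { return [version]$Matches[1] } catch { }
    }
    return [version]'0.0'
}

function Get-PluginPatchStatus {
    Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $entry = $_
            foreach ($product in $Baseline.Keys) {
                if ($entry.DisplayName -like "*$product*") {
                    $installed = ConvertTo-VersionSafe $entry.DisplayVersion
                    [pscustomobject]@{
                        Product   = $product
                        Name      = $entry.DisplayName
                        Installed = $installed
                        Baseline  = $Baseline[$product]
                        Outdated  = ($installed -lt $Baseline[$product])
                    }
                }
            }
        }
}

# Report everything below baseline. Run this across the fleet through your
# management tooling and feed the results into the patch process.
Get-PluginPatchStatus | Where-Object { $_.Outdated } |
    Sort-Object Product | Format-Table Product, Name, Installed, Baseline -AutoSize
```

The script deliberately treats a missing or unparseable version string as outdated: a component you cannot identify is one you cannot vouch for, and it should surface in the report rather than disappear from it. Note that the Uninstall keys only record what was installed through an installer; browser plug-ins dropped in by other means, and the devices brought in under consumerization, still need a separate inventory path.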
2. Browser Lockdown
Although I'm a user of open-source software such as Mozilla Firefox and Google Chrome, I'm going to address browser security with a focus on the browser with the most market share in the enterprise: Microsoft Internet Explorer. All current browser usage statistics put Explorer at the top of the heap, and because Microsoft dominates the corporate desktop space, its penetration there is even greater.

Microsoft has made many strides in beefing up Internet Explorer's security, and many of those are available in Active Directory through Group Policy. Active Directory is not only a centralized directory service offering authentication and authorization for your Windows domain; it also can control security policies throughout your Windows environment. Group Policy allows administrators to centrally control the configuration of Internet Explorer and thus efficiently lock down an entire enterprise's browsers.
Internet Explorer versions 8 and 9 offer nearly 1,500 configurable settings, so you would be hard-pressed to say it's not flexible enough to meet your security requirements. Of particular use to the enterprise is the ability to control the user interface by disabling certain menus or configuration options, along with:
- tweaking security zones (which allow you to set the level of trust that the client or browser should have)
- setting up the SmartScreen Filter (which helps protect from malicious phishing or malware sites)
- using ActiveX controls and ActiveX Filtering (which provide the ability to control add-ons)
- managing and blocking downloads, and more.
Books have been written on this subject, but suffice it to say you might want to explore these features to further lock down your enterprise browsers.
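Once a Group Policy lockdown is in place, the practical question is whether it actually reached the desktop. The PowerShell script below is an added example and is not code from the article or from Microsoft: it reads the policy registry hive that Group Policy writes for Internet Explorer and reports, setting by setting, whether the Internet-zone actions, the machine-only zone setting, the SmartScreen Filter and ActiveX Filtering match an expected baseline. The expected values are a sample baseline (an assumption, not a recommendation from the article); the `EnabledV9` value name applies to IE9 specifically, and the ActiveX Filtering policy path should be verified against the ADMX templates for your IE version before the check is relied on.

```powershell
# Added example, not code from the article. Audits a Windows host for the
# Internet Explorer lockdown settings a Group Policy should have applied by
# reading the policy hive Group Policy writes. The expected values are a
# sample baseline (assumption), not Microsoft's or the article's.

# Security-zone action codes for zone 3 (Internet zone).
# Data values: 0 = enable, 1 = prompt, 3 = disable.
$ZonePolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ZoneExpected = [ordered]@{
    '1004' = 3   # Download unsigned ActiveX controls: disable
    '1001' = 1   # Download signed ActiveX controls: prompt
    '1200' = 1   # Run ActiveX controls and plug-ins: prompt (sample baseline)
    '1400' = 1   # Active scripting: prompt (sample baseline; expect site breakage)
    '1803' = 1   # File download: prompt
}

# Other policy values. EnabledV9 is the IE9 SmartScreen value name (IE8 uses a
# different one); the ActiveXFiltering path is an assumption to verify against
# your ADMX templates.
$OtherExpected = @(
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name  = 'Security_HKLM_only'; Value = 1; Label = 'Zones: use only machine settings' }
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter'
       Name  = 'EnabledV9'; Value = 1; Label = 'SmartScreen Filter on (IE9)' }
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\ActiveXFiltering'
       Name  = 'IsEnabled'; Value = 1; Label = 'ActiveX Filtering on (path assumed)' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value returns $null, which the report treats as
    # "not enforced" rather than as a pass.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-IELockdown {
    foreach ($code in $ZoneExpected.Keys) {
        $actual = Get-PolicyValue -Path $ZonePolicy -Name $code
        [pscustomobject]@{
            Setting   = "Internet zone action $code"
            Expected  = $ZoneExpected[$code]
            Actual    = $actual
            Compliant = ($actual -eq $ZoneExpected[$code])
        }
    }
    foreach ($s in $OtherExpected) {
        $actual = Get-PolicyValue -Path $s.Path -Name $s.Name
        [pscustomobject]@{
            Setting   = $s.Label
            Expected  = $s.Value
            Actual    = $actual
            Compliant = ($actual -eq $s.Value)
        }
    }
}

Test-IELockdown | Format-Table Setting, Expected, Actual, Compliant -AutoSize
```

An `Actual` column that is empty means the policy value was never written to the machine, which usually points at a Group Policy that is not linked, filtered out, or not yet refreshed (`gpresult` will show which), rather than at a user who changed the setting. Reading the policy hive rather than the user's own Internet Settings keys is the point: the policy hive is what Group Policy enforces, and the user hive is what the user could alter if the lockdown is incomplete.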