
How to harden web browsers against cyberattacks

CSO Online | Nov 7, 2019

Use these techniques to limit attackers’ ability to compromise systems and websites.

So how old are you? Do you remember Netscape Navigator? Do you remember what a dial-up modem sounds like?

It honestly hasn't been that long ago that Netscape Navigator was the only browser that we knew and AltaVista was the only search engine we all used. Now, more than ever, we have multiple browsers we have to worry about, and we have to look to the future where the browser will be more important than the operating system.

Just last week, the Chrome browser came out with patches to fix security issues that were issued in a zero-day warning. As Kaspersky noted in their blog, the attack leveraged a waterhole-style injection on a Korean-language news portal. Malicious JavaScript code was inserted in the main page, which in turn loaded a JavaScript from the remote site. The attack actually determined what browser version and also looked at what operating system the victim was running. It looked for a user agent string and wanted to make sure it was persistent in the operating system by adding a task in the Windows Task Scheduler. By placing malware into the Windows Task Scheduler, they could stay behind and do nefarious things later on.

Now, for highly sensitive machines, you may want to take drastic actions and lock down the browser. Both Chrome and the new browser that Microsoft is working on based on Edge, which uses the Chrome engine, will suffer from increasing attacks and zero days in a targeted manner as we go forward. You'll need to look at your user base and determine if their roles and actions will put them in the crosshairs of an increased risk. Currently, we see Asia as a key target. So you want to act accordingly based on your user population.

In Chrome, you want to select the menu on the far right-hand side, the three dots. Then click on Advanced. Then click on Privacy and security and then look at the Site settings. You want to go down to JavaScript. You want to toggle that section in there where it says Allowed, or you'll want to toggle it off if you want it blocked. Now, in an enterprise setting, you probably want to go down here to add sites and give exceptions. Click on Add and add the site that you want to whitelist and allow to have JavaScript working on. You can even block partial sections of Web sites if you need to.

If you're in an environment that is standardizing on Windows Defender, you may want to consider adding the Windows Defender Browser Protection plug-in provided by Microsoft to your Chrome environment. This browser extension adds the SmartScreen technology to Chrome to allow sites to be pre-scanned before a person goes to the Web site.

Once the plug-in is in place, you can test the extension's protection. You can use the demo page in order to test to see if the plug-in is working. For example, clicking here, you should get the SmartScreen blocking site.

Since Chrome 77, released on October 22nd, Chrome now supports site isolation. It's imperative that you keep any and all browsers installed on any device, phones and tablets, up to date and patched, not only to ensure that you have all the security fixes you need, but also so you're on the receiving end of these new protection technologies. And more and more are coming every day.

This week, in fact, Microsoft is announcing that Edge is ready for testing for business evaluation and urging administrators to download and test it. They've come out with a brand new logo and they're recommending that you go to their download page. Try it out. Review the policy files and group policy setup for Microsoft Edge based on the Chromium engine and give it a shot. The group policy that they're exposing includes allowing you to enable or disable Google Cast, content settings, search providers, extensions, authentication, messaging, password managers, the ability to print or not print, proxy servers, SmartScreen settings, startup home page and new tabs, and additional settings. You'll also be able to control the ability to update Edge independent of the operating system. Currently, Edge offers three different channels: a beta channel, a development channel, as well as a more stable channel. We'll see what channels they provide in the future as they announce more.

Bottom line, if your firm still relies on Internet Explorer enterprise mode to handle internal corporate Web sites, it's time to take a look at the new Edge browser based on Chrome. If you're in the middle of migrating from Windows 7 to Windows 10, also jump on this and look at it instead of the default Edge that you might be looking at already.

I'll also recommend that you go over to the Microsoft Ignite site, where they're having their tech conference this week, and download and look at the videos. Watch keynotes and take a look at the security videos that they'll be posting up next week. They will have lots and lots of content on their security topics. Look for compliance, information, security, identity information and how to see your organization and many more releases of information coming out.

As always, don't forget to go over to the tech talk news over on the YouTube channel for the tech news of the day. This is Susan Bradley for CSO Online. Thank you again. And see you next week.
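
The JavaScript block-with-exceptions setup walked through in the transcript can also be enforced centrally instead of per user in the Settings page. The script below is an added example, not part of the video or of CSO's material; it uses Chrome's `DefaultJavaScriptSetting` and `JavaScriptAllowedForUrls` machine policies, and the site names are constructed placeholders.

```powershell
# Added example: block JavaScript by default in Chrome and allow it only for
# listed sites via machine-level policy keys. Run elevated, on a test machine first.
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Constructed placeholder allowlist; replace with the sites your users need.
$AllowedSites = @('https://intranet.example.com', '[*.]payroll.example.com')

function Set-ChromeJavaScriptPolicy {
    param([string]$Root, [string[]]$Sites)
    # Create the policy key only if missing so other Chrome policies survive.
    if (-not (Test-Path $Root)) { New-Item -Path $Root -Force | Out-Null }
    # DefaultJavaScriptSetting: 1 = allow on all sites, 2 = block on all sites.
    New-ItemProperty -Path $Root -Name 'DefaultJavaScriptSetting' `
        -PropertyType DWord -Value 2 -Force | Out-Null
    # List policies live in a subkey whose values are named 1, 2, 3, ...
    $listKey = Join-Path $Root 'JavaScriptAllowedForUrls'
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey | Out-Null
    for ($i = 0; $i -lt $Sites.Count; $i++) {
        New-ItemProperty -Path $listKey -Name "$($i + 1)" `
            -PropertyType String -Value $Sites[$i] | Out-Null
    }
}

function Test-ChromeJavaScriptPolicy {
    param([string]$Root, [string[]]$Sites)
    # Read back what is actually in the registry and compare with the intent.
    $default = (Get-ItemProperty -Path $Root -ErrorAction SilentlyContinue).DefaultJavaScriptSetting
    $listKey = Join-Path $Root 'JavaScriptAllowedForUrls'
    if (-not (Test-Path $listKey)) { return $false }
    $key    = Get-Item -Path $listKey
    $actual = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    if ($actual.Count -eq 0) { return $false }
    $drift = @(Compare-Object -ReferenceObject $Sites -DifferenceObject $actual)
    return ($default -eq 2) -and ($drift.Count -eq 0)
}

Set-ChromeJavaScriptPolicy -Root $ChromePolicy -Sites $AllowedSites
if (Test-ChromeJavaScriptPolicy -Root $ChromePolicy -Sites $AllowedSites) {
    'JavaScript is blocked by default; allowlist matches.'
} else {
    Write-Warning 'Chrome JavaScript policy does not match the intended state.'
}
```

After Chrome reloads its policies, `chrome://policy` lists both settings, and the JavaScript toggle in Site settings is shown as managed rather than user-editable.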