`For years, we groused about bug-ridden browsers while initiatives to harden them largely fell flat. Then one day, IT woke up to find that the browser is the new OS. Web 2.0 applications use browsers and the public Internet to create interactive interfaces and enable asynchronous collaboration, inside and outside the firewall. Google Chrome is promising to push Web-based operating systems forward, which could let businesses cut costs and infrastructure.
All types of companies are moving toward software as a service at a steady clip--55% of the strategic IT managers responding to our June InformationWeek Analytics Cloud Computing & IT Staffing Survey of 828 IT professionals are using SaaS or plan to. What all that means is, the browser is now your employees' gateway out--and an attacker's gateway in. IT must focus on protecting the browser from compromise without hindering functionality and derailing business initiatives in the process.
If you read "protect the business" as "patch servers, add rules to the firewall, and apply system configurations," you're asking to be breached. Browser-based attacks are a significant challenge, for a few reasons. They're unpredictable. IT doesn't always know where a user will need to go on the Internet, what services need to be accessed, and when. This makes defense by tightly limiting where employees may surf very difficult. User errors are often factors in successful exploits. And attackers are smart and resourceful and frequently compromise seemingly innocuous sites. All the monitoring and training in the world may not make a whit of difference.
What does matter: Putting in place a comprehensive protective strategy that's both proactive and reactive.
What's that? You're having trouble getting funding for the security initiatives already in place, never mind a new program? Then some education is in order, because browser-based attacks are at your doorstep. We've seen real-world examples: The New York Times last September was found to be serving malware through a third-party online advertisement network. The attack against Google in China, nicknamed Operation Aurora, is believed to have utilized a zero-day, or previously unknown, flaw targeting Internet Explorer.
Attacks against, or via, the browser vary in type and sophistication. The most basic simply ask the user to download a malicious file disguised as something legitimate. As users become more savvy, they fall for these attacks less and less. More sophisticated attacks involve directing people to malicious sites through links placed in the comment or advertisement sections of legitimate sites. Once the user visits the malicious site, code is loaded automatically that attempts to exploit security holes in the browser, or a browser plug-in, such as Flash Player. These attacks are called "drive-by downloads," and even wary end users can be fooled.
To read the rest of the article, download a free PDF