For organisations trying to balance web browser security with end user functionality, the cyber security issues affecting browsers are well known.
Nearly three-quarters of the top cyber attacks in 2016 targeted web browsers in drive-by download attacks where a user is tricked into clicking on a malicious pop-up, making browsers one of the biggest sources of security incidents and data breaches in organisations.
While email remains a component of many attacks, it is most often used to deliver URLs which lead to malicious or compromised websites, making the browsers themselves the primary attack vector.
Shift from email to web
As far back as 2013, threat researchers and security vendors noticed primary malware delivery methods were shifting from email-based to web-based. There are two primary reasons for this shift: the time difference between delivery and execution, and differing user experience expectations.
When delivered by email, a malicious attachment may not be opened for minutes, hours, days or longer. This time interval increases the chances of detection.
Conversely, web browsing is time-sensitive. Users do not tolerate delays when accessing online content, for example when downloading and reading a PDF. Since the exploit is often hosted, the attacker is also able to rapidly modify the exploit to evade detection, and can even go so far as to automate such modifications.
Third-party plugins
Third-party browser plugins only make securing browsers more complicated. A well-known example is Adobe Flash Player, which is still widely used for viewing multimedia and streaming video and audio in browsers despite its buggy nature: Flash provided six of the top 10 vulnerabilities used by exploit kits in 2016, according to a study by Recorded Future.
Functionality is always the primary goal of web browser designers and developers of browser plugins. Security, more often than not, is an afterthought.
Browser diversity
Gone are the days of a standard browser with a standard configuration on a standard enterprise-managed version of Windows. Not only are there multiple browser types, operating systems and plugins, but old versions of browsers are still required for compatibility in some cases, with Internet Explorer 7 persisting in many enterprises.
Asking one browser configuration to support all use cases and security requirements is a losing battle that compromises user experience, support and security.
The browser at the endpoint must be secure enough to protect the user, endpoint, enterprise and sensitive data. But at the same time, the reality is that the approach has to be flexible enough to support the competing demands of user experience and security control.
With 90% of undetected malware being delivered via web browsing, it is clear that attackers will continue to be relentless in their attempts to compromise organisations by targeting end user systems according to a whitepaper from Citrix.
Whether the attack is delivered by email or hosted on a website, ultimately the goal is to exploit a vulnerability in an application to gain a foothold on the target system. Leveraging vulnerabilities in web browsers and plugins is increasingly the favoured attack vector, and organisations should be aware of the options available to fully secure browsers.
