In-depth

Three reasons why browsers are so difficult to secure

Over 70% of cyber attacks target web browsers. Here's why they're so difficult to secure

For organisations trying to balance web browser security with end user functionality, the cyber security issues affecting browsers are well known.

Nearly three-quarters of the top cyber attacks in 2016 targeted web browsers in drive-by download attacks where a user is tricked into clicking on a malicious pop-up, making browsers one of the biggest sources of security incidents and data breaches in organisations.

While email remains a component of many attacks, it is most often used to deliver URLs which lead to malicious or compromised websites, making the browsers themselves the primary attack vector.

Shift from email to web

As far back as 2013, threat researchers and security vendors noticed primary malware delivery methods were shifting from email-based to web-based. There are two primary reasons for this shift: the time difference between delivery and execution, and differing user experience expectations.

Advertisement
Advertisement - Article continues below

When delivered by email, a malicious attachment may not be opened for minutes, hours, days or longer. This time interval increases the chances of detection.

Conversely, web browsing is time-sensitive. Users do not tolerate delays when accessing online content, for example when downloading and reading a PDF. Since the exploit is often hosted, the attacker is also able to rapidly modify the exploit to evade detection, and can even go so far as to automate such modifications.

Third-party plugins

Third-party browser plugins only make securing browsers more complicated. A well-known example is Adobe Flash Player, which is still widely used for viewing multimedia and streaming video and audio in browsers despite its buggy nature: Flash provided six of the top 10 vulnerabilities used by exploit kits in 2016, according to a study by Recorded Future.

Functionality is always the primary goal of web browser designers and developers of browser plugins. Security, more often than not, is an afterthought.

Browser diversity

Gone are the days of a standard browser with a standard configuration on a standard enterprise-managed version of Windows. Not only are there multiple browser types, operating systems and plugins, but old versions of browsers are still required for compatibility in some cases, with Internet Explorer 7 persisting in many enterprises.

Asking one browser configuration to support all use cases and security requirements is a losing battle that compromises user experience, support and security.

The browser at the endpoint must be secure enough to protect the user, endpoint, enterprise and sensitive data. But at the same time, the reality is that the approach has to be flexible enough to support the competing demands of user experience and security control.

With 90% of undetected malware being delivered via web browsing, it is clear that attackers will continue to be relentless in their attempts to compromise organisations by targeting end user systems according to a whitepaper from Citrix.

Whether the attack is delivered by email or hosted on a website, ultimately the goal is to exploit a vulnerability in an application to gain a foothold on the target system. Leveraging vulnerabilities in web browsers and plugins is increasingly the favoured attack vector, and organisations should be aware of the options available to fully secure browsers.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

8 Mar 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/business/business-strategy/354252/huawei-takes-the-us-trade-sanctions-into-its-own-hands
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/mobile/mobile-phones/354273/pablo-escobars-brother-launches-budget-foldable-phone
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019