Browser Security Checklist

Security stakeholders have come to realize that the prominent
role the browser has in the modern corporate environment requires a
re-evaluation of how it is managed and protected. Not long ago,
web-borne risks were still addressed by a patchwork of endpoint,
network, and cloud solutions, but it is now clear that the
partial protection these solutions provided is no longer
sufficient. Therefore, more and more security teams are now turning
to the emerging category of the purpose-built Browser Security
Platform as the answer to the browser’s security challenges.

However, as this security solution category is still relatively
new, there is not yet an established set of browser security best
practices, nor common evaluation criteria. LayerX, the User-First
Browser Security Platform, is addressing security teams’ need with
the downloadable Browser Security Checklist[1], which
guides its readers through the essentials of choosing the best
solution and provides them with an actionable checklist to use
during the evaluation process.

The Browser is The Most Important Work Interface and the Most
Targeted Attack Surface

The browser has become the core workspace in the modern
enterprise. On top of being the gateway to sanctioned SaaS apps and
other non-corporate web destinations, the browser is the
intersection point between cloud/web environments and physical or
virtual endpoints. This makes the browser both a target for
multiple types of attacks and a potential source of
unintentional data leakage.

Some of these attacks have been around for more than a decade:
exploitation of browser vulnerabilities or drive-by download of
malicious files, for example. Others have gained recent momentum
alongside the steep rise in SaaS adoption, like social engineering
users with phishing webpages. Yet others leverage the evolution in
web page technology to launch sophisticated and hard-to-detect
modifications and abuse of browser features to capture and
exfiltrate sensitive data.

Browser Security 101 – What is It That We Need to Protect?

Browser security can be divided into two different groups:
prevention of unintended data exposure and protection against
various types of malicious activity.

From the data protection aspect, such a
platform enforces policies that ensure sensitive corporate data is
not shared or downloaded in an insecure manner from sanctioned
apps, nor uploaded from managed devices to non-corporate web
destinations.

From the threat protection aspect, such a
platform detects and prevents three types of attacks:

  • Attacks that target the browser itself, with the purpose of
    compromising the host device or the data that resides within the
    browser application itself, such as cookies, passwords, and
    others.
  • Attacks that utilize the browser via compromised credentials to
    access corporate data that resides in both sanctioned and
    unsanctioned SaaS applications.
  • Attacks that leverage the modern web page as an attack vector
    to target users’ passwords, via a wide range of phishing methods or
    through malicious modification of browser features.

How to Choose the Right Solution

What should you focus on when choosing the browser security
solution for your environment? What are the practical implications
of the differences between the various offerings? How should
deployment methods, the solution’s architecture, or user privacy be
weighed in the overall consideration? How should threats and risks
be prioritized?

As we’ve said before – unlike with other security solutions, you
can’t just ping one of your peers and ask what he or she is doing.
Browser security is new, and the wisdom of the crowd is yet to be
formed. In fact, there’s an excellent chance that your peers are
now struggling with the very same questions you are.

The Definitive Browser Security Platform Checklist – What it is
and How to Use It

The checklist (download it here[2]) breaks down the
high-level ‘browser security’ headline into small, digestible
chunks of the concrete needs that must be addressed. These are
brought to the reader in five pillars – deployment, user
experience, security functionalities and user privacy. For each
pillar there is a short description of its browser context and a
more detailed explanation of its capabilities.

The most significant pillar, in terms of scope, is of course
the security functionalities one, which is divided into five
sub-sections. Since, in most cases, this pillar would be the
initial driver for pursuing a browser security platform in the
first place, it’s worth going over them in more detail:

Browser Security Deep Dive

The need for a browser security platform typically arises from
one of the following:

Attack Surface Management: Proactive
reduction of the browser’s exposure to various types of threats,
eliminating adversaries’ ability to carry them out.

Zero Trust Access: Hardening the
authentication requirements to ensure that the username and
password were indeed provided by the legitimate user and were not
compromised.

SaaS Monitoring and Protection: 360°
visibility into all users’ activity and data usage within
sanctioned and unsanctioned apps, as well as other non-corporate
web destinations, while safeguarding corporate data from compromise
or loss.

Protection Against Malicious Web Pages: Real-time detection and
prevention of all the malicious tactics adversaries embed in the
modern web page, including credential phishing, downloading of
malicious files and data theft.

Secure 3rd Party Access and BYOD:
Enablement of secure access to corporate web resources from
unmanaged devices of both the internal workforce as well as
external contractors and service providers.

This list enables anyone to easily identify the objective for
their browser security platform search and find out the required
capabilities for fulfilling it.

The Checklist – A Straightforward Evaluation Shortcut

The most important and actionable part of the guide is the
concluding checklist, which provides, for the first time, a concise
summary of all the essential capabilities a browser security
platform should provide. This checklist makes the evaluation
process easier than ever. All you have to do now is test the
solutions you’ve shortlisted against it and see which one scores
the highest. Once you have all of them lined up, you can make an
informed decision based on the needs of your environment, as you
understand them.

Download the checklist here[3].


References

  1. Browser Security Checklist (go.layerxsecurity.com)
  2. download it here (go.layerxsecurity.com)
  3. here (go.layerxsecurity.com)
  4. Twitter (twitter.com)
  5. LinkedIn (www.linkedin.com)
