Browser security continues to be an absolutely vital part of providing safety and privacy to end-users and their systems. Browser-based attacks are easily the most common threat on the Internet today. Attacks range from old-style traditional exploits like buffer overflows to modern, sophisticated attacks like Active-X injection, drive-by downloads of malware, and exploitation of cross-site scripting and other web application issues to steal user credentials or even install arbitrary code. Users want Web 2.0 features and often choose performance and user-friendly functionality over safety and privacy.
Here are a few tips for end-users to make their browsers as secure as possible.
1. Keep your browser up to date.
This is the easiest of all the steps. It is also the one that removes the easiest of exploits from the attacker’s arsenal. Keep your browser up to date. Updates are issued periodically by all the major browser programmers and often close a number of known security issues. Many of the browsers have built-in auto-update capabilities, so if your browser has this, make sure it is turned on. If you are a user of Internet Explorer, the updates are delivered as a part of the regular Windows Update process. This can be configured to automatically execute as well. Modify your current settings using the same Control Panel interface as the firewall configuration.
2. Harden your browser against common attacks.
This is a very powerful process as well. It will make you safer by an exponential amount. However, the side effect will be that some web sites may not work properly. Generally though, there is a fantastic guide to making these configuration changes here. It was created by CERT and walks users through browser hardening, step by step. Follow their instructions and you will get a much safer browsing experience.
3. Be aware of social engineering tactics.
Even if you do follow the other two steps, social engineering will still be a possibility. Attackers use social engineering to trick users into doing things that they should not do, like opening a file, divulging their passwords, etc. You should always remain aware of social engineering tactics and strategies. Many of them are covered in the definition page linked above. Another good place to keep current on emerging social engineering attacks is the SANS incident center. They routinely cover emerging threats against both corporate and end-user systems.
So, there you have it. Three tips that, once enacted and followed, will make browser security a much more attainable process.
This month, we decided to share with you resources that can help you better prepare your organization for the H1N1 Virus. They are:
Protecting Your Business in a Pandemic: Plans, Tools, and Advice for Maintaining Business Continuity by Geary W. Sikich.
Pandemic Influenza Planning: A Step-by-Step Guide For Businesses and Local Governments by Vernon Dorisson
Tamiflu® Office Preparation for Influenza Season
Tamiflu® Flu Tracker
Centers for Disease Control and Prevention: 2009 H1N1 Flu
CDC: Novel H1N1 Flu (Swine Flu) and You
Association of American Family Physicians: Preparing Your Office for an Infectious Disease Epidemic
HR Issues and Answers: Preparing Your Workplace for an Influenza Pandemic
Most of these articles emphasize the same thing: create a plan for employees who will be absent due to illness, avoid getting sick by using caution and appropriate measures, and, if infected, stay home and avoid contact with others.
If you have a supervisory role, you may want to review your staff’s responsibilities individually, especially those who are the only ones who know how to complete a task, such as rebooting the server or opening a locked area. A little cross-training could save you any confusion down the road.
Having just read this article, and participated in several discussions around Pandemic Planning, I am of the belief that folks might want to consider mandatory 10 day sick times/work from home times for H1N1 infected employees.
Research shows that infected folks may be contagious for up to 10 days from the onset of their symptoms, even after they “feel better”. The problem with this is that as they “feel better” they may return to work or school, thus exposing others to the virus, albeit inadvertently. Many people simply think that if they “feel better”, then they must be over the infection and not contagious anymore.
So, as you consider your pandemic plans, please think about the idea of a 10 day work from home program or the like for folks that are symptomatic. Explanation and education of folks carrying the virus can only help, so take the time to explain this cycle to your team.
Thanks for reading and please let us know if you have any questions about pandemic planning or remote working issues. My team and I have been doing quite a bit of consulting lately reviewing pandemic plans and helping organizations make sure that they are prepared and that their remote access systems are robust enough to handle the load and secure enough to be trusted. If we can be of any help to your organization along these lines, please do not hesitate to call or drop us a line!
[IN]SECURE Magazine, the fresh and innovative online magazine from Help Net Security (HNS), features a great article from Brent Huston, “How ‘Fake Stuff’ Can Make You More Secure.” Brent presents a compelling reason why organizations would benefit from utilizing honeypot techniques to protect their data.
You may download the article here.
Help Net Security is an online portal that covers all the major information security happenings. The portal has been online since 1998 and caters to a large number of Information Technology readers specifically interested in computer security. For the entire September issue of [IN]SECURE Magazine, you can download it here. Great reading!