Browser security continues to be an absolutely vital part of providing safety and privacy to end-users and their systems. Browser-based attacks are easily the most common threat on the Internet today. Attacks range from old-style traditional exploits like buffer-overflows to modern, sophisticated attacks like Active-X injection, drive-by downloads of malware and exploitation of cross-site scripting attacks and other web applications issues to steal user credentials or even install arbitrary code. Recent attacks against huge numbers of sites have even made strategies such as only visiting sites “you know and trust” inadequate to ensure security. Today, all sites are targeted and even huge sites with common household names have been exploited and used for illicit activities.
Obviously, our dependence on the web grows with each passing day. Web 2.0 features and capabilities have also made strategies like disallowing all client-side scripts an impossibility for most users – even though this increases safety logarithmically. Users today want those features, bells and whistles that they have become accustomed to, and as usual, they will choose performance and ease of use over safety and privacy. So, that said, we wanted to put together a quick list of some ways for end-users to make their browsers as secure as possible. These are the basics, and some of these steps may interfere with some site operations (especially number 2), but we hope that users will adopt at least some of these suggestions to better protect themselves online.
1. Keep your browser up to date.
This is the easiest of all of the steps. However, it is also the one that removes the easiest of exploits from the attacker’s arsenal. Attackers are very good at exploiting known, public, well documented vulnerabilities – so the more of them your browser is vulnerable to, the easier it is for them to compromise your system. Combatting this is very very easy, simply keep your browser up to date. Browser updates are issued periodically by all of the major browser programmers and they often close a number of known security issues in each release. To help with this, many of the browsers have even begun to build in auto-update capabilities – so if your browser has this, make sure it is turned on. If you are a user of Internet Explorer, the updates are delivered as a part of the regular Windows Update process. This can be configured to automatically execute as well. Modify your current settings using the same Control Panel interface as the firewall configuration.
2. Harden your browser against common attacks.
This is a very powerful process as well. It will make you safer by an exponential amount. However, the side effect will be that some web sites may not work properly. You will have to tune and tweak these settings as needed to create your personal balance between risk and usability. This will obviously vary by your specific lifestyle online and your level of risk tolerance. Generally though, there is a fantastic guide to making these configuration changes here. It was created by CERT and walks users through browser hardening, step by step. Follow their instructions and you will get a much safer browsing experience.
3. Be aware of social engineering tactics.
Even if you do follow the other two steps, social engineering will still be a possibility. Attackers use social engineering to trick users into doing things that they should not do, like opening a file, divulging their passwords, etc. You should always remain aware of social engineering tactics and strategies. Many of them are covered in the definition page linked above. Another good place to keep current on emerging social engineering attacks he the SANS incident center. They routinely cover emerging threats against both corporate and end-user systems.
So, there you have it. Three tips, that once enacted and followed, make browser security a much more attainable process. Of course, like with most security undertakings, you have to periodically update them, ensure your settings remain as you desire and keep aware of new changes – but these three steps make it much easier for even basic users to be a bit safer online.