Best Practices for Managing Browser Extensions in a Corporate Environment


In a world where efficiency is king, browser extensions have become the unsung heroes of productivity in corporate landscapes. These small software programs tailor browsing experiences to specific workflow needs, often becoming indispensable tools for employees. But this seemingly innocuous convenience can come with a hidden price: security.

In the delicate balance of utility and safety, IT departments are tasked with the crucial role of gatekeeping. They must rigorously vet and manage these extensions to avoid transforming productivity boosters into security liabilities. The challenge lies in crafting policies that protect without stifling innovation.

This article serves as a compass to navigate the complex terrain of browser extensions in a corporate environment. From understanding their significance to implementing stringent security protocols, identifying the risks of harmful add-ons, and ensuring continuous updates—every aspect converges on fortifying a company’s digital defenses while maintaining operational dexterity.

Why Browser Extensions are Important in a Corporate Environment

In today’s digital age, the importance of managing browser extensions in a corporate environment cannot be overstated. With the increasing sophistication of cyber threats, organizations face a range of risks from extensions, including malware propagation, data leaks, and exploitation of security flaws in the browser itself. By managing browser extensions meticulously, enterprises can ensure that only trusted and vetted extensions are deployed within their networks, significantly reducing the likelihood of a security lapse.

Effective browser extension management tools are indispensable for enterprises aiming to govern the proliferation of these add-ons. Such tools grant the capability to restrict the distribution of non-compliant extensions and hinder the installation of those that may be outdated or malicious. Additionally, in bolstering the enterprise’s security posture, well-chosen and governed extensions can also play a pivotal role in augmenting productivity and improving workplace efficiency.

Indisputably, implementing a robust browser extension management strategy is a critical step towards safeguarding sensitive information, barricading unauthorized access attempts, and preserving a secure browsing experience for all users within the organizational framework.

Enhancing productivity and functionality

Managed well, browser extensions are also instrumental in elevating productivity and functionality in the workplace. Take, for example, extensions like Gorgias that can significantly expedite email communication. By facilitating the creation of templates and keyboard shortcuts for common responses, employees can cut response times considerably, thereby enhancing overall efficiency.

Moreover, the ability to customize keyboard shortcuts enables users to summon frequently employed phrases and templates at the press of a button, making repetitive tasks less time-consuming. Employing enterprise-grade browsers that offer enhanced control over unauthorized installs can further amplify security, consequently affording an environment where productivity tools are leveraged to their full potential without compromise.

To ensure the utmost safety and functionality, a thorough inspection of these extensions with specialized tools is essential. As such, only extensions that withstand rigorous safety checks become part of the workspace, cleanly integrating into the overall workflow without introducing security concerns.

Addressing specific business needs

Browser extension management transcends routine workflow optimization—it is a cornerstone for upholding stringent security and compliance standards within the enterprise. Leveraging a dedicated browser extension management tool is the linchpin in mitigating the risk presented by treacherous extensions that could threaten the organizational network’s integrity.

Products like Browser Security Plus let IT administrators orchestrate the distribution of approved extensions while blocking those classified as malicious, which substantially narrows the attack surface the browser exposes. Moreover, enterprise browsers, tailor-made for corporate demands, come with reinforced security features and sophisticated management abilities, striking a workable balance between functionality and security.

Centralized management of enterprise browsers via platforms such as Chrome Browser Cloud Management or Unified Endpoint Management systems allows IT teams to enforce security policies, gain visibility into security events, and monitor browsing activities. This proactive stance on management ensures that the enterprise’s browsing ecosystem remains in lockstep with its larger security framework, all while adapting to the specific needs of the business.

Security Policies for Browser Extensions

In the contemporary digital workspace, enterprises need to be vigilant against security threats that continuously evolve in sophistication. One integral layer of defense comes from implementing rigorous security policies for browser extensions. These policies serve as a bulwark against malware, phishing attacks, and potential data loss, enabling an enterprise to maintain a secure browsing environment.

Security-focused browser extensions proactively manage risk by offering a suite of features including content and URL filtering, safe-browsing prompts, and protection from inbound malicious content. Furthermore, by exposing governance capabilities with varied policy settings, they let organizations fine-tune control over the browsing experience, tailoring security measures to the enterprise’s needs.

Having clear delineations of permissible actions, authentication requirements for particular operations, and rigorous control over sensitive data access are critical facets of enforcing these security policies. Such measures ultimately prevent unauthorized behavior, thus protecting the systems and data of an organization from the myriad of threats lurking within the digital realm.

Developing and enforcing strict security policies

The development and enforcement of stringent security policies revolve around detailed rule-making that governs browser extension use. By establishing policies, organizations can block access to certain websites, regulate the installation of plugins, and define user permissions. Such governance aligns security determinations with organizational requirements, paving the way to create a harmonized and secure browsing infrastructure.

These policies can be fine-grained to cater to an enterprise’s specific security and compliance mandates, ranging from mandatory extensions to those that are strictly forbidden. Enforcing these policies calls for a blend of restrictive measures, vigilant endpoint monitoring, real-time administrative controls, and robust agent-based web filters to enforce website blocklists and ensure compliance.

To bolster security efforts, these policies must be supplemented with malware and phishing protections that use automated, often machine-learning-based, threat detection. Such technology provides real-time threat analysis and steers users away from potential risks, ensuring workplace browsing is a safe and regulated activity.

Defining acceptable and prohibited extensions

When it comes to regulating extensions, defining what is acceptable and what is not is paramount to maintaining security integrity. Acceptable extensions should align with business needs and pass through critical evaluation for safety before being sanctioned for use. Conversely, enterprises must be unwavering in prohibiting extensions that pose any risk of accessing and compromising sensitive corporate data.

Enforcing an effective extension policy requires not only blocking installations of unauthorized add-ons but also managing the permissions assigned to the extensions in use. By regulating these permissions, enterprises can control how far an extension can reach into the device and into the web content it sees, hence mitigating vulnerabilities.

Moreover, there must be strict controls to curb the proliferation of unnecessary administrative privileges. This minimizes the risk associated with compromised high-privilege accounts which could otherwise serve as gateways for security breaches.

Table 1: Extension Management Policy Guidelines

| Policy Aspect | Description | Examples |
|---|---|---|
| Acceptable Extensions | Vetted for alignment with business goals and safety | Password managers, VPN clients, productivity tools |
| Prohibited Extensions | Pose a risk of unauthorized access to data | Unvetted social media plugins, tools from unknown developers |
| Permissions Management | Control over how far an extension can reach into the device and web content | Limiting read/write access to specific sites or data |
| Admin Privilege Limitation | Prevention of excess high-privilege accounts | Enforcing the principle of least privilege |

Enforcing these policies with diligence ensures that enterprises can maintain a secure and productive browsing environment that contributes to their overall success.

Risks Posed by Malicious Extensions

In the digital workplace, the integration of browser and email plugins can streamline workflows and enhance efficiency. However, these tools also introduce significant security risks to the enterprise when malicious extensions enter the network. Malicious actors exploit browser extensions to carry out a range of harmful activities. They can automate clicking on pay-per-click ads for financial gains, collect sensitive user data without consent, and more alarmingly, intercept messages – including those from platforms like Gmail. There have been notable instances, such as a counterfeit ChatGPT extension, crafted to hijack Facebook accounts, showing how the semblance of legitimacy can mask a rogue extension’s true intent.

Because browser extension marketplaces screen submissions only so thoroughly, the gatekeeping of such plugins is often inadequate, leaving the door open to those with malicious intentions. This laxity in oversight can lead to enterprise networks being hit with spam delivery, unauthorized capture of user input, and injection of harmful code directly through the browser. These risks underscore the need to exercise extreme caution and implement preemptive measures against hazardous browser plugins and extensions.

Not only can these extensions steal information like login credentials, but they can also harbor code-level vulnerabilities including bugs or outdated elements that can jeopardize the very integrity of the browsers and create security loopholes. In a preventative vein, enterprises can layer their security protocols with both technological and behavioral controls. This might involve barring employees from installing any extensions on business-operated devices and promoting the use of managed enterprise browsers to reduce exposure to such threats.

Understanding the potential security threats

Malicious browser extensions pose an array of potential risks that can compromise an organization’s security posture. Extensions that are poorly coded or have not been updated to patch known flaws become weak points through which attackers can launch their exploits. For instance, malicious entities can repurpose genuine extensions, creating counterfeit duplicates to deceive users. The repercussions of such deceptions range from the dissemination of spam to more dire consequences such as financial fraud.

With broad permissions in place, harmful extensions are well-placed to conduct undercover operations such as clicking on pay-per-click ads for profit, snooping on private user data, intercepting personal and professional communications, and carrying out account takeovers. These capabilities grant malicious extensions the potential to carry out espionage, fraud, and extortion.

Moreover, distinguishing safe from unsafe extensions is daunting due to the sheer number available. This challenge highlights the paramount importance of adopting a steadfast and proactive attitude toward cybersecurity. Organizations must not only rely on the utility and convenience that extensions provide but also remain acutely aware of the embedded risks they carry.

Identifying indicators of malicious extensions

To vigilantly combat the infiltration of malicious browser extensions, it is crucial to recognize their indicators. Such extensions often operate covertly, engaging in activities like secret clicks on monetized ads, wholesale collection of user data, interception of private communications such as Gmail, and unauthorized control over social media accounts.

Cybercriminals exploit these tools to gain detailed insights into users’ browsing patterns, pilfer account credentials, and harvest Personally Identifiable Information (PII). Notable examples include the Grandoreiro and Mispadu banking trojans and the Kimsuky threat group, all of which have used malicious browser extensions to facilitate data theft.

To deflect these security threats, enterprises must rigorously audit their systems to ensure all installed extensions are legitimate and do not harbor malicious intent. Instituting a browser extension allowlist (or, less restrictively, a denylist) acts as a proactive execution-prevention measure, effectively mitigating the risks associated with these potentially harmful plugins. A consistent review process and the ongoing education of employees about the dangers of unsanctioned extensions further fortify an organization’s defenses against these hidden dangers.

Table 2: Indicators of Malicious Extensions

| Indicator | Description |
|---|---|
| Unusual Browser Behavior | Unexpected pop-ups or redirects to unknown sites |
| Unauthorized Ad Clicking | High ad activity without user interaction |
| Data Collection Anomalies | Spike in network traffic indicating data exfiltration |
| Account Irregularities | Unauthorized account access or messages sent |
| Extension Source Verification | Extensions not from verified developers or official stores |

By maintaining persistent vigilance and implementing strict control measures, enterprises can safeguard their digital environments from the pernicious effects of malicious extensions, thereby preserving their operational integrity and their stakeholders’ trust.
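The audit described above can be automated. The following Python script is an added example, not code from the original article or from any vendor product: it runs an allowlist check, a Web-Store-origin check, a permission-risk check and an ID-versus-key consistency check over a constructed extension inventory. The inventory is shaped loosely like the `extensions.settings` map in Chrome’s `Secure Preferences` file, but every ID, name and key in it is made up, and the `HIGH_RISK_PERMISSIONS` set is an assumed baseline rather than anything Chrome defines. The ID derivation (SHA-256 of the DER public key, first 16 bytes written as letters a to p) is how Chrome assigns extension IDs, which is why a repackaged clone cannot squat on an allowlisted ID.

```python
"""Audit a browser's installed extensions against an allowlist.

Added example, not code from the original article or from any vendor tool.
The inventory below is a constructed sample shaped loosely like the
``extensions.settings`` map in Chrome's ``Secure Preferences`` file; the
extension IDs, names and key material are made up.
"""
import base64
import hashlib

# Permissions that give an extension reach far beyond one site. The set is
# an assumption for this example; tune it to the organisation's risk appetite.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "cookies", "history",
    "nativeMessaging", "debugger", "proxy", "clipboardRead",
}


def extension_id_from_key(key_b64: str) -> str:
    """Derive a Chrome extension ID from the manifest's base64 ``key`` field.

    Chrome hashes the DER-encoded public key with SHA-256, keeps the first
    16 bytes and writes each hex digit as a letter from a to p. The ID is
    therefore bound to the publisher's key: a clone repackaged under another
    key gets a different ID, and an inventory record whose ID does not match
    its key has been tampered with.
    """
    der = base64.b64decode(key_b64)
    digest = hashlib.sha256(der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(ch, 16)) for ch in digest)


def audit_extension(ext_id: str, entry: dict, allowlist: set) -> list:
    """Return the findings for one installed extension (empty list = clean)."""
    findings = []
    manifest = entry.get("manifest", {})
    if ext_id not in allowlist:
        findings.append("not on the allowlist")
    if not entry.get("from_webstore", False):
        findings.append("not installed from the Web Store")
    key = manifest.get("key")
    if key and extension_id_from_key(key) != ext_id:
        findings.append("ID does not match the manifest key")
    # Manifest V3 splits API permissions and host permissions; check both.
    granted = set(manifest.get("permissions", []))
    granted |= set(manifest.get("host_permissions", []))
    risky = sorted(granted & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    return findings


def audit_inventory(inventory: dict, allowlist: set) -> dict:
    """Map every installed extension ID to its findings."""
    return {ext_id: audit_extension(ext_id, entry, allowlist)
            for ext_id, entry in inventory.items()}


# Constructed keys: real manifests carry a base64 DER SubjectPublicKeyInfo,
# but for deriving the ID only the raw bytes matter.
SAMPLE_KEY = base64.b64encode(b"constructed key bytes, not a real SPKI").decode()
SAMPLE_ID = extension_id_from_key(SAMPLE_KEY)
CLONE_KEY = base64.b64encode(b"a different constructed key, also fake").decode()
CLONE_ID = extension_id_from_key(CLONE_KEY)

SAMPLE_INVENTORY = {
    # The sanctioned password manager, installed from the Web Store.
    SAMPLE_ID: {
        "from_webstore": True,
        "manifest": {
            "name": "Corp Password Manager", "key": SAMPLE_KEY,
            "permissions": ["storage", "activeTab"],
            "host_permissions": ["https://vault.example.com/*"],
        },
    },
    # A sideloaded look-alike: same display name, its own key, broad reach.
    CLONE_ID: {
        "from_webstore": False,
        "manifest": {
            "name": "Corp Password Manager", "key": CLONE_KEY,
            "permissions": ["cookies", "webRequest", "storage"],
            "host_permissions": ["<all_urls>"],
        },
    },
}
ALLOWLIST = {SAMPLE_ID}

if __name__ == "__main__":
    for ext_id, findings in audit_inventory(SAMPLE_INVENTORY, ALLOWLIST).items():
        status = "OK" if not findings else "FLAGGED: " + "; ".join(findings)
        print(f"{ext_id}  {status}")
```

Run against a real endpoint, the inventory would be read from each browser profile’s preferences file and the findings shipped to the SIEM; the name-collision case above is exactly the counterfeit-duplicate pattern described earlier, and it is the permission set and the install source, not the display name, that give it away.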

Importance of Security Patches and Updates

In today’s fast-paced digital environment, the importance of security patches and updates cannot be overstated. With cyber threats constantly evolving, enterprises must remain vigilant by utilizing a comprehensive array of defensive measures. Web browsing proxies, content filtering, and email scanners are just some of the tools that can detect and thwart web threats before they ever reach user browsers. Browser security solutions serve as a crucial layer of defense, helping to close the gaps that malicious entities may exploit.

Notably, the implementation of automated patch management systems is central to maintaining the security perimeter. These systems ensure that browsers, operating systems, and all related software are up-to-date, minimizing the opportunities for cyber attackers to exploit known vulnerabilities. Regularly updating security patches and refining software versions add significant strength to the organization’s protection against the sophisticated and continuously evolving threats present in today’s browsing environment.

Furthermore, managing the array of extensions employees use is integral to maintaining a secure enterprise. Strict policies for managing these add-ons coupled with meticulous review processes can significantly enhance an organization’s security posture while also contributing to a more robust and streamlined user experience.

Table 3: Security Measures Enabled by Patches and Updates

| Measure | Description |
|---|---|
| Web Threat Detection | Identifies potential threats through web browsing proxies and content filters |
| Automated Patching | Streamlines the process of updating software to address security vulnerabilities |
| Extension Management | Reviews and regulates browser and email plugins to prevent unauthorized activities |
| Employee Training | Educates staff on threat recognition and avoidance techniques |
| Continuous Monitoring | Ensures all systems and applications stay secure with the latest protective measures |

By following these practices, organizations can erect robust defenses against malicious activities, ensuring the continuity of their operations and the protection of sensitive data.

Staying up-to-date with the latest security patches

Amid an ever-changing cyber threat landscape, staying current with the latest security patches is a fundamental aspect of any robust cybersecurity strategy. Automated patching is indispensable because it moves browsers and operating systems to the latest, most secure versions promptly and without relying on users to act. An automated approach to patch management ensures continuous protection against known vulnerabilities, making it a cornerstone of organizational security.

Security patches act as a critical defense mechanism to address exploitable flaws that could otherwise lead to data breaches or system intrusions. Consequently, a comprehensive patch management policy is vital for safeguarding networked hardware and software from these risks. Furthermore, the use of web browsing proxies and content filtering complements these efforts by proactively preventing threats from compromising user browsers.

Organizations must pair technical measures with human-centric strategies to fully fortify their security. This involves deploying regular training programs aimed at equipping employees with the skills to recognize and circumvent phishing attacks and other social engineering tactics. By merging these components, enterprises can create a multi-layered defensive infrastructure poised to counteract various cybersecurity challenges.

Implementing regular updates for enhanced security

Implementing regular updates is fundamental for maintaining an airtight security shield within an organization. Tools like Browser Security Plus monitor and promptly identify outdated plug-ins, which are common vectors for security breaches. In a corporate setting, where the stakes are invariably high, efficiently managing add-ons is a priority for upholding browser security.

Security solutions such as Symantec Endpoint Protection play a key role in equipping businesses with the capabilities to roll out fast and automatic updates. This agility is especially critical in the face of zero-day vulnerabilities, which require immediate attention to prevent exploitation. In the context of Chrome browser extensions, keeping them up-to-date is widely recognized as a best practice for enterprise security.

In managing browser extensions, enterprises can benefit from a range of strategies, such as the ability to block, enforce installation, or allow employee requests for extensions. These measures enhance overall browser security by giving organizations greater control over which extensions are permitted and ensuring that all permitted extensions are current and secure.

By embracing regular updates, businesses can significantly solidify their security stance. This proactivity not only mitigates risk but also instills confidence among stakeholders that their data and systems are well-protected against emerging threats.

Enhancing Security Posture with Proper Visibility

In an era where cybersecurity threats loom large, the importance of enhancing an organization’s security posture cannot be overstated. Proper visibility into user activities and system configurations is paramount to identifying threats and mitigating risks before they evolve into full-blown security incidents.

One of the first steps towards enhancing browser security is to track user activities including visited websites, downloaded files, and clicked links, within the limits of applicable privacy law and the organization’s acceptable-use policy. This monitoring helps pinpoint potential threats and unusual behavior that may otherwise go unnoticed. Leveraging tools and services that provide real-time alerts and reports on these activities can significantly strengthen an enterprise’s defense mechanisms.

Gaining Insight into Security Events and Incidents

Visibility into security events and incidents is crucial for browser security management. By monitoring browser activities and configurations, IT administrators can gain valuable insights that inform the overall security strategy. It’s vital to track incidents such as password reuse, unsafe site visitations, and malware interactions. Identifying these events promptly allows for quick intervention and resolution, keeping the potential impact at a minimum.

Insights into security events can also stem from managing and tracking the extension inventory and changes to extension controls. Approval workflows for browser extensions are essential in mitigating risks related to the permissions and capabilities granted to them. Additionally, comprehensive reporting of browser usage data, including browser versions, settings, and device information, plays a critical role in the analysis of security incidents.

Implementing Tools for Monitoring Extension Behavior

Tools like Browser Security Plus serve as an indispensable asset in monitoring the behavior of browser extensions. By distinguishing between signed and unsigned plugins, it offers a baseline assessment of the trustworthiness and safety of these components. Monitoring the permissions used by each extension sheds light on potential data security risks and helps enforce strict control over which functionalities are necessary and safe.

To effectively monitor extension behavior, IT administrators can employ tools that track not just website visits and file downloads but also detect modifications to browser settings. Watching for indicators of suspicious behavior, such as newly created files, unexpected network connections, processes, and registry key changes, is critical for holistic browser security. Before the enterprise-wide rollout, each browser extension or plugin must undergo a thorough inspection to certify its safety and reliability, thereby protecting the integrity of enterprise data and assets.

With these measures in place, organizations can significantly enhance their security posture by ensuring proper visibility and control over browser and email plugin activities within the enterprise.

Table 4: Tools and Strategies for Monitoring and Gaining Visibility

| Tool/Strategy | Purpose | Benefit |
|---|---|---|
| Real-time User Activity Monitoring | Tracks websites visited, downloads, and link clicks | Identifies threats and unusual behavior |
| Extension Approval Workflows | Manages extension controls and permissions | Prevents potential vulnerabilities |
| Comprehensive Reporting | Gathers data on browser versions, settings, and device info | Assists in incident analysis and response |
| Signature Verification for Plugins | Differentiates between signed and unsigned plugins | Assesses plugin safety levels |
| Permission Usage Monitoring | Observes the permissions each extension utilizes | Identifies potential data security risks |
| Behavioral Analysis of Extensions | Detects file creation, network connections, and setting changes | Alerts to suspicious browser extension activity |

Enterprises that integrate these monitoring tools and strategies into their security framework create a more transparent and secure online environment, shielding their infrastructure from the multitude of threats posed in the digital age.

Integrating with Active Directory for Seamless Management

When managing enterprise environments, the integration of browser and email plugin restrictions with Active Directory (AD) can provide a seamless and efficient centralized management experience. This integration is vital for ensuring that security policies are consistently applied across all users within the organization.

Leveraging Active Directory for centralized management

With Active Directory, configuring Group Policy Object (GPO) settings is the basis for centralized management of browser extensions. For the installation of browser extensions, machine-level GPO policy takes precedence over any other installation method, including registry values written by the Symantec Endpoint Protection (SEP) client, so neither a user nor a local process can override it. This centralization means that IT administrators can ensure a consistent and controlled deployment, which is crucial for maintaining a secure and compliant enterprise network.

Active Directory’s Group Policy Object can also provide a streamlined approach for managing Chrome or Edge browser extensions. By utilizing the GPO, enterprises gain the ability to facilitate precise control over extension installation processes. This includes the power to prevent the installation of potentially unwanted or unauthorized extensions, which helps keep network traffic optimized by eliminating unnecessary downloads.

| Active Directory Feature | Function | Impact on Management |
|---|---|---|
| GPO Policies | Centralized management of extensions | Overrules other installation methods |
| Installation Blocking | Prevents extension installation on managed clients | Reduces unneeded network traffic |
| Add-on Management | Manages permissions and behaviors | Safeguards against vulnerabilities |

Automating extension deployment and configuration

When it comes to the deployment and configuration of browser extensions, IT administrators can turn to automated solutions like Chrome Browser Cloud Management or Microsoft Group Policy Object (GPO). These platforms enable the remote installation of extensions on users’ browsers through policies such as the ‘Extension Install Forcelist’. Automating these processes not only saves time but also ensures that only authorized and necessary extensions are installed, adhering to the company’s security protocols.

To further tailor the user experience, enterprises often develop custom extensions that cater explicitly to their operational needs and then deploy these through specific policies. However, with the risk of malicious extensions that can compromise user data or inject harmful payloads, it’s recommended that enterprise environments restrict the installation of extensions on business-related devices. Security-first enterprise browsers can be configured to block unauthorized extension installs, mitigating potential security breaches before they happen.

In cases where organizations allow the installation of extensions, deploying tools to inspect and verify the security of these plugins becomes essential. These security checks help prevent any extensions with spammy behavior, suspicious permissions, or the potential to save user inputs from infiltrating the enterprise network.

By leveraging Active Directory for centralized extension management and automating the deployment of secure and custom extensions, enterprises can enhance their security posture while ensuring a robust and efficient operational environment.

| Automation Tool | Purpose | Benefit |
|---|---|---|
| Extension Install Forcelist | Remote installation of extensions | Facilitates controlled, standardized deployment |
| Custom Extension Development | Craft extensions for specific needs | Meets precise enterprise requirements |
| Security Inspection Tools | Inspect and verify plugin safety | Prevents potential security threats |

Utilizing these methodologies allows firms to maintain a strong security shield while providing users with the tools they need for productivity, without compromising on safety or control.

Efficient Management of Extension Permissions

With the ever-growing arsenal of browser extensions available, enterprises should meticulously manage the permissions such extensions are granted to ensure least-privilege access. Permissions can act as a gateway for extensions to make changes on devices or manipulate web content under the guise of functionality. They fall into two categories: API permissions, which unlock browser capabilities such as reading cookies, tabs or web requests, and host permissions, which govern which web pages the extension can read or alter. A measured approach to assigning and overseeing these rights is essential to avert security risks such as data theft or exploitation of browser vulnerabilities. By prudently defining and controlling the scope of access, organizations can foster an environment where security, compliance, and productivity coexist.

A table illustrating effective permission management strategies:

| Management Strategy | Objective | Benefit |
|---|---|---|
| Minimum Privilege | Grant only necessary permissions | Reduces risk of unauthorized data access |
| Host Permission Control | Define accessible web pages | Protects sensitive corporate content |
| Regular Audits | Review and adjust permissions | Ensures ongoing compliance and security |

The efficacy of permission management lies in striking the perfect balance – allowing enough access for extensions to serve their purposed function without opening the floodgates to potential security breaches.

Controlling and Monitoring Extension Permissions

In the enterprise ecosystem, managing browser extensions by leveraging their permissions and limiting their access to only essential websites is a potent strategy for heightened security and more streamlined management. By utilizing policy controls such as the runtime_blocked_hosts setting of Chrome’s ExtensionSettings policy, organizations can dictate which websites extensions may interact with, thus shielding critical sites from unauthorized script injection or data exfiltration attempts.

Organizations should deploy extension management tools that are pivotal in weaving a protective net capable of blocking malevolent extensions. Ensuring adherence to regulatory compliance and disseminating only vetted and safe extensions across the enterprise network also falls within the ambit of said tools. Key benefits to managing extension permissions proactively include time efficiency and a marked reduction in exposure to security vulnerabilities and potential data breaches, laying the groundwork for a fortified digital perimeter.

| Monitoring Aspect | Action Item | Reasoning |
|---|---|---|
| Permission Requests | Assess and justify necessity | To avoid over-provisioning of access rights |
| Webpage Access | Limit to job-relevant domains | To minimize the risk of data compromise |
| Audit Trails | Maintain records of changes | For an accountability trail and easier review |
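The Extension Install Forcelist mentioned in the automation section and the runtime host blocking described just above both live in Chrome’s ExtensionSettings policy, and generating that policy from an approved list rather than hand-editing it is what keeps the allowlist and the deployed configuration in sync. The following Python script is an added example, not code from the original article or from any vendor product: it builds the policy with a blocked default, force-installed and user-installable entries, a baseline of blocked API permissions, runtime-blocked sensitive hosts and a per-extension host exception. The extension IDs, hostnames, blocked-permission baseline and message text are constructed for illustration; the policy keys themselves are Chrome’s documented ExtensionSettings keys.

```python
"""Build a Chrome/Edge ExtensionSettings policy from an approved-extension list.

Added example, not code from the original article or from any vendor product.
The extension IDs, hostnames and message text below are constructed for
illustration; the policy keys are Chrome's documented ExtensionSettings keys.
"""
import json
import re

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
EXTENSION_ID = re.compile(r"^[a-p]{32}$")

# Origins no extension may script or intercept at runtime, even an allowed one.
# Constructed hostnames.
SENSITIVE_HOSTS = ["*://*.payroll.example.com", "*://sso.example.com"]

# API permissions no extension may hold on managed devices. Assumed baseline.
BLOCKED_PERMISSIONS = ["debugger", "nativeMessaging", "proxy"]


def check_id(ext_id: str) -> str:
    """Chrome extension IDs are 32 letters a-p; reject anything else early."""
    if not EXTENSION_ID.match(ext_id):
        raise ValueError(f"not a valid extension ID: {ext_id!r}")
    return ext_id


def build_extension_settings(forced, allowed, host_exceptions=None, request_message=""):
    """Assemble the ExtensionSettings dictionary.

    forced: IDs pushed to every browser (the Extension Install Forcelist role).
    allowed: IDs users may install themselves; everything else is blocked.
    host_exceptions: {id: [host patterns]} for the few extensions that
        legitimately need a sensitive host; runtime_allowed_hosts overrides
        the default runtime_blocked_hosts for that extension only.
    """
    host_exceptions = host_exceptions or {}
    settings = {
        "*": {  # the default entry applies to every extension not listed below
            "installation_mode": "blocked",
            "blocked_install_message": request_message,
            "blocked_permissions": BLOCKED_PERMISSIONS,
            "runtime_blocked_hosts": SENSITIVE_HOSTS,
        }
    }
    for ext_id in forced:
        settings[check_id(ext_id)] = {
            "installation_mode": "force_installed",
            "update_url": WEBSTORE_UPDATE_URL,
        }
    for ext_id in allowed:
        settings[check_id(ext_id)] = {"installation_mode": "allowed"}
    for ext_id, hosts in host_exceptions.items():
        if ext_id not in settings:
            raise ValueError(f"host exception for unapproved extension {ext_id}")
        settings[ext_id]["runtime_allowed_hosts"] = list(hosts)
    return settings


def policy_document(settings: dict) -> str:
    """Serialise the policy as the JSON Chrome reads from
    /etc/opt/chrome/policies/managed/ on Linux. On Windows the same settings
    object, as one JSON string, is the REG_SZ value ExtensionSettings under
    HKLM\\Software\\Policies\\Google\\Chrome (the GPO template writes it there)."""
    return json.dumps({"ExtensionSettings": settings}, indent=2, sort_keys=True)


# Constructed IDs for the example.
PASSWORD_MANAGER = "a" * 32
SSO_HELPER = "b" * 32
NOTE_TAKER = "c" * 32

if __name__ == "__main__":
    settings = build_extension_settings(
        forced=[PASSWORD_MANAGER, SSO_HELPER],
        allowed=[NOTE_TAKER],
        host_exceptions={SSO_HELPER: ["*://sso.example.com"]},
        request_message="Blocked by IT policy. Request this extension via the service desk.",
    )
    print(policy_document(settings))
```

The design point is the order of precedence: the `*` entry blocks everything by default, so an extension that is not explicitly force-installed or allowed never reaches the browser, and the sensitive-host block applies even to approved extensions unless a named exception is recorded for them, which is where the audit trail from the table above comes from.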

Defining Role-Based Access to Minimize Risks

Role-based access control (RBAC) stands as a cornerstone of the enterprise defense strategy, mitigating risk by aligning access permissions with the specific roles and job functions within an organization. By enacting RBAC, enterprises can limit the damage an insider threat can do and prevent unauthorized access to sensitive data and resources.

Effectively carving out roles and corresponding access levels enhances security by trimming the attack surface and limiting the blast radius of any single compromised account. Adhering to the principle of least privilege, RBAC ensures individuals receive exactly the access their responsibilities require, nothing more.

Here’s how role-based access control can be structured:

  1. Define roles: Identify and categorize job functions within the organization.
  2. Assign permissions: Grant access rights specifically suited to each role.
  3. Enforce restrictions: Implement technical blocks that enforce the assigned permission levels.
  4. Review regularly: Regularly reassess roles and permissions to keep up with changing job requirements and minimize stagnant access rights.

This methodical approach to defining role-based access is instrumental in buttressing the organization’s security posture, mitigating the likelihood of unauthorized activities, and therefore, diminishing the threat of data breaches in the digital enterprise landscape.

Summary

Implementing stringent browser and email plugin restrictions is essential in maintaining a secure enterprise environment. This ensures protection against the proliferation of malicious extensions that pose significant security risks. Utilizing tools such as Browser Security Plus can streamline this process by creating a secure repository of approved extensions, efficiently distributing them within the network while blocking harmful ones. Additionally, security browser extensions enhance an organization’s defenses against cyber threats, phishing, and malware through robust content filtering capabilities and policy management for safer browsing experiences.

Enterprises building a secure browsing infrastructure can draw on Chrome’s built-in security features and Chrome Browser Cloud Management, which follow Zero Trust principles and offer granular control and visibility over security events. The Chrome Web Store’s review process adds another layer: extensions can be published privately to a verified domain or as unlisted, and then deployed either manually or through policies such as ExtensionInstallForcelist. Active security policies, prompt application of security patches and a consistently strong security posture together mitigate risk and bolster the overall security infrastructure.

* AI tools were used as a research assistant for this content. MSI does not resell or endorse any products. All named products are examples only.

 

Ask The Experts: Why Do Security Testing of Internal Computer Networks?

Most organizations have realized the need to have vulnerability assessments of their internet-facing (external) computer networks performed periodically. Maybe they are alarmed by all the data compromises they hear about on the news or perhaps they are subject to regulatory guidance and are required to have vulnerability assessments done. But many organizations draw the line there and never have the security of their internal networks tested. This is a mistake! At least it’s a mistake if your goal is actually to protect your computer systems and the private information they store and process.

It is true that most attacks against information systems come from external attackers, but that does not mean the internal threat is negligible. About one sixth of data compromises are due to employees and privileged insiders such as service providers and contractors. There are also other reasons to test the security of your internal networks besides the insider threat. For one thing, once cyber-criminals find a hole in your external defenses they are suddenly “insiders” too. And if your internal systems are not configured correctly, hardened and monitored, it becomes trivial for these attackers to own your systems and compromise all the private information you hold.

The type of testing that gives you the most bang for the buck is internal vulnerability assessment, and doing it regularly has many benefits. One benefit people usually don’t associate with internal vulnerability assessment is that it produces maps and inventories of the network, which are essentials of information security: if you don’t know what you have on your network and where it is, how can you protect it? Another benefit is perspective. It lets you see your internal network the way an attacker would, revealing:

  • Access control issues such as default and blank passwords mistakenly left in place during administration, open file shares or anonymous FTP sites that may contain private data, and user accounts that are suspicious or inappropriate.
  • Systems that are missing security patches, or that are running out-of-date software or operating systems no longer supported by the vendor.
  • Systems that have been misconfigured or that reveal too much information to unauthorized users.
  • Ports that are inappropriately left open, or dangerous services such as Telnet or Terminal Services present on the network.
  • Poor network architecture that fails to properly segment and enclave information assets so that only those with a business need can access them.
  • How well third party systems present on your network are patched, updated and secured.
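
An added example of what “seeing it the way an attacker would” looks like in practice (this is not MSI’s tooling or part of the original post). It parses nmap’s grepable (-oG) host lines into an inventory, then applies a small rule table covering several of the classes listed above: cleartext administration (Telnet), Terminal Services, FTP that needs an anonymous-login check, file-sharing ports worth reviewing for open shares, and version strings that name software past vendor support. The scan output is constructed, and the rule and end-of-life tables are illustrative starting points rather than a complete policy.

```python
"""Turn an internal scan into an inventory and a finding list (added example).

Parses nmap grepable (-oG) host lines and applies a few rules for the classes
of issue an internal vulnerability assessment surfaces. The scan text below is
constructed, not a real scan; the rule tables are illustrative, not complete.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed -oG output. Fields in a port entry: port/state/proto/owner/service/rpc/version/
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.1.5 (fs01.corp.example)\tStatus: Up
Host: 10.10.1.5 (fs01.corp.example)\tPorts: 21/open/tcp//ftp//Microsoft ftpd/, 445/open/tcp//microsoft-ds//Windows Server 2003 microsoft-ds/\tIgnored State: closed (998)
Host: 10.10.1.20 (sw-core)\tPorts: 23/open/tcp//telnet///, 22/filtered/tcp//ssh///\tIgnored State: closed (998)
Host: 10.10.1.31 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (999)
# Nmap done (constructed sample) -- 3 IP addresses (3 hosts up)
"""


@dataclass(frozen=True)
class Service:
    host: str
    hostname: str
    port: int
    proto: str
    name: str
    version: str


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: str
    detail: str


HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

# Illustrative policy: port -> (severity, what to do about it)
PORT_RULES = {
    23: ("high", "Telnet: cleartext remote administration; replace with SSH or disable"),
    3389: ("medium", "Terminal Services/RDP reachable; confirm business need and restrict by segment"),
    21: ("medium", "FTP present; verify anonymous login is disabled and check for exposed data"),
    445: ("info", "SMB file sharing; review share permissions for open or unauthenticated shares"),
    139: ("info", "NetBIOS session service; review legacy file-sharing exposure"),
}
# Illustrative end-of-support markers matched against the version field.
UNSUPPORTED = ("Windows 2000", "Windows XP", "Windows Server 2003")


def parse_grepable(text):
    """One Service per open port; filtered/closed entries and non-port lines are dropped."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        m = HOST_RE.match(line)
        if m is None:
            continue
        host, hostname = m.group(1), m.group(2)
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            services.append(Service(host, hostname, int(fields[0]), fields[2], fields[4], fields[6]))
    return services


def inventory(services):
    """The map-and-inventory benefit: host -> list of open services."""
    inv = defaultdict(list)
    for s in services:
        inv[s.host].append(f"{s.port}/{s.proto} {s.name} {s.version}".rstrip())
    return dict(inv)


def assess(services):
    """Apply the port rules and the unsupported-software check to every open service."""
    findings = []
    for s in services:
        rule = PORT_RULES.get(s.port)
        if rule:
            findings.append(Finding(s.host, s.port, rule[0], rule[1]))
        for marker in UNSUPPORTED:
            if marker.lower() in s.version.lower():
                findings.append(Finding(s.host, s.port, "high", f"Unsupported software reported: {s.version}"))
                break
    return findings


if __name__ == "__main__":
    svcs = parse_grepable(SAMPLE_SCAN)
    for host, items in inventory(svcs).items():
        print(host, items)
    for f in sorted(assess(svcs), key=lambda f: ("high", "medium", "info").index(f.severity)):
        print(f"{f.severity:6} {f.host}:{f.port} {f.detail}")
```

Note that the FTP rule only says “verify”: a port-level scan cannot tell whether anonymous login is enabled, so the finding records the check that still has to be done rather than asserting a result.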

Also, from a business perspective, performing regular internal vulnerability assessments shows your customers that you are serious about information security; a factor that could influence them to choose your organization over others.

In addition to vulnerability testing, it is also highly desirable to have penetration testing of the internal network performed occasionally. While vulnerability assessment shows you what flaws are available for attackers to exploit (the width of your security exposure), penetration testing shows you what attackers can actually do with those flaws to compromise your systems and data (the depth of your exposure). Internal penetration testing can:

  • Reveal how attackers can exploit combinations of seemingly low risk vulnerabilities to compromise whole systems or networks (cascading failures).
  • Show you if the custom software applications you are using are safe from compromise.
  • Show you not only what is bad about your network security measures, but what is working well (this can really save you money and effort by helping you choose only the most effective security controls).

One other type of penetration testing that is well worth the time and expense is social engineering testing. As network perimeters become increasingly secure, social engineering techniques such as phishing emails or bogus phone calls are used more and more by attackers to gain a foothold on the internal network. We at MSI are very aware of just how often these techniques work. How well do you think your employees would resist such attacks?

Thanks to John Davis for this post.

Oracle CSO Online Interview

My interview with CSO Online became available over the weekend. It discusses vendor trust and information security implications of the issues with password security in the Oracle database. You can read more about it here. Thanks to CSO Online for thinking of us and including us in the article.

Threat and Vulnerability: Pay Attention to MS12-020

Microsoft today released details and a patch for the MS12-020 vulnerability. This is a remotely exploitable vulnerability in most current Windows platforms running Terminal Services/RDP. Many organizations use this service remotely across the Internet, via a VPN, or locally for internal tasks. It is a common, prevalent technology, and the size of the target pool is likely to make this a significant issue in the near future.

 
Please identify your exposures to this vulnerability. Exploits are likely currently being developed. We have not yet (3/13/12 – 2.15pm Eastern) seen exploitation or an increase in probes for port 3389, but both are expected to occur shortly.
 
Please let us know if you have any questions or if we may be of any assistance with this issue.
 
UPDATE:

This article makes reference to a potential worm attack vector, which we see as increasingly likely. Our team believes the exploitation development time to be significantly less than 30 days and more like 1-3 days for resourced attackers. As such, PLEASE TREAT THIS AS A SIGNIFICANT INTERNAL VULNERABILITY as well. Certainly, IMMEDIATE consideration is needed for Internet exposed systems, but INTERNAL systems should be patched as soon as manageable as well.
 
UPDATE II:

This confirms the scope and criticality of this issue.
 
UPDATE III:
 
Just a quick note – we are seeing vast work on the MS12-020 exploit. Some evidence points to 2 working versions. Not public, yet, but PATCH NOW. Internal & protected networks too.
 
UPDATE IV:
 
MSI is proud to announce the immediate availability of a FREE version of HoneyPoint, called HPRDP2012 to help organizations monitor for ongoing scans and potential future worm activity. The application listens on port 3389/TCP and is available for OS X (Intel), Windows & Linux. This application is similar to our releases for Conficker & Morto, in that it will be operational for a set time (specifically until October 1, 2012). Simply unzip the application to where you would like to run and execute it. We hope this helps organizations manage this vulnerability and detect impacts should scans, probes or a worm emerge. Traditional HoneyPoint customers can use Agent and/or Wasp to listen for these connections and report them centrally by dilating TCP listener HoneyPoints on port 3389. Please let us know if you have any questions.
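
For readers who want to see what a listener of this kind does, here is an added example in the same spirit as HPRDP2012 (it is not HoneyPoint code and makes no claim about how HoneyPoint is built). It binds 3389/tcp, reads the opening bytes of each connection, logs one JSON line with the source address and a classification, and closes without ever speaking RDP. The classification relies on the documented start of an RDP connection: a TPKT header (version 3, reserved 0, 16-bit length) carrying an X.224 Connection Request (TPDU code 0xE0), optionally preceded by the “Cookie: mstshash=” routing token that Microsoft clients send. That lets you separate RDP-aware probes from plain port sweeps. The sample probe bytes are constructed from that layout, and the source addresses in the self-test are documentation addresses.

```python
"""Listener for 3389/tcp that records and classifies inbound probes.

Added example in the spirit of the free HPRDP2012 listener; not HoneyPoint
code. It never answers as an RDP server: it reads the first bytes, logs one
JSON line per connection and closes. SAMPLE_RDP_PROBE is constructed from the
RDP connection layout: TPKT header + X.224 Connection Request (0xE0) with an
mstshash cookie and an 8-byte RDP negotiation request.
"""
import json
import socket
import threading
from datetime import datetime, timezone

X224_CONNECTION_REQUEST = 0xE0
MIN_TPKT_CR_LEN = 11  # 4-byte TPKT header + 7-byte X.224 CR header

# Constructed: TPKT(len 43) + X.224 CR (LI=38) + cookie + RDP_NEG_REQ (8 bytes)
SAMPLE_RDP_PROBE = (b"\x03\x00\x00\x2b"
                    + b"\x26\xe0\x00\x00\x00\x00\x00"
                    + b"Cookie: mstshash=admin\r\n"
                    + b"\x01\x00\x08\x00\x03\x00\x00\x00")
SAMPLE_HTTP_PROBE = b"GET / HTTP/1.0\r\n\r\n"  # constructed: a scanner that is not RDP-aware


def classify_probe(data: bytes) -> str:
    """Label the first bytes of a connection to 3389."""
    if not data:
        return "connect-only"  # connect scan or banner grab that sends nothing
    if len(data) >= MIN_TPKT_CR_LEN and data[0] == 0x03 and data[1] == 0x00:
        tpkt_len = int.from_bytes(data[2:4], "big")
        if data[5] == X224_CONNECTION_REQUEST and tpkt_len >= MIN_TPKT_CR_LEN:
            return "rdp-x224-connection-request"
        return "tpkt-other"
    return "non-rdp-payload"


def extract_cookie(data: bytes):
    """Return the mstshash routing token (usually a username) if the client sent one."""
    marker = b"Cookie: mstshash="
    start = data.find(marker)
    if start < 0:
        return None
    start += len(marker)
    end = data.find(b"\r\n", start)
    if end < 0:
        return None
    return data[start:end].decode("ascii", errors="replace")


def handle_connection(conn: socket.socket, addr, now=None) -> dict:
    """Read the opening bytes from one accepted connection and build a log record."""
    conn.settimeout(2.0)
    try:
        data = conn.recv(512)
    except (socket.timeout, OSError):
        data = b""
    return {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "src": addr[0],
        "sport": addr[1],
        "label": classify_probe(data),
        "cookie": extract_cookie(data),
        "first_bytes": data[:16].hex(),
    }


def replay_probe(data: bytes, addr=("192.0.2.10", 51234)) -> dict:
    """Offline self-check: push bytes through handle_connection over a local socket pair."""
    client, server = socket.socketpair()
    with client, server:
        client.sendall(data)
        client.shutdown(socket.SHUT_WR)
        return handle_connection(server, addr)


def serve(bind="0.0.0.0", port=3389, stop_event=None, log=print):
    """Accept loop; one JSON line per connection. stop_event lets a caller end it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        srv.settimeout(1.0)
        while stop_event is None or not stop_event.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            with conn:
                log(json.dumps(handle_connection(conn, addr)))


if __name__ == "__main__":
    stop = threading.Event()
    try:
        serve(stop_event=stop)
    except KeyboardInterrupt:
        stop.set()
```

Run it on a host that does not offer real Terminal Services, and feed the JSON lines to whatever collects your logs; a rise in “rdp-x224-connection-request” records from internal addresses is exactly the worm-style scanning the updates above warn about.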

Reflections on a Past Vulnerability, Kind Of…

Recently, someone asked me about a vulnerability I had found in a product 15 years ago. The details of the vulnerability itself are in CVE-1999-1141 which you can read for yourself here.

Apparently, some of these devices are still around in special use cases and some of them may not have been updated, even now, 15 years after this issue came to light and more than 13 years after Mitre assigned it a 7.5 out of 10 risk rating and an associated CVE id. That, in itself, is simply shocking, but is not what this post is about.

This post is about the past 15 years since I first made the issue public. At that time, both the world of infosec and I were different. I still believed in open disclosure, for example. However, shortly after this vulnerability research experience, I started to choke back on that belief. Today, I still research and discover vulnerabilities routinely, but I handle them differently.
 
I work with the vendor directly, consult with their developers and project teams as much as they let me, and then allow them to work through fixing their products. Some of these fixes take a very, very long time and some of them are relatively short. Sometimes the vendors/projects give me or MicroSolved public credit, but often they do not. Both are OK under the right circumstances, and I am much happier when the vendors ask us if we want to be credited publicly, but I am content if they fix the problems we find in many cases. We do our very best to be non-combative and rational with all of them in our discussions. I think it is one of the reasons why application and device testing in our lab is so popular — better service and kindness go a long way toward creating working relationships with everyone.
 
Now, I don’t want to dig into the debate about open disclosure and non-disclosure. You may have different opinions about it than I do, and I am perfectly fine with that and willing to let you have them. I choose this path in vulnerability handling because in the end, it makes the world a safer place for all of us. And make no mistake, that’s why I do what I do nearly every day and have done what I have done for more than 20 years now in information security.
 
That’s really what this post is about. It’s about change and commitment. I’m not proud of releasing vulnerability data in 1997, but I’m not ashamed of it either. Times have changed and so have I. So has my understanding of the world, crime and security. But at the bottom of all of that change, what remains rock solid is my commitment to infosec. I remain focused, as does MicroSolved, on working hard every day to make the world a safer place for you and your family.
 
In November of 2012, MSI will enter its 20th year in business. Twenty years of laser focus on this goal, on the work of data protection, and on our customers. It’s an honor. There is plenty of tradition, and plenty of change to reflect on. Thanks to all of you for giving me the opportunity to do so.
 
Now that I have nostalgia out of the way, if you are still using those old routers (you know who you are), replace those things! 
 
As always, thanks for reading and stay safe out there! 

MicroSolved’s Strategies & Tactics Talk: #3 APT: Less Advanced Than You May Think

So how “advanced” is APT?

Listen in as our tech team discusses various aspects of APT such as:

  • How it has been portrayed.
  • Why it often isn’t an advanced threat
  • Where do they originate?
  • What can companies do about APT?

Panelists:

Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
Mary Rose Maguire, Moderator, Marketing Communication Specialist, MicroSolved, Inc.

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Keep Your Eyes on This Adobe 0-Day

A new Adobe exploit has been circulating via Flash movies for the last day or so. The vulnerability appears to be present across many Adobe products and can be exploited on Android, Linux, Windows and OS X.

Here is a link to the Dark Reading article about the issue.

You can also find the Adobe official alert here.

As this matures, evolves and gets patched, it is a good time to double-check your patching process for third-party software on workstations and servers. By now that should be a regular process, just like your ongoing operating system patching. If it is not, it is time to make it so.

Users of HoneyPoint Wasp should be able to detect any systems compromised via this attack vector easily using the whitelisting detection mechanism. Keep a closer-than-usual eye out for suspicious new processes running on workstations until the patch has been applied across the workstation environment.
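
To make the “whitelisting” idea concrete, here is an added example of the detection logic in Python (it is not HoneyPoint Wasp’s code and makes no claim about how Wasp works internally). A baseline records the executable paths expected on a workstation; a later process snapshot is compared against it and three conditions are raised: a path that is not in the baseline, a baselined image name running from somewhere else (masquerading, such as a svchost.exe in a user’s temp directory), and a browser or plugin host spawning a shell or script interpreter, which is the usual shape of a payload delivered through a browser plugin. The baseline, the snapshot and the host and interpreter lists are constructed for illustration.

```python
"""Allowlist-style detection of unexpected workstation processes (added example).

Baseline and snapshot are constructed; this is not HoneyPoint Wasp's code.
Paths and names are compared case-insensitively, as Windows does.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


@dataclass(frozen=True)
class Alert:
    pid: int
    rule: str
    detail: str


# Constructed baseline: expected executable path -> image name.
BASELINE = {
    r"C:\Windows\System32\svchost.exe": "svchost.exe",
    r"C:\Windows\explorer.exe": "explorer.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe": "iexplore.exe",
    r"C:\Windows\System32\cmd.exe": "cmd.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe": "powershell.exe",
}
# Illustrative lists: processes that host browser plugins, and interpreters a payload would use.
BROWSER_HOSTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "plugin-container.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

# Constructed snapshot of a workstation after a hypothetical plugin exploit:
# the browser spawned cmd.exe, which dropped two binaries in %TEMP%.
SNAPSHOT = [
    Proc(600, 4, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1200, 600, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(3100, 1200, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Proc(3400, 3100, "cmd.exe", r"C:\Windows\System32\cmd.exe"),
    Proc(3500, 3400, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
    Proc(3600, 3400, "update.exe", r"C:\Users\bob\AppData\Local\Temp\update.exe"),
]


def _norm(s: str) -> str:
    return s.lower()


def detect(snapshot, baseline=BASELINE):
    """Compare a process snapshot with the baseline and return the alerts, in pid order."""
    allowed_paths = {_norm(p): _norm(n) for p, n in baseline.items()}
    allowed_names = set(allowed_paths.values())
    by_pid = {p.pid: p for p in snapshot}
    alerts = []
    for p in sorted(snapshot, key=lambda x: x.pid):
        path, name = _norm(p.path), _norm(p.name)
        if path not in allowed_paths:
            if name in allowed_names:
                alerts.append(Alert(p.pid, "name-masquerade", f"{p.name} running from {p.path}"))
            else:
                alerts.append(Alert(p.pid, "unknown-path", p.path))
        elif allowed_paths[path] != name:
            alerts.append(Alert(p.pid, "name-mismatch", f"{p.path} reported as {p.name}"))
        parent = by_pid.get(p.ppid)
        if parent and _norm(parent.name) in BROWSER_HOSTS and name in INTERPRETERS:
            alerts.append(Alert(p.pid, "browser-spawned-interpreter",
                                f"{parent.name}({parent.pid}) -> {p.name}({p.pid})"))
    return alerts


if __name__ == "__main__":
    for a in detect(SNAPSHOT):
        print(f"pid {a.pid:5} {a.rule:28} {a.detail}")
```

The parent-child rule matters because the cmd.exe itself is a perfectly normal baselined binary; only its ancestry gives it away. In a real deployment the baseline would also carry file hashes so that a trojaned copy at the expected path is caught, which this example leaves out.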

Apache Tomcat; Firefox, Thunderbird Info Leak

Several vulnerabilities in Apache Tomcat have been disclosed. They could allow manipulation of an SSL session or disclosure of session IDs. Administrators running Tomcat should update to version 5.5.26 or 6.0.16.

Multiple vulnerabilities in Firefox, Thunderbird and SeaMonkey have been reported. They could result in memory corruption, information exposure, directory traversal and potentially other issues. A proof of concept exists for Firefox 2.0.0.12. Users should update their Mozilla software to the latest version and watch for further updates on this issue.