The next control in the Breaking Down The Critical Security Controls series is number 7, Email and Web Browser Protections. In order of criticality, controls one through six are paramount as the foundation of an effective security program; that's the groundwork. Email and web browsers are the next logical focus area because those two items are the primary attack entry points for any organization. Malware, viruses, ransomware, phishing, key loggers, hundreds of browser vulnerabilities and known exploits, and non-security-trained users in control are what make these so critical.
Here's what the control says:
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
Leveraging best practices and following the critical controls, your program should have a standard email and web configuration deployed to all end users. Remove any ability to install browser toolbars and extensions; remove any ability to alter the configuration, cookie settings, or ActiveX or Flash enablement; and have a strong web filter at your egress point(s) to help filter out malicious sites. You should go one step further and restrict the browser to business-focused use: no social sites, no video sites, no ability to download anything. Of course, keep your software patches up to date.
Depending on the technologies in your environment, you can also leverage your endpoint security components, agents, and access controls to limit the ability of browsers to be altered or to behave in unintended ways.
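As an added example (not from the original post or from CIS), here is the kind of standardized browser lockdown the two paragraphs above describe, expressed as a Chrome enterprise managed-policy file, together with a small Python audit that reports which of the post's requirements a given policy still leaves open. The policy keys are Chrome's documented ones; the blocked-site list, the allowlisted extension ID placeholder and the exact set of requirements checked are my assumptions.

```python
import json
from typing import Dict, List

# Constructed example of a Chrome managed-policy file implementing the lockdown:
# on Linux it lives under /etc/opt/chrome/policies/managed/, on Windows the same
# keys are set under HKLM\SOFTWARE\Policies\Google\Chrome (registry/GPO).
HARDENED_POLICY: Dict = json.loads("""
{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["ALLOWED-EXTENSION-ID-PLACEHOLDER"],
  "DownloadRestrictions": 3,
  "DefaultPluginsSetting": 2,
  "DefaultCookiesSetting": 4,
  "URLBlocklist": ["facebook.com", "twitter.com", "youtube.com", "tiktok.com"],
  "URLAllowlist": ["intranet.example.com"],
  "SafeBrowsingProtectionLevel": 2,
  "DeveloperToolsAvailability": 2,
  "IncognitoModeAvailability": 1
}
""")
# DownloadRestrictions 3 = block all downloads; DefaultPluginsSetting 2 = block
# plugins (Flash-era key, ignored by builds that no longer ship Flash);
# DefaultCookiesSetting 4 = keep cookies for the session only.

# Constructed "before" state: what a default rollout might ship with.
WEAK_POLICY: Dict = {"DefaultCookiesSetting": 1, "DownloadRestrictions": 0}


def audit_browser_policy(policy: Dict) -> List[str]:
    """Return the requirements from the post that this policy does not meet:
    no user-installed extensions or toolbars, no downloads, no plugins,
    locked-down cookies, a web filter in place, and Safe Browsing on.
    (Which settings count as 'meeting' each item is an assumption.)"""
    findings = []
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        findings.append("extensions: users can still install extensions/toolbars")
    if policy.get("DownloadRestrictions") != 3:
        findings.append("downloads: not blocked (DownloadRestrictions != 3)")
    if policy.get("DefaultPluginsSetting") != 2:
        findings.append("plugins: not blocked (DefaultPluginsSetting != 2)")
    if policy.get("DefaultCookiesSetting") not in (2, 4):
        findings.append("cookies: default allows persistent cookies")
    if not policy.get("URLBlocklist"):
        findings.append("web filter: no URLBlocklist configured")
    if policy.get("SafeBrowsingProtectionLevel", 0) < 1:
        findings.append("safe browsing: not enforced")
    return findings


if __name__ == "__main__":
    for name, pol in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_browser_policy(pol) or "meets all checked requirements")
```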
Then there is the second part to this, which is the most difficult to control: the people. Web browsers, for the most part, can be technologically controlled and limited in what they can or cannot do. When it comes to email, the person in control is the biggest risk.
The people problem is why all the best practice guides, regulations, audits and assessments ask about your security awareness training. Education. Communications. Training. An organization must do everything it can to get information about security risks, best practices, and company policies out to its employees.
With all the technology and tools in place, all it can take is one click on a phishing email to ruin your day: a legitimate or compromised website drops a payload that records the user's keystrokes and sends the username and password they typed to a malicious person. When that happens it doesn't matter what protections you have in place; if a hacker has the keys, they are in the door.
How It Can Be Exploited
The most common methods of attack on browsers are malicious browser extensions, exploiting known vulnerabilities, and abusing vulnerable add-ons such as Flash.
Through email the primary method, and the most successful, is phishing: sending a legitimate-looking email to trick the user into clicking a link or opening an attachment that delivers a malicious package to the end user's machine or network. Ransomware, malware, key loggers and viruses can all be delivered through this mechanism.
There is also spear phishing, in which, instead of a random mass email, an individual or group is specifically targeted. Spear phishing is the cause of companies sending money to what they think are legitimate business partners but are really the criminals; the email was fake, but the business believed it.
Phishing can be reduced through technical controls, but it will never be eliminated. There will always be emails that slip through your spam filters, or that come from legitimate people and contain links that look real. People make mistakes, people trust sources, people click without thinking, and it happens every day.
When you go through and set up your protections, make sure you do an impact analysis so that when, not if, something happens you know where the damage will go. Will the ransomware just wipe out the user's laptop, or will it see the company network share of terabytes of files and wipe those out too because you have open ACLs on the share?
Have an open, transparent security program. The more the employees know about you, your mission and your challenges, the more they will begin to think about their own security. A little is better than zero or deliberately ignoring it.
As I always tell employees and clients:
“If you get something you are unsure of it’s better to hesitate and ask than click and be wrong.”
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.