Tom Olzak

Browsers are not security controls

In Cybercrime, Data Security, Firefox, Internet Explorer, Risk Management, Safari on March 19, 2009 at 11:13

Major Internet browsers were shown to be hackable this week at CanSecWest.  This isn’t really a surprise; a browser is an open door for malware, waiting to be exploited.  What might be a surprise is that some IT professionals actually consider the browser a security layer.  It isn’t, and it probably never will be.

Browsers are, by nature, human-built and human-managed tools for reaching applications written by any one of millions of developers, most of them unknown to the user.  They connect to sites that may or may not be malicious, even when those sites appear to belong to familiar institutions we trust.  Finally, we can always count on the user to do something he or she has been warned many times not to do.

I’m not saying browser developers shouldn’t try to plug as many holes as possible.  However, there are too many variables when surfing the Web to ensure reasonable and appropriate browser trustworthiness.  So what is the answer?

We should stop trying to make our browsers perfect and instead examine what each browser-based attack vector actually does once it succeeds.  That information is what lets us select appropriate security controls to layer between the browser, sensitive data, and the network.  Examples include anti-virus, a personal firewall, and host-based intrusion prevention software.

Going beyond the desktop, we need to revisit the Internet’s security overall, starting with DNS.  Until we can ensure the most fundamental services are reasonably secure, the security of our browsers is at most a secondary concern.

We should also assume a breach will eventually occur.  Until humans are replaced by design and development cyborgs incapable of making mistakes, and until security budgets are doubled or tripled beyond what is considered reasonable and appropriate today, there will always be a gap between our actual security state and 100 percent protection.  So in addition to trying to prevent malicious intrusions, we should also implement technology and processes to detect and respond to extrusions: sensitive data leaving the network after an intrusion has already succeeded.
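One concrete form of the "detect extrusions" layer described above is to watch the browser's egress rather than the browser itself.  The script below is an added example, not code from the original post or from any product it names.  It assumes a constructed, simplified web-proxy log format (timestamp, client IP, method, destination host, bytes out, bytes in), an illustrative allowlist of expected destinations, and an illustrative 1 MiB threshold; the sample log lines are made up for the example, not real traffic.

```python
"""Egress ("extrusion") detection over web-proxy logs.

Added example, not from the original post.  Everything here is an
assumption for illustration: the six-field log format, the allowlist of
known-good hosts, and the outbound-bytes threshold.  Real deployments
would baseline per client over time, correlate with DNS and proxy
categorisation, and treat encrypted uploads separately.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not real traffic).
# Fields: timestamp client_ip method host bytes_out bytes_in
SAMPLE_LOG = """\
2009-03-19T11:01:02 10.0.0.12 GET www.example.com 512 48211
2009-03-19T11:01:09 10.0.0.12 POST mail.example.com 20480 1024
2009-03-19T11:02:44 10.0.0.37 POST upload.unknown-host.test 9437184 512
2009-03-19T11:03:10 10.0.0.37 POST upload.unknown-host.test 7340032 480
2009-03-19T11:04:55 10.0.0.51 GET cdn.example.com 300 1048576
2009-03-19T11:05:20 10.0.0.51 POST pastesite.test 65536 700
"""

# Destinations the organisation expects browsers to send data to (assumed).
KNOWN_GOOD_HOSTS = {"www.example.com", "mail.example.com", "cdn.example.com"}

# Outbound bytes from one client to one non-allowlisted host that triggers
# an alert (assumed threshold: 1 MiB).
OUTBOUND_THRESHOLD = 1 * 1024 * 1024


@dataclass(frozen=True)
class ProxyRecord:
    ts: str
    client: str
    method: str
    host: str
    bytes_out: int
    bytes_in: int


def parse_log(text: str) -> list[ProxyRecord]:
    """Parse the constructed six-field format; reject malformed lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(parts)}")
        ts, client, method, host, out_s, in_s = parts
        records.append(
            ProxyRecord(ts, client, method, host.lower(), int(out_s), int(in_s))
        )
    return records


def outbound_to_unknown(records):
    """Sum outbound bytes per client, per host, ignoring allowlisted hosts.

    Browser requests to expected destinations are noise for this purpose;
    what we care about is volume pushed to places we do not recognise.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r.host not in KNOWN_GOOD_HOSTS:
            totals[r.client][r.host] += r.bytes_out
    return totals


def find_extrusions(records, threshold=OUTBOUND_THRESHOLD):
    """Return sorted (client, host, total_bytes_out) tuples at or above threshold."""
    alerts = []
    for client, hosts in outbound_to_unknown(records).items():
        for host, total in hosts.items():
            if total >= threshold:
                alerts.append((client, host, total))
    return sorted(alerts)


if __name__ == "__main__":
    for client, host, total in find_extrusions(parse_log(SAMPLE_LOG)):
        print(f"ALERT {client} sent {total} bytes to unrecognised host {host}")
```

Note what this does and does not depend on: it never asks whether the browser was exploited, patched, or up to date.  It only asks whether a workstation is pushing data somewhere the organisation does not recognise, which is the question a post-breach control has to answer regardless of which browser, plugin or user was the way in.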

I’m not saying we should ignore weaknesses in browsers, or any software.  However, it’s unreasonable, and possibly negligent, to point fingers at browser vendors while ignoring the part we should play in protecting our organizations from browser-based attacks.
