2018 Browser Security Checklist
Summer 2018 is quickly coming to a close. As we begin the next quarter and head toward the holiday season, scams and phishing become ever more prevalent. Here's a "quick win" guide for companies looking to keep their users and their browsers secure.
Managed Browsers and Profiles
Pick a browser that is secure and ensure 100% adoption throughout your organization. I recommend going with Google Chrome. If you're a GSuite/Google Enterprise customer, you have the ability to push and manage profiles and software easily through their interface. This ensures users are up to date, using the correct software, while limiting the ability for malicious software to be accidentally installed.
Keep passwords strong, secure, and don't worry about people forgetting them. By adopting and deploying a password manager, you can allow your teams to have extremely strong passwords they don't need to remember. Most password managers including browser extensions that automatically generate and fill web forms with their strong passwords. This prevents phishing attacks and keeps weak passwords to a minimum.
Much like strong passwords, everyone needs multi-factor authentication. Multi-factor authentication requires a user to use something they know(a password) and something they have(a token, a fingerprint, etc) to access an application. Many applications support two-factor and by enabling this as a requirement, your users remain safer against password hacking attempts.
Apozy Cloud Web Security & Extension
Apozy NoHack is a cloud browser security platform that stops credential theft, prevents malware downloads, and protects against data loss by using Sitelock technology to turn malicious sites "read-only". It deploys to browsers without an agent or gateway and uses cloud detection engines to make decisions in real-time. As Apozy is used in your organization, it's improving algorithms with machine learning. With NoHack browser isolation, phishing and malware sites are neutered and deemed harmless in real-time. Sign up for a trial on https://www.apozy.com.
Monitoring Malicious Browsing
Given most sites deploy HTTPS(and if not, see above), much of the malicious traffic users encounter is encrypted. Encrypted traffic can't easily be monitored which makes it difficult for incident response and detection. Breaking SSL is an option but is slow, difficult, and sometimes breaks privacy laws like GDPR. In order to effectively monitor and use traffic, Apozy NoHack, mentioned above, gives full post-rendered data about sites, payloads, requests, and more. Use NoHack with your SEIM or event manager of choice for instant alerting on malicious sites that are visited.
No need to reinvent the wheel, here's a quote from this extension's page: "HTTPS Everywhere is an extension created by EFF and the Tor Project which automatically switches thousands of sites from insecure "http" to secure "https". It will protect you against many forms of surveillance and account hijacking, and some forms of censorship." This extension is a great addition to the browser to ensure security where sites otherwise lack it.
When deploying a managed browser, ensure that security settings are tailored to your organization. For example, removing the ability to store passwords for known forms or disabling the ability to download unverified extensions. You can also disable the ability to do Incognito Browsing, which could remove the abilities of some security tools. Furthermore, ensure that security extensions like password managers, Apozy, and HTTPS Everywhere are forced across all profiles including Incognito.