What's your reaction to the latest NSS Labs Web browser security test results? Our organization is particularly concerned about the risk of browser-based socially engineered malware. Should we use a particular browser?
The Web browser -- which is the most commonly used interface for accessing and interacting with data on the Web and other networks -- is a critical application that needs to protect users from attack. This means that security should be a key factor for administrators when choosing which browser to deploy across the enterprise. Studies looking at how different browsers fare when pitted against various types of threats can be useful, as they provide metrics to compare one browser against another, helping administrators decide which browser best suits their enterprise's security profile. However, admins must read these studies carefully to fully appreciate what the results really mean, particularly when a study focuses on only one type of threat. Vendors and test agencies often differ in how they define adware, spyware and advanced persistent threats, and incorporating new and unknown malware is almost impossible in a controlled test.
Socially engineered malware (SEM) is a growing threat. Socially engineered attacks use several different methods to deceive users into downloading malicious software. For example, a website that may look nonthreatening can convince visitors to download and execute a malicious piece of software. As the browser is the primary vector for delivering SEM, it must be the first line of defense against such attacks. The main technologies used for defeating SEM are URL filtering and application reputation.
The latest report from NSS Labs tested eight different browsers -- including three from China -- against SEM. Internet Explorer came out on top with a 99.9% block rate. Chrome came in third at 70.7%, and Firefox and Safari only managed around 4% each. Microsoft and Google use a combination of URL filtering and application reputation, with Microsoft relying more on URL filtering than Google. The disparity between Chrome and IE could be due to a change in how strict the application reputation system is for Chrome, or because hackers have been able to devise tactics that avoid this method of detection.
Interestingly, the Kingsoft Liebao Browser, which came in second behind IE with a block rate of 85%, does not use application reputation technology, but rather scans all downloads with a combination of URL filtering and cloud-based file scanning technology that Kingsoft uses for its antivirus product.
The NSS Labs report clearly puts IE ahead of its competition in providing early protection against SEM. So should enterprises change their browser selection?
If malware is not detected and blocked at the initial download phase, users are reliant on host-based antimalware to block it at the execution phase. For both technologies, the consistency of protection and the amount of time required to update protection against new threats are critical metrics, so cloud-based file scanning for endpoint protection (as used by Liebao) could be the way forward, as updates don't need to be pushed to every user.
However, note that what works today may not work tomorrow -- attackers quickly adapt to technologies that try to protect users from their sites, and overall enterprise security depends on users' online behavior and habits. Employees who are taught how to identify social engineering attacks will rely less on technology for protection and will remain more secure when that technology fails or is thwarted. Enterprises should look at how well a browser fits into their overall defensive strategy and how it defends against the particular threats they face to decide which would be the most effective for them.
Ask the Expert!
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)