Manage Learn to apply best practices and optimize your operations.

Web browser protection for users: Adapting to new Web security threats

Expert Nick Lewis explains how to provide a secure Web browsing experience for users when threats are no longer contained to certain parts of the Web.

My company has a reasonably loose policy when it comes to employee Internet use. As long as you're not visiting a "shady" site, you're OK. The 2013 Cisco Annual Security Report seems to indicate that thinking is completely backward though; most malware is served up through malicious online advertisements via otherwise secure, legitimate sites. How should enterprises react to this report? Are there ways to ensure Web browser protection for users?

Ask the Expert! expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)

Historically, the most malicious sites were found on the less-savory side of the Internet, so to speak, which meant organizations could block a significant amount of Web-based malware simply by preventing their users from visiting those sites.

As stated in the 2013 Cisco Annual Security Report, users are now more likely to be infected by what some would think is a secure website. Compromised ad networks, search engine poisoning and watering hole attacks are now making high-profile websites even greater security risks than sites that were traditionally thought of as "shady." From an enterprise perspective, this is especially troubling because the number of users who frequent secure websites will be far more than those visiting stereotypically dangerous ones.

In terms of how enterprises can react to this change in the Web security threat landscape, there are unfortunately not a lot of options that actually address the underlying issue. Blocking malware at the network level does not address smartphones using their cellular data connections, alternative Internet connections or mobile users on external networks. Network-based blocking and analysis does have significant advantages for detecting potentially suspicious network connections and blocking them, but if the outgoing connection is only blocked after the system is compromised, the protection might not be sufficient. With the increase in watering hole attacks, even whitelisting approved websites won't protect insecure clients.

Regardless of the platform, securing the client system is the only way to secure the general Web browsing experience for users.

This was last published in March 2014

Dig Deeper on Web application and API security best practices