Project Management

Protect your systems from the dangers of web browsing

Here are the most common myths around web browsing and the necessary steps to take to ensure a safe and secure browsing environment for all your users.

Mark Twain once quipped, "It's not what you don't know that gets you into trouble, it's what you know for sure that just isn't so."

So too, in the world of web browsing, misconceptions abound. My objective in this article is to expose the common myths of safe web browsing.

Before I get to the heart of the matter, some relatively obvious questions come to mind:

Is safe web browsing possible? Can risky sites be avoided? Can a web browser be made into a safe web browser? Is there such a thing as a safe web browser? Can our end users eliminate frivolous web browsing during work hours?

Unfortunately, a yes answer to any of the above leaves our end users completely exposed -- an all-too-common situation in today's marketplace.

Although trying to solve the dilemma by building ever-increasing "walls" between our users and the Internet seems the simplest solution, this solution quickly becomes cost prohibitive and ultimately will not work.

What is the responsible thing to do?

As I look at the most common myths surrounding web browsing, I will offer some positive approaches to preventing loss of security resulting from mistaken perceptions.

Web browsing must be safe because we've been doing it for several years and we've never had an intrusion.

Lucky you! Seriously, this thinking hardly amounts to a real strategy. What's worse you may be infected and not even know it. Many of the more formidable malware intrusions are specifically designed to stay hidden and steal personal and company information covertly. Although the task of staying up to date regarding current intrusions seems daunting, employing meaningful policies and up-to-date prevention technology can prevent security breaches.

Our users are responsible individuals who don't spend their time searching inappropriate web pages and content.

Sorry, that is simply not true. A 2011 research report by Gartner shows that at least 40% of U.S. business bandwidth is used for nonbusiness and inappropriate activities on a daily basis. On average, this amounts to between one to two hours per worker per day. What makes matters worse is the potential for legal damage to the organization brought on by the inadvertent actions of the unsuspecting surfer. Again, regular policy and standards reviews are necessary. These reviews in and of themselves won't eliminate a breach, but they are a positive and necessary part of ensuring system's safety.

Our organization has clear and strict policies in place that prevent inappropriate internet usage.

As naive as this statement appears, a surprising number of organizations rely on such thinking to protect their assets. As obvious as the real solution may seem, these organizations consistently fail to incorporate the necessary technology to safeguard their data environments. Keep the standards and policies in place and be sure to back them up with solid "watch dog" technology.

Only porn, gambling, and other illicit sites are dangerous, and we always prevent our people from going to those.

Recently, Symantec released information indicating that 83% of those sites containing malware were hijacked trusted sites. It turns out that the sites we trust the most tend to be the most infected. Only regularly updated technology that tracks site blacklisting can adequately protect against damage from visits to these sites.

A user must download files or run an executable to get the PC infected.

This was true in the early days of malware development, over 10 years ago! In the modern world of hacking and intrusion, most infections are done automatically. Though this is unfortunate, to be aware is to be forewarned. Fortunately, ALL the top-ranked products for PC client protection do a thorough job of protecting against automatic infections. But, these products must be kept running and up to date.

Our users browse with Firefox, and it is safer than Internet Explorer.

Although this is a common belief, it is statistically inaccurate. All the most dangerous intrusions and infections are directed at components that are used by all browsers. Also, in the most recent review of browsers in use today, Firefox is the least secure browser. The solution here is obvious: do not depend on the selection of a browser or on a particular browser alone for protection!

Only naive users get their PCs infected.

Nothing could be further from the truth. Malware known as drive-by downloads can infect any unprotected PC automatically, without any action by the end user, no matter how computer literate that end user may be. A well-crafted phishing attack can lead to an infected machine simply with a visit to a bogus site. As attackers and their attacks become more sophisticated, so too must we and the products we use to fend them off.

When the padlock appears in the status bar the site you are visiting is safe.

Wrong answer! The padlock is a reference to the security of the transactions to and from the website not the malware free status of the site. Drive-by downloads from an infected site can still deliver infections. It should appear obvious by now that part of the job of maintaining safe, intrusion-free environments depends on anticipating the beliefs and actions of end users, especially when those actions are based on erroneous beliefs or out-of-date information.

Fortunately for us, the security solutions industry has kept pace with modern attackers. There are a number of solid end point and client-based products -- both hardware and software -- that do a comprehensive and competent job of protecting against intrusion and infection.

However, as Tony Robbins reminds us, "knowledge is only power when we act."

Begin today, and take the necessary steps to ensure a safe and secure browsing environment for all your users.


Robert Eugene Miller is an information technology consultant and President of Horizon Technologys ( Horizon provides Business Intelligence Deployment, Systems Security Assessments, and Website Development consulting services to a ...


I mistyped a common URL just last night. I transposed two characters. I was met with a blank white screen and an instant pop-up from Avast anti-virus that said it had just blocked a trojan horse. Thanks Avast! Here's the strange part: I run NoScript on an up to date FireFox. There is no way that this mistyped URL was added to the whitelist. I was under the impression that most code that would force execution of a Trojan horse required client side scripting to be active; something that NoScript usually manages very well. In this case I was saved by having multiple layers of security. I believe that if I was the first person to stumble upon this attack site that I could have been infected due to a lack of signature for Avast! Due to the reactive nature of most security products somebody must get infected before the threat can be neutralized. This means that nobody is safe and if you are the target of new malware you will always need behavior analysis to successfully identify the questionable code.


"Our organization has clear and strict policies in place that prevent inappropriate internet usage." I think the disagreement on this might depend on how you're defining "policies". If you mean, "Here are the rules for using Internet access, anyone breaking them will be punished", then yes, you will still have vulnerabilities. On the other hand, I've worked for employers that, as part of their Internet policy, employed strict "whitelist" protocols: if the website wasn't on the whitelist, you couldn't access it from work. Since the whitelist didn't include websites to download "alternatives" to IE, & the floppy drives & USB ports were disabled, that meant a much higher level of control over Internet access. It wasn't 100% perfect, but it was pretty high.


are not meant to protect "users", rather they are in place to protect the company from possible litigation due to security breach, loss of company IP or in cases involving terminated employees as a cause for dismissal.


That wasn't my current employer, anyway. Although, when I say their whitelist was "restrictive", I mean they had it locked down quite a bit. No Yahoo or Google (although worked -- go figure), most sites were either internal to the client (i.e. available to the client's employees but not their customers), & some vendors' websites to get troubleshooting information (but not all of them, either).

Editor's Picks