Security blogs and articles about browser problems abound. The browser is typically blamed for most if not all Web-related security problems faced by business and home users. However, this position doesn’t resonate with the way I see security today. It isn’t the browser that’s the problem. The real problems still sit under the browser and about 19 inches from the monitor.

Ok, so a browser with some security features is a good idea. Why open the gate completely when you’re certain barbarians are lurking on the other side. But relying only on the gate to defend the castle is a bad idea.

Another way of looking at the problem is from the perspective of disease control. Melith Abdulhayoglu wrote about this in a recent Security Focus article.

There was a time when most diseases were fatal for humans. Intense study and research helped doctors manage diseases better, and subsequently even prevent them altogether.

Today, vaccination is an established and permanent method of preventing diseases by strengthening the body’s natural defenses against the causal elements. The solution lies in eliminating the threat by shoring up the immune system and creating a wall of defense, and not in just managing the symptoms.

The same principle applies to Internet browsers too. True, browsers do come with a built-in security mechanism. However, it should not be their job to be on watch all the time. Browser[s] are there to perform a function: to browse the Internet. Rather than also attempt to secure the user, they should work together with security products to protect the computer network and data against intruders and prevent attacks.

Source: Don’t Blame the Browser, Melith Abdulhayoglu, Security Focus, 6 February 2009

The key statement here is that browsers are intended to perform a specific function, browsing, not protect your computer from the thousands of exploits floating around the net. And they should never be expected to protect the business network from user behavior. The browser can only do so much, and we have to expect bad things to come through it into our systems. The question, then, is not how well our browsers stop exploits. Rather, we need to ask ourselves how prepared we are to defend against inescapable successful infections of one or more computers connected to our enterprise networks. And what precautions do we take when risky Web browsing is either necessary or inevitable?

Let’s start with the second question first. How DO we ensure safe browsing? For example, I’m always visiting new and interesting Web locations in my research. No browser on the market today can completely protect me from automated nasties I occasionally encounter. Further, I want to click on the unknown just to see what will happen. So how do I protect myself?

First, I don’t rely on my browser. Although I use Firefox for general browsing, I use Google’s Chrome for research. Yes, Chrome. I find that it is a much better tool than Firefox to support the way I work. Do I rely on Chrome to protect my computer? Not a chance. I do, however, rely on the steps I take to minimize the risk to my home research network.

  1. I run Chrome sandboxed with Sandboxie. Any stuff that finds its way onto my computer is not permanently stored. When I close the sandbox session, all unwanted visitors are deleted. This is supplemented in the new version of Sandboxie with a DropMyRights-like setting that allows me to work within the sandbox without local admin rights.
  2. All computers are protected with a firewall, anti-virus, and anti-spam software.
  3. All computers are patched with the most current security patches. This is the most important path to an inoculated computing environment.

I also use good old common sense. However, I can’t rely on common sense at the office. So, I add the following:

  1. The network is monitored for anomalous behavior, including extrusion and data leak prevention.
  2. Web filtering to minimize inadvertent visits to high risk sites.
  3. Awareness training in the hope that it will cause at least some users to think before they click.
  4. Where possible, users are not given local admin rights on desktops and their use of handheld devices is controlled.

Finally, I assume there will be an infection or a breach, and I plan for it. No one should expect a strong layered approach to stop a strongly motivated attacker. Nor should we expect any number of security controls, no matter how strong, to protect our networks when users continue to invite disaster. So how can we expect a browser, any browser, to provide end-user device or network security?

My only expectation of a browser is that it works as advertised with no vulnerabilities caused by careless programming or negligent design. Maybe we should ask our browser vendors to focus on these outcomes while we look for other ways to secure our computing environments.