Prevent malware from entering networks through web browsers
About a year ago, the Cybersecurity and Infrastructure Security Agency (CISA) published a Capacity Enhancement Guide for federal agencies on web browser security and defending against malvertising. In that guide, CISA pointed out how easily web browsers, as the primary mechanism of interaction between the user and the Internet, can be exploited by malicious actors to spread malware. Malvertising in particular is designed to bypass protections against pop-ups and website redirects, and then to generate forced redirects or deliver malicious payloads.
While CISA’s previous guidance on web browser security was directed at federal agencies, savvy businesses and nonprofits would have been wise to adopt the recommendations, as we advised at the time. Now, CISA has officially extended its focus to these sectors with the new Capacity Enhancement Guide on Web Browser Protection and Malvertising Defense for Non-Federal Organizations.
CISA Recommended Malvertising Protections
In a slightly clearer format and text than the version for federal agencies, CISA sets out four main recommendations:
- Standardization and security of web browsers
- Implementation of ad blocking software
- Implementation of protective Domain Name System (DNS) technologies
- Isolating web browsers from operating systems
As the CISA guide points out, “malicious advertising and poor web browser security go hand in hand,” so keeping web browsers up to date and securely configured is an essential first step. Standardizing the browsers used in an organization simplifies the update and patching processes and reduces the organization’s attack surface.
Implementing ad-blocking software is, in principle, an excellent idea. In theory, the software can reduce the number of malicious ads and redirects to phishing sites that reach users’ browsers, and prevent third parties from collecting data. However, in many cases ad blockers themselves can pose a danger. Many are browser extensions that run with high levels of privilege, including access to all traffic between the user’s device and the network. Some offer pay-to-play deals with advertisers under which their ads remain unblocked. More seriously, numerous cases of malware disguised as ad blockers have been discovered. As such, this recommendation should be applied with caution: an extension’s requested permissions should be reviewed before it is approved for organization-wide use.
Protective DNS technologies provide an additional layer of protection by blocking resolution of domain names known to be used in ransomware, phishing and other malware campaigns. This is a worthwhile extra layer wherever it can be deployed.
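The two cautions above, that ad-blocking extensions often hold very broad privileges and that protective DNS only catches domains already on a list, are easier to reason about against concrete data. The following is an added example written for this page (not code from the original post, from Ericom, or from any ad-blocker or DNS vendor). The first part audits an extension’s manifest.json for high-privilege permissions, using the Manifest V2 and V3 layouts that Chromium documents (host patterns mixed into `permissions` in V2, split into `host_permissions` in V3); the risk descriptions and the two manifests are this example’s own constructions.

```python
"""Audit a browser-extension manifest for high-privilege permissions.

Added example, not code from the original post or from any ad-blocker
project. The manifests below are constructed for illustration. Handles
Manifest V2 (host patterns mixed into "permissions") and Manifest V3
(host patterns split out into "host_permissions").
"""
import json

# Permissions that let an extension read or rewrite traffic or pages.
# Descriptions are this example's own summaries, not a vendor rating.
HIGH_RISK_PERMISSIONS = {
    "webRequest": "observe every request the browser makes",
    "webRequestBlocking": "modify or cancel requests in flight",
    "declarativeNetRequest": "rewrite or redirect requests by rule",
    "proxy": "route all browser traffic through a chosen proxy",
    "cookies": "read and write cookies for permitted hosts",
    "debugger": "attach to tabs and inject arbitrary code",
    "nativeMessaging": "talk to native helpers outside the sandbox",
    "scripting": "inject scripts into permitted pages",
    "tabs": "see the URLs of every open tab",
}

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_host_pattern(entry):
    return entry == "<all_urls>" or "://" in entry


def audit_manifest(manifest):
    """Return a list of (severity, detail) findings for one manifest dict."""
    findings = []
    perms = list(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    if manifest.get("manifest_version", 2) < 3:
        # MV2 puts host patterns in "permissions"; separate them out.
        hosts += [p for p in perms if _is_host_pattern(p)]
        perms = [p for p in perms if not _is_host_pattern(p)]

    for p in perms:
        if p in HIGH_RISK_PERMISSIONS:
            findings.append(("high", f"permission {p}: can {HIGH_RISK_PERMISSIONS[p]}"))
    for h in hosts:
        if h in BROAD_HOST_PATTERNS:
            findings.append(("high", f"host pattern {h}: access to every site"))
        else:
            findings.append(("info", f"host pattern {h}: scoped host access"))
    # A content script matched to all sites reads every page regardless.
    for script in manifest.get("content_scripts", []):
        if any(m in BROAD_HOST_PATTERNS for m in script.get("matches", [])):
            findings.append(("high", "content script injected into every site"))
    return findings


def risk_level(manifest):
    """Collapse findings into high / medium / low for an allowlist decision."""
    severities = {sev for sev, _ in audit_manifest(manifest)}
    if "high" in severities:
        return "high"
    if "info" in severities:
        return "medium"
    return "low"


def audit_manifest_json(text):
    """Same audit on the raw manifest.json text shipped inside an extension."""
    return audit_manifest(json.loads(text))


# Constructed manifests (not real extensions).
AD_BLOCKER_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Blocker",
    "permissions": ["webRequest", "webRequestBlocking", "<all_urls>", "storage", "tabs"],
}
LIMITED_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Notes",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example/*"],
}

if __name__ == "__main__":
    for m in (AD_BLOCKER_MANIFEST, LIMITED_MANIFEST):
        print(m["name"], "->", risk_level(m))
        for sev, detail in audit_manifest(m):
            print("  ", sev, detail)
```

A typical network-level ad blocker needs `webRequest` plus `webRequestBlocking` (or `declarativeNetRequest`) on `<all_urls>`, which is exactly the combination the audit flags as high risk; that is not a reason to ban the category, but it is the reason to pin one vetted extension via an allowlist rather than letting users install whatever looks like a blocker.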
Malvertising changes too quickly for reactive solutions
All of these technologies can significantly reduce the amount of malicious advertising reaching an organization’s endpoints and networks. But malware is an all-or-nothing game: if even one sample gets in, the consequences can be dire. The CISA-recommended steps, such as hardening web browsers and implementing ad blockers and protective DNS, depend on fast updates and/or detection of known threats and known malicious domains. If an update is slow or fails, the protection is weakened. And no matter how consistently and quickly updates and patches are applied, these technologies cannot protect networks against unknown, newly created malware or newly registered malicious sites.
That is why, to address malvertising and other web-based threats, CISA says that “browser isolation implementation is a strategic architectural decision made by large corporations.” That is, by organizations that are committed to the “zero-trust premise that all web traffic is untrustworthy and potentially harmful” under which browser isolation operates.
Remote Browser Isolation (RBI) renders all website content in short-lived, isolated containers located in the cloud. Only a safe rendering of the page is sent to the browser at the endpoint, where the user interacts with it as with the original website, only securely. The most sophisticated solutions, such as Ericom Software’s ZTEdge Web Isolation, integrate RBI with technologies including secure web gateways, web content filtering, and content disarm and reconstruction (CDR) to remove malicious content from files before they are downloaded.
Most importantly, because no website code reaches the endpoint browser, the network remains protected even from newly created zero-day threats and phishing sites, regardless of whether every patch and update has been applied. The protection comes from the architecture, not from a list that has to be kept current.
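The “known threats and known malicious domains” limitation above is concrete enough to demonstrate. The following added example (written for this page, not code from the original post or from any protective-DNS product) evaluates resolver queries against a blocklist using most-specific-first matching, so an entry covers every subdomain beneath it while an explicit allowlist entry can carve out a single host. The blocklist, allowlist and query log are constructed; the verdict `pass` marks the case the text warns about: a name that is on no list at all, which is where a freshly registered malvertising or phishing domain lands.

```python
"""Evaluate DNS queries against a blocklist of known-malicious domains.

Added example, not code from the original post or from any protective-DNS
product. The blocklist, allowlist and query log below are constructed.
Matching is most-specific-first: the full name is checked, then each
parent domain, so an entry blocks the whole subtree beneath it.
"""

# Constructed threat-intel feed of known bad domains (not real indicators).
BLOCKLIST = {
    "malvertising-cdn.example",
    "phish-login.example",
    "partner.example",
}
# Explicit exceptions for business-required hosts under a blocked parent.
ALLOWLIST = {"ads.partner.example"}


def normalize(qname):
    """Lowercase, drop the trailing root dot, and IDNA-encode so Unicode
    lookalike names compare against the ASCII form feeds actually contain."""
    name = qname.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name  # malformed label: leave as-is, it will not match anything


def decide(qname):
    """Return 'allow' (explicit exception), 'block' (known bad) or 'pass'
    (no entry at all, which is where newly registered domains land)."""
    name = normalize(qname)
    labels = name.split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in ALLOWLIST:
            return "allow"
        if candidate in BLOCKLIST:
            return "block"
    return "pass"


# Constructed resolver log: "<timestamp> <client> <qtype> <qname>"
QUERY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A cdn.malvertising-cdn.example.
2024-05-01T10:00:02Z 10.0.0.5 A MALVERTISING-CDN.EXAMPLE
2024-05-01T10:00:03Z 10.0.0.7 AAAA ads.partner.example
2024-05-01T10:00:04Z 10.0.0.7 A tracking.partner.example
2024-05-01T10:00:05Z 10.0.0.9 A brand-new-site.example
2024-05-01T10:00:06Z 10.0.0.9 A phish-login.example.
"""


def evaluate_log(text):
    """Return (client, normalized qname, verdict) for each well-formed line."""
    results = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing
        _, client, _, qname = parts
        results.append((client, normalize(qname), decide(qname)))
    return results


def summarize(text):
    """Count verdicts; 'pass' is the blind spot a reactive list always has."""
    counts = {"allow": 0, "block": 0, "pass": 0}
    for _, _, verdict in evaluate_log(text):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for client, qname, verdict in evaluate_log(QUERY_LOG):
        print(f"{client:10} {verdict:5} {qname}")
    print(summarize(QUERY_LOG))
```

Note that the resolver has to normalize case and the trailing root dot before matching, and that a lookalike Unicode label must be compared in its IDNA form; a list that is matched on the raw query string can be bypassed by either. Even so, `brand-new-site.example` passes untouched, which is the gap browser isolation is meant to close.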
Benefits of RBI beyond protection against malvertising
Implementing browser isolation is a more strategic approach than the other steps recommended by CISA in this guide. This is in large part because it is a broader and more powerful solution that offers benefits that go far beyond protection against malvertising.
For example, remote browser isolation solutions reduce or eliminate the need for allow lists and block lists of websites and for anti-phishing training, since they can stop all active web code from reaching endpoints. Many also support policy-based controls that let administrators choose which types of websites and/or specific websites can be accessed by which users; which types of sites may only be viewed in read-only mode; and what data may (or may not) be shared with which sites.
Administrators can apply scalable policies that range from selectively isolating only traffic that is likely to be malicious to comprehensively isolating all downloads, attachments and links. And as mentioned above, many solutions include CDR to address the risk of weaponized attachments.
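To make the policy controls described above concrete, here is an added example (written for this page; it is not ZTEdge’s or any vendor’s configuration format, and the hosts, categories, groups and rules are constructed). It models a per-request decision with four actions (direct `allow`, `isolate`, `read_only`, `block`), scoped by host pattern, site category and user group, evaluated first-match in order, with an uncategorized site falling through to a zero-trust default of isolation with uploads disabled.

```python
"""Decide how an isolation gateway should handle each request.

Added example modelling the policy controls described in the text; the rule
format, categories, groups and hosts are constructed for illustration and
are not ZTEdge's or any vendor's configuration semantics. Rules are
evaluated first-match in order; anything unmatched falls to the default.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" (direct), "isolate", "read_only", "block"
    hosts: tuple = ()           # exact host or "*.suffix" patterns
    categories: tuple = ()      # site categories from a URL-classification feed
    groups: tuple = ()          # user groups the rule applies to; () = everyone
    uploads: bool = True        # may the user send files/form data to the site
    clipboard: bool = True      # may the user copy text out of the isolated page


# Constructed URL-category feed; None means the classifier has no verdict yet.
CATEGORY = {
    "intranet.corp.example": "internal",
    "news.example": "news",
    "files.example": "file_sharing",
    "brand-new-site.example": None,
}

RULES = (
    Rule("allow", hosts=("intranet.corp.example",)),
    Rule("block", hosts=("*.gambling.example",)),
    Rule("read_only", categories=("file_sharing",), groups=("contractors",),
         uploads=False, clipboard=False),
    Rule("isolate", categories=("news", "file_sharing")),
)
# Zero-trust default: anything uncategorised is rendered remotely, no uploads.
DEFAULT = Rule("isolate", uploads=False)


def host_matches(pattern, host):
    """Exact match, or "*.suffix" matching the suffix itself and anything under it."""
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern


def policy_for(host, user_groups):
    """Return the first rule whose host, category and group scopes all match."""
    host = host.lower().rstrip(".")
    category = CATEGORY.get(host)
    groups = set(user_groups)
    for rule in RULES:
        if rule.groups and not groups.intersection(rule.groups):
            continue
        if rule.hosts and not any(host_matches(p, host) for p in rule.hosts):
            continue
        if rule.categories and category not in rule.categories:
            continue
        return rule
    return DEFAULT


if __name__ == "__main__":
    for host, who in [("intranet.corp.example", ["staff"]),
                      ("files.example", ["contractors"]),
                      ("files.example", ["staff"]),
                      ("bets.gambling.example", ["staff"]),
                      ("brand-new-site.example", ["staff"])]:
        r = policy_for(host, who)
        print(f"{host:24} {who[0]:12} {r.action:9} uploads={r.uploads} clipboard={r.clipboard}")
```

Rule order is the whole policy here: the contractor read-only rule must sit before the general file-sharing isolation rule or it never fires, and the default deliberately isolates rather than allows, which is what the “all web traffic is untrustworthy” premise quoted above means in practice.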
Defense that extends to today’s most essential business tools
Despite targeting private organizations, and despite noting how pandemic-related remote work has increased opportunities for unauthorized access to workers’ endpoints, this Capacity Enhancement Guide does not explicitly address two services of particular concern: web-based conferencing and instant messaging (IM) web applications that use end-to-end encryption. Because distributed enterprises rely heavily on these services, malicious actors are increasingly exploiting them for malware delivery, using malvertising and other methods.
Unique among RBI providers, ZTEdge Web Isolation includes patent-pending technology that enables Zoom, Microsoft Teams, Google Meet and other online conference meetings to be completely isolated, including video, screen sharing and chat. It also protects organizations from malware sent in encrypted IM chats.
CISA’s recent Capacity Enhancement Guide on web browser protection provides important and valuable information and practical recommendations for businesses, nonprofits, and other digitally connected organizations. Savvy organizations that prioritize security, especially those that are currently moving to Zero Trust or planning to do so, should consider CISA’s strong recommendation regarding browser isolation: “Throughout its lifecycle, browser isolation can lead to cost savings, based on reduced costs to maintain ad-blocking software, reduced incident response and recovery costs, and bandwidth efficiency.”
The post CISA extends recommendations to non-federal organizations first appeared on Ericom’s Blog.
*** This is a syndicated Security Bloggers Network blog from Ericom’s Blog written by NICK KAEL. Read the original post at: https://blog.ericom.com/cisa-extends-recommendations/?utm_source=rss&utm_medium=rss&utm_campaign=cisa-extends-recommendations