The Gaping Hole in Your Data Security: The Web Browser
By Laurie Coffin
Organizations are deploying enterprise web applications, SaaS and cloud services in an effort to provide anytime, anywhere access to information. Data compliance regulations are increasing and the Bring Your Own Device (BYOD) trend introduces new risks of costly data breaches. In addition, Web 2.0 and social media applications are producing financially motivated, targeted threats to exploit security gaps. Investments in web-based efficiencies means that the volume of sensitive data delivered by the browser and accessed by a variety of devices is only increasing.
There are many advantages to allowing employees to use their personal devices for work, but potential unintended consequences-such as data leakage and malware-reinforce the need to secure company data. Organizations must control the data after it's delivered to the endpoint device in order to prevent accidental or intentional loss by end users. Users are also installing a variety of games and social networking apps on their mobile devices that are potentially malicious and put data at risk. It's no surprise that the volume of mobile malware is increasing.
The endpoint browser continues to be the weakest part of any network, as one wrong click of the mouse can open an organization's most sensitive data to significant threats. As companies of all sizes increasingly use browsers as the primary platform for delivering information, they have become the primary point of theft or data leakage. Malware and keyloggers can compromise web sessions after the data has been decrypted, stealing sensitive information or account credentials and transparently redirecting users to hostile sites and mining session content. Cyberthieves and hackers are always looking for ways to obtain sensitive information, and data can remain in the browser cache in clear text format and easily extracted by either malware or users, even after the web session has ended. This also means that stored user names and passwords from browser sessions remain available in the authentication cache and vulnerable to malware.
As we've seen now many times, with headline after headline of data breaches, companies are not aware of the gaping hole that the browser represents to high-value data. Not knowing the security state of the endpoint is a critical security gap for a website or web application owner.
It's time for organizations to stop making a distinction between managed and unmanaged devices, authorized and unauthorized users, and focus instead on protecting sensitive data. Organizations need to go beyond traditional endpoint protection and user education, recognize that the browser is a key part of the security value chain, and establish a strong security strategy to embrace this model in a suitable manner. This means securing information from storage through transport to delivery in the browser at the endpoint to prevent potential data loss.
This also means better compartmentalizing access to sensitive information, better audit logging and log analysis, and deploying security solutions that are designed to support today's multiple device, browser-based information world, such as those that can control the unauthorized use and replication of your data by malware and end users.