
Browsers are the final solution

Written by Enablis | 19/02/2025 3:16:23 AM

Cyberattacks originating through web browsers have increased significantly in recent years, with browser-based phishing attacks rising by 198% in the second half of 2023. In many industry reports, phishing is still considered the tool of choice for many hackers. Additionally, the report uncovered an even larger increase of 206% in evasive attacks, where the tactics employed include multi-factor authentication (MFA) bypass, SMS phishing, brand impersonation (a big one in my Tax Office days) and adversary-in-the-middle.

These evasive tactics are used in a targeted approach in which the adversary seeks to circumvent traditional security controls and exploit browser vulnerabilities, thereby increasing the likelihood of successfully gaining access to systems and networks.

In response to these threats, organizations are implementing measures such as enhanced staff training, alert systems, and regular software updates to mitigate browser-based cyberattacks.

Why Secure Browsers?

Browser-based attacks continue to be a significant threat across various industry sectors, exploiting vulnerabilities in web applications and user interactions. An analysis of millions of websites by SiteLock (a website security organisation) reports that websites currently experience an average of 94 attacks each day and are visited by bots approximately 2,608 times a week. Additionally, recent Verizon research tells us that web application attacks are involved in 26% of all breaches, making it the second most common attack pattern!

Additionally, each industry sector has its own risks. For example, the financial sector, which holds sensitive, high-value data and financial transactions, making it particularly attractive to attackers, is one of the most targeted by basic web application attacks. Similar risks, such as disruption, patient data, espionage etc., exist for other industry sectors, be it information, professional services, the public sector and so on.

Best practice tells us to update and patch regularly - maintaining an up-to-date browser and configuring security settings are fundamental practices. Simply enabling automatic updates ensures that the latest security patches/updates are applied promptly. Additionally, configuring browsers to block third-party cookies, disabling unnecessary plugins, and using features like HTTPS-Only Mode can significantly enhance security.
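As an added example (not Enablis code), the Python check below audits a Chrome managed-policy document against the settings named above. The policy keys are Chrome enterprise policy names, which the post itself does not mention; the sample policy and the extension ID in it are constructed placeholders.

```python
import re

# Chrome extension IDs are 32 characters drawn from a-p.
EXT_ID = re.compile(r"[a-p]{32}")

# Constructed sample policy (not from the post): HTTPS-Only left optional.
SAMPLE_POLICY = {
    "HttpsOnlyMode": "allowed",
    "BlockThirdPartyCookies": True,
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": ["a" * 32],  # placeholder ID
}


def audit_policy(policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Only the forced value stops users switching HTTPS-Only Mode off.
    if policy.get("HttpsOnlyMode") != "force_enabled":
        findings.append("HttpsOnlyMode is not forced on")
    # An unset policy leaves third-party cookies to the user's own setting.
    if policy.get("BlockThirdPartyCookies") is not True:
        findings.append("BlockThirdPartyCookies is not true")
    # Default-deny extensions: "*" in the blocklist, named IDs in the allowlist.
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        findings.append("extensions are not default-deny")
    for ext in policy.get("ExtensionInstallAllowlist", []):
        if not (isinstance(ext, str) and EXT_ID.fullmatch(ext)):
            findings.append(f"malformed allowlist entry: {ext!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
```

An unmanaged browser (an empty policy) fails all three checks, which is the state the audit is meant to surface across a fleet.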

However, cybercriminals know this and have targeted updates and patches, meaning that when you follow best practice you may find yourself installing malware, backdoors or other nefarious software.

A More Comprehensive Strategy

In response to these challenges, businesses and organisations are shifting to enterprise-specific browsers that incorporate security features directly into the browsing environment. This approach enhances protection against data leaks, credential theft, and unauthorized access to Software as a Service (SaaS) applications. By embedding security measures within the browser, enterprises can enforce policies more effectively and reduce reliance on external extensions.

Together with enhanced staff training, advance alert systems, and regular software updates, they aim to mitigate browser-based cyberattacks.

But what is less talked about is browser extensions. While browser extensions can enhance security, they are not comprehensive solutions. Browser extensions are incredibly popular and extensively used to enhance browser functionality, personalise user experience, and integrate various web services directly into browsers. Businesses increasingly use browser extensions to integrate SaaS applications, collaboration tools, and security measures into various workflows.

Browser extensions are widely adopted across many platforms such as Google Chrome, Mozilla Firefox, Microsoft Edge, and Safari. In fact, the Chrome Store alone hosts over 100,000 extensions with millions upon millions of downloads.

However, their growth and ubiquity come with security risks. A more robust strategy involves integrating security at the network level, such as implementing Secure Access Service Edge (SASE) solutions with natively integrated enterprise browsers. This combination offers a holistic approach to secure browsing, ensuring that data protection and threat prevention are managed beyond the browser itself.

Implementing a secure browser inclusive of browser isolation creates a functional barrier between the web browser and the operating system. The effect is to reduce the impact of potential exploits and ensure that any malicious code encountered during browsing does not affect the underlying operating system.

Risk Management and Mitigation

By understanding the landscape of browser-based attacks and recognising industry-specific risks, businesses and organisations can better prepare and defend against these persistent threats. My four-step approach consists of:

  • Regular Security Audits and Penetration Tests: Conduct thorough security assessments to identify and address vulnerabilities in web applications.
  • Employee Training: Educate your staff about phishing and other social engineering tactics to reduce the risk of successful attacks.
  • Advanced Security Solutions: Implement robust security measures, including firewalls, intrusion detection and prevention systems, and secure coding practices.
  • Incident Response Planning: Develop, test and maintain an effective response plan to minimise damage in the event of a security incident and/or data breach.

Finally, adopt a Zero Trust security model within the browser environment, focused on verifying user identity and device health before granting access to resources. This approach minimises the risk of unauthorised access and aligns with broader cybersecurity strategies aimed at protecting sensitive data, individual users and the business.
