Security Awareness Topic #5 - Browsers

This post is the fifth in a series of what I consider the top ten topics for any security awareness program. Selecting the right topics with greatest value for your organization is key to a successful program. This series is not designed to tell you what your awareness program must have, instead these posts are designed to give you recommendations, a place to start. For the fifth topic I like to focus on browsers. Browsers have become the primary method most people interact with the Internet. From banking online or searching for information to updating their Facebook account or buying the latest pair of shoes. Because browsers are such a target, and because the Internet can be such a hostile environment we need to make end users aware of certain risks and change some common behaviors.

1. The first step is keeping browsers updated. Vendors are not only constantly patching browsers and fixing known vulnerabilities, but adding new security features such as sandboxing. Always having the latest version is one of the best ways to help secure your browser and your system. Teach end users how to check if their browser is updated and how to enable automatic updating.
2. The second step is minimizing plugins. The more plugins (or add-ons) a browser has installed, the greater the attack surface, the more likely a threat can find a vulnerability. In fact, most browser based attacks now adays do not target the browser itself but plugins. In addition, we want to ensure that whatever plugins we have installed our always current. Not sure? Check out one of my favorite end user tools Qualys's BrowserCheck.
3. The third step is checking URL's. We can teach end user's the basics of reading what is a domain name. If people are visiting PayPal's website, paypal.com should be the domain name, not PayPal in the domain suffix or directory structure. New browsers make this much simpler by high lighting just the domain people visit. If something looks suspicious sometimes browsers will highlight the URL in red.
4. Last we want to make sure that anything end user's download is scanned by anti-virus. Yes we all know that AV cannot detect all malware, but security is all about reducing risk, not eliminating it.

Notice something missing here? I do not recommend explaining to end users how SSL certificates work. After fifteen years in the industry I'm not sure if I understand how they work, and even if I did I can still probably be fooled. This is one of those examples where attempting to change a behavior does more harm then good. More harm in that teaching this behavior takes up valuable time, time you can be using teaching other more important behaviors. In addition, it is complex and time consuming for end users to implement. Finally, really how much is a risk is this to end users, what percentage of cyber attacker leverage or forge fake SSL certificates in attacking end users? Pretty damn small. PREVIOUS POSTS IN TOP TEN TOPCIS SERIES #1 - You Are The Target #2 - Social Engineering #3 - Email and IM #4 - Social Networking