Tuesday, March 6, 2007

Analysis: Browser Security Part III By Roger Beall

Managing The Risk
Serious about browser security? Limit who can access the Internet--it sounds draconian, but it's good security practice. Use layers of security. Set browsers to accept only "safe" sites, then lock the firewall policy down for Port 80, and other in-use ports, to the identified "safe" sites. Other steps to take:

MONITOR Web traffic, and let everyone know you're watching. This is a tried-and-true method to discourage inappropriate browsing. If your policy is to monitor Web site access, for example, the monitoring itself can range from simple--parsing firewall logs with an automated scanner--up to employing a comprehensive outsourced monitoring service. Remember: a policy that is not automatically enforced will be ignored.
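A simple automated scanner of the kind mentioned above, added here as an illustration rather than taken from the article: it reads firewall log lines, counts who generated Web traffic, and flags any allowed connection on a Web port to a host that is not on the "safe" site list. The log format, the allowlist and the sample lines are all constructed for this example.

```python
import re
from collections import Counter

# Constructed, generic log format (not any particular vendor's):
# "<date> <time> <ALLOW|DENY> src=<ip> dst=<host> dport=<port>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample allowlist: the sites policy has identified as "safe".
SAFE_SITES = {"intranet.example.com", "updates.example.com"}
WEB_PORTS = {80, 443}

def parse_line(line):
    """Return the parsed fields, or None for lines not in the expected format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def scan_web_traffic(lines, safe_sites=SAFE_SITES, web_ports=WEB_PORTS):
    """Return (violations, per-source counts) for Web-port traffic in the log.

    A violation is an ALLOWed connection to a destination outside the
    allowlist: either the firewall rule is looser than policy or the
    allowlist is stale. Both need a human to look at them.
    """
    violations = []
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in web_ports:
            continue  # malformed line, or not Web traffic
        per_source[rec["src"]] += 1
        if rec["action"] == "ALLOW" and rec["dst"] not in safe_sites:
            violations.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return violations, per_source

# Constructed sample log: one clean request, two that slipped past the
# allowlist, one correctly denied, one non-Web port and one junk line.
SAMPLE_LOG = [
    "2007-03-06 09:01:00 ALLOW src=10.0.0.5 dst=intranet.example.com dport=80",
    "2007-03-06 09:02:10 ALLOW src=10.0.0.5 dst=example.net dport=80",
    "2007-03-06 09:03:30 DENY src=10.0.0.7 dst=example.net dport=80",
    "2007-03-06 09:04:00 ALLOW src=10.0.0.7 dst=mail.example.com dport=25",
    "not a firewall line",
    "2007-03-06 09:05:45 ALLOW src=10.0.0.5 dst=example.org dport=443",
]
```

Running `scan_web_traffic(SAMPLE_LOG)` reports the two allowed connections to hosts outside the allowlist and three Web-port records for the first workstation.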

MANDATE use of the security features that ship with the browser, and supplement them with additional tools, like Exploit Prevention Labs' LinkScanner, the Google toolbar, McAfee's SiteAdvisor and Netcraft's Anti-Phishing Toolbar, to name a few.

LOCK DOWN the browser using policies to prevent software add-ons or active components from loading, wherever possible.

RUN Web applications and browsers at the lowest permission level possible, ideally under an unprivileged or restricted account.

DISABLE JavaScript by default, then whitelist only the sites that need it through the "NoScript" Firefox extension.

STAY CURRENT with security advisories for the Web browser(s) that are in use within your organization.

EDUCATE users on safe surfing habits and useful skills like recognizing EV Certificates. Check out The SANS Institute's security newsletter--aka "SANS Ouch!"--and disseminate the information to your end users. The bulletin provides phishing and hoax alerts, and every issue highlights the "security screw-up of the month." In February it was the loss by the IRS of 26 computer tapes containing information about an undisclosed number of taxpayers. Ouch, indeed. Subscribe here.

Roger Beall is a certified senior network systems engineer at Entre Solutions, specializing in cutting-edge technologies and compliance auditing; rbeall@entresolutions.com.
