Web browsers became widely used from the mid 1990s onward, following the early success of Netscape Navigator and the subsequent rise of Microsoft Internet Explorer as the default option on millions of Windows PCs everywhere. In the 2000s, the Web browsing market diversified with the introduction of Apple Safari, Mozilla Firefox (based on the open source parts of Netscape's projects) and Google Chrome within a five-year span.
Browsers, mobile apps and cyber security concerns
In recent years, browsers have taken a back seat to apps as the primary way that mobile users access the Internet. Although all of the major desktop browsers have versions available for at least one mobile platform, immersive, dedicated mobile apps seem better at holding user attention. A 2014 study by analytics firm Flurry found that mobile Web usage only accounted for 14 percent of typical U.S. smartphone users' daily time with their devices in March 2014, down from 20 percent from the year before.
Browsers are ceding their status as centerpieces of their respective operating systems to apps. Just look at the iPhone. Until the 2008 release of the iPhone 3G, Safari was the only way for the iPhone to show its power as an "Internet communicator," as Steve Jobs noted in his 2007 keynote introducing the device. Now, there are more than 1 million apps on the App Store competing for user attention.
On the cyber security front, though, browsers are still a front and center concern for enterprise CIOs and their teams as well as end users. Popups, phishing websites and fake extensions are a few of the best known threats that individuals must be aware of when using a Web browser at work. The broad shift from browsers to mobile apps shouldn't divert organizations' attention away from potential weaknesses in Web browser design.
The Web browser is still a weak link in the security chain
From afar, browser security can seem like a solved problem. For example, popup ads have been mitigated over the years by ad-blocking software as well as default anti-popup settings in many major browsers. Plus, the problematic Internet Explorer 6 – infrequently updated despite being frequently targeted for attack – is finally fading away as more modern browsers gain market share.
However, there are still risks to IT at large that can enter through porous Web browsers. A 2015 survey of 645 IT security practitioners, conducted by the Ponemon Institute, found that Web-borne malware was a widespread issue for enterprise network security:
- Unsecured Web browsers caused more than half of the respondents' reported malware infections over the past year. Seven in ten saw Web malware as a bigger threat than in the year before.
- Around 50 percent stated that malware still got past their layered firewalls. Thirty-eight percent said that sandboxing and/or content analysis solutions had failed to catch all threats.
- Almost 80 percent believed that their organizations had been victims of undetected Web-borne malware. The majority of respondents rated their ability to contain such intrusions as weak or very weak.
Moreover, the costs of letting malware slip through a browser's defenses are high. The Ponemon study estimated that a data breach resulting from such missed threat detection could bear a price tag of $62,000. Over the past year, such incidents have cost organizations $3 million in network cleanups, repairs and upgrades alone, with more losses on top of that related to loss of corporate reputation and/or intellectual property.
Why are Web browsers still weak links in network security? For starters, there are widespread budget issues, with 51 percent of respondents stating that their IT departments were not receiving the money and other resources needed to effectively curtail malware from the Web. Many enterprises are also still using old-fashioned tools or relying too heavily on browser developers to find and fix bugs.
More specifically, two-thirds of the Ponemon respondents cited psychological reliance on traditional detection methods as an obstacle to getting better at cyber security. At the same time, many enterprises must wait for zero-day exploits to be patched by the major browser makers. Bug bounty programs, such as the one Google has introduced for Chrome, have been a boon for finding issues in recent years, but a new approach toward Web security by IT is still needed.
What should users look out for when using a Web browser?
While some Web threats require automated processes to be detected and contained, many can be spotted and cut off at the pass through common sense measures, including:
- Checking a site's URL to see if it seems too long or unusual (indicating a possible phishing attempt) and whether it is secured by an SSL certificate, with a padlock or green bar in the URL space.
- Monitoring resource usage (memory and CPU) to see if any unfamiliar processes are taxing the machine; if there are, it could be a sign of Web-borne adware, which can usually be dealt with by resetting the browser and using a removal tool.
- Using a secure browser, as a part of a comprehensive security solution, to conduct e-commerce transactions and enter passwords to important Web accounts.
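The URL checks in the list above can be automated on the defender's side. The following is an added example, not code from the original article; the thresholds (maximum URL length, subdomain depth) and the sample URLs are assumptions constructed for illustration and should be tuned for your own environment.

```python
from typing import List
from urllib.parse import urlsplit
import ipaddress

# Assumed thresholds for "too long" and "unusual"; tune for your environment.
MAX_URL_LEN = 120      # characters
MAX_DOTS_IN_HOST = 3   # more dots than this means deep subdomain nesting


def url_warnings(url: str) -> List[str]:
    """Return reasons a URL deserves a second look (empty list = no flags)."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""      # lowercased, userinfo and port stripped

    # No HTTPS means no padlock to check in the address bar.
    if parts.scheme != "https":
        warnings.append("not served over HTTPS (no padlock expected)")
    # Overly long URLs are a classic phishing tell.
    if len(url) > MAX_URL_LEN:
        warnings.append(f"URL length {len(url)} exceeds {MAX_URL_LEN}")
    # 'user@host' syntax lets the text before '@' masquerade as the site.
    if "@" in parts.netloc:
        warnings.append("'@' in authority part; real host is " + host)
    # A bare IP address instead of a domain name is unusual for legitimate sites.
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address rather than a domain")
    except ValueError:
        pass
    # Punycode labels can render as look-alike characters in the address bar.
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode label present (possible look-alike domain)")
    # Many nested subdomains often hide the real registrable domain.
    if host.count(".") > MAX_DOTS_IN_HOST:
        warnings.append(f"{host.count('.') + 1} host labels (deep subdomain nesting)")
    return warnings


# Constructed sample URLs; none refer to real sites.
SAMPLE_URLS = [
    "https://example.com/login",
    "http://192.0.2.10/update.exe",
    "https://login.example.com@evil.example.net/verify",
    "https://xn--pple-43d.test/login",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", url_warnings(sample) or "no flags")
```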
How each enterprise addresses Web malware will depend on its own cyber security history as well as the size of its organization and its overall wherewithal to respond to threats in real time. Just as standalone antivirus is no longer the answer to advanced attacks, traditional detection tools may not always catch intrusions from the Web, necessitating deep discovery solutions that can both automatically find risks and assist human operators in containing them.
"You can't get a clear picture of your vulnerabilities without both automated and manual testing, and you need to test the whole stack," said Wendy Nather, research director of the Enterprise Security Practice at 451 Research, on the occasion of the 2013 launch of Trend Micro Web App Security. "Integrating all of this testing makes it much easier for the enterprise to be consistent and thorough in its risk assessments."