Be smart about browser security
Fix browser security with artificial intelligence
If you had told me 30 years ago that the first web browser would be the ancestor of most software interfaces, I would have been skeptical. Of course, that was before most of us had any idea what the web would become. Even with this hindsight, it’s amazing how web browsers have become our primary windows to the digital world. Without mobile applications, this dominance would be almost absolute. And many apps use the same scripting languages that build modern websites.
The rise of the cloud and service era has cemented the ubiquity of the browser. It doesn’t matter what backend software or operating systems you deploy. Up front, users can launch any modern browser and interact with these systems. Rather than installing bespoke client software on each device, you simply direct users to a URL.
Browsers are the new operating systems – and while great for accessibility, this creates a huge security headache for people and organizations.
The flaws of our browsers
Historically, browsers represented confined spaces. What happened in the browser stayed in the browser and could not influence the rest of the system. This idea became obsolete as browsers evolved to become more versatile and relevant. Yet the spirit persists: it’s still easy to think of the browser as a confined space, not a highly integrated part of your digital experience.
To clarify, browser technology has not languished: today’s browsers are much more security conscious. But they face two big adversaries: highly motivated criminals and user errors. Browsers are improving, but the game is against them.
Going back to the days of dedicated software clients would be a step backwards for security and a giant leap backwards for technology. Browsers are universal and agnostic: they provide access to different interfaces such as dynamic websites, 3D (GrabCAD or Online 3D Viewer), or even virtual reality (the WebVR standard). Browsers even power modern development – using open languages such as HTML5 and Ruby on Rails, developers can make rapid changes and continuous improvements to interfaces.
Regressing to days before the browser became the operating system would also have huge cost implications. Imagine that Salesforce users around the world don’t access its services through browsers. Ditto for Amazon and Gmail. Apps have emerged as an alternative, but the world of digital software is a browser world. Around the world, millions of people access versions of Microsoft Office or Adobe Photoshop directly in a browser. We’ve come a long way from the need to install software for every service. Orphan browsers are a step backwards.
Be smart about browser security
There is a security cost to browser ubiquity. Browsers interact with sophisticated websites and use powerful extensions and plugins – headlines have often pointed to third-party software such as Flash and Java for security vulnerabilities. And browsers are present on many user devices. The way we work today – mixing personal and professional lives from remote locations across multiple devices – adds even more to the security threat landscape.
Browser security issues are linked to another trend in the cybersecurity market: the rapid marginalization of security perimeters. The Computing Technology Industry Association (CompTIA) wrote an article titled, Death of the perimeter: Zero Trust is (almost) here to staythat “we finally killed the idea of the perimeter as a viable defense metaphor”.
Cybercriminals have devised ways to circumvent security perimeters. Using extremely targeted and sophisticated spear phishing attacks, they trick users into giving them access. They mimic authentic communication (in a way undetectable to the human eye) but instead offer ways to breach systems without security being alerted. If you received an urgent email saying your bank account is in jeopardy, or an express delivery gone wrong, or an urgent request related to a collaboration platform you use, like LinkedIn or Slack, asking you to remedy by clicking on a link and confirming your login details, you come face to face with phishing. And, to emphasize, gone are the days when bad spelling, poorly pixelated company logos, and unbelievable claims from strangers asking for access to bank accounts made phishing attempts easy to spot. Today’s cybercriminals use far more sophisticated approaches that humans need intelligence and machine help to identify.
Browsers are often an integral part of phishing attacks – links in emails are displayed through a browser. Dangerous links are hard to contain. They emerge from legitimate infrastructures and places of trust. According to research by SlashNext, 70% of all phishing email URLs were hosted on legitimate cloud infrastructure, including AWS, Azure, outlook.com, and sharepoint.com.
It has become the main cybersecurity challenge for organizations. They need browsers to access software services. Access to the browser must be easy, otherwise it can affect productivity. Yet browsers must also be secured in ways that traditional perimeter security cannot provide.
The answer is to emulate human intuition with the power of artificial intelligence (AI) and machine learning (ML) – then reinforce it. These technologies excel at spotting abnormal behavior and reacting quickly in response. By using natural language and link-based detection, they can protect users against email phishing, mobile-based smishing (SMS phishing), browser-based spear-phishing (spear-phishing) and corporate email compromise (when criminals intercept corporate correspondence and insert malicious messages). information, such as different bank details).
By leveraging AI and ML, we can secure browsers and preemptively stop attacks that target users such as employees or customers. We also solve the conundrum of securing digital interactions in a world where the browser is our operating system. Rather than reinventing the software wheel, a little IT intelligence and vigilance can go a long way in solving the browser security paradox.
The Getting Intelligent About Browser Security post first appeared on SlashNext.
*** This is a syndicated blog from SlashNext’s Security Bloggers Network written by Lisa O’Reilly. Read the original post at: https://www.slashnext.com/blog/getting-intelligent-about-browser-security/