This post is the fifth in a series of what I consider the top ten topics for any security awareness program. Selecting the right topics with the greatest value for your organization is key to a successful program. This series is not designed to tell you what your awareness program must have; instead, these posts are designed to give you recommendations, a place to start. For the fifth topic I like to focus on browsers. Browsers have become the primary method most people use to interact with the Internet, from banking online or searching for information to updating their Facebook account or buying the latest pair of shoes. Because browsers are such a target, and because the Internet can be such a hostile environment, we need to make end users aware of certain risks and change some common behaviors.
- The first step is keeping browsers updated. Vendors are not only constantly patching browsers and fixing known vulnerabilities, but adding new security features such as sandboxing. Always having the latest version is one of the best ways to help secure your browser and your system. Teach end users how to check if their browser is updated and how to enable automatic updating.
- The second step is minimizing plugins. The more plugins (or add-ons) a browser has installed, the greater the attack surface and the more likely a threat can find a vulnerability. In fact, most browser-based attacks nowadays do not target the browser itself but its plugins. In addition, we want to ensure that whatever plugins we have installed are always current. Not sure? Check out one of my favorite end user tools, Qualys BrowserCheck.
- The third step is checking URLs. We can teach end users the basics of reading a domain name. If people are visiting PayPal's website, paypal.com should be the domain name, not "paypal" somewhere in the subdomain, the domain suffix, or the directory structure. Newer browsers make this much simpler by highlighting just the domain people are visiting. If something looks suspicious, some browsers will highlight the URL in red.
- Last, we want to make sure that anything end users download is scanned by anti-virus. Yes, we all know that AV cannot detect all malware, but security is all about reducing risk, not eliminating it.
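The third step above, reading which part of a URL is actually the domain, is the one most worth putting in front of people with concrete cases. The following Python is an added example written for this post, not code from the original or from any browser vendor: it pulls the hostname out of a URL with the standard library and reduces it to the registrable domain, so that "paypal" appearing in a subdomain, in the path, or as a username before an `@` no longer passes as paypal.com. The two-label suffix set is an assumption standing in for the full Public Suffix List; the sample URLs are constructed for illustration and point at reserved example or documentation addresses.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List. A real deployment
# should use the full list (for example via the tldextract package).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the registrable domain of a URL (e.g. 'paypal.com'), or None.

    urlsplit().hostname already discards the scheme, any user:pass@ prefix,
    the port, the path and the query, which is exactly the noise that
    lookalike links rely on.
    """
    if "://" not in url:          # tolerate bare 'www.example.com/path'
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return None
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host               # a raw IPv4 address is its own "domain"
    if len(labels) < 2:
        return None
    suffix = ".".join(labels[-2:])
    if suffix in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return suffix


def is_expected_site(url: str, expected_domain: str) -> bool:
    """True only if the URL's registrable domain is exactly the expected one."""
    return registrable_domain(url) == expected_domain.lower()


# Constructed sample links of the kind an awareness lesson would walk through.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",                          # genuine
    "https://paypal.com.account-verify.example/login",        # brand in subdomain
    "https://secure.example/paypal.com/login",                # brand in path
    "http://paypal.com@203.0.113.5/",                         # brand as userinfo
    "https://shop.paypal.co.uk/",                             # different registrable domain
]


def check_samples(expected: str = "paypal.com") -> dict:
    """Map each sample link to (registrable domain, matches expected?)."""
    return {u: (registrable_domain(u), is_expected_site(u, expected)) for u in SAMPLE_LINKS}


if __name__ == "__main__":
    for link, (domain, ok) in check_samples().items():
        print(f"{'OK ' if ok else 'NO '} {domain!s:32} {link}")
```

The output makes the teaching point visible: only the first link resolves to paypal.com, while every other one carries the brand name somewhere the browser does not treat as the domain. It also shows why the lesson has to be "read the domain", not "look for the brand name".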