For more than 30 years, we’ve been living in a world where one of the most widely-used applications is the web browser. Despite being designed primarily for consumer use, browsers have become essential to how enterprises operate – serving as the connective tissue between identities, applications and data. And yet, despite all of the advancements leading to today’s digital and cloud-centric world, one of the least secure applications is … the browser.
In this post, we’ll discuss why browsers are highly vulnerable to attacks, how today’s threat actors are exploiting them and what IT security teams can do about it.
Why Is the Browser So Unsafe? Start With Identities and What They Can Access
In today’s threat landscape, the nature of privilege is evolving. It’s no longer just IT admins who require protection based on their access to sensitive resources. Now any user within an organization can become privileged, gaining access to highly sensitive information like customer data, financial records and intellectual property – in many cases, more access than they actually need.
And one of the most common ways employees gain this type of access is through their browsers, where they access web-based applications, virtual collaboration tools and shared drives where documents can be accessed, downloaded and changed – among other gateways to organizations’ highest-value data.
All of this activity has been accelerating in recent years, as the way people work – and the various places and devices they work from – continue to evolve. According to a recent CyberArk survey, virtually all (99%) of IT security decision-makers agree they’ll face an identity-related compromise in the year ahead. Among the 2,300 respondents surveyed, the top three cited reasons are:
- Digital transformation (58%).
- Hybrid working practices (44%).
- Third-party usage (44%).
It’s no coincidence these variables rise to the top. They represent an ecosystem of users – internal and external – who contribute virtually to help drive key initiatives, from cloud migrations to new digital products. Each contributor is tied to multiple digital identities used to authenticate and access what they need. And that’s where the risk factor lies. These identities – along with their information, poorly-protected credentials and access permissions – can be compromised through users’ web browsers.
Next-level Risk: How Attackers Can Easily Infiltrate Browser Sessions
To this point, we’ve covered risks around the people (and, in turn, identities) using unsecured browsers across your organization. But what are the specific risks tied to the browser technologies themselves? For starters, some risks are well-known in IT security circles:
- Browsers enable users to install unverified extensions that can secretly upload data to attacker-controlled servers.
- They provide insider users with built-in tools to circumvent preventative controls.
- They allow users to store passwords to all of their applications – work-related and personal – in browser-based tools designed for convenience over protection.
But let’s dig deeper into the risks from an attacker’s point of view.
One of the most dangerous and prominent browser-centric attack methods involves cookies – specifically, attacks centered on stealing, forging, altering or manipulating cookies from users’ web sessions to gain unauthorized access to sensitive resources. The CyberArk Red Team has seen a significant increase in this post-authentication attack vector in which the threat actor:
- Acts as an imposter, hijacking the cookie after it has been authenticated.
- Replays the cookie in the session so they can bypass multi-factor authentication with a very low detection rate.
- Hijacks the in-progress session with an aim toward stealing data, moving laterally and escalating privilege and disrupting operations through malware.
In a way, browser session cookies are constantly defying Zero Trust principles, existing as an automatic bypass from continuous verification. After a user’s initial authentication, the website or web-based application they’re using establishes a cookie that allows repeat visits, without requiring reauthentication. It’s like the unspoken agreements we might have with a front desk attendant after checking into a building once. Want to come back inside again and again? All you need is a quick nod and a “you’re all set” from the attendant, who’s more interested in checking their phone than verifying you’re the same person from earlier.
Even without admin privileges, attackers can hijack cookies once they’ve compromised a user’s device. And once those cookies fall into an attacker’s hands, they become the privileged access gift that keeps on giving – because cookies are saved not only within users’ identities but their specific privileges too. Meanwhile, end users’ tendency to use their work devices for personal use – calling back to our point about how work is evolving – compounds the risk. This practice can potentially enable attackers to gain access to both personal and enterprise data.
And if attackers aren’t using the cookies themselves, they’re buying and selling them on the dark web. Threat actors don’t need to be sophisticated enough to compromise an endpoint to broker access in – they can just buy a cookie and move on to tactics such as phishing, password compromise and all-out attacks.
How to Defend Against Cookie Theft and Session Hijacking
As part of a unified identity security approach, organizations can reduce risk by implementing enterprise-wide, cookieless browsing.
You might wonder if that’s even possible. After all, cookies seem ubiquitous and inevitable. How many times have you been greeted by that beloved “Do you accept all cookies?” prompt today alone? It’s less of a question and more of a begrudged reality.
In short, yes, it’s possible. With cookieless browsing, the cookies are stored on a secure server to allow for seamless use by individuals who are still able to navigate without their cookies being available for theft. This also allows organizations to lock down data and enable security at the user level to protect the most sensitive information. Cookieless browsing enables users to access and use web-based resources in a more secure way, making it virtually impossible for hackers or third parties to steal, hijack and do damage. And with respect to privacy, we can ensure that users’ web sessions, data and accounts remain confidential and secure.
Looking beyond cookies, it’s essential to take a big-picture view of what needs protecting in the browser environment. This includes having the controls and capabilities in place to secure access to business-developed web apps, cloud management consoles and SaaS-based tools and services with controls tailored to each user. And the best approach embodies key identity security principles. This includes ensuring the browser itself has native integration with key defense-in-depth solutions for enabling seamless and secure access while infusing intelligent privilege controls to an organization’s wide array of browser users (aka employees).
A few examples of identity security capabilities that can work together to secure browsers, but certainly not all, include: single sign-on (SSO), adaptive multi-factor authentication (MFA), enterprise-grade password protection, web session monitoring and controls for securing vulnerable endpoints.
Bringing It All Together: What It Takes to Secure Browsers
While somehow the web browser has existed for 30 years without a serious level of protection, we can change that now. Above all, it takes new thinking on how to build and continuously protect browsers, the identities using them and all the sensitive resources these widely used applications enable access to. We believe the modern browser can and should be built to balance protection and productivity. And this is possible through an integrated identity security approach and platform.
Check out this recap of the conference, where our leaders and industry experts shared their vision on how to secure web browsers – and where CyberArk announced a new innovation: the first identity security-based enterprise browser.
John Natale is a senior content marketing manager at CyberArk.