S 5.45 Secure use of browsers

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: User

Browsers are programs for viewing websites. They are not only used on workstations, but also on mobile end devices such as PDAs and mobile phones. Browsers can display and play various media formats regardless of the operating system, but sometimes only with the help of plug-ins or add-ons. They can cause various security problems due to incorrect handling, inadequate configuration or programming errors.

Local data can be under threat if, for example, programs are downloaded from the internet and executed on the local computer without user prompting (e.g. ActiveX programs, Java applets or similar). Documents, images or animations can also contain commands that are executed automatically when viewed, with harmful consequences.

The variety of functions entails complex configuration options and potential security problems. To avoid such problems, the safeguards described in the following should be implemented

Basic functions

The default settings of most browsers are often insecure. For this reason, first of all, the security settings should be adapted to the organisation's requirements.

Invocation of external files

During invocation of external files and/or programs, a number of security problems can occur, such as execution of malware. Users should never rely, when using the internet, on the assumption that the downloaded files or programs come from trusted sources. It is difficult for the users to assess whether internet content is trustworthy and has not been manipulated.

When the browser is configured, care must be taken to ensure that when downloading files the associated applications are not launched automatically (see also S 4.3 Use of virus protection programs). Instead, the corresponding files should be firstly saved, scanned for malware and only then started. An alternative is the use of viewers which do not support the execution of macros, for example, when displaying Office files.

All users must be reminded that they themselves are responsible for taking all the appropriate precautions when calling up or downloading files. Despite all security safeguards of an organisation, there are residual risks.

Plug-ins and add-on programs

Some file formats cannot be processed directly by browsers. Additional programs are required for invocation of these formats which frequently come from third party suppliers and are directly integrated into the browser as plug-ins or add-ons. The file concerned is then displayed in the browser rather than in a separate application window. Common plug-ins or add-ons include Flash Player or Java.

Add-on programs, such as viewers, are independent programs which are able to process certain file formats. The invocation of such an add-on program is controlled using one of the browser's configuration files, in which the file extension and program are linked.

When installing programs, the organisation's security rules must be followed. In particular, only tested and approved programs may be installed. Before installation for actual operation, the programs should be tested on stand-alone computers. The authorisation for installing software should be restricted to the administrators (see also S 4.177 Assuring the integrity and authenticity of software packages and S 4.65 Testing of new hardware and software). Furthermore, only plug-ins, add-ons or additional programs that are absolutely required should be installed, as every program added represents a potential threat to security.

Active content

Most of the security problems when using the internet have surfaced in connection with active content, such as JavaScript, ActiveX, Flash or Java and also in connection with other plug-ins and add-ons. Active content is executed on the client instead of on the server via the browser. This can cause security problems on the client. To protect an internal network against misuse by active content from the internet, execution of active content should be avoided, wherever possible (see also S 5.69 Protection against active content).

Encryption

The transmission protocol HTTP (Hypertext Transfer Protocol) transmits all information in plaintext. For this reason, there is no guarantee that confidentiality of the information transmitted will be maintained. Even if a website is password-protected this does not automatically mean that the authentication data is encrypted during transmission.

If it is necessary to enter sensitive information (e.g. a credit card number or bank account details or even only personal data) on a website, then it should be ensured that a connection encrypted using the HTTPS protocol is used (see also S 5.66 Use of TSL/SSL).

Use of existing security functions

The existing security functions of the browser (especially prompting before a program is executed) should be used in every case. To minimise opportunities for attack and misuse in browsers, only the functions required to perform the corresponding tasks should be enabled as a rule.

Part of the safeguards described above are the responsibility of the user, as their implementation, such as enabling certain options, cannot be continuously checked by system administration. If possible, administrators should, however, implement safeguards which make it more difficult for users to change certain settings or prevent them from doing so. With some products, for example, configuration files can be write-protected.

In any case, though, system administration must specify secure basic settings to ensure that the highest possible degree of security is achieved without any user interaction.

Gathering information about security gaps

Since new security gaps are constantly being discovered in browsers, information on such security gaps and how to eliminate them should be gathered regularly. Purchasing the most up-to-date version of the product should not necessarily be the top priority as new software modules could create new security problems. However, in any case appropriate patches should be installed so as to ensure that any security gaps that have been identified are eliminated (see also S 2.273 Prompt installation of security-relevant patches and updates). It should not be forgotten that patches are also constantly released for plug-ins or add-ons. These must also be installed promptly.

If major applications of an organisation or a government agency entail the use of the browser or if the protection requirements regarding availability are particularly high, then all patches should be tested on a test system prior to installation. This entails checking whether the patches have any undesired side-effects which might disrupt secure and smooth operation.

Review questions:

• Does an internet security policy exist?
• Has it been documented which browser and, if applicable, which plug-ins are used and how they should be configured?
• Is the browser configured so that potentially dangerous file types are not executed directly, but at most saved locally?
• Are data protection guidelines taken into account during configuration of the browser?
• Have the users been trained in and sensitised for the use of WWW browsers?
• Have safeguards been implemented to prevent unauthorised installation of software and plug-ins?
• Have rules for private internet use been established?