Clueless “end users” are a common straw man (or woman) in the security industry. They’re blamed for everything from data breaches to malware infections. Accepted wisdom is that companies “get it” when it comes to security – consumers (their employees) don’t. But what if it is the other way around?
That’s one tantalizing bit of data you could take away from Qualys’s Browser Check service. The free online vulnerability scanning service has assessed millions of endpoints in its two years of existence. And, by and large, it has found that consumers – not corporate users – are following good security practice by migrating to more modern and secure web browsers.
In our inaugural Security Ledger Podcast, we sat down with Wolfgang Kandek, the Chief Technology Officer at Qualys Inc. to find out. Qualys operates Browser Check (browsercheck.qualys.com), a free service that allows consumers to assess the security of their browser deployment. Qualys has offered the service for more than two years and has conducted millions of scans of end user systems to assess the security of users’ web browsers.
“Newer browsers are safer – just from an architectural perspective,” Kandek said. “Many of the attacks on IE6 and IE7 don’t work on IE9 and IE10, because of memory allocation and randomization of memory. These newer browsers were designed with security in mind, which just wasn’t the case with earlier browsers.”
However, companies have historically been more reluctant to change, Kandek said. “End users follow the suggestions given by the operating system vendors… When they’re offered an upgrade they follow this.” In enterprises, however, IT staff are more likely to look at what’s changed and, so long as the older platform works, they stick with it, he said.
That’s not a small matter for enterprises. Vulnerable web browsers and web browser plug-ins are the common link in many successful hacks these days. Why invest the time and energy needed to attack Windows directly by subverting the security features in Windows 7 (or 8!) when Adobe’s Reader or – dare we say – Oracle’s Java are low hanging fruit? Links to malicious web pages (either attacker-owned or hacked, legitimate sites), sent via e-mail, IM, Facebook, or some other medium, are a common element in both sophisticated, state-sponsored hacks and run-of-the-mill cyber criminal heists.
That’s one reason why Qualys launched BrowserCheck Business Edition today. The expansion adds enterprise-focused features to what has been a consumer-focused offering. Among those features: automated deployment through configuration management tools like Microsoft’s System Center, automated scanning of end users’ systems, and automated user notification using “Fix It” buttons should BrowserCheck detect something on the end user’s system.
This podcast is published in two installments. In the first, Wolfgang shares with us some recent statistics from Browsercheck and we talk about the browser security landscape. In the second, we talk about platform security and the gap between newer systems and legacy systems when it comes to security and patching for browser-related vulnerabilities.
Check it out and use the Comments section to let us know how you liked the podcast.