Web Browsers: The Weak Link Where User Identities Need Protection
- By Lim Teck Wee, CyberArk
- April 02, 2024
Browsers contain a treasure trove of privileged access, giving attackers easy inroads to company assets.
Among the many technologies that users worldwide rely on, few are as commonplace as the web browsers used daily. Beyond personal use, the browser also connects users to workloads and corporate applications relevant to their roles and responsibilities in the enterprise landscape.
However, despite web browsers' many benefits, they are also highly vulnerable to attacks. This is worrying as attackers constantly change their tactics and find new ways to gain unfettered access to sensitive resources for their nefarious purposes.
No identity is safe
Today, low-ranking employees and IT administrators can easily access confidential company data through their browsers. Specifically, programs such as web-based applications, virtual collaboration tools, and shared drives allow users to open, download, and modify high-value information, including customer records, transaction data, and a company's intellectual property.
Our recent survey found that 99.9% of organizations polled expect to be targeted for identity-related compromise throughout 2023. Digging deeper, the report discovered that the number of human and non-human identities is more than double (240%), with 62% of organizations stating that their most sensitive identities do not have adequate security. Because these identities enable employees to access their resources, organizations must focus their cybersecurity efforts in this area to minimize the risk of a successful attack.
Browser cookies: An attacker's treat
One of the attackers' most effective methods to access users' identities is targeting browser session cookies.
These cookies are created after the initial login to an application and let the user return to their account without re-authenticating. While this is convenient for users, it also makes it easier for attackers to evade Zero Trust security measures.
Stolen authenticated session cookies let attackers replay previous browsing sessions and pose as legitimate users while skipping multi-factor authentication (MFA) entirely. They can also use cookies to hijack live sessions and extend their privileged access, which makes it easy to tamper with mission-critical data and components. Beyond the browser itself, attackers can also find cookies stored elsewhere on users' devices, allowing them to steal personal and enterprise files from right under employees' noses.
Threat actors who do not use stolen cookies against a company's resources themselves can sell them to other threat actors for quick profits. Unskilled attackers can then buy these cookies and launch phishing, password compromise, and direct attacks immediately, without having to mine users' devices in the first place.
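One server-side mitigation for the replay pattern described above is to bind each session to the client context seen at login and to force step-up MFA when a cookie is presented from a different context. The following is an added example written for this article, not code from CyberArk or any product; the session store, timeouts and fingerprint scheme are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical server-side session record (constructed for this example).
@dataclass
class Session:
    user: str
    fingerprint: str      # hash of the client attributes observed at login
    issued_at: float
    last_seen: float
    mfa_verified: bool = True

ABSOLUTE_TTL = 8 * 3600   # assumption: re-login after 8 h regardless of activity
IDLE_TTL = 30 * 60        # assumption: re-login after 30 min of inactivity

def client_fingerprint(ip: str, user_agent: str) -> str:
    """Bind a session to the client context. The IP is reduced to its /24 so
    address churn on one LAN does not log users out, but a replay from a
    different network or browser still stands out."""
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()

class SessionStore:
    def __init__(self):
        self._sessions = {}

    def issue(self, user: str, ip: str, user_agent: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # the value the browser keeps in its cookie
        self._sessions[token] = Session(user, client_fingerprint(ip, user_agent), now, now)
        return token

    def validate(self, token: str, ip: str, user_agent: str, now: float) -> str:
        """Return 'ok', 'unknown', 'expired', or 'reauth' when the cookie arrives
        from a context that does not match the one it was issued to."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        if now - s.issued_at > ABSOLUTE_TTL or now - s.last_seen > IDLE_TTL:
            del self._sessions[token]       # a stolen cookie is only useful while it lives
            return "expired"
        if not hmac.compare_digest(s.fingerprint, client_fingerprint(ip, user_agent)):
            s.mfa_verified = False          # require step-up MFA before trusting this session again
            return "reauth"
        s.last_seen = now
        return "ok"
```

Short lifetimes limit how long a stolen cookie is worth buying, and the 'reauth' result is also the event worth logging for session monitoring.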
Making a safer Internet a reality
Thankfully, there is some light at the end of the tunnel. Across the world, there are signs that the use of browser session cookies is ending. Case in point: Google Chrome plans to reduce online fraud by disabling third-party cookies for one percent of users in Q1 2024, extending this to every user by Q3 2024.
However, organizations must take the first step to minimize cookie use before that happens. This starts with cookieless browsing, which keeps cookies under lock and key on a secured server. With this, users can work on files without being vulnerable to scheming cyber thieves.
In addition to cookies, organizations must also take a holistic approach by integrating security solutions and features to safeguard browser-based apps, tools, and consoles. To maintain employee productivity, these solutions must be tailored to different users' risk levels, location, device, and time of day.
In particular, organizations must ensure that their browser can be paired with defense-in-depth solutions and intelligent privilege controls to safeguard identities. These include single sign-on (SSO), adaptive multi-factor authentication (MFA), enterprise-grade password protection, web session monitoring, and endpoint privilege management.
While browser security is currently lacking, organizations have an opportunity to strengthen it now. This starts by adopting a new mindset and being cognizant of the most effective measures to safeguard identities and the information in the browser. Organizations can better protect their assets from attackers who target the humble yet ubiquitous web browser by ensuring that users or devices accessing company applications and resources are who they say they are.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.
Lim Teck Wee, CyberArk
Lim Teck Wee is the area vice president for ASEAN at CyberArk.