7. Random Surfing of Unknown, Untrusted Websites
Browser-based vulnerabilities are becoming one of the most popular targets of attackers on the Web. Just ask Microsoft and Mozilla, which have been busy patching new vulnerabilities the past few months. If your organization gives users free reign to surf the Web during or after business hours from the corporate network, beware.
In addition to the well-documented cross-site scripting (XSS) vulnerabilities floating around, there's also a lot of adware and spyware. (See Hackers Reveal Vulnerable Websites .) You shouldn't put it past that 20-something intern to download some free music, for instance, and inadvertently contract some malware as a result.
Even if your corporate policy restricts Web access, the 20-somethings may not honor it. "This is something that young employees, bored security guards, and interns are more likely to do," says the Enderle Group's Enderle. "It's an attractive nuisance, and one of the reasons for a proxy server."
Internet Explorer 7.0, which was released by Microsoft yesterday, and the new upcoming Firefox 2.0 are expected to help browser security -- at least until attackers start cracking them. But that may be wishful thinking: IE7's first bug was reported just hours after it went live last night, although Microsoft says the issue is a component in Outlook Express rather than in IE7.
"Attackers have started to compromise enterprises through the use of browser-based and other client-side vulnerabilities," says David Goldsmith, president of Matasano Security. "This also applies to home users who are becoming increasingly more security-savvy. Hopefully, the releases of Internet Explorer 7.0 and Firefox 2.0 will make it even more challenging for attackers to compromise the browser."
So if you're going to restrict Web access, how do you determine what sites you can trust or not? "If you're really paranoid, surf with active content disabled, use Opera or Firefox, and run your browser with very little permission," says Cigital's McGraw.
