KBA October / November 2017

From our desktops to our phones, we are a connected society. We check email, social networking sites, news sites, message boards, and a wide variety of other websites every day without thinking about the security implications: billions of devices talking to countless interconnected servers, run by people we have never met, over an Internet infrastructure that was created without security in mind. That is unsettling enough from a personal standpoint, but it has even larger implications for businesses that store and transmit confidential company and customer data. There are, however, actions that can be taken to mitigate some of the security concerns that go hand-in-hand with Internet browsing.

First, it is extremely important to limit system and network privilege levels for employees with Internet access. An analysis of Microsoft's 2016 security bulletins by the security company Avecto found that 94% of the critical vulnerabilities reported that year would be mitigated by removing local administrator rights[1]. In other words, if your employees do not have local administrator rights on their systems, an exploit for the vast majority of those vulnerabilities runs with the user's limited rights rather than taking over the machine, even before the patch is applied. Now, there are times when a vendor will push for local administrator privileges for employees in order for their software to run without issues. While this was acceptable many years ago, it is no longer a viable option; instead, grant the user write access only to the specific directories the application needs, or elevate only that application through an application whitelisting or privilege management tool, rather than making the user an administrator. In addition to normal users, it is perhaps even more important that domain administrators do not browse the web while logged in with that account; they should use a standard account for normal tasks and elevate only when necessary. While an argument can be made that domain administrators are typically more security minded than the standard employee, malware that runs in a domain administrator's browser session inherits those rights and can reach every system in the domain.
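Two checks that follow from this paragraph, as an added PowerShell example (not code from the KBA article): report who holds membership in the local Administrators group beyond an approved list, and warn when the current session belongs to a Domain Admin. The domain name CORP, the group "Workstation Admins", and the approved list itself are hypothetical placeholders; the script assumes PowerShell 5.1 or later with the LocalAccounts module (Windows 10 / Server 2016 and newer).

```powershell
# Added example, not the article's own code. Audits local admin rights on the
# host it runs on and flags a Domain Admin session. Names marked hypothetical
# must be replaced with your own.

# Principals allowed to hold local administrator rights; everything else is reported.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local account (rename/disable per policy)
    'CORP\Domain Admins',                # hypothetical domain; added on domain join by default
    'CORP\Workstation Admins'            # hypothetical group used for approved elevation
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    } catch {
        # Get-LocalGroupMember fails on hosts whose group contains orphaned SIDs;
        # review 'net localgroup Administrators' by hand in that case.
        Write-Warning "Get-LocalGroupMember failed ($_); review 'net localgroup Administrators' manually"
        return
    }
    foreach ($m in $members) {
        if ($Approved -contains $m.Name) { continue }
        [pscustomobject]@{
            Name            = $m.Name
            ObjectClass     = $m.ObjectClass       # User or Group
            PrincipalSource = $m.PrincipalSource   # Local or ActiveDirectory
            # A domain user account in this group is exactly what the article says to remove.
            Finding         = $(if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
                                  'Domain user holds local admin' } else { 'Not on approved list' })
        }
    }
}

function Test-DomainAdminSession {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Domain Admins is the well-known RID 512 in the account domain: S-1-5-21-<domain>-512.
    # A UAC-filtered (non-elevated) token still lists the group as deny-only, so this
    # reports who is logged on, not whether this particular process is elevated.
    $isDomainAdmin = [bool]($id.Groups | Where-Object { $_.Value -match '^S-1-5-21-\d+-\d+-\d+-512$' })
    $isElevated = (New-Object System.Security.Principal.WindowsPrincipal $id).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{ User = $id.Name; DomainAdmin = $isDomainAdmin; Elevated = $isElevated }
}

# Usage
Get-UnapprovedLocalAdmins | Format-Table -AutoSize
$session = Test-DomainAdminSession
if ($session.DomainAdmin) {
    Write-Warning "$($session.User) is a Domain Admin; use a standard account for browsing and e-mail"
}
```

Run the audit across the fleet by wrapping Get-UnapprovedLocalAdmins in Invoke-Command against a list of computers; the Domain Admin check is the kind of thing to run from a logon script so the warning appears before the browser does.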

Secondly, restrictions should be in place for connecting to the Internet. This includes not only general ingress (incoming traffic) and egress (outgoing traffic) filtering at the firewall level but also blocking access to sites and site categories that are not necessary for business use. At the firewall level, any known malicious IP addresses should be blacklisted, and rather than allowing traffic to or from any external address, rules should permit only the specific addresses and ports actually needed, such as those of the core provider and the IT vendor, with general web browsing confined to the filtered paths described below. As far as site category blocking goes, a number of categories should be restricted for all employees, such as gambling, adult, and file sharing, while other categories, such as webmail, cloud file storage, and social networking, should be restricted for most employees, with exceptions granted for legitimate business use only if approved by the board and senior management. It is surprising how often we see a disconnect between the number of security controls in place for company email through Exchange/Outlook and the wide-open access granted to personal email sites. Malicious email is being sent to ALL available email addresses, and personal web-based email is possibly an even bigger threat than business email because none of those controls apply to it.
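The egress rule above is easiest to verify from the logs: anything allowed outbound to a destination outside the approved ranges is either a missing rule or a misconfiguration. The following is an added PowerShell example, not from the KBA article, that parses firewall log lines and reports outbound connections whose destination is not in an allow-list of CIDR ranges. It uses the Windows Firewall (pfirewall.log) line format as a stand-in for whatever perimeter firewall you run; the log lines are constructed for illustration and the approved ranges (203.0.113.0/24 for the core provider, 198.51.100.0/24 for the IT vendor) are hypothetical.

```powershell
# Added example, not the article's own code. Flags ALLOWed outbound connections
# to destinations outside an egress allow-list. Ranges and log lines are constructed.

$ApprovedEgress = @(
    '203.0.113.0/24',    # hypothetical: core provider
    '198.51.100.0/24',   # hypothetical: IT vendor remote support
    '10.0.0.0/8'         # internal network
)

function ConvertTo-UInt32Address {
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 only: $Address" }
    # Doubles are exact below 2^53, so this avoids signed-shift surprises.
    return [uint32]([double]$b[0] * 16777216 + [double]$b[1] * 65536 + [double]$b[2] * 256 + $b[3])
}

function Test-InCidr {
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Cidr)
    $network, $bits = $Cidr -split '/'
    $bits = [int]$bits
    # /24 -> 0xFFFFFF00; /0 -> 0; /32 -> 0xFFFFFFFF
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
    $addr = ConvertTo-UInt32Address $Address
    $net  = ConvertTo-UInt32Address $network
    # Parenthesised: PowerShell binds -eq tighter than -band.
    return (($addr -band $mask) -eq ($net -band $mask))
}

function Get-UnapprovedEgress {
    param([Parameter(Mandatory)][string[]]$LogLines, [string[]]$AllowedCidrs = $ApprovedEgress)
    foreach ($line in $LogLines) {
        if ($line -match '^\s*(#|$)') { continue }          # header/comment/blank lines
        $f = $line -split '\s+'
        # pfirewall.log field order: date time action protocol src-ip dst-ip src-port dst-port ... path
        $action, $proto, $src, $dst, $dstPort, $path = $f[2], $f[3], $f[4], $f[5], $f[7], $f[-1]
        if ($path -ne 'SEND' -or $action -ne 'ALLOW') { continue }   # only permitted outbound traffic
        $approved = $false
        foreach ($cidr in $AllowedCidrs) {
            if (Test-InCidr -Address $dst -Cidr $cidr) { $approved = $true; break }
        }
        if (-not $approved) {
            [pscustomobject]@{ Source = $src; Destination = $dst; Port = $dstPort; Protocol = $proto }
        }
    }
}

# Constructed sample log (not a real capture). Only the 192.0.2.77 line should be reported:
# the first is to the core provider, the third is inbound, the fourth was already dropped.
$SampleLog = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-10-12 09:14:02 ALLOW TCP 10.1.5.23 203.0.113.10 51234 443 0 - 0 0 0 - - - SEND
2017-10-12 09:14:05 ALLOW TCP 10.1.5.23 192.0.2.77 51235 443 0 - 0 0 0 - - - SEND
2017-10-12 09:14:09 ALLOW TCP 192.0.2.90 10.1.5.23 40000 445 0 - 0 0 0 - - - RECEIVE
2017-10-12 09:14:11 DROP TCP 10.1.5.23 192.0.2.78 51236 8080 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

Get-UnapprovedEgress -LogLines $SampleLog | Format-Table -AutoSize
```

Point the function at `Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log` (or your perimeter firewall's export after adjusting the field positions) and an empty result is the goal; a populated one is the list of rules you still need to tighten, or of hosts that are not going out through the web filter.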

Finally, it all comes down to the user, which is both an encouraging and a frightening statement. All it takes is one individual downloading ransomware or visiting a malicious site for company systems to be compromised. Because of this, most businesses take a defense-in-depth approach that includes firewalls, antivirus, effective patch management procedures, email filtering, and various other items, but this approach sometimes skimps on training the employees who actually use company systems and access critical data. Hardware and software are important, but there are times when these controls will fail, and at that point it is up to the individual employee to maintain effective security. Employees need to be informed and reminded about acceptable Internet usage and then tested to ensure this knowledge is retained and put into practice.

In summary, even though it was created without security in focus, the Internet can be safely surfed if the proper precautions are taken, effective controls are put into place (and tested!), and users are trained to be aware of the sites they visit and the actions they take when connected to the web.

[1] https://www.avecto.com/news-and-events/news/94-of-critical-microsoft-vulnerabilities-mitigated-by-removing-admin-rights