The Browser Is Broken | A cybersecurity horror story about internet monsters.
We love browsers, they are our window to the world.
We love browsers so much that we have fought wars over them, wars so fierce and prolonged that only three browsers really survived.
Two of them arguably survived because their developers also happen to own major operating systems and I do not even need to name names, when it comes to browsers, you all instinctively know who I am talking about.
Whatever its name, we rely on the browser and we need the browser, otherwise how else are we supposed interact with the outside world?
Go outside you say? Well I am sorry, but I am far too busy for that.
Going outside is great, but when it comes to seeing whats going on elsewhere and interacting with it, going outside ain’t got nothing on the browser. We can agree that life without the browser would be miserable.
But that doesn’t mean that the browser isn’t broken.
That doesn’t mean that the browser doesn't let the monsters in.
What? Don’t believe me?
Who gave you that last virus without telling you that you were infected? Who let that ratfink ransomware come in and encrypt all of your stuff, demanding a bitcoin ransom to decrypt it all? Who greedily gorges themselves on cookies and tracking code to let others watch you?
Who left the window open so those filthy degenerate perverts could look through the window into your bedroom and watch you getting changed?
Go on, I will give you three guesses and a clue.
It wasn’t that bloated excuse for word processor that is Microsoft Word, but then again it might have been, you never know these days.
Nope, it was the browser and if you need yet more evidence its broken, when was the last time it stopped your ISP or whoever happens to be sniffing the Starbucks wifi network today from watching you browse Reddit?
When was the last time it stopped those advertisers from assaulting your eyeballs without an adblock plugin leding a helping hand?
Never is the answer, its not the browsers problem apparently.
Like I said, the browser is broken.
Whoever fights monsters should see to it that in the process he does not become a monster. And if you gaze long enough into a browser window, the browser window will gaze back into you. — Friedrich Nietzsche
The problem we have is that the browser is broken and takes responsibility for nothing, choosing to shirk off its responsibilities to the anti-virus, the firewall or whatever security software you think will protect you.
We already know how well they do though, you may as well have a ‘Beware Of The Dog’ sign as your screensaver and keep your fingers crossed.
The reason we have a clear problem is because the vast majority of attacks against your computer are not coming through your wifi connection, they are not coming through your IM client or from dirty USB sticks.
The browsers dirty little secret is that the vast majority of monsters are climbing in through its open window and even when you think you closed and locked that window, the browser still lets the monsters in.
A recent study from the Ponemon institute stated the obvious and identified the browser as the primary attack vector for the majority of cyber attacks, but of course we already knew that because most of us have already been mauled by some sort of browser originating malware at some point.
Even if we haven’t fallen victim to a ransomware attack yet, we all know that shady websites belch malware onto you through your browser, it doesn’t take a genius to work out that when you open a browser window and gaze for long enough into the abyss, the abyss will gaze back into you.
Brilliant, lets not use browsers then, that way nobody will ever steal our online dating messages, trading accounts or blog posts on breakfast.
Oh wait, we actually need a browser for everything (unless there is an app for it) and not using them really isn’t an option for most people, so I suggest that we should do the next best thing and wear a condom.
We know every time we stick a piece of ourselves into the internet, we are going to catch some kind of nasty dose, so lets just wear internet condoms.
By this I mean lets place a physical barrier between us and the nasty infectious stuff that lurks around on the internet, it is something that we are already used to when you think about it. No glove, no love.
As IT professionals, we know that the vast majority of attacks originate in the internet browser, so why are we not isolating our users browsers?
Browser isolation is a simple premise, it requires that you recognize where all the cyber risk comes from (the internet) and commit yourself to physically isolating that risk away from the things that matter to you.
You take the browser and all of the associated browsing activity and physically isolate it away from your financial and customer records.
In doing so, you physically isolate yourself from the monsters.
Do not use the browser on your local machine to browse the internet, here be dragons. Instead physically isolate your browser together with all of the malware that your browser picks up when you use it.
There are a number of ways to achieve this end, you could let log into a virtual desktop that is hosted on a third party server, effectively using somebody else’s browser for web browsing.
Using hosted desktops is an effective way of isolating yourself from malware, one that I first leveraged almost a decade ago, but unfortunately its not very scalable and it can very expensive over a large number of users.
Luckily there is more than one way to isolate a browser cost effectively.
If we are serious about protecting our users, we need to wake up to the fact that the browser is broken and start treating it like it is toxic.
We need to start physically isolating our browsers, because its the only effective way to stop the vast majority of monsters from feeding upon the vast majority of innocent everyday internet users.
Until we recognize that the browser is broken, that it causes most of our cybersecurity problems and treat it accordingly, our dependence on the browser will continue to put us at the mercy of the monsters.
Physically isolating your browser lets you dramatically enhance your overall cybersecurity posture and shut that browser window for good.
Personally I use the tuCloud Safeweb Engine to physically isolate my web browser in a cost effective way, but I also maintain a list of browser isolation vendors because whatever your poison, the monsters must not win.
What’s that? You like the cut of my jib? Follow me on Twitter then and give me a CLAP using the clap button, you can clap more than once ;)