NCSAM Tip #7: Surfing in Different Oceans
Web-based threats have never been higher and are expected to keep growing. Remember the days when viruses were spread via floppy disks, then email, then USB flash drives, and then instant messenger applications? While most of those risks still exist today, they are overshadowed by the enormous risk that casual web browsing has become. Some of the most common threats include technical problems like “cross-site scripting” and “cross-site request forgery” that cause browsers to behave in unexpected ways, often without any indication of a problem. “Phishing” and silent unintended downloads called “drive-by downloads” are also serious threats that can leave an unsuspecting user with malware that steals banking and personal information.
It’s also true that many of us have multiple web browsers installed on our computers. If not, they are easy to install. The most common choices seem to be Internet Explorer, Firefox, Safari, Chrome, and Opera. We can take advantage of this fact to create a very simple but effective security advantage.
Spend a little time thinking about your typical web browsing activities. It might be useful to look back through your browsing history for the last week or two. What kind of activities do you tend to use your web browsers for? Perhaps work sites, social networking, web mail, on-line finances, bill payment, taxes, shopping, entertainment, research, plus some untrusted or unknown sites. Try to group these broad categories into risk levels from low-risk to high-risk.
It might look something like this.
|2||Financial, Bills, Taxes|
|4||Social, Entertainment, Shopping|
Next, assign a web browser to each category or risk level. The browser you choose for each category will be influenced by many factors. You might have corporate applications or financial providers that only support Internet Explorer. Your web mail might be buggy in Safari. Also consider which browser plug-ins you use and which ones you may need or want for certain categories. For example, there are several excellent security tools for Firefox and Safari.
Your browser assignments might look something like this.
|2||Financial, Bills, Taxes||Internet Explorer|
|4||Social, Entertainment, Shopping||Safari|
|5||Research, Untrusted/Unknown, Risky||Firefox with NoScript (See below)|
Note that in my example I placed web mail in its own category. I would consider the risk of infection via web mail in the same ballpark as social networking but I like to conduct web mail in a separate browser because a compromised inbox often leads to additional compromises, especially if we forget to delete a password reset message or share a password across multiple services. In my experience, inboxes are often treasure troves of sensitive information “hidden” right under our noses. Many of the recent highest-profile internet breaches began with a quietly guessed or socially-engineered web mail password. Web mail is a place you want to be extra careful to avoid cross-site scripting, cross-site request forgery, phishing, injection flaws, etc.
For the highest risk, untrusted, or unknown websites power-users can and should go a step further. All of the most common operating systems today support several different virtual machine technologies. Consider creating a very simple virtual machine with your favorite operating system as the “guest OS.” When selecting the virtual machine technology look for features that will make it easier for you to integrate the guest OS into your normal workflow, such as copy/paste support, file sharing support, etc. Once you have a clean virtual machine installed with all the updates applied, take a “snapshot” before using it on the web. If there is no snapshot feature, shut down the virtual machine and make a copy of the guest OS directories. Either way, you should now have a virtual machine “image” with a known-good state that you can duplicate to create new virtual machines anytime you suspect a compromise or just for good measure on a regular basis. Best of all, any viruses or malware inside the virtual machine will not affect your host operating system—where your important data lives.
Most importantly, challenge yourself to be disciplined with this new compartmentalization. It’s easier than it sounds since the groupings tend to be task-based. In this example, you would reach for Internet Explorer to submit your project update, then check your web mail in Chrome during lunch and maybe sneak a peek at your social network page in Safari. Did someone send you a questionable link? Paste into your virtual machine and check it out first.
If this concept seems too large to tackle, try simply moving your most sensitive web activities to a new web browser that you never use for general web surfing. Even that is a great start. Happy surfing!