The browser: cybersecurity’s front line
in partnership with
Ransomware was estimated to cost global businesses $20 billion in 2021, according to the research company Cybersecurity Ventures. Those attacks happen with increasing frequency. The UK government reports that almost a third of firms suffer cyberattacks at least once a week, and there will be many that go undiscovered.
Two forces are accelerating this trend. The first is the ongoing boom in the cybercrime industry. Swathes of formalised criminal organisations offer ransomware-as-a-service on an industrial level. “There’s increasing cybersecurity protections across the whole spectrum, so [hackers] get more specialised in focusing on specific areas of [system] compromise,” says James Shires, Senior Research Fellow in Cyber Policy at Chatham House. “There’s also competition, which leads to more, in some cases, professionalisation. They change their practices to make sure they remain a preeminent cyber-criminal organisation – and in other cases, form partnerships. They might say, ‘We’ll work together’, or ‘We won’t target the same targets’.” Nation states who tolerate or encourage cybercrime when it is used against their enemies exacerbate the problem.
The second key factor is the impact of the pandemic. It caused a surge in organisations adopting flexible working, a situation that many companies have kept in place, even as business continues to return to normal. This means more collaboration and productivity happens in the cloud than ever before. For enterprises, the browser is now the primary endpoint that a company needs to manage and secure. Workplaces could once take solace from the fact that employees were using locked-down machines connected to enterprise-protected corporate networks. Now, thanks to hybrid working, staff increasingly use personal devices at locations of their choice – at home, in a café – meaning that the network they connect through is not necessarily safe.
No wonder that the defensive role of the browser is becoming more significant. Take phishing, for example. According to Cisco, this was responsible for around 90 percent of data breaches in 2020. When people click on dangerous links, their computer can be taken over or their information can be stolen. Browsers are well placed to detect these threats and provide warning signals before they infiltrate computers.
In turn, browsers are also stepping up their own security, because their ubiquity makes them a target. Hackers may attempt to exploit the technological processes involved in browsing the web. In addition to finding vulnerabilities in the browser’s central code, there’s the associated infrastructure. Consider the extensions that offer enhanced functionality, or the cache, which allows the browser to store items for faster loading times. If those areas are not secure, then attackers can find an entry point.
Given what’s at stake, it might seem tempting just to put the kibosh on all but the essential elements of the browser. “By shutting off various usability features and enabling various security-related features you can ‘harden’ the browser to reduce the number of potential ways that it can be exploited, and thereby enhance security and privacy,” says Joseph Steinberg, a corporate cybersecurity consultant and expert witness in US cybersecurity trials. “Browsers can be even further locked down as needed – for example, if someone is using a computer to perform large wire transfers as part of an accounts payable department, they could be given a separate device to use for such purposes, and that device can be blocked from doing anything on the internet other than accessing the appropriate, authorised website to perform such transfers.” For the average work computer, however, this approach would be impractical. Not only would it introduce critical frictions, but this level of control may result in individuals feeling policed by their IT department. “There has to be a balance between browser security and user experience,” says Google’s Jen Langholz. What’s more, human beings are, well, human. They will keep using technology in the way that best suits their busy lives – and sometimes, that means using it in a way that shortcuts security for the sake of convenience.
In June 2022, the Internet Engineering Task Force (IETF) published an update to the Hypertext Transfer Protocol (HTTP), the means through which a browser connects to a server and receives a web page. Among many improvements, the update addressed browser security concerns by introducing new standards, such as enabling encryption by default. This came as part of a growing emphasis on browser security across the tech world: there has been an uptick in startups building browsers specifically for business use, for instance, and the biggest browser players are doubling down on their security efforts.
The browsers that already have widespread adoption are designed to be used by both consumers and businesses, such as Google Chrome, which is used by more than six in ten people worldwide. This has specific enterprise add-ons, such as Chrome Browser Cloud Management, to help IT directors get a grip on a sprawling network that encompasses both office and home connections. The feature gives IT teams an overview of the browser status of employees, lets them set rules and controls for plug-ins or site access, and offers the capability to shut off access to at-risk browsers to keep the rest of the organisation’s network secure.
This can be especially useful when managing live cyberthreats as news of them breaks. When IT teams are pressed by upper management to confirm whether the attack will affect them, it can be a challenging task simply to establish what employees are running on their devices. “Being able to say, ‘I have these reports in a central admin console that will tell me exactly which Chrome versions or extensions are in use, and I'm able to check that against the description of the software vulnerability that was released’ – that's really big for them,” says Philippe Rivard, Group Product Manager for Chrome Browser Enterprise.
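The triage Rivard describes, a central inventory of browser versions and extensions checked against a newly released advisory, comes down to a version comparison and a set intersection. The script below is an added illustration, not Chrome Browser Cloud Management code: the CSV layout, the version numbers, the extension IDs and the advisory are all constructed sample values, and it shows the one check that is easy to get wrong, comparing versions numerically rather than as strings.

```python
"""Triage a fleet's reported Chrome versions and extensions against an advisory.

Added example; not the product's own export format or API. The report rows,
the version numbers, the extension IDs and the advisory are constructed.
"""
import csv
import io

# Constructed sample export: one row per managed browser instance.
# 'extensions' is a ';'-separated list of extension IDs (32 chars, a-p).
SAMPLE_REPORT = """\
device,chrome_version,extensions
laptop-01,103.0.5060.134,
laptop-02,102.0.5005.115,abcdefghijklmnopabcdefghijklmnop
laptop-03,103.0.5060.53,
laptop-04,104.0.5112.79,abcdefghijklmnopabcdefghijklmnop;ponmlkjihgfedcbaponmlkjihgfedcba
"""

# Constructed sample advisory: the first build carrying the fix, plus an
# extension ID that the advisory asks administrators to look for.
SAMPLE_ADVISORY = {
    "fixed_version": "103.0.5060.114",
    "flagged_extension_ids": {"abcdefghijklmnopabcdefghijklmnop"},
}


def parse_version(text):
    """Turn '103.0.5060.134' into (103, 0, 5060, 134).

    Tuples compare numerically, so 104.x sorts after 99.x; comparing the raw
    strings would put '104...' before '99...' and mark patched devices as old.
    """
    return tuple(int(part) for part in text.strip().split("."))


def parse_report(csv_text):
    """Read the export into rows with a parsed version and an extension set."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        extensions = {e for e in row["extensions"].split(";") if e}
        rows.append({
            "device": row["device"],
            "version": parse_version(row["chrome_version"]),
            "extensions": extensions,
        })
    return rows


def triage(csv_text, advisory):
    """Return the devices below the fixed build and those running a flagged extension."""
    fixed = parse_version(advisory["fixed_version"])
    flagged = advisory["flagged_extension_ids"]
    findings = {"outdated": [], "flagged_extension": []}
    for row in parse_report(csv_text):
        if row["version"] < fixed:
            findings["outdated"].append(row["device"])
        if row["extensions"] & flagged:
            findings["flagged_extension"].append(row["device"])
    return findings


if __name__ == "__main__":
    for category, devices in triage(SAMPLE_REPORT, SAMPLE_ADVISORY).items():
        print(f"{category}: {', '.join(devices) or 'none'}")
```

On the sample data, laptop-02 and laptop-03 fall below the fixed build (the latter only by its last component, which is why the numeric comparison matters), and laptop-02 and laptop-04 carry the flagged extension.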
How browsers fight back
“A scam in the metaverse might be an avatar walking up to you and trying to persuade you of something. It might not be a notification on an app. It might not be text on a website. It might not even be a pop-up ad,” says Professor Victoria Baines, IT Livery Company Professor of IT at Gresham College. Keeping the countermeasures fit for purpose will require collaboration across the security industry – with existing strategies such as AI threat detection and sandboxing serving as the foundations for novel ways to protect virtual experiences. For Baines, however, it’s the educational element that’s most important. “The more that we will have even our browsers delivered in line-of-sight, the more we're going to need people to exercise their own critical judgments.”
As they say on the internet: stay frosty.
It’s said that today’s innovation is tomorrow’s vulnerability, and Chatham House’s James Shires says this is no mere platitude. “If we want to have voice-enabled browsing, we want to have AI or smart autofill or quick loading of pages – what vulnerabilities does that introduce?” Potentially a great many. From adding personal voice data into the browser’s storage to giving greater prominence to AI algorithms that operate in an opaque fashion, a new status quo comes with new opportunities for criminals. And what happens as we start to use browsers in new contexts such as virtual environments?
What’s next?
In April 2021, Brendon Tiszka alerted Google to a security flaw in its Chrome browser. It allowed him to run an exploit known as a “sandbox escape”, which lets an attacker bypass security restrictions. To thank him for his efforts, Google paid him a cash sum: $27,000. It was the largest amount Google awarded that year for the discovery of a browser bug, as part of its initiative to reward those who uncover vulnerabilities in its products. But for Tiszka it was business as usual – because Tiszka is a bug hunter.
Bug hunters are a global community of hackers who participate in vulnerability reward programmes organised by tech businesses. The rationale behind these programmes is simple. All software can have bugs, but the need to get it to market is at odds with the time that would be required to root them out completely – if indeed such a feat would even be possible. Bug bounties let companies co-opt the best hackers in the industry to identify those flaws so the company can patch them. Google started paying bug bounties in 2010, before such programmes were commonplace, and today this initiative is thriving: in 2021, the company rewarded 696 hunters with a total of $8.7 million. The company runs a leaderboard for bug hunters, a university for would-be hunters and even issues hunter swag to foster a sense of community.
Tiszka’s path to bug hunting started in 2012, while he was at high school in Missouri. He read about a Google hack challenge in which a teenager won a $60,000 prize for identifying a potential vulnerability in Chrome. “I was like, ‘Oh, I want to do that – that's really cool’,” recalls Tiszka, now 28 years old and based in New York City. “So then I spent the next four years studying computer science.” After graduating from the University of Missouri in 2016, and finding work at a big tech company, he decided to spend his down time looking for high-severity Chrome bugs. After about a month, he found one, and Google paid him $7,500 – a huge sum to the recent graduate. “I just wanted to do it again and again and again.”
Since 2016, Brendon Tiszka has found 13 Chrome browser vulnerabilities totalling around $200,000. Although the money has been helpful, providing him with a source of income while he took a one-year break from his career in order to travel, it was always about something bigger. “I think a lot of vulnerability researchers are motivated by the art of it, and having other researchers tell you, ‘Nice vulnerability’ – that feels really, really good.” This summer, he got rather more emphatic feedback – Google employed him on its Chrome Security Team as a Security Engineer, a progression not uncommon among elite hunters. “The only way to stop a hacker,” says Chrome Browser Enterprise Lead, Jen Langholz, “is to think like one.”
How browser innovations are taking on new cyber threats
The work that Tiszka and his fellow Chrome bug hunters do is becoming ever more significant. Many browsers are built on top of Chrome’s codebase, an open-source project called Chromium, and browsers themselves occupy an increasingly prominent place in our lives. There was a time when your browser was just one of the many applications you used every day. Now, it is where many people spend much of their work day and beyond. Workplace productivity and collaboration are shifting to the cloud, e-commerce is growing rapidly, and our worlds are moving to the web. To make life easier, browsers store valuable information such as passwords, addresses and credit card details. Thieves have noticed.
All of this makes browser security ever more important. Naturally, that’s about identifying and patching vulnerabilities. But it’s also about turning the browser itself into an active security tool – for detecting attacks in real-time, for gathering data on threats and, ultimately, for stopping hacks at the point of entry. The browser has thus become a hot area of innovation in cybersecurity, with developers working hard to ensure that browser technology is not only as secure as it can be right now, but that it is also ready for the threats of tomorrow.
Before users are exposed to threats, security-minded browsers tend to offer multiple lines of defence. Chrome has threat-protection features such as Enhanced Safe Browsing, which proactively protects against dangerous downloads, websites and extensions. “Safe Browsing technology built into Chrome now protects 5 billion devices from risky sites,” says Oliver Madden, Chrome Browser Enterprise Specialist. The wealth of data that Google has accumulated on the threat landscape allows it to use machine learning to identify potential threats it hasn’t even encountered yet – once again, in a sense, thinking like a hacker.
If attackers manage to break through the front line, browsers have two main strategies to limit the impact: “sandboxing”, which runs the processes that handle web content with restricted privileges so that they cannot reach beyond the browser itself; and “site isolation”, which keeps each site in its own sandboxed process. “Chrome was the first browser to implement very strong sandboxing,” says Madden. “Later, in reply to the threats of Spectre and Meltdown [two major attacks], site isolation was launched.” The beauty of sandboxing and site isolation is that they prevent attacks spilling over to other parts of the system. This makes it more difficult for malicious software to run – or continue downloading – once the browser or a tab has been closed, and far more difficult for that code to reach the filesystem or operating system, or to access data from other sites.
Of course, keeping web use secure is also about people. Teaching cybersecurity hygiene has been a struggle since the dawn of the internet. Chrome aims to create educational moments where threats may occur. For example, it notifies users when a corporate password is used on a non-corporate site, prompting them to change it. “I think most folks want to do the right things. They don't want to put their personal data at risk. They also don't want to put company data at risk,” says Lorena Crowley, Product Marketing Lead for Chrome Browser Enterprise. “It's a bit of an evolution that needs to happen in that IT teams need to look at the web browsers not just as a source of threat, but also an opportunity to protect, educate users and really combat those threats in real time versus just assuming that the incident is going to happen.”
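The corporate-password warning described above can be built without the browser ever holding the password in clear: keep a salted, slow hash of the credential captured at the corporate sign-in, and when a login form is submitted on a site outside the allowlisted domains, hash the typed value the same way and compare. The code below is an added illustration of that check, not Chrome’s password-protection implementation; the domains, salt handling and passwords are constructed, and the domain test shows the edge case that matters, matching real subdomains while rejecting look-alike hosts that merely contain the corporate name.

```python
"""Warn when a corporate password is typed on a non-corporate site.

Added example, not Chrome's implementation. Only a salted PBKDF2 hash of the
corporate password is retained; the allowlisted domains are constructed.
"""
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Constructed: domains where entering the corporate password is legitimate.
CORPORATE_DOMAINS = {"corp.example", "sso.example"}

# Iteration count is an assumption; it only needs to make offline guessing slow.
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    """Salted, slow hash so the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(password):
    """Called once, at sign-in to the corporate identity provider; returns the record to keep."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def is_corporate_site(url):
    """True for an allowlisted domain or any of its subdomains.

    The match is label-aware: 'mail.corp.example' counts, but 'corp.example.other'
    and 'evilcorp.example' do not, even though both contain the corporate name.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


def check_submission(url, typed_password, record):
    """Return 'reuse' when the corporate password is typed on a non-corporate
    site, otherwise 'ok'. The hash comparison is constant-time."""
    if is_corporate_site(url):
        return "ok"
    candidate = hash_password(typed_password, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):
        return "reuse"
    return "ok"


if __name__ == "__main__":
    record = enroll("Constructed-Passw0rd!")  # constructed sample credential
    for site in ("https://mail.corp.example/login", "https://shop.example.net/login"):
        print(site, "->", check_submission(site, "Constructed-Passw0rd!", record))
```

A real deployment would trigger the warning from the form-submission path and clear the stored record when the corporate password is rotated; the decision logic itself is the two functions above.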