Mitigating Attacks on the User of the Web Browser

Attacks that target the web browser’s human element—the user—by using social engineering can be very effective. The developers of web browsers are placing greater emphasis on this attack vector. They do this by providing better guidance to the user regarding the risky actions taken by the website.

NSS Labs tested browsers’ ability to protect users from socially-engineered malware. According to NSS Labs, Internet Explorer surpassed the effectiveness of other browsers to protect the user from this attack vector.

Internet Explorer achieved such performance as the result of its improved SmartScreen feature, which incorporates application reputation capabilities starting with Internet Explorer 9. This aspect of SmartScreen maintains reputation data about known bad and known good executables. It also warns the user when the executable that he or she is attempting to run doesn’t have reputation data:

Anti-virus tools are starting to include similar capabilities, as you can see in the Norton Internet Security 2011 screen shot below; however, Internet Explorer’s improved SmartScreen feature is the first time I’ve encountered application reputation tracking built directly into the web browser.

Application reputation capabilities of end-point security tools help mitigate some risks associated with the user of the web browser executing a malicious program. Security awareness training is an important aspect of the mitigation strategy as well. So is limiting the privileges that the user has locally and on the network.

This note is part of a series that explores attacks that use the web browser. Other posts in this series are:


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more