Concern grows over browser security

Browser-based security threats are on the rise and may pose the next significant risk to information technology operations, according to a technology trade association.

The Computing Technology Industry Association (CompTIA) on Monday released its second annual report on IT security and the work force. The survey asked nearly 900 organizations to rank their top 15 security concerns. According to the results, 36.8 percent said they were plagued by one or more browser-based attacks in the last six months. That's up from 25 percent in last year's survey.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

"Browser-based attacks are a logical evolution," said Randall Palm, director of IT at CompTIA. "The better we get at stopping attacks, the more creative hackers get at writing new ones. Ten years ago, most viruses were distributed on floppy disks. Then came e-mail and instant-messaging software. Now, they are targeting browsers."

Browser-based attacks are typically unleashed when a person visits a Web page that appears harmless but actually contains hidden code intended to sabotage a computer or compromise privacy. Some attacks simply crash a browser, while others pave the way for the theft of personal information or the loss of confidential proprietary data.

One of the most common ways of disseminating these attacks is through e-mails that include a link to a malicious Web server. Because the attacks usually aren't launched until the user clicks on the link, many firewalls don't catch them. Traditional firewalls examine traffic coming into the network, but guarding against browser attacks requires that traffic leaving the network also be inspected.

Some companies are using products from start-ups such as SurfControl and Websense that are designed to monitor and control corporate Web usage in order to help protect against browser-based attacks. Firewall vendors, like Check Point Software Technologies and NetScreen Technologies, have also added some protection. But Palm said these companies still have a long way to go before they eliminate the problem.

"Stateful inspection of inbound vulnerabilities is not Check Point's or NetScreen's main focus," he said. "All the firewall vendors are playing catch-up, when it comes to protecting against this threat."

Browser vendors also are taking action to minimize the risk to their products. In January, Microsoft said it would release software updates to Internet Explorer and Windows Explorer designed to protect Web surfers from being lured to Web sites that could contain malicious code. In December, a Danish security firm alerted the security community to an IE bug that would let hackers display false Web addresses.

While concern over browser-based security threats is growing, companies still view computer viruses and worm attacks as the most threatening security risk. But these threats are significantly less common than they were a year ago, according to the survey. Last year, 80 percent of organizations identified worm and virus attacks as their most common IT security threat. This year, that number is 68.6 percent.

Last year, network intrusion issues were the second-most common security threat, garnering 65.1 percent of the vote. This year, network intrusion issues dropped significantly, falling to 39.9 percent. This drop could be attributed to the high percentage of companies using antivirus applications to fight viruses and worm attacks. According to CompTIA, 95.5 percent of organizations use some form of antivirus technology.

Firewalls and proxy servers are the second-most commonly used antivirus technology, employed by 90.8 percent of respondents. Companies also are doing more security audits and penetration testing. They were used by 61 percent of respondents, up from 53 percent.