SecurityWeek
Browser Sync – When Your Browser Brings Your Own Device to Work

How Browser Sync Features Can Pose a Risk to The Enterprise


Until recently, controlling the endpoint was the cornerstone of any enterprise security program to protect business data. The organization’s IT department was the only source of computing devices, which allowed it to apply security policies by installing certain applications (e.g., antivirus software, security patches) and denying others deemed problematic (e.g., file sharing). Since the company owned the devices, it also knew their physical whereabouts. Had a device been stolen or lost, the employee had to report it.

However, the emerging trend of “IT consumerization” or “Bring Your Own Device” (BYOD) is changing the status quo of enterprise networks. Wikipedia defines BYOD as “employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers, and databases.”

While the BYOD trend offers many advantages to the organization (e.g., shifting IT cost to employees and having state-of-the-art hardware), it also brings some serious concerns from an information security perspective as the IT department no longer has full control over the endpoint. Due to these concerns, some organizations refrain from BYOD and stick to the more traditional model.

But in some cases, new browser capabilities enable employees to essentially bypass an anti-BYOD policy. How? Employees can use a more subtle BYOD phenomenon which doesn’t involve bringing a physical device to work, but rather using the browser’s synchronization feature.

The Browser is the new OS

In the early days of the World Wide Web, the browser was a simple application made just to fetch static pages, and browsing the web was just another thing a user would do on their computer. Since then, a lot has changed, and now the web is commonly the primary reason to have a computer, as it delivers feature-rich applications and opens new connectivity options.

Naturally, the browser had to evolve to support this. A modern browser, such as the Google Chrome browser, includes features that were traditionally considered the sole property of the Operating System (OS). In fact, Google OS and the Chrome browser share many features. Such features include installing and running applications downloaded from Google’s web store, accessing hardware devices (Chrome 21 adds native support for webcams) and managing offline storage (HTML5 offline storage).

Another important addition over the basic browser model is the browser synchronization feature. It enables the user to sign in to Google’s web site and automatically synchronize all of the signed-in devices. The following information gets synchronized across the devices: apps and extensions, personal browser information such as passwords, history, open tabs, bookmarks and autofill information, and the browser’s internal settings.


Figure 1- Chrome 21 sync settings

Chrome Browser Sync Security Vulnerabilities

Such a level of synchronization really brings BYOD hazards into the enterprise’s internal network environment. When a user signs in from both his or her work computer and a personal Android mobile phone, they can unwittingly expose the work computer. Business-sensitive data such as passwords can be sent to the personal device, and extensions from the personal device can be automatically installed on the company-owned computer.

If the personal device gets stolen, some business-sensitive data can be taken from it, and the IT department never gets any report of the incident, since this is a privately owned device. If there’s a virus on the personal device, it can leap from the personal environment to the enterprise’s environment by abusing the automatic extension synchronization and installing a malicious extension.

The bottom line: BYOD can happen even if the private device is not physically brought into the work environment.

Shifting the weight from endpoint based security to server based security

Surely, enterprises can thwart this specific case of BYOD-by-browser-sync by blocking browser syncing, either with technology or with corporate policy. However, fighting for the endpoint’s security is an uphill battle at best, if not a lost cause.
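As an added example of the “with technology” option (this is not code from the article or from Google): a managed Chrome policy file that switches off browser sync on a Linux endpoint, plus a narrower variant that leaves sync on but excludes the data types the article singles out (passwords, extensions and apps). The policy names SyncDisabled, SyncTypesListDisabled and ExtensionInstallBlocklist are Chrome enterprise policies as I know them; the file names and the policy directory default are my own choices, and the directory can be overridden for testing.

```shell
#!/bin/sh
# Added example, not part of the SecurityWeek article: write Chrome managed
# policies that block (or narrow) browser sync on a corporate endpoint.
# Assumed: Chrome reads JSON policy files from /etc/opt/chrome/policies/managed
# on Linux, and the policy names below exist in Chrome's enterprise policy list.

DEFAULT_POLICY_DIR="/etc/opt/chrome/policies/managed"

# Strict option: no sync at all, and no extension installs from any source,
# so nothing from a personal device can be pulled onto the work machine.
write_sync_policy() {
    dir="$1"
    mkdir -p "$dir" || return 1
    cat > "$dir/disable-browser-sync.json" <<'EOF'
{
  "SyncDisabled": true,
  "ExtensionInstallBlocklist": ["*"]
}
EOF
}

# Narrower option: keep sync for bookmarks/tabs but stop the data types the
# article calls out (passwords, extensions, apps) from crossing devices.
write_partial_sync_policy() {
    dir="$1"
    mkdir -p "$dir" || return 1
    cat > "$dir/limit-browser-sync.json" <<'EOF'
{
  "SyncTypesListDisabled": ["passwords", "extensions", "apps"]
}
EOF
}

# Sanity check that the strict policy file is present and still says what
# we intended (a drifted or hand-edited file returns non-zero).
verify_sync_policy() {
    f="$1/disable-browser-sync.json"
    [ -f "$f" ] || return 1
    grep -q '"SyncDisabled": true' "$f" || return 1
    grep -q '"ExtensionInstallBlocklist"' "$f" || return 1
    return 0
}

# Only touch the real policy directory when a target is given explicitly,
# e.g.:  sudo sh disable-sync.sh /etc/opt/chrome/policies/managed
if [ -n "${1:-}" ]; then
    target="$1"
    [ "$target" = "default" ] && target="$DEFAULT_POLICY_DIR"
    write_sync_policy "$target" && verify_sync_policy "$target" \
        && echo "browser sync policy written to $target"
fi
```

On Windows the same policies are set as values under HKLM\Software\Policies\Google\Chrome (for example a DWORD SyncDisabled = 1) rather than as a JSON file, typically via Group Policy; on macOS they are delivered as a configuration profile. Whichever form is used, the policy only constrains the managed Chrome build: a user who installs a different, unmanaged browser is back to the article’s uphill battle, which is the point the next section makes.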

A possible solution is to stop the “cat and mouse” game between the IT department and the users, allow the users to bring their own devices, and accept the fact that endpoints can no longer be considered safe (and in fact they weren’t very safe even before BYOD). Instead, data security should be based on the servers that store the information. In other words, don’t focus on the mice, focus on the cheese. The server will protect its data by using various methods, such as online scanning of the endpoint for relevant malware, wrapping the data so it cannot be copied and sent, and verifying the user, rather than the endpoint, with various authentication methods.

This paradigm change, as with any other paradigm change, might be hard to stomach in the beginning, but it seems to be eventually inevitable.
