Controlling the Browser… If You Can

February 5, 2009

Andreas makes a number of good points in his weekly NetworkWorld column about Firefox add-ins. His general point is that software extensibility is good, but it must be controlled lest you introduce significant new risks to your environment. I couldn’t agree more. That’s why a lot of the work we at eIQ do with configuration auditing is such an important part of maintaining a secure environment.

Most security organizations don’t have the pull to really lock down desktops. Sure, they can mandate a standard build, but in most cases users can install the software they want, and sometimes that software becomes a problem. The reality is you can’t avoid these issues, but you need to figure out how to react faster and appropriately when an issue crops up.

The first step is to know what’s out there. A lot of organizations rely on asset management tools to assemble information on who is using what. You can also figure out what software is out of policy and decide whether to do anything about it. Sometimes the better answer is to turn the other cheek rather than get rid of unauthorized software. But it’s not OK to not know it’s there.

Just as important as understanding what’s out there, you need to understand what’s changing. That’s why constantly revisiting both the asset base and the device configurations is critical. Doing just one or the other isn’t enough. New software can (and usually does) change configurations, and that can create security exposures.

To bring the point home, it’s probably unreasonable to expect that your users will allow you to totally control what software they are running. But you CAN and SHOULD know what they are running and be able to pinpoint when something changes to evaluate the security risk to your environment. That’s just good security practice.
