How to secure the browser and minimize your district’s attack surface
When I was in elementary school, we had one computer lab in our library that was filled with old Macintosh computers that were 1 and a half feet by 1 and a half feet cubes that weighed 50 pounds each. Each one had Microsoft Word installed on the machine with no web browser in sight. Fast forward to my middle school years and we had slightly better PCs in our computer lab, but they were mostly used for playing Flash games, updating my MySpace account, and searching Internet Explorer for less than school-appropriate stuff. By the time I got to high school, computer labs were used often and most research was being done on computers and the internet instead of old library books. However, flash forward 10 plus years and now in 2022, computers and the internet play a central role in how students learn and how teachers teach.
For almost all school districts in the United States, the browser, meaning web browsers like Google Chrome, Firefox, or Microsoft Edge, has become an essential and critical part of the learning process. The browser makes possible virtual classrooms, multimedia learning, attendance tracking, grading, studying, researching learning topics, and so much more. Over the last few years, it has become the backbone of how we teach and interact with students in a digital age. For this reason, it has also become our greatest attack surface across our districts. From our pre-K to high school classrooms, all students interact with a browser at some point during their school day, making browser security our number one priority for our districts.
But how do we secure a browser for our district? After all, browser development and browser security development require specialized knowledge of how browsers work. Believe it or not, the best way to secure browsers in our districts is to simply keep them updated. It’s as easy as that. Browser updates contain not only new features and bug fixes for an easier end-user experience, but also any additional security updates. These security updates are created by the browser’s security development team after a security vulnerability or misconfiguration is found, either internally by their own team or externally by security researchers outside of the organization.
While it may seem strange to have people outside of the organization working on a browser’s security, it is actually a major benefit when leveraged properly. These external security researchers are participating in what are called bug bounties. Bug bounties have defined scopes of what may be tested. If a bug is found in that scope, is reported correctly, and can be reproduced by the internal security team, the researcher gets credit for discovering the vulnerability and receives a cash reward. These rewards can range from $10 to $10,000,000 depending on the vulnerability’s severity, complexity, and use. Some of these researchers even get offered jobs because of the vulnerability they found. Google itself has a security team dedicated to finding zero-day exploits (exploits and vulnerabilities that exist and are actively being used by attackers before the software vendor can patch the exploit or vulnerability) in Chrome and other browsers, made up in part of previously external security researchers who now work directly for Google. This team is called Project Zero.
These bug bounties and security researchers are a critical part of our browser’s security development because browsers are built on top of frameworks that get re-used and re-purposed for multiple different browsers. The best way to understand this is by thinking about how a house is built. While most houses look different when completely built, all houses are essentially made up of the same materials. Every house has a foundation, a frame, a door, and a roof but how they are assembled, arranged, and decorated is up to the builder. The same thing is true about browsers. Each browser has a similar underlying framework and then is built by the designers as they see fit. The security updates that are then released for the framework of a particular browser can then trickle down to all of the browsers using that framework, allowing the browser’s developers to build a more secure browser by using the updated framework.
The best example of this is the Google Chrome web browser. The browser was first released in 2008 and was a new and improved version of a web browser that took the best aspects of the Internet Explorer browser and the Firefox browser and created something new. Then, year over year, it became better and better, essentially becoming the most widely used browser around the world. It became so widely used that other people wanted to use Chrome to make their own browser for their own purposes instead of creating a brand new browser from scratch. Now there are many different browsers all based on Chrome, and these browsers are called Chromium-based browsers. Some popular Chromium-based browsers are Vivaldi, Brave, Epic Privacy Browser, SlimBrowser, Torch, Comodo Dragon, and even the new version of the Microsoft Edge browser that was released in 2020. So when the Chromium framework fixes a security vulnerability or misconfiguration, all of the previously listed browsers, and many more, also get security updates to their browsers.
Another way that we can protect our browsers is by implementing DNS filtering. DNS filtering is the process of using the Domain Name System (DNS) to block malicious websites and filter out harmful or inappropriate content. This is done by setting up DNS filtering services either on the firewall or using additional services like Cloudflare or OpenDNS. To understand how this works, we must first understand how DNS works. When you type a domain name into your browser, like www.google.com, your device creates a DNS query and sends it to a specialized server called a DNS resolver. This resolver matches the domain name with an IP address and sends that IP address back to the device, which then opens a connection to it and starts loading the content. DNS filtering works by maintaining a list of blocked domains and then refusing to resolve any DNS query that contains a domain on the blocked domains list. By using DNS filtering we are able to stop connections with known malicious domains and IP addresses in a meaningful way without any end-user interaction or education.
These blocked domain lists are usually maintained by the vendor of the product they are implemented on. This allows the service to be toggled on or off easily, which makes it easier for more people to use this feature rather than having to build a list from scratch. With that said, you also have the option of adding new domains to the block list, as well as adding domains to an allow list that bypasses the block list, to better customize the filtering to fit your district. By implementing DNS filtering in our districts, we are able to stop many threats before they can even get a chance to get a foothold in our environment, allowing for uninterrupted learning throughout our district.
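The filtering decision described above, sketched in Python as an added example (not code from this article or from any DNS filtering vendor). The list contents and the function names are assumptions made for illustration, and every domain is a constructed sample under a reserved name.

```python
# Added example: how a filtering resolver decides whether to answer a query.
from typing import Optional, Set, Tuple

# Constructed sample lists; a real deployment would load the vendor's feed.
BLOCK_LIST = {"malware.example", "ads.tracker.test"}
ALLOW_LIST = {"learning.malware.example"}  # district override of the block list


def normalize(qname: str) -> str:
    """Lower-case the query name and drop the trailing root dot."""
    return qname.strip().lower().rstrip(".")


def matching_entry(name: str, entries: Set[str]) -> Optional[str]:
    """Return the list entry that equals `name` or is a parent domain of it.

    Matching is done on whole labels, so 'notmalware.example' does not match
    the entry 'malware.example', while 'cdn.malware.example' does.
    """
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None


def filter_query(qname: str) -> Tuple[str, Optional[str]]:
    """Decide what the resolver does with one DNS query name.

    Returns ("block", entry) when the name falls under a block-list entry,
    otherwise ("resolve", entry-or-None). The allow list is checked first
    because it bypasses the block list.
    """
    name = normalize(qname)
    allowed = matching_entry(name, ALLOW_LIST)
    if allowed:
        return ("resolve", allowed)
    blocked = matching_entry(name, BLOCK_LIST)
    if blocked:
        return ("block", blocked)
    return ("resolve", None)


if __name__ == "__main__":
    for q in ["www.example.org", "CDN.Malware.Example.", "notmalware.example",
              "learning.malware.example", "x.ads.tracker.test"]:
        print(q, "->", filter_query(q))
```

Matching on whole labels is the detail to check in any custom list handling: a plain substring test would block look-alike but unrelated names and would miss mixed-case or dot-terminated queries.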
The browser has become the undeniable way of learning in the 21st century and as it evolves we continue to innovate and create new ways for our students to engage in learning. For this reason, it is of utmost importance that we take every reasonable action we can to secure the browser in our district’s environment. By continuously updating and using DNS filtering we are able to take some first steps in better protecting our students, teachers, staff, and everyone else in our district.