BrowserScan with HD Moore - Whiteboard Wednesday

December 12, 2012

Today's Whiteboard Wednesday features HD Moore, who talks about BrowserScan, Rapid7's latest free tool that checks for browser-based risks.

Browsers are one of the biggest threats to all internet users. By not updating your browsers and plug-ins, you are putting both yourself and your company at risk of a data breach. Now you can use BrowserScan to see your organization's browser-based risks and even identify and notify your at-risk users.

BrowserScan is free, try it now!

Video Transcript

Hi. My name is HD Moore, Chief Security Officer for Rapid7. Today, I want to talk to you about BrowserScan, which is the topic of this week's Whiteboard Wednesday. BrowserScan is a new tool provided by Rapid7. It's free to use; there's no subscription, no charge. The way it works is as a hosted service that you integrate with your internal websites.


In this scenario, we've got two internal users, and we've got our IT administrator, and the IT administrator wants to understand what vulnerabilities his users have, and make sure that a drive-by attack or a malicious website can't take over his system and eventually infect the rest of the network. The way to do that would be to log into BrowserScan through Rapid7.com, register for an account, and create a new tracking code. Take that tracking code and insert it into the footers of things like Outlook Web Access, SharePoint, or your intranet website. Once you've got the tracking code installed, you can then change what the tracking code does.

For example, if you're just trying to capture information about what versions of what browsers people are using, what plug-ins they've got installed, or how vulnerable those particular versions of those programs are, you can run in transparent mode. In that case, nothing will happen: the user will visit the website, and everything just looks like normal. If there's a problem with our site or you're losing internet activity, it won't have any impact on the availability of that particular website. It has no detrimental impact if things go wrong, basically.

Over time, you can start seeing trends. For example, if a new vulnerability comes out on Java, immediately you'll see your exploitable risk shoot straight up in the graphs, saying, "We really need to take care of Java this month. We're too far behind on patches. This is a real risk to our organization." It's a great way to keep track of what your desktop vulnerabilities look like over time. However, we just had to go a couple of steps further and say, "Instead of just identifying what your risks are, and identifying what percent of your users are vulnerable to a particular type of attack, we want to make sure that you can provide tools to create awareness of those vulnerabilities to those users, as well."

Let's say User1 connects to an Outlook Web Access site, and we've changed the BrowserScan setting to not just track the information, but also to throw up an alert and say, "Your browser's out of date, or your plug-ins are out of date. You need to go talk to security about it because there's something wrong with your system, and we want to keep you safe." They will immediately get a pop-up saying, "Stop. Take a look at your system. [inaudible: 02:00]. Do something else. Click through to get to the website, and done. Then go to the website and browse as normal."

If you want to take that a step further and say, instead of just informing users that something's wrong and making them click through a warning dialog, you can instead say, "I don't want this user to have access to a particular website unless they're secure." For example, we have User2, and they're trying to log into SharePoint. The administrator's configured the SharePoint cookie, so instead of just tracking data or showing a pop-up, if the user's out of date or they've got any exploitable vulnerabilities whatsoever in their browser, it'll actually redirect them to the intranet website, to a landing page that says, "Contact IT. Your system's out of date. Your system is too insecure to access our internal resources right now."

It's a great way to do lightweight network access control. It's not foolproof by any means; you can always bypass it, but it's a good way for an IT administrator to really keep track of desktop security overall, be able to enforce some level of control and some level of awareness across the organization, and generally get more insight into what's going on at the desktop level.

That's it for this Whiteboard Wednesday. Thank you.
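The three policy modes the transcript describes (transparent tracking, a warning pop-up, and a redirect to an IT landing page) all hang off the same client-side check: collect browser and plug-in versions, compare them against a baseline, and act on the result. The following is an added illustration of that mechanism, not Rapid7's BrowserScan code and not its API; the component names, the minimum-version table, and the sample inventory are constructed placeholders, and the decision logic is kept separate from the DOM so it can be exercised outside a browser.

```javascript
// Added example: a client-side version baseline check with the three policy
// modes described in the transcript. Not BrowserScan's own code.
// MINIMUM_VERSIONS is a CONSTRUCTED placeholder table, not a real baseline.

const MINIMUM_VERSIONS = {
  Firefox: "17.0",
  Java: "1.7.0.9",
  Flash: "11.5.502.110",
  Reader: "11.0.0",
};

// Compare dotted (or underscore-separated) numeric version strings.
// Returns -1 if a < b, 0 if equal, 1 if a > b. Missing segments count as 0.
function compareVersions(a, b) {
  const pa = a.split(/[._]/).map(Number);
  const pb = b.split(/[._]/).map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// inventory: [{ name, version }] as a page script would collect it.
// Returns the components that fall below the policy baseline; components
// the policy does not know about are ignored rather than flagged.
function findOutdated(inventory, policy = MINIMUM_VERSIONS) {
  return inventory.filter(({ name, version }) => {
    const min = policy[name];
    return min !== undefined && compareVersions(version, min) < 0;
  });
}

// Map a policy mode plus the findings to a decision object.
// "transparent": record only, never interfere with the page.
// "alert":       let the user through after a warning.
// "redirect":    send the user to an IT landing page instead of the site.
function decide(mode, outdated, landingUrl) {
  if (outdated.length === 0) return { action: "allow" };
  const summary = outdated.map((o) => `${o.name} ${o.version}`).join(", ");
  switch (mode) {
    case "transparent":
      return { action: "allow", log: summary };
    case "alert":
      return { action: "warn", message: `Out of date: ${summary}. Contact IT before continuing.` };
    case "redirect":
      return { action: "redirect", url: landingUrl };
    default:
      throw new Error(`unknown mode: ${mode}`);
  }
}

// Apply a decision in the browser; a no-op outside one (e.g. under Node).
function render(decision) {
  if (typeof window === "undefined") return;
  if (decision.action === "warn") window.alert(decision.message);
  else if (decision.action === "redirect") window.location.assign(decision.url);
}

// Constructed sample inventory: two components below baseline, one at it.
const SAMPLE_INVENTORY = [
  { name: "Firefox", version: "16.0.2" },
  { name: "Java", version: "1.6.0_37" },
  { name: "Flash", version: "11.5.502.110" },
];

// Hypothetical landing page; the real one would be the intranet page IT runs.
const LANDING_URL = "https://intranet.example/out-of-date";

// Stand-alone run: evaluate the sample inventory in each mode.
for (const mode of ["transparent", "alert", "redirect"]) {
  render(decide(mode, findOutdated(SAMPLE_INVENTORY), LANDING_URL));
}
```

Because the check runs in the user's browser, anything it decides can be altered or skipped by whoever controls that browser, which is exactly why the transcript calls this lightweight access control rather than a foolproof gate; the value is in the trend data and the awareness it creates, with the real enforcement living in patching and server-side controls.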