By now you have probably heard of the next big vulnerability since Heartbleed. If you are running Microsoft’s Internet Explorer web browser, you are likely vulnerable. According to Microsoft Security Advisory 2963983 (https://technet.microsoft.com/library/security/2963983): “Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.” We have researched this particular bug so as to offer you some practical advice on dealing with the Internet’s latest scare.
What does this mean to you? Are you actually vulnerable? The normal IT response is applicable here, “It depends.” To answer the question, we must first consider the value (and necessity) of a defense in depth strategy. This includes several layered security technologies: perimeter firewall, intrusion detection/prevention systems, content filters, gateway antivirus, spam filtering, network switch security, computer antivirus/firewall and, finally, routine software security patches. Without getting into the weeds on how each of these solutions work, think of them collectively as rings of security like multiple walls and other physical security (moats, gates, etc.) around a castle. When all of these things are in place, one or more systems (generally speaking) can fail without compromising the end-point we are defending. This is why achieving a proper balance of these solutions is an important business strategy. And the cost of implementing each must be weighed against the risk (and cost) associated with a possible leak of intellectual property, competitive business information, and personally identifiable client/patient records (PII/ePHI which have regulatory penalties).
That’s all fine and good if you are a security expert or if you outsource to a trusted technology advisor, but let’s consider some practical strategies you can leverage to mitigate the vulnerability risk:
- First, if you are running Windows XP, it’s past time to ditch it. Microsoft discontinued support for XP on April 8th of this year, so these systems will not be patched when Microsoft releases the security updates to fix the problem.
- Another simple step is to be sure your antivirus software if up-to-date. Computer antivirus is the last line of defense, so maintaining current database subscriptions and updates is essential.
- Always be cautious of suspicious email, especially from unknown (or unexpected) sources and emails containing web links. When in doubt, delete it, and if you know the sender, ask them to resend the email. Clicking on an email web link can allow an attacker to bypass some of the security layers, resulting in a computer infected with viruses, trojans and/or malware. A good spam filter will help in this area.
- Finally, consider using an alternative browser. These include: Firefox, Chrome and Safari. This may or may not be an option depending on whether your company has particular web application dependencies on Internet Explorer. One strategy is to use one of the other browsers for all web browsing, except the application(s) that rely in IE.
- If you must use Internet Explorer for business reasons, disabling the Adobe Flash plugin will prevent the browser exploit from executing, effectively eliminating the threat.
We’ve explored some ways to minimize the vulnerability risk of Internet Explorer. Some of these involve a strategic approach using a defense-in-depth strategy, but we have also offered some simple and practical solutions you can implement now. Unless you are running Windows XP, Microsoft will soon release a security update to resolve the problem. Until then, the recommendations offered here will help keep the Internet bad guys at bay until a proper fix is in place.