ControlsInsight measures how well critical security controls are deployed and configured in the environment. Web browsers up-to-date is one of the 11 critical security controls that ControlsInsight monitors, measures and provides deployment guidance for.

What is the Web browsers up-to-date control?

This control indicates how many assets monitored by ControlsInsight have Web browsers with the latest updates installed.

Which Web browsers are currently  supported by ControlsInsight?

Currently, ControlsInsight monitors Internet Explorer from version 9 onwards, as well as the latest versions of Google Chrome and Firefox.

Why do we need to have the Web browsers up-to-date?

Web browsers are extremely common and are present in nearly every system. They are frequently used and are a commonly used entry point for attackers. Therefore, having the web browsers secured becomes extremely important.  Each user tends to have different third-party plug-ins or software installed on their Web browsers for their convenience, which again becomes an important point of vulnerability. The third-party plug-in may not have any mechanism for security updates.

Cookies are files placed on the system to store data for specific websites and hence may contain critical information such as credentials stored in them. If a website uses cookies for authentication then an attacker may be able to access the credentials stored in them. As a result, web browsers could very easily be viable for attack. The impact of an attack can vary from just credentials being stolen all the way to the attacker taking control of the system.

Each new release version of a web browser will contain patches for different vulnerabilities found along with new browser features. Hence having the web browser up to date with all the latest version minimizes the risk of getting compromised.

The following screen shot shows an assessment of a high-risk environment that is prone to attacks because very few assets are fully updated:

ControlsInsight's intelligent threat model identifies those assets that require browser updates specific to the browser and reports them with their current risk level. Any asset that has no browser update applied will have a very high risk, an asset with a few updates missing will have medium risk, and assets with fully updates browser will have a low risk associated with them. ControlsInsight also provides guidance on how to apply the latest updates on these assets with outdated browsers. Once the updates are applied, we can see the risk level of these assets going down and also the overall threat grade going up, indicating the current environment has a diminished risk of compromise.

The following  screenshot shows the assets that need to have browsers updated:


In the threats page, ControlsInsight also reports the asset coverage summary with respect to this security control, indicating the percentage of assets with all their latest updates applied to their browsers. The asset coverage summary contributes to the overall threat grade displayed. If this asset coverage summary has a very low percentage, it is an indication that the web browsers must be immediately updated on those assets.

We hope that this blog post shows the importance of having the web browsers up to date and how ControlsInsight helps in monitoring and accomplishing that.