Why Your Company Needs to Block Browser Extensions
By: Omer Kaan Aslim
July 29, 2020
Browser extensions can increase productivity; however, left unmanaged, they can create security risks for your organization.
Browser extensions can increase productivity, but they also increase cyber risk. Companies should take advantage of browser extensions to advance their business goals, and this can be accomplished while preserving security. In this post, I will discuss some of the benefits of browser extensions, give three reasons why your company should implement a deny-all-allow-by-exception policy towards browser extensions, and discuss how your company can implement that policy.
What is a Browser Extension?
According to Google, browser extensions are “small programs that add new features to your browser and personalize your browsing experience.”
Benefits of Browser Extensions
Browser extensions can provide employees with increased productivity. Examples include Grammarly, an extension that helps with spelling and grammar; Adblock, which blocks internet advertisements; and the Cisco Webex and Zoom extensions, which are used for video conferencing. The extensions I listed provide value to organizations and may have associated business needs. They may even provide security benefits. Companies should leverage browser extensions to advance their business goals while mitigating security risks.
3 Reasons Your Company Needs to Control Browser Extensions
Browser Extensions Increase Your Attack Surface
In a report titled “Protecting Browsers from Extension Vulnerabilities”, Google researchers said that “because extensions interact directly with untrusted web content, extensions are at risk of attack from malicious web site operators and active network attackers.” The report goes on to say “browser extensions are often not written by security experts, and many extensions contain security vulnerabilities”.
Malicious Browser Extensions Are Not Uncommon
Earlier this year both Google Chrome and Mozilla Firefox teams banned hundreds of browser extensions “that steal user data and execute remote code”.
Browser Extensions Can Potentially Access Your Sensitive Data
According to a report by Awake, “browser extensions downloaded almost 33 million times from Google’s Chrome Web Store covertly downloaded highly sensitive user information”. This isn’t the first time this has happened. In an article titled “My browser, the spy: How extensions slurped up browsing histories from 4M users”, Dan Goodin, Security Editor at Ars Technica, goes into detail about how “your tax returns, Nest videos, and medical info may have been made public” thanks to browser extensions.
Implement a Deny-All-Allow-By-Exception-Policy
As I stated earlier, browser extensions can be beneficial. Using Group Policy, you can implement a deny-all-allow-by-exception policy towards browser extensions/add-ons. Before implementing it, determine which browser extensions your organization needs to be using or wants end users to have access to. This may include allowing Cisco Webex extensions, Adblock, Grammarly, and any extensions associated with your antivirus suite.
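As an added illustration (not from the original post), the PowerShell below writes the registry values that Chrome's ExtensionInstallBlocklist and ExtensionInstallAllowlist Group Policy settings produce, then reads them back to confirm the deny-all entry is in place. The extension IDs are placeholders to be replaced with the IDs of the extensions your organization has approved, and the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: deny-all-allow-by-exception for Google Chrome on one machine.
# In a domain, set the same two policies in a GPO using Chrome's ADMX templates.
# Chrome versions before 86 use ExtensionInstallBlacklist / ExtensionInstallWhitelist.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Placeholder IDs (assumption): substitute the 32-character IDs of approved extensions.
$ApprovedExtensionIds = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
)

function Set-PolicyList {
    param([string]$Name, [string[]]$Values)
    $key = Join-Path $PolicyRoot $Name
    # Recreate the key so entries from an earlier list do not survive.
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    New-Item -Path $key -Force | Out-Null
    # Chrome list policies are string values named 1, 2, 3, ...
    for ($i = 0; $i -lt $Values.Count; $i++) {
        New-ItemProperty -Path $key -Name "$($i + 1)" -Value $Values[$i] `
            -PropertyType String | Out-Null
    }
}

function Get-PolicyList {
    param([string]$Name)
    $key = Join-Path $PolicyRoot $Name
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item -Path $key
    return @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}

# Reject malformed IDs before touching the registry (Chrome IDs are 32 letters a-p).
foreach ($id in $ApprovedExtensionIds) {
    if ($id -cnotmatch '^[a-p]{32}$') { throw "Not a valid extension ID: $id" }
}

Set-PolicyList -Name 'ExtensionInstallBlocklist' -Values @('*')   # deny all
Set-PolicyList -Name 'ExtensionInstallAllowlist' -Values $ApprovedExtensionIds

# Read back and confirm the policy is what was intended.
$blocked = @(Get-PolicyList -Name 'ExtensionInstallBlocklist')
$allowed = @(Get-PolicyList -Name 'ExtensionInstallAllowlist')
if ($blocked -notcontains '*') { throw 'Deny-all entry missing from blocklist.' }
$drift = Compare-Object -ReferenceObject $ApprovedExtensionIds -DifferenceObject $allowed
if ($drift) { throw 'Allowlist does not match the approved list.' }
Write-Output "Deny-all in place; $($allowed.Count) extension(s) allowed by exception."
```

After the policy refreshes, chrome://policy on the endpoint shows both settings and whether Chrome accepted them.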