Why Your Company Needs to Block Browser Extensions

By: Omer Kaan Aslim
July 29, 2020
Browser extensions can increase productivity; however, left unmanaged, they can create security risks for your organization.

Browser extensions can increase productivity, but they also increase cyber risk. Companies should take advantage of browser extensions to advance their business goals, and they can do so while preserving security. In this post, I will discuss some of the benefits of browser extensions, give three reasons why your company should implement a deny-all-allow-by-exception policy towards browser extensions, and discuss how your company can implement that policy.

What is a Browser Extension?

According to Google, browser extensions are “small programs that add new features to your browser and personalize your browsing experience.”

Benefits of Browser Extensions

Browser extensions can provide employees with increased productivity. Examples include Grammarly, an extension that helps with spelling and grammar; Adblock, which blocks internet advertisements; and the Cisco Webex and Zoom extensions, which are used for video conferencing. The extensions I listed provide value to organizations and may have associated business needs. They may even provide security benefits. Companies should leverage browser extensions to advance their business goals while mitigating security risks.

3 Reasons Your Company Needs to Control Browser Extensions

Browser Extensions Increase Your Attack Surface

In a report titled "Protecting Browsers from Extension Vulnerabilities", Google researchers said that “because extensions interact directly with untrusted web content, extensions are at risk of attack from malicious web site operators and active network attackers.” The report goes on to say “browser extensions are often not written by security experts, and many extensions contain security vulnerabilities”.

Malicious Browser Extensions Are Not Uncommon

Earlier this year, both the Google Chrome and Mozilla Firefox teams banned hundreds of browser extensions “that steal user data and execute remote code”.

Browser Extensions Can Potentially Access Your Sensitive Data

According to a report by Awake, “browser extensions downloaded almost 33 million times from Google’s Chrome Web Store covertly downloaded highly sensitive user information”. This isn’t the first time this has happened. In an article titled "My browser, the spy: How extensions slurped up browsing histories from 4M users", Dan Goodin, Security Editor at Ars Technica, goes into detail about how “your tax returns, Nest videos, and medical info may have been made public” thanks to browser extensions.

Implement a Deny-All-Allow-By-Exception-Policy

As I stated earlier, browser extensions can be beneficial. Using group policy, you can implement a Deny-All-Allow-By-Exception-Policy towards browser extensions/add-ons. Before implementing it, determine which browser extensions your organization needs to use or wants end users to have access to. This may include allowing Cisco Webex extensions, Adblock, Grammarly, and any extensions associated with your antivirus suite.

Enable and disable add-ons using administrative templates and group policy

Set Chrome app and extension policies (Windows)

Internet Explorer ADMX Templates for Group Policy
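
As an added example (not part of the original post or of Google's documentation), the PowerShell below writes the Chrome policy registry values for a deny-all-allow-by-exception setup on a single machine and then lists installed extensions that are not approved. The extension IDs are constructed placeholders, and the extension folder is assumed to be the default Chrome profile location.

```powershell
# Run in an elevated PowerShell session. These are the policy registry values
# behind Chrome's extension blocklist/allowlist group policy settings.
# Older Chrome releases use ExtensionInstallBlacklist / ExtensionInstallWhitelist.
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Approved extensions (constructed placeholder IDs; replace with the real
# 32-character IDs of the extensions your organization has approved).
$Approved = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
)

foreach ($id in $Approved) {
    # Chrome extension IDs are 32 lowercase letters in the range a-p.
    if ($id -cnotmatch '^[a-p]{32}$') { throw "Invalid extension ID: $id" }
}

function Set-ChromePolicyList {
    param([string]$Name, [string[]]$Values)
    $key = Join-Path $ChromePolicy $Name
    # Recreate the key so entries from an earlier run do not linger.
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    New-Item -Path $key -Force | Out-Null
    for ($i = 0; $i -lt $Values.Count; $i++) {
        New-ItemProperty -Path $key -Name "$($i + 1)" -Value $Values[$i] `
            -PropertyType String | Out-Null
    }
}

# Deny all: "*" on the blocklist blocks every extension not on the allowlist.
Set-ChromePolicyList -Name 'ExtensionInstallBlocklist' -Values @('*')
# Allow by exception: only the approved IDs may be installed.
Set-ChromePolicyList -Name 'ExtensionInstallAllowlist' -Values $Approved

# Audit: extensions present in the current user's default profile that are
# not on the approved list (assumed default install path).
$extDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
if (Test-Path $extDir) {
    Get-ChildItem -Path $extDir -Directory |
        Where-Object { $_.Name -cmatch '^[a-p]{32}$' -and $Approved -notcontains $_.Name } |
        Select-Object @{ n = 'UnapprovedExtensionId'; e = { $_.Name } }
}
```

After restarting Chrome, the applied values can be confirmed at chrome://policy. In a domain, the same two lists are set through the Chrome administrative templates rather than written per machine.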

 
