Gartner Blog Network


Identifying Browsers and Plugins That Might Represent a Risk

by Neil MacDonald  |  January 21, 2011

In my kickoff post for 2011, I talked about the need for IT to expand the depth and breadth of patching. In the follow-on post, I talked about the need to migrate more users to run with standard user (and not administrative-level) privileges.

One of the challenges to both of these actions is getting a handle on the number of browsers and plugins in use in your organization. For example, even though your policy might state that Internet Explorer is the only supported browser, the reality is that many browsers may be installed without the official support of enterprise IT.

The same is true of plugins (toolbars, browser helper objects, ActiveX controls and browser extensions). IT may officially support a core set of these (Flash, PDF, Webex, and so on) but isn’t aware of the rest.

Allowing users to choose alternative browsers and customize their work environment isn’t inherently bad. In fact, I coauthored this research note for clients, which explains Gartner’s official position that organizations shouldn’t standardize on a single browser and lays out a strategy for this. The risk is that this expanded set of browsers and plugins isn’t kept up to date from a security perspective and presents hackers with opportunities to target your users.

A good PC lifecycle management tool should provide the detailed inventory information you are looking for. However, some clients have indicated to me that they were having difficulty identifying plugins.

Last week, Microsoft updated its free Microsoft Assessment and Planning Toolkit. Because it uses credentialed access (and thus doesn’t require an agent), the tool is able to query each machine and obtain inventory information, including the browsers in use and their versions (including non-Microsoft browsers):

[Image: browser inventory from the toolkit]

And, for Internet Explorer, the toolkit identifies all of the plugins:

[Image: Internet Explorer plugin inventory from the toolkit]

Part of managing risk is understanding where risk resides.

I was talking to a client yesterday and used this analogy: It’s like when you know you have skeletons in the closet but you don’t quite know how many — so you get a stronger flashlight.

More visibility leads to more informed decision making.
