Google Chrome is about as common in office spaces as a water cooler or a coffeemaker.
Chrome is also becoming king elsewhere, except on Macs, where Safari is the browser of choice. With its minimalist, crisp interface and Google brand, most people are quickly satisfied. Even MSPs, with too many other things to handle and not enough people to handle them, can sometimes be lulled into Chrome complacency.
“Google is great for its ease of use, but that very ease can also apply to hackers – whether they be outside or even inside jobs,” says Parker Hodges, an independent cybersecurity consultant in Seattle.
That’s why MSPs and their clients must ensure that passwords don’t get saved in the Google browser. For a home user the convenience may outweigh the security risks, but it’s just not worth it in an office environment. “Someone may innocently use a terminal, but when they poke around and see passwords stored, the temptation to do something bad is there,” Hodges explains.
New security update from Google
Chrome is not a static product, Hodges points out. People install Chrome on their computers and think it is a one-and-done exercise, but it is not. The algorithms and behind-the-scenes ecosystem are constantly in flux, creating openings for bad actors. Recently, Google moved to close one such opening: on February 14 it released a Chrome security update with an urgent patch, aimed at fixing several security issues.
According to Google, “This new Chrome version fixes several security issues, one of which is being exploited actively.” Google did not mention how widespread the attacks are, but Chrome users are highly encouraged to update to the latest version as soon as possible. The security issue is only found on versions of Chrome earlier than 98.0.4758.102.
“MSPs and CISOs need to have a regular patching regimen anyway, and vulnerabilities in Chrome should be part of that,” Hodges advises.
A hotspot for security vulnerabilities
That alert, though, was only the most recent in a slew of discovered vulnerabilities. Chrome announced earlier in February that it had found 27 issues, eight of them “high risk,” meaning hackers could exploit them to load malware, steal data, or unleash ransomware. The problems could impact Windows, Linux, or Mac users. These issues come on the heels of a slew of Chrome vulnerabilities discovered last fall, making zero-day attacks more likely.
Tech Times says that “the Chrome browser has recently become a hotspot of different vulnerabilities,” in an article that outlines the specific vulnerabilities and their fixes.
Hodges recommends that MSPs do an annual “Chrome Audit” to see who is using it as the main browser on their workstations. Once an inventory is made, those Chrome stations should be put on monthly maintenance to fix vulnerabilities and ensure that saved passwords are cleared.
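The version and saved-password checks such an audit calls for, as an added example that is not from the article, Hodges, or Google. The inventory records, host names and finding labels are constructed; `PasswordManagerEnabled` is Chrome's enterprise policy for the built-in password manager, and the fixed build number is the one quoted above.

```python
# Added example: audit a constructed workstation inventory for Chrome risk.
FIXED_VERSION = "98.0.4758.102"  # first patched build, as quoted in the article

# Constructed sample inventory; host names and field names are hypothetical.
# "policies" holds the Chrome enterprise policy values found on each machine.
INVENTORY = [
    {"host": "ws-01", "chrome": "98.0.4758.102", "policies": {"PasswordManagerEnabled": False}},
    {"host": "ws-02", "chrome": "98.0.4758.80", "policies": {"PasswordManagerEnabled": False}},
    {"host": "ws-03", "chrome": "99.0.4844.51", "policies": {}},
    {"host": "ws-04", "chrome": "97.0.4692.99", "policies": {"PasswordManagerEnabled": True}},
    {"host": "ws-05", "chrome": "unknown", "policies": {"PasswordManagerEnabled": False}},
]


def parse_version(text):
    """Return a four-part build number as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory, fixed=FIXED_VERSION):
    """Map each host to its list of findings; hosts with no findings are omitted."""
    fixed_tuple = parse_version(fixed)
    report = {}
    for machine in inventory:
        findings = []
        version = parse_version(machine["chrome"])
        if version is None:
            findings.append("version-unreadable")
        elif version < fixed_tuple:  # numeric compare: 80 < 102, unlike string compare
            findings.append("needs-update")
        # An unset policy leaves password saving up to the user, so flag that too.
        if machine["policies"].get("PasswordManagerEnabled") is not False:
            findings.append("password-saving-allowed")
        if findings:
            report[machine["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        print(f"{host}: {', '.join(findings)}")
```

Comparing build numbers as plain strings would rank 98.0.4758.80 above 98.0.4758.102 and miss ws-02, which is why the versions are parsed into integer tuples first.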
MSPs can make Chrome a safer place
Another ongoing challenge for MSPs, according to Hodges, is user training. “Even though Chrome is not infallible, it still falls upon the user to make smart decisions and not make it even for a hacker to get hands-on information,” he says.
Other actions MSPs can take to make Chrome safer include using Chrome’s Enhanced Protection. Chrome’s default is the standard browsing experience, but MSPs can switch to the enhanced protection setting, which offers many more security features such as:
- Blacklisting: If employees visit certain sites prone to problems, then block them.
- Two-Step Verification on Google Accounts: This adds another layer of built-in security. This can be especially valuable when battling internal office threats, say, a rogue employee trying to access a unit that they shouldn’t.
- Extensions: As part of a Chrome audit and maintenance program, make sure unnecessary and unwanted extensions are removed.
- Script-Blocking: This is a handy feature that will prevent ad-loading and malware-laced video programs from loading.
- Set Chrome to Default: When in doubt, do a full reset to get rid of unwanted extensions.
A combination of actions by the MSP and better education for end-users is a potent mix. Videos, malware, advertising, streaming, and other potentially threatening elements from outside can converge to make Chrome a very dangerous place without some basic precautions. MSPs are in a good spot to implement these safeguards.
“The thing with Chrome is that it is so universal, so widely accepted, that people just get too comfortable. Hackers know that and exploit the comfort,” Hodges concludes.