NSS Labs Conducts First Cross-Platform Test of Leading Web Browsers (CDSA)

NSS Labs today announced the release of its Web Browser Security Comparative Reports. The reports reveal how effective web browsers are at protecting users from socially engineered malware (SEM) and phishing attacks. To minimize exposure to emerging threats, enterprise have begun to limit the use of legacy browsers to internal and legacy applications. This has necessitated the adoption of other more modern browsers, resulting in a dual-browser strategy. For enterprises implementing this strategy, the NSS Labs Web Browser Comparative Reports provide insights regarding which modern browsers offer a secure browsing experience.

“Web browsers are the primary interface used to consume information and are among the most common entry point for attackers,” said Jason Brvenik, Chief Technology Officer at NSS Labs. “Enterprises are increasingly adopting a bifurcated browser strategy to reduce exposure to emerging threats. Our test findings provide valuable insights that empower informed decision making and help both enterprises and users minimize risk for a secure browser experience.”

Web browsers are the first line of defense against web-based attacks, and according to the Verizon 2017 Data Breach Investigations Report, they are the second most common entry point for ransomware—one of the most common forms of malware plaguing users and enterprises. To measure browser effectiveness, NSS Labs conducted a series of tests focused on block rate, consistency of protection, and early protection against new threats. For 2017, cross-platform tests on desktops and tablets were added to verify security efficacy and consistency across devices. Test results indicate that regardless of platform, browsers are more effective at blocking SEM than phishing attacks.

For many years, the use of social engineering has accounted for the majority of cyberattacks targeting both consumers and enterprises. SEM attacks use a dynamic combination of social media, hijacked email accounts, false notification of computer problems, and other deceptions to encourage users to download malware. Industry experts estimate that 97% of malware is trying to trick a user through some type of social engineering scheme, and 93% of phishing emails are ransomware.

Phishing attacks are forms of fraud that gain the trust of users by masquerading as reputable entities to steal login credentials or sensitive account information. Examples of common approaches include an email designed to look like the sender is a credible organization or a disguise that makes the email appear as if it is from someone trusted inside a company, such as the IT department. In the last year alone, more than 1.2 million phishing attacks were reported—a 65% increase over the previous year.

To protect against malware, leading browser vendors provide cloud-based reputation services, which scour the Internet for malicious websites and then categorize content accordingly, either by adding it to blacklists or whitelists, or by assigning it a score. The time taken for these cloud-based reputation service updates are an integral part of the test.