Course

Tips to Stay Safe while Surfing the Web, Part 1: Web Browser Settings

Training Code: Topic 4.1
Format: Document
Delivery: On Demand
Location type: Virtual/Online

Description

The Bottom Line

Web browsers, such as Google Chrome and Microsoft Edge, are a rich target for threat actors because they collect extensive amounts of personal information. In addition, threat actors often use web browsers to spread malware since people rely on them heavily for access to the internet. To mitigate these risks, you should:

  1. Keep your browser up to date and routinely close out of it.
  2. Clear cookies and stored data from your browser.
  3. Adjust browser settings to prevent it from storing your data and cookies.
  4. Properly vet extensions before adding them to your browser.

The Problem

Threat actors often exploit vulnerabilities in web browsers to spread malware.

Web browsers are very attractive targets for cyber threat actors since they are one of the most commonly used apps. If you do not take the proper security precautions, threat actors can exploit vulnerabilities in your web browser and disseminate malware.

Web browsers collect mountains of personal information, which could be lost or exposed in a data breach.

Web browsers include several mechanisms that accumulate and store information that reveals a lot about your interests, habits, work, and identity. Since it can be hard to know who can access this information, surfing the web without taking measures to safeguard your privacy puts you at risk.

Here are some common ways that web browsers collect information about you:

  1. Site permissions. Websites will often request permission from your browser to access several categories of data, including your device’s:
    • Geolocational data
    • Camera
    • Microphone

Malicious websites could abuse access to your location, camera, and microphone to monitor your activity, conversations, and whereabouts.

Websites might also request your permission to send you pop-up notifications. When pop-up notification permissions are enabled on your web browser, a threat actor could use pop-up notifications as part of a phishing campaign or to deliver malware. The intention is to frustrate or overwhelm the user with pop-ups to get them to click on a link they otherwise would not have.

  2. Cookies. Cookies instruct your web browser to collect and store information about your browsing habits, including your website history, search history, the links you click on, the content you interact with on social media, etc., and to share this information with the cookie owner. Data brokers and advertising networks often use cookies to compile and sell your information. Threat actors can also develop cookies to obtain information about potential targets. In sum, cookies pose risks to your privacy due to the vast amount of intimate information they can obtain and the difficulty of knowing who is receiving information from these cookies.

  3. Stored data. In addition to cookies, browsers themselves also store your information, including:
    • Browsing history – Your browser can record every website you have ever visited.
    • Saved form data – Your browser saves your personal data to autofill certain information fields on forms for you (e.g., name, email address, date of birth, address, phone number, and credit card information).
    • Locational data – Even without a Global Positioning System (GPS) device, your browser can use your IP address, Wi-Fi, and Bluetooth to collect and share information about your location with websites.
    • Account credentials – Many browsers give you the option to store your account credentials. This makes your credentials vulnerable to leakage if a cyber threat actor successfully exploits vulnerabilities in the browser or your operating system.
    • Download history – Your browser can show every file you have downloaded and the file path to where you have it stored on your device, making it easy for threat actors to find data of interest.
    • Personal data – Your browser can also collect data about your browsing habits and device activity and share it with third parties to deliver targeted advertisements to you.

The Solution

Protect yourself against malware.

  • Keep your browser up to date with the latest security patches.
    • If available, turn on automatic updates.
    • Restart your browser regularly to allow the security updates to take effect. (Note: Some browsers may automatically download the newest updates but require the application to be closed and restarted to activate the newest update.)
  • If you are logged into an account associated with your web browser (e.g., you’re logged into your Google account while using Google Chrome, or logged into your Microsoft account while using Microsoft Edge), enable multifactor authentication to protect your account. (See Project Upskill Topic 2.2.)  

Limit the amount of personal data that your browser saves and stores.

  • Clear stored data from your browser history (including your browsing history, location, and downloads). If possible, update your settings to “never save” or “clear when you close your browser.”
  • Do not save payment information in your web browser.
  • Be wary of using your browser’s native password manager. (Note: You should store your passwords in a password manager not related to your browser so they are safe even if a threat actor compromises the browser. See Topic 2.1 for more guidance on password managers.)
  • Do not allow your browser to save and autofill sensitive data in online forms.
  • Manage the ad settings in your browser to turn off ad personalization.

Limit the amount of data that websites and third parties can obtain through your browser.

  • Clear cookies from your history. (Most browsers have this option under “Privacy & Security” in Settings.)
  • Enable browser settings to automatically clear cookies when you close your browser. (Note: Regularly close your browser.)
  • Enable any browser settings that allow you to limit cookies during your browser session. (Note: First-party cookies, or cookies that belong to the website you are visiting, may be required for the website to function properly. As a result, you should allow the first-party cookies and clear them when you exit the website to prevent them from tracking you for longer periods of time.)
  • If available, enable browser settings that block third-party cookies to limit tracking from websites and organizations you do not visit.
  • Note: See USSOCOM’s Social Media Smart Cards for specific instructions on how to complete these steps for some of the most popular browsers.

Restrict site permissions as much as possible.

  • Do not give websites access to your location, camera, or microphone unless these permissions are required for the website to function properly.

Properly vet browser extensions.

Takeaways

Do

  • Update your browser regularly.
  • Close out of your browser regularly.
  • Enable MFA if your browser is connected with an account.
  • Clear stored data from your browser history.
  • Turn off ad personalization in your browser settings.
  • Regularly clear cookies from your history.
  • Enable settings to limit cookies.
  • Vet your browser extensions before installing them.

Do Not

  • Allow your web browser to save and autofill your sensitive information.
  • Save payment information in your web browser.
  • Use the native password manager associated with your web browser.
  • Give websites access to your location, camera, or microphone unless required for website functionality.

Project Upskill is a product of the Joint Cyber Defense Collaborative.

Prerequisites

  • Module 1: Basic Cybersecurity for Personal Computers and Mobile Devices
  • Module 2: Protecting Your Accounts from Compromise
  • Module 3: Protecting Data Stored on Your Devices
  • Module 4: Protecting Your Data in Transit
    • Topic 4.0: How to Communicate Securely on Your Mobile Device