Phishing

Anti-Phishing: Browser Security Features

Infosec Institute
June 27, 2017 by
Infosec Institute

For a common internet user, a web browser is one of the regularly used programs on the computer. Web browsers were once only used for displaying text documents, but have now transformed into multi-purpose tools. We can now search for information, view and edit documents, view videos and make use of many more features. But the very tool that is used frequently by users is also a common target of hackers and cybercriminals who try to silently install malware onto their systems and access critical files saved on the machine.

Users can also be scammed into visiting unsecured websites by making them click on malicious links through phishing emails, either infecting them with malware or asking them for sensitive information. A deceptive site, for instance, impersonates a legitimate site and tricks users into giving their confidential information like account details or passwords.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

What web browser security features are most important?

Browsers come with different security features that provide maximum protection against cyber-attacks. Some of the important features are malicious site detection, malware protection, sandboxing and anti-phishing plugins and extensions.

Malicious Site Detection

This feature allows web browsers to warn users against malware-leading URLs by fetching data from a constantly updated database of fraudulent websites. Safe Browsing Service by Google is one of the most well-known databases which is used by Firefox and Chrome for desktop and Safari for desktop and iOS. According to Google, the Safe Browsing Service can warn users before they click on a link that can lead to a malicious website.

Google detects two types of malicious websites: the ones infected with malware and those with phishing hooks. The websites that serve as phishing hooks usually duplicate popular e-commerce websites or bank sites and attempt to trick you into entering your sensitive information such as username, password or financial card information. Visiting such phishing websites will harvest your data and use it to access your personal account. Safe browsing provides phishing protection against such forged websites.

Malware Protection

Well-known browsers such as Firefox and Chrome now include phishing and malware protection as a part of their privacy settings. It helps to block popups, stops you from downloading potentially harmful files and also blocks malicious websites from showing up in a web search.

Sandboxing

Sandboxing is a kind of software virtualization and allows processes and programs to run in an isolated virtual environment. Programs that run in the sandbox have limited access to your system and cannot make permanent changes. Thus whatever happens in the sandbox stays there.

There are various programs dedicated to sandboxing, but some of the antivirus programs are also featuring it. Some of the common uses of sandboxing are that it can:

  • Run malicious programs containing viruses or spyware automatically or manually in the sandbox.
  • Run your web browser in the sandbox so that it can stay protected from the damage of infections picked up during browsing.
  • Run the web browser in the sandbox to prevent the existing malware in your system from getting your login and other critical information details.

Browser sandboxing works in a similar fashion by putting the browser in a virtual container that prevents any malware downloaded through the browser from infecting the computer system. Applications running in such an environment have limited access to the system files and facilitate a thick layered security protocol. This sandbox analyzes untrusted programs and codes and monitors applications. Any code originating from an unverified source is verified by the sandbox before execution.

Anti-Phishing Plugins/Extensions/Add-ons

Phishing scams are one of the easiest and widely used mechanisms for cyber frauds. Many websites secretly design features that can steal user information. Though with a little education users can learn to browse safely and prevent a potential phishing attack, anti-phishing plugins designed especially for phishing protection can also come in handy. Because it is not always possible for users to detect a phishing site, anti-phishing plugins can ensure their safety when browsing.

These threats can be malvertisements or scripts embedded in the websites to collect your browsing habits data.

Other add-ons designed to improve your browser security include those that block ads, online activity tracking, visited web pages tracking and also block scripts.

Tips for secure browsing using IE, Firefox, Chrome, and Microsoft Edge

To ensure secure and private use of internet, it is vital to optimize your browser’s settings. All well-known browsers of today come with built-in security features, but users mostly do not make use of those features by not setting them up on installation. Failing to set up browser security settings optimally can put you at a higher risk of malicious attacks and malware infections. Though it is not possible to attain complete protection from cyber threats against browser security, the following tips for each of the well-known browsers will help increase the security of these web browsers.

Google Chrome

  • Enable phishing and malware protection under the “privacy” section. This will warn you in case a site you are trying to visit contains malware or is a phishing site.
  • Turn off Instant Search. Though this feature exists for the convenience of users, having it enabled also means that whatever you type in the address bar is immediately sent to Google.
  • Do not sync your email account with the browser. Doing so will store all your personal information such as autofill data, passwords, preferences and more on the Google servers. If you have no other choice but to use sync, select the option where it says “Encrypt all synced data” and create a unique code for encryption.
  • Configure content settings for security. Under the “privacy” section, click the “content settings” and do the following:
    • Select the option “Do not allow any site to run JavaScript”
    • Select “Do not allow any site to show pop-ups”
    • Select “Do not allow any site to track my physical location.”
    • Select “Keep local data only until I quit my browser” and “Block third-party cookies and site data.” This will help ensure that your cookies get deleted as soon as your quit using Chrome and advertisers will not be able to track you by using third-party cookies”
    • Configure form settings and passwords. Deselect the option “Offer to save passwords I enter on the web” and also disable Autofill. This step will help prevent Chrome from saving your passwords and login information

Mozilla Firefox

Secure browsing settings for Mozilla Firefox can be accessed from the “options” menu.

  • Configure privacy settings. On the “Privacy” tab, follow these steps to ensure that Firefox stores only the information needed for it to function normally. Go to history and open the “Firefox will use custom settings for history”.
    • Uncheck “remember my browsing and download history”
    • Uncheck “Remember search and form history”
    • Uncheck “Accept third-party cookies”
    • Check the option in cookie storage to “ Keep until I close Firefox”
    • Check “Clear history when Firefox closes”
  • Do not allow Firefox to save passwords and also ensure that it keeps you from visiting websites that are potentially harmful
    • Deselect the option of “Remember passwords for sites”
    • Select the options of “Block reported attack sites”, “Warn me when sites try to install add-ons” and “Block reported web forgeries”
  • Disable JavaScript from the browser. Go to the “Content” tab and Uncheck the “Enable JavaScript” option. This is important because JavaScript is known for having security vulnerabilities and it is better to enable it only for trusted websites.
  • Block popups. Select the “Block pop-up windows” option under the “Content” tab.
  • Do not allow Firefox to sync. This will not let Firefox save your logins and passwords.
  • Turn on automatic updates by selecting “Automatically install updates”. You can do this by going to the “Advanced” tab and then to “Update”. This will allow the browser to stay updated with all the security features. This option is selected by default in the browser. Also verify that the “Automatically update Search Engines” option is also selected.
  • Verify that security protocols like SSL and TLS are selected under the “Encryption” tab.

Internet Explorer

Secure browsing with Internet Explorer can be set up from the Internet Options.

  • Under the “Security” tab, disable JavaScript by going to Custom Level>Active Scripting>Disable
  • Clear browsing history automatically by selecting “Delete browser history on exit” under “General” tab. This limits your information saved by Internet Explorer as you browse.
  • Configure the browser privacy settings. Under the “Privacy” tab, enable popup blocker and set internet zone privacy to “medium high” or a higher level. Also select the option of “Never allow websites to request your physical location”
  • Under the “Advanced” tab, scroll down to “Security” section and do the following steps:
    • Check “Do not save encrypted pages to disk” to ensure that cached files from https links are deleted when browser is closed.
    • Also check “Empty Temporary Internet files when browser is closed”
    • Turn off Autocomplete to ensure that your sensitive information is not being unnecessarily stored.

Microsoft Edge

For secure browsing on Microsoft Edge, go to the top right corner of the browser and press the three dotted menu. Select “Settings” and then go to “View advanced settings”. Disable the Flash Player, and select the “Ask me what to do with each download” option to avoid malware from being downloaded automatically.

Next, go to the “Privacy and security” section and uncheck the options of “Offer to save Passwords” and “Save form entries”. Also turn on the option of “Send Do Not Track Requests” so that your browser notifies third-party websites to not to track you.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

General Tips for Secure Browsing

Now that we know how to set up all widely known web browsers for security, here are some basic guidelines that can help us ensure a securing browsing experience.

  • Always keep your browser updated. Since vulnerabilities are discovered in browsers every other day, it is important to keep them updated in order to avoid zero day attacks.
  • Choose an antivirus with real time scanning. This way, the antivirus will analyze a file as soon as it is downloaded and minimize the time for the virus to take effect.
  • Educate yourself and stay away from phishing scams to get maximum phishing protection. These are easy to fall prey to, since the attacker tricks individuals to click links infected with malware by posing as legitimate entity.
  • Do not use same password for all critical online accounts to avoid cybercriminals from taking advantage of using the same password on all your accounts.
  • Avoid free public wireless networks. Cybercriminals use unprotected networks to access and retrieve critical data by using wireless sniffers.

 

Infosec Institute
Infosec Institute

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training.