take this course
to supplemental content are provided, should you wish
to read more about a particular topic. This
extra material is optional. It is not covered on
the associated course quiz. The supplemental content
will usually be presented in a new browser window, which you
may close at any time.
For the recommended reading sequence for these materials,
see the HIPS Series Overview.
Approximate reading time for this course is 10 minutes (exclusive
of linked content). The quiz for this course is here.
• • • •
1. Why are you here?
As you learned in the introductory courses, security
training is usually required for everyone in an organization's
workforce who has access to its information systems.
Learning to surf the Web appropriately and safely is an important
part of that training.
The World Wide Web (WWW or Web) provides access to billions
of pages of content. It's an easy and convenient way
to get information for a range of purposes. But the
Web is not a completely secure place -- indeed, some
parts of it are very dangerous. It poses large security
risks if used unsafely.
The average worker today spends hundreds of hours a year
surfing the Web at work, and hundreds more doing so at home.
Take the time to learn how to do it right.
2. What is "browsing"?
A Web browser is a relatively simple piece of software.
Given a unique Web address -- formally called a "uniform resource
locator" or URL -- it coordinates communication between your
computer and the server computer where a particular Web site's
content is stored.
When you open your browser and type in a URL, the browser translates
the address (using a system called DNS), contacts the particular server,
and requests the page you asked for.
When the server sends the page contents, the browser translates
the codes for the text, images and other elements
(written in a language like HTML or XML), formats all
that for your computer screen and displays the result.
Web sites may also offer the opportunity to "stream"
audio and video, or download files containing documents, images,
software or other content. While the vast majority of
Web content is benign, it's possible for it to contain harmful
elements like viruses
or data-harvesting spyware.
Web pages may be "static" (the same for everyone) or dynamically
created, such as when a search engine constructs a page of
results for a particular query.
Powerful "active" elements in a page may be used to enhance
the visual experience -- in effect, running small programs
on your computer. Unfortunately, these active elements
can also be used for malicious purposes. If you
follow safe practices however, you'll generally be just fine.
3. Watch where you go
In the physical world, not all locations are equally safe.
The same is true of the virtual world. The difference
in the virtual world is that you are only one click away from
a potentially dangerous location -- and the signs of danger
will rarely be obvious.
What do we mean by dangerous? If your Internet browser
is not up to date and configured with appropriate security
settings, even a short visit at a web site can result
in infestation with malicious software. (We discuss
browser updating and security settings below.)
Be sure you are going where you think you are.
Particularly when you visit a Web site where you'll be exchanging
sensitive information -- such a bank or credit card web
site -- type the URL into the browser address bar,
or use a bookmark you created after typing in the URL.
When you place your cursor over a link, most browsers will
display the link's actual URL in the "status bar" at the bottom
of the window. Get in the habit of looking at the address
to be sure it matches where you think you're going.
Get URLs from trusted sources. Rely
on a physical (paper) document that you know is authentic,
or a Web search engine utility you trust (using a URL for that search
utility that you know is authentic).
Do not rely on links in an email message unless
you are absolutely confident of the source.
You could fall victim to a phishing
scam that directs you to a phony Web site, where
you'll be tricked into disclosing personal information for
identity theft. This is a very common crime, with millions
of victims every year.
Note that in most email systems, senders' email addresses
can be easily faked. Just because an email appears
to come from someone in your organization, or even someone
you know, does not necessarily guarantee authenticity.
4. Watch what you do
Use caution whenever you click. Clicking
on the links of a Web page -- formally, they're called
"hyperlinks" -- usually just takes you to a different
page. But links can also initiate downloading/running
software on your system. That's fine if you intended
to do that, and the site is trustworthy. (This
is another reason to get in the habit of looking at the browser
status bar to check what a link is "really" going to do.)
Be particularly cautious about clicking on links in pop-up
windows and advertisements.
Use even more caution whenever you download.
Downloaded software can be infected. Having up-to-date
anti-virus and anti-spyware on your system is an essential
protection, but it doesn't guarantee that downloading is safe.
Be sure you're using a trusted source.
Freeware and shareware sites are risky. Peer-to-peer
(P2P) downloads are particularly risky. Malicious software
is endemic to such services. That's why most organizations
prohibit downloading from such sites/services onto workplace
Use the greatest caution whenever you initiate
the execution of a program. Some web-based
utilities require installation/execution of a (small) program
on your system -- called a "client." But unless you
are absolutely confident in the source, allowing programs
to be installed and executed on your computer is very
Make sure the connection is "secure" (encrypted)
whenever you are exchanging sensitive data.
You can identify a secure connection by the "https" at the
leftmost part of the site's address (URL) in the browser's
address bar, and by a "lock" icon somewhere in the browser's
status bar (usually on the right bottom corner).
If a browser window looks right but does not have a secure
connection when it is supposed to -- anytime you're
asked for sensitive information like user-IDs, passwords,
account numbers -- do not enter information into that
window. Browser windows can be faked. (It's a
classic phishing trick to put a fake window in front of a
genuine one.) If the window doesn't have an address
bar, so you can see where you are, do not enter any information.
5. Which browser should you use?
Personal computers come with a Web browser installed -- Internet
Explorer (IE) for Windows systems, and Safari
for Macs. Alternative browsers can offer additional
features, a different look and feel, and, sometimes, better
security. (Because, IE is the dominant browser for Windows,
it tends to be the dominant target for hacker attacks.)
Popular alternatives to Internet Explorer include Firefox,
Netscape and Opera.
All are free. Firefox, Netscape and Opera also are available
in Max OS (as well as Linux) versions.
Note that some Web services and sites are designed to make
use of features found only in Internet Explorer; they will
look/behave differently, if they work at all, using
other browsers. If you are a Windows user, you can
use an alternative to IE for much of your browsing, but probably
not all of it.
Note that you will need to pick a "default" browser -- that
will automatically open any time you click on a link
(such as in an email). The other browsers you'll need
to start up manually.
6. Use appropriate security settings
Whichever browser you use, it is critical that you use appropriate
security settings. This is much more important than
the particular browser you choose.
Security is increased by disabling "active" components that run
programs on your computer. This can make your browsing
much safer, but also less enjoyable and functional.
If you set a high security level you may have to periodically
reduce it (e.g., to download or execute a file from a trusted
For Internet Explorer, use the Tools > Internet Options
> Security menu. Set at least a medium level of security
for general browsing. Or set the security level to high,
and put regularly-used web sites in the Trusted Zone.
For other browsers, the Tools menu will have different options
7. Keep your software updated
Whichever browser you decide to use, it is critical to keep it
updated. This is also more important than the particular
browser you choose. Internet Explorer, Firefox, Netscape,
Opera and Safari all can be set to update themselves automatically
(without your intervention) or to prompt you when updated
versions are available.
It is also critical that you keep the rest of your software
updated, including the anti-virus and anti-spyware you use,
as well as your operating system as a whole. Vulnerabilities
in software that is not up to date are always targeted by
Remember that even the newest software cannot assure 100%
security. If you don't browse safely, using the
guidelines above, you're likely to encounter problems sooner
8. Keep in mind what you leave behind
For your convenience, most browsers keep a "history"
of all the sites you have visited. The number of days, weeks
or months of history is usually something you can set.
When you type in a part of an address, the browser can help
you find it again by filling in the remainder of the URL.
When you forget the address entirely, but have at least some
memory of when you visited, you can search the history for
If you use a shared computer, you may not want others to
be able to see where you've been. So you will need to flush
(delete) the history records.
Most browsers also keep a "cache" of temporary
copies of recently-visited pages, to allow you to view them
faster if you return. They can also keep copies of things
you've entered in online forms (like names, addresses and
telephone numbers), online passwords, downloads, and so on.
As with histories, this record may not be something you wish
to shared with other users of a shared computer.
9. Keep in mind what the Web sites have left behind
Web sites regularly use "cookies" and "session
variables" to keep track of where you have been on the
site. This can enhance your experience -- e.g., to remember
the particular pages you've visited, so you can quickly return
Not coincidentally, cookies also helps the site's designers
figure out how to make it more attractive, which can help
their business. You'll have to decide if the cost in
privacy is worth the convenience to you
Cookies that sites use to do this are called "first-party
cookies" -- because the company that produces the site generates
and uses them. (In a report from an anti-spyware product,
they will typically reveal their affiliation by including
the name of the company in the file name.)
Cookies that track your behavior across many sites, typically
tracked by a marketing organization, are called "third-party
cookies." Most likely, you'll want to get rid
of those using anti-spyware or anti-adware tools. For more
information, see the entry on spyware
You can set your browser to reject all cookies, but that
will cause some Web sites to perform in a limited way, and
others will not perform at all.
10. If you remember nothing else
(1) Keep your browser software up to date.
(2) Use appropriate security settings.
(3) Rely on trusted sources for Web addresses.
(4) Remember that all destinations on the Web are not equally
safe. Adjust your behavior while surfing in accordance
with the risk.
• • • •
Help us make
this course better -- take the online
The quiz for this course is here.
• • • •