CIS Control 09: Email and web browser protections
Web browsers and email clients are used to interact with external and internal assets, and both can serve as an entry point into an organization. Their users can be manipulated through social engineering attacks: a successful attack must convince users to interact with malicious content, and once it does, it can give the attacker a foothold inside the organization. CIS Control 9 provides several safeguards that reduce the risk from content arriving through these two channels.
Key takeaways for Control 9
Web browsers can be protected by keeping the browser updated, enabling pop-up blockers, enabling DNS filtering, and managing plug-ins. Always update web browsers to the latest version so that known vulnerabilities are patched. Enable pop-up blockers to stop malicious pop-up messages from being shown to users. DNS filtering blocks resolution of known malicious domains, so users cannot reach them even if they click a link. Plug-in management protects users from installing malicious plug-ins.
Email security can be enhanced with appropriate social engineering training, spam filtering and malware analysis, domain-based message authentication, and file type filtering and encryption. Increasing the frequency of social engineering training helps users recognize phishing and business email compromise (BEC). Spam filtering and malware analysis reduce the number of malicious emails that reach users. Another way to reduce malicious email is Domain-based Message Authentication, Reporting, and Conformance (DMARC): the receiving server checks whether a message is aligned with the sending domain's SPF and DKIM results and applies the domain's published policy to messages that are not. Encryption can be used to ensure that message content remains private. File type filtering can be enabled to stop users from receiving malicious attachments.
Safeguards for control 9
1. Make sure that only fully supported browsers and email clients are used.
Description: Make sure that only fully supported browsers and email clients are allowed to run in the enterprise, and use only the latest version of each.
Remarks: The security function associated with this safeguard is Protect. Implementing it gives users a supported browser and email client. Running the latest versions protects against vulnerabilities that the vendors have already patched.
2. Use DNS filtering services
Description: Use DNS filtering services on all corporate assets to block access to known malicious domains.
Remarks: The security function associated with this safeguard is Protect. Implementing it protects users from known malicious domains.
3. Maintain and apply network-based URL filters
Description: Apply and update network-based URL filters to prevent a corporate asset from connecting to potentially malicious or untrusted websites. Example implementations include category-based filtering, reputation-based filtering, or blocklist filtering. Apply the filters to all company assets.
Remarks: The security function associated with this safeguard is Protect. Implementing it blocks malicious or untrusted websites, so users on corporate systems cannot reach malicious or untrusted URLs.
4. Restrict unnecessary or unauthorized browser and email client extensions
Description: Limit unauthorized or unnecessary browser or email client plug-ins, extensions, and add-ons by uninstalling or disabling them.
Remarks: The security function associated with this safeguard is Protect. Implementing it means that no plug-in can be installed without approval, which prevents potentially malicious plug-ins from running on a system.
5. Implement DMARC
Description: Implement DMARC policies to reduce the risk of receiving spoofed or modified emails from valid domains. Start by implementing the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards.
Remarks: The security function associated with this safeguard is Protect. Implementing it means users receive fewer spam and phishing emails. Training is still required, however, so that users do not click on malicious emails that pass through the filter.
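The DMARC alignment check described in the key takeaways and in safeguard 5, as an added example (not code from the CIS guide): a receiving server evaluates one message from its SPF result, its DKIM result and the domain's published record. The organizational-domain helper is a deliberate simplification that is labelled as such in the code.

```python
# Added example, not code from the CIS guide: a simplified DMARC check as a
# receiving mail server would perform it on one message.  SPF/DKIM results
# and the DMARC record are constructed sample inputs.

def org_domain(domain: str) -> str:
    """Organizational domain, approximated here as the last two labels.
    Assumption: real receivers use the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') requires an exact match,
    relaxed ('r', the default) accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(record: str) -> dict:
    """Parse a published record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}   # RFC 7489 defaults
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def dmarc_disposition(from_domain: str, spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str, record: str) -> str:
    """Return 'pass' if either SPF or DKIM passes AND aligns with the
    RFC5322.From domain; otherwise return the domain owner's policy
    ('none', 'quarantine' or 'reject') for the receiver to apply."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if spf_ok or dkim_ok else tags["p"]

if __name__ == "__main__":
    # Spoofed message: From: example.com, but SPF passed only for the
    # sender's own domain and there is no DKIM signature.
    print(dmarc_disposition("example.com", "pass", "bulk-sender.test", "none", "",
                            "v=DMARC1; p=reject"))   # reject
```

Note that a passing SPF or DKIM result alone is not enough: the authenticated domain must also align with the visible From: domain, which is what stops a spoofed sender that authenticates its own infrastructure.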
6. Block unnecessary file types
Description: Prevent unnecessary file types from entering the corporate email gateway.
Remarks: The security function associated with this safeguard is Protect. Implementing it blocks every file type that the organization does not need in order to operate, which keeps malicious files out of the corporate email gateway.
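How a gateway can enforce the file type block from safeguard 6, as an added example (not code from the CIS guide): the filter checks the extension, then the file's leading bytes so that a renamed executable is still caught, and it looks inside zip archives, failing closed when an archive cannot be read. The signature list and the sample inputs are constructed for illustration.

```python
# Added example, not code from the CIS guide: an attachment filter for an
# email gateway that blocks unwanted file types by extension AND by content
# signature, and looks inside zip archives.  Signature list and sample data
# are constructed for illustration.
import io
import zipfile

BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "js", "vbs", "hta", "bat", "ps1"}
# Magic bytes for executables; a small illustrative subset (assumption).
EXECUTABLE_SIGNATURES = {b"MZ": "pe", b"\x7fELF": "elf"}
ZIP_MAGIC = b"PK\x03\x04"

def extension(filename: str) -> str:
    """Last suffix only, so 'invoice.pdf.exe' is treated as .exe."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def executable_kind(data: bytes):
    """Return the executable format the content starts with, else None."""
    for magic, kind in EXECUTABLE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def is_blocked(filename: str, data: bytes) -> tuple:
    """Return (blocked, reason).  Fails closed on archives it cannot read."""
    ext = extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return True, f"blocked extension .{ext}"
    kind = executable_kind(data)
    if kind:
        return True, f"{kind} executable content in {filename}"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    blocked, why = is_blocked(member, zf.read(member))
                    if blocked:
                        return True, f"archive member {member}: {why}"
        except (zipfile.BadZipFile, RuntimeError):
            # Corrupt or password-protected archive: cannot inspect, so block.
            return True, f"uninspectable archive {filename}"
    return False, "allowed"

def sample_zip(member_name: str, member_data: bytes) -> bytes:
    """Constructed test input: an in-memory zip holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_data)
    return buf.getvalue()
```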
7. Deploy and maintain email server anti-malware protections
Description: Deploy and maintain mail server anti-malware protections, such as email attachment scanning and/or sandboxing.
Remarks: The security function associated with this safeguard is Protect. Implementing it protects users from attachments that the scanner detects as malicious. Make sure the anti-malware protection is kept up to date with the latest definitions.
Find out how simple and effective security controls can create a framework that helps you protect your organization and your data against known cyberattack vectors by downloading the CIS Controls guide here.
Learn more about the 18 CIS controls here:
CIS Control 1: Inventory and control of company assets
CIS Control 2: Inventory and control of software assets
CIS Control 3: Data protection
CIS Control 4: Secure configuration of company assets and software
CIS Control 5: Account management
CIS Control 6: Access control management
CIS Control 7: Continuous vulnerability management
CIS Control 8: Management of audit logs
CIS Control 9: Email and web browser protections