CIS Control 7

CIS Control 7: Email and Web Browser Protections

Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

7.1: Ensure Use of Only Fully Supported Browsers and Email Clients

  • Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

Disable Unnecessary or Unauthorized Browser or Email Client Plugins

  • Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

7.3: Limit Use of Scripting Languages in Web Browsers and Email Clients

  • Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

7.4: Maintain and Enforce Network-Based URL Filters

  • Enforce network-based URL filters that limit a system’s ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization’s systems, whether they are physically at an organization’s facilities or not.

7.5: Subscribe to URLCategorization Service

  • Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

7.6: Log All URL Requests

  • Log all URL requests from each of the organization’s systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

7.7: Use of DNS Filtering Services

  • Use Domain Name System (DNS) filtering services to help block access to known malicious domains

7.8: Implement DMARC and Enable Receiver-Side Verification

  • To lower the chance of spoofed or modified emails from valid domains, implement Domainbased Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

7.9: Block Unnecessary File Types

  • Block all email attachments entering the organization’s email gateway if the file types are unnecessary for the organization’s business.

7.10: Sandbox All Email Attachments

  • Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Figure: System Entity Relationship Diagram

CIS Control 7
USA Offices
New Net Technologies LLC
Suite #10115, 9128 Strada Place
Naples, Florida, 34108
1175 Peachtree St NE
Atlanta, Georgia, 30361.

Tel: (844) 898-8358
email [email protected]
UK Office
New Net Technologies Ltd
Rivers Lodge, West Common
Harpenden, Hertfordshire

Tel: 01582 287310
email [email protected]
CIS benchmarking SEWP Cybersecurity 500Sans Institute Now Certified IBM Security
Copyright 2020, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.