CIS Control 7: Email and Web Browser Protections
This article breaks down the seventh CIS Control, which is the first of the Foundational CIS Controls (Controls 7-16).
Web browsers and email clients are common entry points for attackers, primarily through phishing attacks that carry malware attachments or malicious URLs.
Contemporary web services rely on the increased power and sophistication of modern browsers to process and run active content. This richer user experience comes with a health warning: there is far greater opportunity for an attacker to misuse and abuse this high level of functionality. The same applies to today’s email clients, with their preview functions and active script processing in ancillary products such as Word and Excel. Content can easily be manipulated to trick users into taking actions that significantly increase risk, allowing malicious code to be introduced and valuable data to be lost or compromised.
That’s why it’s absolutely critical for organizations to secure these environments as web browsers and email clients are increasingly attractive targets for both code exploitation and social engineering.
Let’s dive right into CIS Control 7 and the ten requirements associated with this foundational control.
7.1: Ensure Use of Only Fully Supported Browsers and Email Clients
- Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
In this sub-control, organizations must ensure that only fully supported web browsers and email clients are allowed to execute, and that updates are deployed to them. This means that organizations must use the most current version of the browsers and email clients available to the company.
Ideally, updates should happen as soon as they become available, and a formal written policy should be developed to address user behaviors. Doing so will help significantly minimize your attack surface.
7.2: Disable Unnecessary or Unauthorized Browser or Email Client Plugins
- Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
If the browser itself offers no exploitable vulnerabilities, attackers will often target common web browser plugins instead. Browser extensions can have unfettered access to the information a user enters into a web form, including sensitive login credentials. These plugins may enable attackers to hook into the browser or directly into the operating system.
To mitigate this threat, NNT suggests using NNT Change Tracker, which scans browsers for extensions on a regular basis and allows you to uninstall or disable all unauthorized browser plugins or add-on applications running in your environment.
7.3: Limit Use of Scripting Languages in Web Browsers and Email Clients
- Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
In this sub-control, organizations are advised to block unauthorized scripting languages in browsers and in the mail client. Doing so adds an extra layer of protection. To address this requirement, NNT suggests implementing our Change Tracker solution, which will ensure that only authorized scripting languages are able to run in web browsers and email clients.
Learn more about Change Tracker’s capabilities by watching our What’s New With Gen7 R2 Video Overview.
7.4: Maintain and Enforce Network-Based URL Filters
- Enforce network-based URL filters that limit a system’s ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization’s systems, whether they are physically at an organization’s facilities or not.
This sub-control encourages organizations to maintain and enforce network-based URL filters that block or limit users’ ability to access websites that are not on the company’s list of approved sites. It is especially important to note the last sentence: whether they are physically at an organization’s facilities or not. Employees who travel or work remotely can pick up infections anywhere and bring them right into the trusted network.
7.5: Subscribe to URL-Categorization Service
- Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
In this sub-control, organizations are advised to subscribe to URL-categorization services. Doing so will ensure that the filters are up to date with the most accurate and recent website category definitions.
7.6: Log All URL Requests
- Log all URL requests from each of the organization’s systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
In this sub-control, organizations are encouraged to log all URL requests. This will help organizations spot potentially dangerous activity immediately and identify compromised systems. NNT suggests using a network security monitoring tool for this requirement, which can help identify weaknesses without collecting the queries from each individual endpoint. Learn more about this requirement here.
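The following added example (not NNT’s or CIS’s code) ties sub-controls 7.4 to 7.6 together: a small URL filter that looks each requested host up in a category map, blocks anything uncategorized or outside the approved categories, logs every request from every system, and then mines that log for systems an incident handler should look at first. The category feed, the approved categories, the hostnames, IP addresses and the traffic are all constructed for the example.

```python
"""URL filtering with categorization, default-deny for uncategorized sites,
and a per-request log that incident handlers can query (CIS 7.4, 7.5, 7.6).
Added example; the category map, policy, hosts and requests are constructed."""
from __future__ import annotations
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed stand-in for a URL-categorization feed (sub-control 7.5).
CATEGORIES = {
    "intranet.example.com": "business",
    "docs.example.com": "business",
    "news.example.org": "news",
    "paste.example.net": "file-sharing",
    "login-update.example.biz": "phishing",
}

# Categories the organization has approved (sub-control 7.4); everything else is blocked.
ALLOWED_CATEGORIES = {"business", "news"}


def categorize(host: str) -> str:
    """Category for a host, walking up parent domains so that
    sub.docs.example.com inherits the category of docs.example.com.
    Hosts the feed does not know are 'uncategorized'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def decide(url: str) -> tuple[str, str]:
    """Return (category, 'allow' | 'block'). Uncategorized sites are blocked by default."""
    host = urlsplit(url).hostname or ""
    category = categorize(host)
    return category, ("allow" if category in ALLOWED_CATEGORIES else "block")


def filter_requests(requests: list[tuple[str, str]]) -> list[dict]:
    """Apply the policy to (system, url) pairs and return one log record per
    request, allowed or not (sub-control 7.6 wants every request logged)."""
    log = []
    for system, url in requests:
        category, action = decide(url)
        log.append({"system": system, "url": url, "category": category, "action": action})
    return log


def suspicious_systems(log: list[dict], threshold: int = 2) -> dict[str, list[str]]:
    """Flag systems with `threshold` or more blocked requests, or any contact
    with a 'phishing' site, as candidates for incident handling."""
    blocked = Counter()
    flagged = defaultdict(set)
    for record in log:
        if record["action"] == "block":
            blocked[record["system"]] += 1
        if record["category"] == "phishing":
            flagged[record["system"]].add("phishing-contact")
    for system, count in blocked.items():
        if count >= threshold:
            flagged[system].add("repeated-blocks")
    return {system: sorted(reasons) for system, reasons in flagged.items()}


# Constructed sample traffic: (system, url). "laptop-07" is a roaming laptop.
SAMPLE_REQUESTS = [
    ("wks-01", "https://intranet.example.com/home"),
    ("wks-01", "https://news.example.org/today"),
    ("wks-02", "http://paste.example.net/raw/abc"),
    ("laptop-07", "https://login-update.example.biz/verify"),
    ("laptop-07", "http://203.0.113.9/gate.php"),
    ("laptop-07", "https://x7.example.test/beacon"),
    ("wks-03", "https://sub.docs.example.com/page"),
]

if __name__ == "__main__":
    log = filter_requests(SAMPLE_REQUESTS)
    for record in log:
        print(f'{record["system"]:10} {record["action"]:5} {record["category"]:14} {record["url"]}')
    print(suspicious_systems(log))
```

Blocking uncategorized sites by default is what makes the roaming laptop stand out: its requests to a bare IP address and to an unknown host are denied and logged, and the log summary surfaces it even though only one of its requests hit a site the feed had already labelled as phishing.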
7.7: Use of DNS Filtering Services
- Use Domain Name System (DNS) filtering services to help block access to known malicious domains
This sub-control encourages organizations to implement Domain Name System (DNS) filtering to block access to known malicious websites, web pages, or IP addresses. With DNS filtering in place, resolution is blocked if a specific domain or IP address is known to be malicious through blacklists or is determined to be possibly malicious by the web filter. Instead of being presented with the web page, the user is directed to a local IP address that serves a block page explaining why the website cannot be accessed.
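As an added example (not the page’s own code), this model of a filtering DNS resolver does what the paragraph describes: queries for a known-malicious domain, or any subdomain of one, are answered with a local sinkhole address that serves the block page, everything else goes upstream, and the resolver’s log is summarised so that clients repeatedly hitting the sinkhole can be identified. The blocklist, the upstream answers, the sinkhole address and the client queries are constructed.

```python
"""Filtering DNS resolver model (sub-control 7.7).
Added example; blocklist, upstream answers, sinkhole IP and queries are constructed."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SINKHOLE_IP = "10.0.0.250"  # constructed: internal host that serves the block page

# Constructed known-malicious domain list (a real deployment pulls this from a threat feed).
BLOCKED_DOMAINS = {"malware-c2.example.net", "evil-phish.example.org"}

# Constructed stand-in for answers from the upstream resolver.
UPSTREAM = {
    "intranet.example.com": "192.0.2.10",
    "www.example.com": "192.0.2.20",
    "malware-c2.example.net": "198.51.100.7",  # the real address is never handed to clients
}


@dataclass
class Answer:
    name: str
    address: Optional[str]
    blocked: bool
    reason: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Evil-Phish.example.org.' still matches."""
    return name.strip().lower().rstrip(".")


def matching_block_entry(name: str) -> Optional[str]:
    """Blocklist entry covering `name` (exact match or parent domain), else None."""
    name = normalize(name)
    for blocked in BLOCKED_DOMAINS:
        if name == blocked or name.endswith("." + blocked):
            return blocked
    return None


def resolve(name: str) -> Answer:
    """Answer one A query: sinkhole address for blocked names, upstream answer otherwise."""
    name = normalize(name)
    hit = matching_block_entry(name)
    if hit:
        return Answer(name, SINKHOLE_IP, True, "blocklist:" + hit)
    address = UPSTREAM.get(name)
    if address is None:
        return Answer(name, None, False, "nxdomain")
    return Answer(name, address, False, "upstream")


def serve(queries: list[tuple[str, str]]) -> list[dict]:
    """Resolve (client, name) pairs and return one log record per query."""
    log = []
    for client, name in queries:
        answer = resolve(name)
        log.append({"client": client, "name": answer.name, "address": answer.address,
                    "blocked": answer.blocked, "reason": answer.reason})
    return log


def sinkhole_hits(log: list[dict]) -> dict[str, int]:
    """Sinkholed queries per client; repeat hitters are candidates for incident handling."""
    return dict(Counter(record["client"] for record in log if record["blocked"]))


# Constructed query stream: (client address, queried name).
SAMPLE_QUERIES = [
    ("10.1.1.20", "intranet.example.com"),
    ("10.1.1.20", "www.example.com"),
    ("10.1.1.77", "cdn.malware-c2.example.net"),
    ("10.1.1.77", "Evil-Phish.example.org."),
    ("10.1.1.77", "malware-c2.example.net"),
    ("10.1.1.31", "nothere.example.com"),
]

if __name__ == "__main__":
    for record in serve(SAMPLE_QUERIES):
        print(record)
    print(sinkhole_hits(serve(SAMPLE_QUERIES)))
```

The parent-domain match matters because blocked infrastructure is usually reached through subdomains that change faster than the feed does; note that the suffix check includes the leading dot, so a lookalike such as notmalware-c2.example.net is not accidentally blocked.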
7.8: Implement DMARC and Enable Receiver-Side Verification
- To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
In this sub-control, organizations are advised to use a spam filtering tool to help reduce malicious emails that come into the network. Ransomware is primarily delivered through malicious attachments and links sent in an email, often known as malspam. For this reason, organizations must implement filters to block these dangerous emails from being delivered in the first place. NNT provides a Ransomware Mitigation Kit comprising the necessary automated vulnerability checks and Group Policy templates to automatically fix any weaknesses identified.
Deploying a DMARC policy will ensure that legitimate emails are properly authenticated against established SPF standards.
Implementing SPF at the DNS level and on mail servers will help cut down the volume of spam and malicious traffic that comes into the system. SPF is not an anti-spam solution, but it is very effective at controlling malicious mail traffic. It is important to note that the SPF records and implementation must include receiver-side verification.
Spoofed emails pose a significant threat to organizations because they can create a false sense of trust. In fact, just last year the FBI reported that business email compromise (BEC) and email account compromise (EAC) scams reached over $12 billion in losses globally.
Employees are more likely to respond to an email that looks to be from someone they know. The SPF standard helps defend against this threat by checking whether messages are coming from a mail server that is authorized to use the sender’s address.
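An added example (not NNT’s code) of what receiver-side verification actually does for 7.8: it evaluates the sender’s SPF record against the connecting IP, then applies DMARC, which passes only when SPF or DKIM passes and the passing identifier aligns with the visible From domain, and otherwise falls back to the published policy. The TXT records are a constructed in-memory zone standing in for real DNS lookups; DKIM signature verification itself is not modelled, only the pass/fail result a DKIM verifier would hand to the DMARC step.

```python
"""Receiver-side SPF check and DMARC alignment (sub-control 7.8).
Added example, not NNT's code. TXT records are a constructed in-memory zone."""
from __future__ import annotations
import ipaddress
from typing import Optional

# Constructed TXT records. In production these are fetched from DNS.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.25 ~all",  # constructed outsourced mailer
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; aspf=s; adkim=r",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate domain's SPF record for the connecting IP.
    Supports ip4/ip6, include and all with their qualifiers; a/mx/exists are
    treated as non-matching to keep the example short."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = TXT.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            hit = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            hit = spf_check(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            hit = True
        else:
            hit = False
        if hit:
            return RESULT[qualifier]
    return "neutral"


def parse_dmarc(from_domain: str) -> dict[str, str]:
    """Parse the _dmarc TXT record into a tag dict; empty dict if none is published."""
    record = TXT.get("_dmarc." + from_domain.lower(), "")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain: str, mail_from_domain: str, sender_ip: str,
                   dkim_domain: Optional[str] = None, dkim_pass: bool = False) -> dict:
    """DMARC passes when SPF or DKIM passes AND that identifier aligns with the
    RFC5322.From domain; otherwise the published policy decides the disposition."""
    policy = parse_dmarc(from_domain)
    spf = spf_check(mail_from_domain, sender_ip)
    if policy.get("v") != "DMARC1":
        return {"disposition": "none", "spf": spf, "dmarc": "none"}
    spf_ok = spf == "pass" and aligned(mail_from_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(dkim_domain, from_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return {"disposition": "pass", "spf": spf, "dmarc": "pass"}
    p = policy.get("p", "none")
    return {"disposition": p if p in ("reject", "quarantine") else "none", "spf": spf, "dmarc": "fail"}


if __name__ == "__main__":
    print(dmarc_evaluate("example.com", "example.com", "192.0.2.5"))           # legitimate
    print(dmarc_evaluate("example.com", "attacker.example.test", "203.0.113.5"))  # spoofed From
```

The spoofed case shows why SPF alone is not enough: a forged message can carry a MAIL FROM domain whose SPF record the sender controls, so SPF passes, but it will not align with the From domain the employee sees, and DMARC then applies the owner’s reject policy.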
7.9: Block Unnecessary File Types
- Block all email attachments entering the organization’s email gateway if the file types are unnecessary for the organization’s business.
In this sub-control, organizations are encouraged to block any emails containing specific file types from entering the organization’s email system. The reason is simple: if a user never receives dangerous attachments, they are not exposed to the dangers inherent in them. By limiting executable files, your organization significantly reduces employees’ exposure to email-based malware threats. NNT Change Tracker can be configured to block any email attachments with file types that are unnecessary for the business.
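An added example (not NNT Change Tracker’s logic) of the gateway-side check this sub-control calls for: an attachment filter with a denylist of file types the business does not need, an allowlist of those it does, handling of double extensions such as invoice.pdf.exe, and a look at the leading bytes so that an executable renamed to .pdf or .jpg is still blocked. The extension lists, the magic-byte table and the sample attachments are constructed.

```python
"""Email-gateway attachment filter (sub-control 7.9).
Added example; extension lists, magic-byte table and sample attachments are constructed."""
from __future__ import annotations

# File types the business has no need to receive (constructed policy).
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js",
                      "wsf", "hta", "jar", "msi", "lnk", "iso"}
# File types the business does need (constructed policy); anything else is blocked too.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "png", "jpg", "txt", "csv"}

# Leading bytes of common formats, used to catch renamed files.
MAGIC = {
    b"MZ": "exe",           # Windows PE executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # docx/xlsx are zip containers
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpg",
}
# What the content should look like for each allowed extension that has a signature.
EXPECTED_KIND = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "png": "png", "jpg": "jpg"}


def extensions(filename: str) -> list[str]:
    """All extensions in the name, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    base = filename.replace("\\", "/").split("/")[-1].lower()
    return base.split(".")[1:]


def sniff(data: bytes) -> str:
    """Identify the content by its leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect(filename: str, data: bytes) -> tuple[str, str]:
    """Return ('allow' | 'block', reason) for one attachment."""
    exts = extensions(filename)
    if not exts:
        return "block", "no file extension"
    for ext in exts:  # a blocked extension anywhere in the name is enough
        if ext in BLOCKED_EXTENSIONS:
            return "block", "blocked extension ." + ext
    last = exts[-1]
    if last not in ALLOWED_EXTENSIONS:
        return "block", "extension ." + last + " not on the allow list"
    kind = sniff(data)
    if kind == "exe":
        return "block", "content is an executable despite the ." + last + " name"
    if last in EXPECTED_KIND and kind != EXPECTED_KIND[last]:
        return "block", "content (" + kind + ") does not match ." + last
    return "allow", "." + last + " with matching content"


def filter_attachments(attachments: list[tuple[str, bytes]]) -> list[dict]:
    """Run inspect() over a message's attachments and return the decisions."""
    decisions = []
    for name, data in attachments:
        action, reason = inspect(name, data)
        decisions.append({"name": name, "action": action, "reason": reason})
    return decisions


# Constructed sample attachments: (name, first bytes of the content).
SAMPLE = [
    ("report.pdf", b"%PDF-1.7\n%..."),
    ("invoice.pdf.exe", b"MZ\x90\x00"),
    ("photo.jpg", b"MZ\x90\x00"),
    ("scan.pdf", b"\x89PNG\r\n"),
    ("deck.pptx", b"PK\x03\x04"),
    ("notes.TXT", b"meeting notes"),
    ("setup", b"MZ"),
]

if __name__ == "__main__":
    for decision in filter_attachments(SAMPLE):
        print(f'{decision["action"]:5} {decision["name"]:18} {decision["reason"]}')
```

Checking the content as well as the name is the part that earns its keep: the name-based rules alone would wave photo.jpg through, and the allowlist rather than the denylist is what catches file types nobody thought to ban.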
7.10: Sandbox All Email Attachments
- Use sandboxing to analyze and block inbound email attachments with malicious behavior.
In this final sub-control, organizations are encouraged to analyze inbound email attachments to check for malicious behavior. This method helps block attachments that exhibit malicious behavior. By leveraging CIS Benchmark guidance, NNT Change Tracker uses sandboxing to block all inbound attachments with potentially malicious behavior.
While email and web access are critical for most everyday operations, they are also a significant source of cyber-attacks. Properly securing email servers, web browsers, and mail clients, along with good configuration and control of email and web browsers, can go a long way toward limiting the security incidents that continue to make today’s news headlines.
This control can be summed up simply: if your browsers and email are not properly secured, you can guarantee your users and your network aren’t either. That’s why you need to make email and browser security as simple and straightforward as possible for your users, or they will misuse privilege or find a way to work around this essential cybersecurity control.
Figure: System Entity Relationship Diagram
You can also learn more about the CIS controls here.
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License.
- CIS Control 1: Inventory and Control of Hardware Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Continuous Vulnerability Management
- CIS Control 4: Controlled Use of Administrative Privileges
- CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CIS Control 7: Email and Web Browser Protections
- CIS Control 8: Malware Defenses
- CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- CIS Control 10: Data Recovery Capabilities
- CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- CIS Control 12: Boundary Defense
- CIS Control 13: Data Protection
- CIS Control 14: Controlled Access Based on the Need to Know
- CIS Control 15: Wireless Access Control
- CIS Control 16: Account Monitoring and Control
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
- CIS Control 19: Incident Response and Management
- CIS Control 20: Penetration Tests and Red Team Exercises