CIS Control 7: Email and Web Browser Protections
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
7.1: Ensure Use of Only Fully Supported Browsers and Email Clients
- Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
7.2: Disable Unnecessary or Unauthorized Browser or Email Client Plugins
- Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3: Limit Use of Scripting Languages in Web Browsers and Email Clients
- Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
7.4: Maintain and Enforce Network-Based URL Filters
- Enforce network-based URL filters that limit a system’s ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization’s systems, whether they are physically at an organization’s facilities or not.
7.5: Subscribe to URL-Categorization Service
- Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
7.6: Log All URL Requests
- Log all URL requests from each of the organization’s systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
7.7: Use of DNS Filtering Services
- Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
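The following is an added example, not part of the CIS Controls text, showing how 7.4, 7.5 and 7.6 fit together on the receiving end: a default-deny category decision for each URL request, and a pass over the resulting request log that surfaces clients worth handing to incident handlers. The log format, the category feed, the client addresses and the threshold are all constructed assumptions; real proxy and DNS-filter products have their own log schemas and feeds, but the same logic applies to DNS-filter logs (7.7) keyed on the queried name.

```python
# Added example (not CIS Controls material): default-deny URL filtering
# plus log analysis over constructed request lines.
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for a URL-categorization feed (7.5).
# Any host not listed is "uncategorized" and is blocked by default.
CATEGORY_FEED = {
    "intranet.example.com": "business",
    "cdn.example.net": "business",
    "news.example.org": "news",
    "bad.example": "malware",        # would come from a DNS/URL blocklist (7.7)
}
ALLOWED_CATEGORIES = {"business", "news"}   # categories approved by the org (7.4)


def decide(url: str) -> Tuple[str, str]:
    """Return (category, action): allow only approved categories,
    block uncategorized and everything else by default."""
    host = (urlsplit(url).hostname or "").lower()
    category = CATEGORY_FEED.get(host, "uncategorized")
    action = "allow" if category in ALLOWED_CATEGORIES else "block"
    return (category, action)


# Constructed log format: "<timestamp> <client-ip> <url>" per line (7.6).
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.1.2.10 https://intranet.example.com/home
2024-05-01T09:00:03Z 10.1.2.10 https://news.example.org/today
2024-05-01T09:00:07Z 10.1.2.55 http://x7k2.example/index
2024-05-01T09:00:09Z 10.1.2.55 http://q9m1.example/index
2024-05-01T09:00:11Z 10.1.2.55 http://bad.example/update
2024-05-01T09:00:15Z 10.1.2.55 http://z3t8.example/index
2024-05-01T09:00:20Z 10.1.2.77 https://cdn.example.net/app.js
"""


def analyze(log_text: str) -> Dict[str, dict]:
    """Aggregate per-client counters from the request log."""
    per_client: Dict[str, dict] = defaultdict(
        lambda: {"blocked": 0, "malware": 0, "uncat_hosts": set()}
    )
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue            # malformed line: skip, never crash the pipeline
        _ts, client, url = match.groups()
        category, action = decide(url)
        stats = per_client[client]
        if action == "block":
            stats["blocked"] += 1
        if category == "malware":
            stats["malware"] += 1
        if category == "uncategorized":
            stats["uncat_hosts"].add(urlsplit(url).hostname)
    return per_client


def suspicious_clients(log_text: str, threshold: int = 3) -> List[str]:
    """Clients that touched a known-malicious domain or at least
    `threshold` distinct uncategorized hosts: candidates for triage."""
    flagged = []
    for client, stats in sorted(analyze(log_text).items()):
        if stats["malware"] > 0 or len(stats["uncat_hosts"]) >= threshold:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    for client, stats in sorted(analyze(SAMPLE_LOG).items()):
        print(client, stats["blocked"], "blocked,", len(stats["uncat_hosts"]), "uncategorized hosts")
    print("review:", suspicious_clients(SAMPLE_LOG))
```

The threshold is a tuning knob: uncategorized hits happen legitimately (new CDNs, freshly registered vendor sites), so the useful signal is a single client hitting many distinct uncategorized hosts in a short window, not one uncategorized request.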
7.8: Implement DMARC and Enable Receiver-Side Verification
- To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
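An added example, not part of the CIS Controls text, of the receiver-side verification that 7.8 asks for: given the SPF and DKIM outcomes an upstream verifier already produced, it applies the sender's published DMARC policy, including identifier alignment (the part that makes DMARC stronger than SPF or DKIM alone). The DMARC record, domain names and scenarios are constructed; the record is a string rather than a DNS lookup so the example runs offline, and the `pct` tag is not modelled.

```python
# Added example (not CIS Controls material): receiver-side DMARC policy
# evaluation over SPF/DKIM results supplied by an upstream verifier.
from dataclasses import dataclass
from typing import Dict, Tuple


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' DMARC TXT record into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real receivers consult the Public Suffix List (think of co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str    # domain of the RFC5322.From header the user sees
    spf_domain: str     # RFC5321.MailFrom domain that SPF evaluated
    spf_pass: bool
    dkim_domain: str    # d= tag of a verified DKIM signature, "" if none
    dkim_pass: bool


def evaluate_dmarc(auth: AuthResults, dmarc_record: str) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    dmarc_result is 'pass', 'fail' or 'none' (no policy published);
    disposition is what the receiver should do: 'none' (deliver),
    'quarantine' or 'reject'.
    """
    tags = parse_tags(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return ("none", "none")      # no usable record: nothing to enforce

    # Either authenticated identifier aligned with the From domain passes.
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_domain, auth.from_domain, tags.get("adkim", "r"))
    spf_ok = auth.spf_pass and aligned(auth.spf_domain, auth.from_domain, tags.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return ("pass", "none")

    # Failure: 'sp' overrides 'p' for subdomains of the organizational domain.
    policy = tags.get("p", "none")
    if auth.from_domain.lower() != org_domain(auth.from_domain) and "sp" in tags:
        policy = tags["sp"]
    policy = policy.lower()
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"              # unknown value: fail open, as receivers do
    return ("fail", policy)


# Constructed record as it would be published at _dmarc.example.com
EXAMPLE_DMARC = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

# Constructed scenarios
LEGIT = AuthResults("example.com", "bounce.example.com", True, "example.com", True)
# SPF passes for the sender's own domain, but that domain does not align
# with the From domain the recipient sees: this is the spoofing case.
SPOOF = AuthResults("example.com", "attacker.example", True, "", False)
# DKIM d= is a subdomain, so strict adkim fails; relaxed SPF alignment still passes.
RELAXED = AuthResults("example.com", "bounce.example.com", True, "mail.example.com", True)
# Unauthenticated mail claiming a subdomain: the sp= policy applies.
SUBDOMAIN = AuthResults("news.example.com", "attacker.example", True, "", False)

if __name__ == "__main__":
    for name, auth in [("legit", LEGIT), ("spoof", SPOOF), ("relaxed", RELAXED), ("subdomain", SUBDOMAIN)]:
        print(name, evaluate_dmarc(auth, EXAMPLE_DMARC))
```

The SPOOF scenario is the point of the control: SPF alone reports "pass" because the message's envelope sender is a domain whose SPF record the sender controls, and only the alignment check against the visible From domain turns that into a failure that the published `p=reject` policy can act on.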
7.9: Block Unnecessary File Types
- Block all email attachments entering the organization’s email gateway if the file types are unnecessary for the organization’s business.
7.10: Sandbox All Email Attachments
- Use sandboxing to analyze and block inbound email attachments with malicious behavior.
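An added example, not part of the CIS Controls text, that combines 7.9 and 7.10 into one gateway decision: block attachment types the business does not need, and route the permitted-but-risky document and archive types to sandbox analysis. The extension lists and byte samples are constructed assumptions to be adjusted per organization; the practical point it demonstrates is that the decision has to look at the content's leading bytes as well as the name, because a name alone is trivially changed.

```python
# Added example (not CIS Controls material): an attachment gate that
# returns allow / block / sandbox from both the file name and the content.
from typing import Dict, List, Tuple

# Types with no business need at this (constructed) organization: block outright.
BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "js", "vbs", "hta", "ps1",
                      "bat", "cmd", "lnk", "iso", "img"}

# Permitted types that can carry active content: detonate before delivery.
SANDBOX_EXTENSIONS = {"zip", "7z", "rar", "pdf", "doc", "docx", "docm",
                      "xls", "xlsx", "xlsm", "ppt", "pptx", "rtf"}

# Leading bytes the gate recognizes regardless of what the name claims.
MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-container"),     # also OOXML (docx/xlsx/pptx)
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole-document"),  # legacy Office compound file
]
EXECUTABLE_TYPES = {"pe-executable", "elf-executable"}
CONTAINER_TYPES = {"zip-container", "ole-document"}

# What the content should look like for a given declared extension.
EXPECTED_TYPE: Dict[str, str] = {
    "pdf": "pdf", "zip": "zip-container",
    "docx": "zip-container", "xlsx": "zip-container", "pptx": "zip-container",
    "doc": "ole-document", "xls": "ole-document", "ppt": "ole-document",
}


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes; 'unknown' if none match."""
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    return "unknown"


def all_extensions(filename: str) -> List[str]:
    """Every extension in the name, so 'invoice.pdf.exe' yields ['pdf', 'exe']."""
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return base.split(".")[1:]


def gate_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (action, reason) with action in {'allow', 'block', 'sandbox'}."""
    exts = all_extensions(filename)
    last = exts[-1] if exts else ""
    sniffed = sniff_type(data)

    # 1. Content wins over name: a renamed executable is still an executable.
    if sniffed in EXECUTABLE_TYPES:
        return ("block", f"content is {sniffed} despite name {filename!r}")
    # 2. Any blocked extension anywhere in the name, double extensions included.
    for ext in exts:
        if ext in BLOCKED_EXTENSIONS:
            return ("block", f"extension .{ext} is not permitted")
    # 3. Declared type and content disagree: do not trust it, detonate it.
    if last in EXPECTED_TYPE and sniffed != EXPECTED_TYPE[last]:
        return ("sandbox", f".{last} declared but content looks like {sniffed}")
    # 4. Permitted-but-risky documents and archives go to the sandbox (7.10).
    if last in SANDBOX_EXTENSIONS or sniffed in CONTAINER_TYPES:
        return ("sandbox", f"{last or sniffed} requires analysis before delivery")
    return ("allow", "no executable content and no active-content type")


if __name__ == "__main__":
    # Constructed samples: only the leading bytes matter to the gate.
    for name, blob in [("notes.txt", b"meeting at ten"),
                       ("invoice.pdf", b"%PDF-1.7\n"),
                       ("invoice.pdf.exe", b"%PDF-1.7\n"),
                       ("report.pdf", b"MZ\x90\x00"),
                       ("quarterly.docx", b"PK\x03\x04"),
                       ("quarterly.docx", b"plain text")]:
        print(name, gate_attachment(name, blob))
```

Ordering matters: the executable-content check runs before the extension check so that a blocked type cannot slip through by carrying an innocent name, and the mismatch check runs before the generic sandbox route so that the reason recorded in the gateway log says why the file was distrusted.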
Figure: System Entity Relationship Diagram