CIS Control 09: Email and Web Browser Protections


Web browsers and email clients are the applications through which users interact with external content, which makes both a common point of entry into an organization. Attackers reach users through them with social engineering: a phishing message or a malicious page only has to convince one user to open an attachment, follow a link, or enter credentials to give the attacker a foothold. CIS Control 9 provides several safeguards that reduce the chance a user is exposed to malicious content and limit the damage when one is.

Key Takeaways for Control 9

Web Browsers

Web browsers can be protected by the following: updating the browser, enabling pop-up blockers, enabling DNS filtering, and managing plugins. Keep browsers on a supported, current version so that publicly known vulnerabilities are patched. Enable pop-up blockers to stop malicious pop-up messages from being displayed to users. DNS filtering blocks resolution of known malicious domains, so a user who clicks a phishing link never reaches the site. Managing plugins (extensions and add-ons) keeps users from installing malicious or unvetted code that runs with the browser's access to every page they visit.

Email

Email security can be increased by proper social engineering training, spam filtering and malware scanning, domain-based message authentication, encryption, and file type filtering. Regular social engineering training helps users spot phishing and business email compromise (BEC). Spam filtering and malware scanning reduce the number of malicious emails that reach a mailbox. Another way to reduce spoofed emails is Domain-based Message Authentication, Reporting, and Conformance (DMARC). A sending domain publishes a DMARC policy in DNS; receiving mail servers check whether a message passed SPF or DKIM with a domain that aligns with the visible From address, and apply the sender's requested action (none, quarantine, or reject) to messages that do not. Encryption (TLS between mail servers, and end-to-end encryption such as S/MIME where the content warrants it) keeps message contents private. File type filtering can be enabled to stop users from receiving the file types most often used to deliver malicious content.

Safeguards for Control 9

9.1) Ensure Use of Only Fully Supported Browsers and Email Clients

Description: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise. Use only the latest version of browsers and email clients.

Notes: The security function associated with this safeguard is Protect. Success with this control means users run only supported browsers and email clients. Current versions contain the fixes for publicly known vulnerabilities; unsupported versions stop receiving those fixes, so every newly disclosed flaw in them stays exploitable.

9.2) Use DNS Filtering Services

Description: Use DNS filtering services on all enterprise assets to block access to known malicious domains.

Notes: The security function associated with this safeguard is Protect. Success with this control provides users with protection against known malicious domains.

9.3) Maintain and Enforce Network-Based URL Filters

Description: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or block lists filtering. Enforce filters for all enterprise assets.

Notes: The security function associated with this safeguard is Protect. Success with this control provides the benefit of blocking malicious or unapproved websites. This restricts users from accessing malicious or unapproved URLs on enterprise systems.
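The difference between safeguards 9.2 and 9.3 is what the filter can see: a DNS filter only sees the queried name, so it can enforce a domain block list, while a URL filter sees the whole URL and can add category and reputation checks on top. The following toy policy engine is an added example written for this page, not CIS or vendor code; every domain, category, and reputation score in it is constructed sample data standing in for a threat-intelligence feed, and the 30-point reputation cutoff is an assumption.

```python
"""Domain and URL filtering, as an added example for safeguards 9.2 and 9.3.

Not CIS or vendor code. A DNS filter only sees the queried name, so it can
enforce a domain block list; a URL filter sees the full URL and can add
category and reputation checks. Every list, category and score below is
constructed sample data standing in for a threat-intelligence feed.
"""
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"malware.example", "phish.example.net"}      # constructed
ALLOWED_DOMAINS = {"intranet.corp.example"}                     # constructed
CATEGORY_OF_DOMAIN = {                                          # constructed
    "gambling.example": "gambling",
    "news.example": "news",
    "intranet.corp.example": "internal",
}
BLOCKED_CATEGORIES = {"gambling", "adult"}
REPUTATION_SCORE = {"shady.example": 15, "news.example": 90}    # constructed, 0-100
MIN_REPUTATION = 30  # assumption: below this a site is treated as untrusted


def normalize_host(host):
    """Lower-case and drop the trailing dot so 'EVIL.example.' matches 'evil.example'."""
    return host.lower().rstrip(".")


def parent_domains(host):
    """Yield the host and each parent: 'a.b.example' -> a.b.example, b.example, example."""
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def domain_listed(host, listing):
    """Return the matching entry if the host or any parent domain is in the listing.

    Matching parents is what makes a block on 'phish.example.net' also cover
    'login.phish.example.net'; an exact-match list would miss it.
    """
    for candidate in parent_domains(host):
        if candidate in listing:
            return candidate
    return None


def dns_decision(qname):
    """What a DNS filter can decide from the query name alone."""
    host = normalize_host(qname)
    if domain_listed(host, ALLOWED_DOMAINS):
        return "allow", "allowlist"
    hit = domain_listed(host, BLOCKED_DOMAINS)
    if hit:
        return "block", "blocklist:" + hit
    return "allow", "no-match"


def url_decision(url):
    """What a URL filter decides: domain lists, then category, then reputation."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "block", "unparseable-url"   # fail closed on anything odd
    host = normalize_host(parts.hostname)  # urlsplit already strips port and userinfo
    verdict, reason = dns_decision(host)
    if verdict == "block" or reason == "allowlist":
        return verdict, reason
    cat_host = domain_listed(host, CATEGORY_OF_DOMAIN)
    if cat_host and CATEGORY_OF_DOMAIN[cat_host] in BLOCKED_CATEGORIES:
        return "block", "category:" + CATEGORY_OF_DOMAIN[cat_host]
    rep_host = domain_listed(host, REPUTATION_SCORE)
    if rep_host and REPUTATION_SCORE[rep_host] < MIN_REPUTATION:
        return "block", "reputation:%d" % REPUTATION_SCORE[rep_host]
    return "allow", "no-match"
```

The order of checks matters: an explicit allowlist entry wins so that an internal host miscategorized by a feed does not get blocked, the block list is consulted before the softer category and reputation signals, and anything that does not parse as an HTTP(S) URL is blocked rather than waved through.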

9.4) Restrict Unnecessary or Unauthorized Browser and Email Client Extensions

Description: Restrict any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications either through uninstalling or disabling them.

Notes: The security function associated with this safeguard is Protect. Success with this control means that no plugins can be installed without approval. This stops potential malicious plugins from running on a system.

9.5) Implement DMARC

Description: Implement DMARC policy and verification to lower the chance of receiving spoofed or modified emails from valid domains. Begin by implementing the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards, since DMARC builds on both: SPF lets a domain list which servers may send on its behalf, DKIM lets a domain sign outgoing messages, and DMARC ties either result to the From address and tells receivers what to do when neither matches.

Notes: The security function associated with this safeguard is Protect. Success with this control means fewer spoofed and phishing emails reach users. DMARC only covers messages that claim to come from a domain that publishes a policy; lookalike domains, display-name tricks, and mail sent from compromised legitimate accounts still pass, so training remains necessary to ensure users do not act on malicious emails that make it through the filter.
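What a receiving server actually does with a DMARC record, for both the Email summary above and safeguard 9.5, is easier to see in code than in prose. The following is an added example written for this page, not code from CIS, from the DMARC specification, or from any mail product. The DNS records, domains, and authentication results are constructed samples embedded in the script so it runs offline, and it assumes a two-label organizational domain instead of consulting the public suffix list; the pct tag is parsed but the sampling it requests is left to the caller.

```python
"""DMARC disposition for one inbound message, as an added example.

Not CIS, RFC reference, or vendor code. The receiver looks up the DMARC
record for the RFC5322.From domain and passes the message only if SPF or
DKIM passed with a domain that *aligns* with that From domain; otherwise
it applies the action the sender asked for (none, quarantine or reject).
All records and results below are constructed samples.
"""

# Constructed "DNS": what _dmarc.<domain> TXT lookups would return.
DMARC_TXT = {
    "_dmarc.corp.example": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "pct=100; rua=mailto:dmarc@corp.example",
    "_dmarc.partner.example": "v=DMARC1; p=none; rua=mailto:reports@partner.example",
}


def org_domain(domain):
    """Assumption: organizational domain = last two labels (no public suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict with the defaults the spec gives."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def lookup_policy(from_domain):
    """Record for the From domain, else the org domain's record (then sp= applies)."""
    from_domain = from_domain.lower()
    txt = DMARC_TXT.get("_dmarc." + from_domain)
    if txt:
        return parse_dmarc(txt), False
    txt = DMARC_TXT.get("_dmarc." + org_domain(from_domain))
    if txt:
        return parse_dmarc(txt), True
    return None, False


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    auth, frm = auth_domain.lower(), from_domain.lower()
    return auth == frm if mode == "s" else org_domain(auth) == org_domain(frm)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (verdict, action).

    spf_domain is the envelope MAIL FROM domain SPF evaluated; dkim_domain is
    the d= tag of a signature that verified. Results are 'pass'/'fail'/'none'.
    """
    policy, is_subdomain = lookup_policy(from_domain)
    if policy is None:
        return "none", "none"   # no DMARC record: receiver falls back to its own heuristics
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    action = policy["sp"] if is_subdomain and policy["sp"] else policy["p"]
    return "fail", action
```

The point the example makes is that DMARC is the sender's policy, evaluated by the receiver: a message whose SPF passes for the attacker's own domain still fails, because that domain does not align with the corp.example From address, and a subdomain without its own record inherits the sp= action rather than p=.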

9.6) Block Unnecessary File Types

Description: Block unnecessary file types from entering the enterprise’s email gateway.

Notes: The security function associated with this safeguard is Protect. Success with this control blocks all file types that are not necessary for the organization to function, such as executables and script files. Filter on the inspected content type as well as the file name extension, and look inside archives, so that a renamed executable or a script zipped into an archive does not slip past the gateway.
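A filter that only looks at the last extension is easy to bypass, so the added example below (written for this page, not taken from CIS or any mail gateway) decides on the file name and the first bytes of the content together, recurses into zip archives, and refuses what it cannot inspect. The blocked extension list, the size cap, and the nesting limit are assumptions; make_zip() builds constructed sample archives in memory so the example runs offline.

```python
"""Attachment file-type filter for an email gateway, as an added example.

Not CIS or vendor code. The filter combines the declared extension, a
magic-number sniff of the content, and a walk through zip archives, so
'invoice.pdf.exe', a renamed executable and a script hidden in a nested
archive are all caught. Lists and limits are assumptions for the example.
"""
import io
import zipfile

BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd",
                      "ps1", "jar", "iso", "lnk"}          # assumption
MAGIC = {b"MZ": "exe", b"\x7fELF": "elf", b"PK\x03\x04": "zip", b"%PDF": "pdf"}
BLOCKED_MAGIC = {"exe", "elf"}
MAX_ARCHIVE_DEPTH = 2                   # assumption: zip inside zip, no deeper
MAX_MEMBER_BYTES = 50 * 1024 * 1024     # assumption: guard against zip bombs


def declared_extension(filename):
    """Last extension, lower-cased: 'invoice.pdf.exe' -> 'exe', 'Setup.EXE' -> 'exe'."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def sniff(data):
    """Identify the content from its leading bytes, ignoring the name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return ""


def filter_attachment(filename, data, depth=0):
    """Return ('allow', what) or ('block', reason) for one attachment."""
    if "\u202e" in filename:
        # Right-to-left override makes 'inv\u202eexe.pdf' display as 'invfdp.exe'.
        return "block", "rtl-override-in-name"
    ext = declared_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", "extension:" + ext
    kind = sniff(data)
    if kind in BLOCKED_MAGIC:
        # A renamed binary: 'notes.txt' whose bytes start with MZ is still a PE file.
        return "block", "content:" + kind
    if kind == "zip" or ext == "zip":
        if depth >= MAX_ARCHIVE_DEPTH:
            return "block", "archive-too-deep"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:
                        return "block", "encrypted-archive"   # cannot inspect it
                    if info.file_size > MAX_MEMBER_BYTES:
                        return "block", "oversized-member"
                    verdict, reason = filter_attachment(info.filename, zf.read(info), depth + 1)
                    if verdict == "block":
                        return "block", "inside-archive:%s:%s" % (info.filename, reason)
        except zipfile.BadZipFile:
            return "block", "corrupt-archive"
    return "allow", ext or kind or "unknown"


def make_zip(members):
    """Constructed sample archive from {name: bytes}, for offline runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Two design choices are worth noting: an encrypted or corrupt archive is blocked rather than allowed, because a filter that passes what it cannot read is no filter, and Office documents (which are zip containers) are walked like any other archive, so a script dropped inside one is seen even though the outer extension is harmless.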

9.7) Deploy and Maintain Email Server Anti-Malware Protections

Description: Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.

Notes: The security function associated with this safeguard is Protect. Success with this control protects users from detected malicious attachments. Ensure that the anti-malware protection is updated with the latest definitions.


Read more about the 18 CIS Controls here:

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

CIS Control 7: Continuous Vulnerability Management

CIS Control 8: Audit Log Management

CIS Control 9: Email and Web Browser Protections

CIS Control 10: Malware Defenses

CIS Control 11: Data Recovery

CIS Control 12: Network Infrastructure Management

CIS Control 13: Network Monitoring and Defense

CIS Control 14: Security Awareness and Skill Training

CIS Control 15: Service Provider Management

CIS Control 16: Application Software Security

CIS Control 17: Incident Response Management

CIS Control 18: Penetration Testing
