Web browsers and email clients are used to interact with external and internal assets. Both applications can be used as a point of entry within an organization. Users of these applications can be manipulated using social engineering attacks. A successful social engineering attack needs to convince users to interact with malicious content. A successful attack could give an attacker an entry point within an organization. CIS Control 9 provides several safeguards to ensure safety of external information.
Key Takeaways for Control 9
Web browsers can be protected by the following: updating the browser, enabling pop-up blockers, enabling DNS filtering, and managing plugins. Always update web browsers to the latest version to fix known issues. Enable pop-up blockers to block malicious pop-up messages from being displayed to users. DNS filtering blocks access to malicious domains and protects users from navigating to them. Managing plugins can protect users from potentially installing malicious plugins.
Email security can be increased by proper social engineering training, spam-filtering/malware scanning, domain-based message authentication, encryption, and file type filtering. Increasing the frequency of social engineering training allows users to successfully spot phishing and business email compromise (BEC). Spam-filtering and malware scanning can be used to reduce malicious emails. Another way to reduce malicious emails is to use domain-based message authentication, reporting, and conformance (DMARC). DMARC filters email based on the alignment of policies and removes any that do not conform. Encryption can be used to ensure that the contents remain private. File type filtering can be enabled to protect users from receiving malicious content.
Safeguards for Control 9
9.1) Ensure Use of Only Fully Supported Browsers and Email Clients
Description: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise. Use only the latest version of browsers and email clients.
Notes: The security function associated with this safeguard is Protect. Success with this control provides users with supported browser and email clients. Using the latest browser and email clients provides protection against patch vulnerabilities.
9.2) Use DNS Filtering Services
Description: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Notes: The security function associated with this safeguard is Protect. Success with this control provides users with protection against known malicious domains.
9.3) Maintain and Enforce Network-Based URL Filters
Description: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or block lists filtering. Enforce filters for all enterprise assets.
Notes: The security function associated with this safeguard is Protect. Success with this control provides the benefit of blocking malicious or unapproved websites. This restricts users from accessing malicious or unapproved URLs on enterprise systems.
9.4) Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
Description: Restrict any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications either through uninstalling or disabling them.
Notes: The security function associated with this safeguard is Protect. Success with this control means that no plugins can be installed without approval. This stops potential malicious plugins from running on a system.
9.5) Implement DMARC Network
Description: Implement DMARC polices to lower the chance of receiving spoofed or modified emails from valid domains. Begin by implementing the Sender Policy Framework (SPF) and the DomainKey Identified Mail (DKIM) standards.
Notes: The security function associated with this safeguard is Protect. Success with this control provides users with less spam and phishing emails. However, training is necessary to ensure users do not to click on malicious emails that make it through the filter.
9.6) Block Unnecessary File Types
Description: Block unnecessary file types from entering the enterprise’s email gateway.
Notes: The security function associated with this safeguard is Protect. Success with this control blocks all file types that are not necessary for the organization to function. This protects the organization from malicious files entering the enterprise’s email gateway.
9.7) Deploy and Maintain Email Server Anti-Malware Protections
Description: Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.
Notes: The security function associated with this safeguard is Protect. Success with this control protects users from detected malicious attachments. Ensure that the anti-malware protection is updated with the latest definitions.
Read more about the 18 CIS Controls here:
CIS Control 9: Email and Web Browser Protections