Today, I will be going over Control 7 from version 7 of the top 20 CIS Controls – Email and Web Browser Protections. I will go through the 10 requirements and offer my thoughts on what I’ve found.
Key Takeaways for Control 7
- Why not block images from emails? Embedded single-pixel tracking images are a way for attackers (or, at the very least, marketing teams) to gain insight into employees' activity. Malicious images embedded in a message or loaded from external sites can also be an attack vector. Consider disabling auto-loading of images in emails and requiring users to click a button to see the fancy graphics.
- Leverage hardening benchmarks. Since CIS publishes hardening guidelines for Exchange and the Office suite, I am surprised that leveraging those isn't called out in Control 7. Even though "software" is covered under Control 5, be aware that Exchange and Office both have hardening templates available from CIS and DISA.
- This control will take time. There are a lot of ambiguous requirements in Control 7 that will require the implementer to create their own list of what is good versus bad. Start with baselines and work towards validating them while also monitoring for change.
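As an added illustration of the first takeaway (example code written for this page, not part of the original post or any Tripwire product), here is a small Python auditor that classifies the images in an HTML email body: inline `cid:` references, remote images that trigger an outbound fetch when auto-loading is on, and remote images sized or styled like a tracking pixel. The sample body and its hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML email body for the demo; not taken from a real message.
SAMPLE_HTML = """<html><body>
<p>Quarterly update</p>
<img src="cid:logo.png" width="200" height="60">
<img src="https://track.example.net/o.gif?uid=12345" width="1" height="1" style="display:none">
<img src="https://cdn.example.org/banner.jpg" width="600" height="120">
</body></html>"""

def _dim(value):
    """Parse a width/height attribute; a missing or non-numeric value counts as large."""
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return 10 ** 6

class ImageAuditor(HTMLParser):
    """Classify every <img> as inline (cid:/data:), remote, or a likely tracking pixel."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        remote = urlparse(src).scheme in ("http", "https")
        tiny = _dim(a.get("width")) <= 1 and _dim(a.get("height")) <= 1
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if remote and (tiny or hidden):
            kind = "tracking-pixel"
        elif remote:
            kind = "remote-image"
        else:
            kind = "inline-image"
        self.findings.append((kind, src))

def audit_images(html):
    """Return [(kind, src), ...] for each image in the body, in document order."""
    auditor = ImageAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

def remote_image_count(html):
    """Number of images that would trigger an outbound fetch if auto-loading is on."""
    return sum(1 for kind, _ in audit_images(html) if kind != "inline-image")
```

The count of remote images is what disabling auto-load in the client removes; the tracking-pixel verdict is useful for reporting which senders rely on it.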
Requirement Listing for Control 7
1. Ensure Use of Only Fully Supported Browsers and Email Clients
Description: Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
Notes: Just because Internet Explorer is approved doesn't mean IE 5 should still be used. This relies heavily on Controls 2.1 and 2.2, but focused on browsers and email clients.
2. Disable Unnecessary or Unauthorized Browser or Email Client Plugins
Description: Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Notes: Browser extensions can have unfettered access to whatever a user is entering into a web form, including login credentials. Some browsers can even maintain persistence. (Who really closes their web browser these days, anyway?) Scan for browser extensions on a regular basis. Tripwire Enterprise can help do this across your entire enterprise.
3. Limit Use of Scripting Languages in Web Browsers and Email Clients
Description: Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Notes: A blanket policy that disables scripting in the browser would cripple a lot of websites, so that's not an option. A more practical option is to install ad-blockers and rely on requirement 7 below to prevent scripts from being loaded from malicious websites.
4. Maintain and Enforce Network-Based URL Filters
Description: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether or not they are physically at an organization's facilities.
Notes: I’m glad the last sentence has been placed in this requirement, as roaming laptops can pick up an infection anywhere and bring it back into the trusted network. However, you’re going to need to rely on a host-based firewall and ensure that it cannot be bypassed by the user. An easier option for a first pass win is to ignore the traveling users and rely on the perimeter firewalls to provide this functionality. If you train your users to VPN into the corporate network when traveling, you may reduce the likelihood of them picking up an infection.
5. Subscribe to URL-Categorization service
Description: Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
Notes: As with the previous requirement, a perimeter or host-based firewall available from many vendors today will have this already built in. Think of this requirement the same way you would Control 8.2 (Ensure Anti-Malware Software and Signatures are Updated), as the same tool may be performing both functions.
6. Log all URL Requests
Description: Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
Notes: This is nearly the same as Control 8.7 (Enable DNS Query Logging) except this will catch every request rather than the first query. As with 8.7, using a network security monitoring tool can help identify this without having to collect and centralize the queries from every endpoint.
7. Use of DNS Filtering Services
Description: Use DNS filtering services to help block access to known malicious domains.
Notes: If the malware cannot resolve its C2 domain name, then it will be rendered ineffective. Larger organizations can look towards enterprise-class tools to provide this internally, whereas smaller organizations can use an external DNS provider that accomplishes the same thing.
8. Implement DMARC and Enable Receiver-Side Verification
Description: To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification by implementing the Sender Policy Framework (SPF) and the Domain Keys Identified Mail (DKIM) standards.
Notes: I tried to get some insightful thoughts put together to talk about this one, but instead I am going to refer to this great TechNet article on the subject of DMARC, SPF, and DKIM.
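Since the post defers to the TechNet article, here is an added example (written for this page, not from the original post) of what receiver-side verification depends on: a Python check of a domain's published DMARC and SPF TXT records for settings that leave spoofing unblocked. The TXT answers are constructed stand-ins for DNS lookups and the domains are placeholders.

```python
# Constructed TXT records standing in for live DNS answers; not real domains' records.
SAMPLE_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.com": "v=spf1 include:_spf.example.net a mx ~all",
    "_dmarc.example.org": "v=DMARC1; p=reject; sp=reject; rua=mailto:reports@example.org",
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
}
# SPF terms that each cost a DNS query; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """List the weaknesses in a DMARC record; an empty list means an enforcing policy."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"p={policy or 'missing'}: spoofed mail is at most reported, never blocked")
    if tags.get("sp", policy).lower() not in ("quarantine", "reject"):
        issues.append("subdomains are not protected (sp=none, or p=none inherited)")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected")
    return issues

def assess_spf(record):
    """List the weaknesses in an SPF record (RFC 7208)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        issues.append(f"'{last}' lets any host send as this domain")
    elif last == "~all":
        issues.append("~all softfail: receivers may still deliver spoofed mail")
    names = [t.lower().lstrip("+-~?").split(":")[0].split("=")[0] for t in terms[1:]]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    return issues
```

A DKIM check would additionally fetch the selector's `_domainkey` TXT record and verify the signature, which needs the signed message itself and is not shown here.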
9. Block Unnecessary File Types
Description: Block all email attachments entering the organization’s e-mail gateway if the file types are unnecessary for the organization’s business.
Notes: Limiting executable (including script) files is going to reduce the exposure that employees have to email-based malware. Consider doing this for internal emails as well, not just inbound emails entering the organization.
10. Sandbox All Email Attachments
Description: Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Notes: Step one is to block unwanted extensions, as seen in the previous requirement. Next, you need to analyze the remaining ones to check for malicious behavior. Ideally, use a sandbox that opens attachments and visits links rather than relying only on static analysis of the files. Zip files should be expanded and the compressed files run through the sandbox as well.
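Requirements 9 and 10 together, as an added Python example (written for this page, not from the original post or any gateway product): a gateway-style attachment check that blocks listed extensions, identifies executables by their leading bytes regardless of the file name, and expands zip attachments so the compressed files get the same treatment before anything reaches a sandbox. The message, its attachments and the blocked-extension list are constructed for the demo.

```python
import io
import zipfile
from email.message import EmailMessage

# Gateway policy for this demo (constructed): extensions rejected outright.
BLOCKED = {".exe", ".scr", ".js", ".vbs", ".ps1", ".hta", ".bat", ".cmd", ".dll"}
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"PK\x03\x04": "zip"}  # leading-byte signatures

def sniff(data):
    """Identify content by leading bytes so a renamed .exe is not trusted by its extension."""
    for signature, label in MAGIC.items():
        if data.startswith(signature):
            return label
    return "unknown"

def inspect_file(name, data, depth=0):
    """Yield (path, verdict) for a file and, for a zip, for each member one level deep."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    kind = sniff(data)
    if ext in BLOCKED:
        yield name, "blocked-extension"
    elif kind == "pe-executable":
        yield name, "blocked-executable-content"
    elif kind == "zip" and depth >= 1:
        yield name, "blocked-nested-archive"
    elif kind == "zip":
        yield name, "archive-expanded"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from inspect_file(f"{name}/{info.filename}", zf.read(info), depth + 1)
    else:
        yield name, "allowed"

def inspect_message(msg):
    # Flatten inspect_file's verdicts over every attachment part of a parsed message.
    return [verdict for part in msg.iter_attachments()
            for verdict in inspect_file(part.get_filename() or "unnamed",
                                        part.get_payload(decode=True) or b"")]

def build_sample():
    """Constructed message with three attachments; not a captured real email."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("invoice.js", "// constructed sample, does nothing")
        zf.writestr("readme.txt", "harmless text")
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="pdf", filename="report_2.pdf")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg
```

Files that come out as "allowed" are the ones a dynamic sandbox would still need to open; the rest never need to get that far.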