CIS Controls v8 Overview - Control 09
What are the email and web browser protections that organizations should have in place? What does the acronym SPAM mean? For the answers, let’s look at Control 09 of the CIS Controls Version 8.
Control 09: Email and Web Browser Protections - Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
Why is this Control Important?
Email and web browsers are the main channels through which users interact with external and untrusted users and environments; as such, they are prime targets for malicious code and social engineering. Attackers focus on web browsers and email clients because users within an organization interact with them directly. Content can be cleverly crafted to entice or spoof users into disclosing credentials, providing sensitive data, or opening a direct channel that lets attackers gain access.
In addition, with the move to web-based or mobile email access, the built-in security controls of a traditional full-featured email client (e.g., Outlook) are sometimes reduced in areas such as encryption, strong authentication, and phishing reporting buttons.
And its Safeguards?
The Control has seven (7) Safeguards that cover the key actions to establish and maintain secure configurations. The Safeguards include limiting use to fully supported browsers and email clients, DNS filtering, URL filtering, restricting unauthorized browser and email client extensions, DMARC, blocking non-business file types, and email server anti-malware protections.
How is this Control implemented?
Email remains a core interaction tool for team members within most organizations. Organizations use SPAM (Something Posing as Mail) and malware protections at the email gateway to reduce the number of malicious emails and attachments associated with phishing. Use of Domain-based Message Authentication, Reporting, and Conformance (DMARC) helps reduce spam and phishing activity. Encryption is also used to secure email in transit and protect against “man-in-the-middle” attacks. Attachments can also introduce malware into an organization, so it is common to allow only the file types that business processes require.
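As an added example (not part of the original post), the following Python checks a published DMARC record against the intent of the DMARC Safeguard: it parses the TXT record text and flags settings that still let spoofed mail through, such as a monitoring-only `p=none`, a partial `pct`, a weaker subdomain policy, or missing aggregate reporting. The two records and the `example.invalid` mailbox are constructed samples; no DNS lookup is performed.

```python
"""Evaluate a DMARC TXT record against the intent of CIS Control 09 (DMARC Safeguard).

Added example, not from the original post. Records are constructed samples; in practice
the text comes from the _dmarc.<domain> TXT record, which is not looked up here.
"""

# Constructed sample records: the weak one only monitors, the hardened one enforces.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc@example.invalid")

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are lower-cased, values trimmed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> list:
    """Return findings that leave spoofed mail deliverable or unreported; empty means enforcing."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or unexpected v tag: receivers ignore the record")
    policy = tags.get("p")
    if policy not in ENFORCING:
        findings.append(f"p={policy}: monitoring only, spoofed mail is still delivered")
    # pct defaults to 100; a lower value lets a share of failing mail through unfiltered.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    # sp defaults to p; an explicit weaker subdomain policy is a common gap.
    if tags.get("sp", policy) not in ENFORCING:
        findings.append(f"sp={tags.get('sp', policy)}: subdomains remain unprotected")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports (the 'Reporting' in DMARC) are not collected")
    return findings
```

Running `evaluate_dmarc(WEAK_RECORD)` returns two findings (the `p=none` policy and the subdomain policy it implies), while the hardened record returns none.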
Web Browsers - Attackers are able to exploit web browsers in multiple ways, including developing malicious webpages, targeting common third-party plugins, and seeking out browsers that have not been patched or updated. Organizations should harden browsers to reduce the ability of users to install untrusted add-ons/plugins/extensions and to prevent specific types of content from executing automatically.
Fortunately, most popular browsers reference a database of phishing and malware sites to protect against the most common threats. Organizations must enable these content filters and turn on pop-up blockers, since pop-ups can also host embedded malware. DNS filtering services should also be used to block access to known malicious sites and domains at the network level.
Key Reminder(s)
Email and web browsing have benefited organizations with the ability to communicate with entities outside of the organization. Organizations MUST put safeguards into place against attackers who focus on gaining unauthorized access with malicious code and social engineering. In addition to the tools and configurations mentioned, Security Awareness and Skills Training covered in CIS Control 14 is just as important as the technical safeguards.
In the next post, we will look at Control 10: Malware Defenses. If you enjoyed this post, please Like and Share!
Contact Temples Consulting (a CIS SecureSuite Partner) to schedule a no-cost consultation for Email and Web Browser Protections using the latest CIS Benchmarks.
#cybersecurity #security #infosec #informationsecurity #riskmanagement #ciscontrols #cissecuresuite #safeguards #ciscontrolsv8 #templesconsultinggroup #security #clarity #delivery #riskassessment #riskremediation #risk2remediation #software #cyber #governance #GRC #implementations #dataprotection #datasecurity #phishing #vishing #smishing