CIS Control 7

By
3 Minutes Read

The IT Company has walked you through CIS Controls 1 through 6. Today, we have chosen to narrow in on Control 7- Email and Web Browser Protections. 

CIS Control 7 focuses on the vulnerability of email clients and web browsers due to the amount of end-user interaction.  Organizations should ensure they are running fully supported and updated email clients and web browsers in order to minimize their vulnerability.

We’ve said it once, we will say it again- your security is critical to us at The IT Company. So we feel it is important for you to know that both email and web browsers are commonly attacked entry points in the technical world. As we have talked about in many different blog posts highlight topics such as how emails can be created to look almost identical to real emails, but in actuality, may be malicious emails that can cause a plethora of different security problems. Websites have the same dangers.

CIS Control is in place to protect people and businesses from these dangers. By having CIS Control 7 in place and being executed, it monitors and ensures that only fully supported and secure web browsers are able to be accessed within the company. Coinciding with monitoring what web browsers are able to access, CIS Control 7 works “to lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail(DKIM) standards.”

Hackers are constantly advancing and creating new ways to harm businesses and people for their own gain. So nothing is ever a guarantee to fully protect you from these dangers, however CIS Control 7’s intention is to give you the strongest defense against them as possible.

With that being said, it is important to understand that CIS Control 7 is not a quick fix solution. It takes time and work on the implementers end of creating a precedence of what is considered secure verses unsecure within the company’s standards and regulations.

There are ten noted requirements for CIS Control 7.

  • Ensuring use of only fully supported browsers and email clients.
  • Disabling unnecessary or unauthorized browser or email client plugins.
  • Limiting use of scripting in languages in web browsers and email clients. 
  • Maintaining and enforcing network-based URL filters.
  • Subscribing to URL-Categorization service.
  • Logging all URL requests.
  • Using DNS filtering services. 
  • Implementing DMARC and enabling receiver-side verification.
  • Blocking unnecessary file types.
  • Sandboxing all email attachments.

Each of these noted requirements for CIS Control 7 is effective alone, however your strongest defense is in executing each of them. The IT Company has included a brief description of each of these requirements below, however as always, we’d love to provide more information on each of them to those who need it. Do not hesitate to reach out.

  1. Ensuring use of only fully supported browsers and email clients. The most important thing to remember when executing this, is to consider using the most current and updated versions of the browsers that are accessible to the company.
  2. Disabling unnecessary or unauthorized browser or email client plugins. Often times, browser extensions can have unfettered access to whatever a user enters into a web form. This can make it extremely dangerous for users. Things including credentials can be at risk. By uninstalling unauthorized browser and email plugins, it can protect you.
  3. Limiting use of scripting in languages in web browsers and email clients. By only allowing authorized scripting languages in browsers and email, it again adds a layer of protection. This step can coincide with requirement 7.
  4. Maintaining and enforcing network-based URL filters. A network-based URL should be enforced that blocks and limits users ability to access websites in which have not be included on the list of approved websites for the company specifically.
  5. Subscribing to URL-Categorization service. The sole purpose of this requirement is to ensure that the regulations are up to date with the most recent and accurate definitions of website categories.
  6. Logging all URL requests. By doing so, it helps identify potentially dangerous activity immediately.
  7. Using DNS filtering services. The strongest benefit from this requirement is that it can help block malicious domains.
  8. Implementing DMARC and enabling receiver-side verification. By implementing this, it automatically reduces the chance of spoofed emails from valid domains- which is extremely beneficial in your security.
  9. Blocking unnecessary file types. This requirement filters and blocks any emails from entering the company’s email system that contain specific file types andcould potentially be spam or malicious.
  10. Sandboxing all email attachments. This method helps block any attachments that may have malicious behavior connected to them

CIS Control 7 is one that can highly influence and protect your company’s security.  The IT Company believes this is one that companies should truly pay attention to and implement. Every CIS Control is in place in order to benefit your company’s security- so keep an eye out as The IT Company continues to highlight on each of them as a part of our blog series.