Budgetless CIS Top 20 Control 7: Email and Web Browser Protections

Summary: Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

Obviously, web browsers and email clients are very common points of attack and network entry. They are basically the means for users to communicate with untrusted environments. For this, since there are 10 subcontrols, I’ll go through them individually for this control.

7.1 – Ensure Use of Only Fully Supported Browsers and Email Clients – So, this is far easier if you have a good handle on Control 2, the software inventory. An up to date software inventory will ensure you have the latest version of both, and if you are using one of the ones I referenced in Control 2, they will alert you if someone is using an unsupported one.

7.2 – Disable Unnecessary or Unauthorized Browser or Email Client Plugins – Same as above, make sure your Control 2 software inventory picks up browser and email plugins too and set it to alert on unauthorized ones.

7.3 Limit Use of Scripting Languages in Web Browsers and Email Clients – Notice it says limit and not disable. Disabling would break a ton of sites, my recommendation is to use Group Policy, you can download the ADM files from Google so you can set group policy settings for Chrome and mirror those settings for IE11 (if you have to use that) and/or Edge.

7.4/7.5 – Maintain and Enforce Network-Based URL Filters / Subscribe to URL-Categorization Service – I’m grouping these together because from a first-pass, good start for most organizations these are probably going to be handled by the same tool. Not budgetless, but hopefully this is an included service that can be configured on your firewall. If you don’t use split-brain VPN, then at least they will still be filtered when on VPN. To do this fully, you’d need a host-based firewall, so that’s why I say for now, start with just configuring it on your firewall. If you can’t do it on the firewall, I’ve used Untangle in the past and it was fine and I know a couple people using PfSense with some success.

7.6 – Log all URL requests from every system – Again, all these should go through your firewall, and as a first pass, be sure you log all of them there and ship those logs to your syslog server.

7.7 – Use of DNS Filtering Services – Hopefully this is also included in your firewall services like web filtering. If not, Comodo Dome and Quad9 can help you fulfill this one.

7.8 – Implement DMARC and Enable ReceiverSide Verification – This is pretty simple, basically just setting up DMARC, SPF, and DKIM for your domains. This is a good article detailing what they do and how to implement them.

7.9 – Block Unnecessary File Types in email – Outlook blocks several bad ones by default, otherwise, your firewall or email filter should be able to block alot more, this is just ensuring you do the best practice of turning that feature on and configuring it. If neither of those are options, your AV software might be able to do this as well.

7.10 Sandbox All Email Attachments – Unless this is included in your spam filtering software, then this is the biggest item in this control that you’ll have to shelf until you get some budget. But odds are, if you are using a good firewall, group policies and software inventory, and have DNS set up properly for email, then you’ve met 9/10 of these and are pretty secure in this control.

Onto to Control 8…