
CIS Control 9: Email and Web Browser Protections

The Center for Internet Security (CIS) publishes Critical Security Controls that help organizations improve cybersecurity. CIS Control 9 covers protections for email and web browsers.

Attackers target email and web browsers with several types of attacks. Some of the most popular are social engineering attacks, such as phishing. Social engineering attempts to manipulate people into exposing sensitive data, providing access to restricted systems or spreading malware. Techniques include attaching a file containing ransomware to an email that purports to be from a reputable source, or including a link that appears to lead to a legitimate website but actually points to a malicious site that enables the hacker to collect valuable information, such as the user’s account credentials. Certain features of email clients can leave them particularly vulnerable, and successful attacks can enable hackers to breach your network and compromise your systems, applications and data.

Note that CIS renumbered its controls in version 8. In previous versions, email and web browser protections were covered in Control 7; they are now in Control 9.

This article explains the seven safeguards in CIS Control 9.

9.1 Ensure Use of Only Fully Supported Browsers and Email Clients

To reduce the risk of security incidents, ensure that only fully supported browsers and email clients are used throughout the organization. In addition, both browsers and email client software should promptly be updated to the latest version, since older versions can have security gaps that increase the risk of breaches. Moreover, make sure browsers and email clients have a secure configuration designed for maximum protection.

These practices should be included in your security and technology policy.

9.2 Use DNS Filtering Services

The Domain Name System (DNS) enables web users to specify a friendly domain name (www.name.com) instead of a complex numeric IP address. DNS filtering services help prevent your users from locating and accessing malicious domains or websites that could infect your network with viruses and malware. For example, when a user follows a malicious link in a phishing email or in a blog post read in a browser, the filtering service automatically blocks any website on its filtering list, protecting your business.

DNS filtering can also block websites that are inappropriate for work, helping you improve productivity, avoid storing useless or dangerous files that users might download, and reduce legal liability.

DNS filtering can happen at the router level, through an ISP or through a third-party web filtering service like a cloud service provider. DNS filtering can be applied to individual IP addresses or entire blocks of IP addresses.

9.3 Maintain and Enforce Network-Based URL Filters

Supplement DNS filtering with network-based URL filters to further prevent enterprise assets from connecting to malicious or otherwise unwanted websites. Be sure to implement filters on all enterprise assets for maximum protection.

Network-based URL filtering takes place between the server and the device. Organizations can implement this control by creating URL profiles or categories according to which traffic will be allowed or blocked. The most commonly used filters are based on website category, reputation or blocklists.
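To make the difference between the two layers concrete, here is an added example (written for this article, not code from CIS or any filtering vendor) that models both safeguards 9.2 and 9.3 as policy decisions. The domain lists, category feed and hostnames are constructed placeholders. The DNS layer matches a name and all of its parent domains against an allowlist, a blocklist and a category feed; the URL layer runs on the full request and therefore also catches what DNS filtering never sees, such as raw IP literals (no lookup takes place) and a userinfo trick like `http://bank.example@malicious.example/`, where the real host is the part after the `@`.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample policy data; a real deployment would pull these from
# the filtering vendor's feeds. All domains below are placeholders.
ALLOWED_DOMAINS = {"intranet.corp.example"}
BLOCKED_DOMAINS = {"malicious.example", "tracker.example"}
BLOCKED_CATEGORIES = {"malware", "gambling"}
CATEGORY_FEED = {
    "casino.example": "gambling",
    "dropper.example": "malware",
    "news.example": "news",
}


def parent_domains(host):
    """Return host and each parent domain, most specific first.

    'a.b.example' -> ['a.b.example', 'b.example', 'example'], so a rule on
    'b.example' also covers every name beneath it.
    """
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def dns_decision(host):
    """Decide whether a DNS lookup for host should be answered (safeguard 9.2)."""
    host = host.rstrip(".").lower()
    candidates = parent_domains(host)
    # Explicit allowlist entries win, so a business-critical name is never
    # caught by an over-broad category rule.
    for name in candidates:
        if name in ALLOWED_DOMAINS:
            return "allow", f"allowlisted: {name}"
    for name in candidates:
        if name in BLOCKED_DOMAINS:
            return "block", f"blocklisted domain: {name}"
        category = CATEGORY_FEED.get(name)
        if category in BLOCKED_CATEGORIES:
            return "block", f"blocked category {category}: {name}"
    return "allow", "no matching rule"


def url_decision(url):
    """Decide whether an HTTP(S) request should be allowed (safeguard 9.3).

    The URL filter sees the whole request, so it handles cases the DNS
    layer cannot: raw IP literals and userinfo tricks in the authority.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "block", f"unsupported scheme: {parts.scheme or '(none)'}"
    host = parts.hostname  # urlsplit already discards any user@ prefix
    if not host:
        return "block", "no host in URL"
    try:
        ip_address(host)
        return "block", "raw IP literal bypasses DNS filtering"
    except ValueError:
        pass  # not an IP literal; fall through to the domain rules
    verdict, reason = dns_decision(host)
    if verdict == "block":
        return verdict, reason
    return "allow", f"host {host} permitted"


if __name__ == "__main__":
    for u in ("https://news.example/article",
              "http://bank.example@malicious.example/login",
              "http://203.0.113.5/"):
        print(u, "->", url_decision(u))
```

Note that the allowlist check runs before the category check on purpose: a category feed is coarse, and the one thing worse than a missed block is silently breaking a line-of-business site.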

9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions

Prevent users from installing any unnecessary or unauthorized extension, plugin or add-on for their browsers or email clients, since these are often used by cybercriminals to get access to corporate systems. In addition, regularly look for any of these items in your network and promptly uninstall or disable them.

9.5 Implement DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) helps email senders and receivers determine whether an email message actually originated from the purported sender, and it can provide instructions for handling fraudulent emails.

DMARC protects your organization by ensuring that email is properly authenticated using the DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) standards. In particular, it helps prevent spoofing of the From address in the email header, protecting users from receiving malicious emails.

DMARC is particularly valuable in sectors hard-hit by phishing attacks, such as financial institutions. It can help with increasing consumer trust, since email recipients can better trust the sender. And organizations that rely on email for marketing and communication can see better delivery rates.
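The part of DMARC that trips people up is alignment: SPF or DKIM passing is not enough, the domain that passed must also match the header From domain. The following added example (not from the article, CIS, or any mail product) parses a DMARC TXT record and evaluates one message's SPF and DKIM results against it, returning the disposition a receiver would apply. The record and the domains are constructed, and `organizational_domain` is a deliberate simplification that takes the last two labels; a real evaluator uses the Public Suffix List. It also assumes the record was published at the organizational domain, which is why `sp=` applies to subdomains.

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a tag dict.

    Rejects anything that is not v=DMARC1 or lacks the mandatory p= tag,
    and fills in the relaxed alignment defaults.
    """
    tags = {}
    for chunk in txt.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError(f"malformed tag: {chunk!r}")
        key, value = chunk.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplification for this example: last two labels only.
    Real evaluators consult the Public Suffix List so that names such
    as example.co.uk are handled correctly."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    only needs the same organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return alignment results, the DMARC verdict and the disposition.

    spf_domain is the domain SPF was checked against (MAIL FROM);
    dkim_domain is the d= value of a verified signature, or None.
    """
    tags = parse_dmarc_record(record)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags["adkim"]))
    passed = spf_ok or dkim_ok
    # The record is assumed to come from the organizational domain, so a
    # subdomain in From: is governed by sp= when present, else by p=.
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


# Constructed record for the examples below (example.com is a documentation domain).
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                "rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    # Legitimate mail: SPF passed for a bounce subdomain, relaxed alignment holds.
    print(evaluate_dmarc("example.com", DMARC_RECORD, "pass", "bounce.example.com", "none", None))
    # Spoofed From: SPF passed, but for the attacker's own domain.
    print(evaluate_dmarc("example.com", DMARC_RECORD, "pass", "attacker.example", "none", None))
```

The second call is the case DMARC exists for: SPF is a clean pass, because the attacker's own domain authorizes their server, yet the message still fails because nothing that passed is aligned with the From domain.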

9.6 Block Unnecessary File Types

Blocking file types that your organization does not use can further protect your business. Which file types to block depends on the types of files your teams typically use. Executable files are the riskiest because they can contain harmful code; commonly cited file types to block include exe, xml, js, docm and xps.

Using an allowlist that lists approved filetypes will block any file type that isn’t on the list. For the best protection, use blocking techniques that prevent emails with attachments that have unwanted file types from even reaching the inbox, so users don’t even have the chance to open the file and allow malicious code to execute.
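An allowlist is only as good as the name parsing behind it, so here is an added example (written for this article, not code from CIS or any mail gateway) of a server-side attachment check. The allowlist and the sample attachments are constructed. Beyond the plain extension lookup it handles the three tricks a practitioner will see in the wild: double extensions like `invoice.pdf.exe` (only the final extension matters), a Unicode right-to-left override that makes `report\u202efdp.exe` display as `reportexe.pdf`, and a file whose extension is allowed but whose leading bytes say it is an executable. Messages with any blocked attachment are held, so the user never gets the chance to open the file.

```python
import unicodedata

# Constructed allowlist: the formats this business actually exchanges.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "png", "jpg", "txt"}

# Leading bytes expected for allowlisted formats, so a renamed file is
# caught even though its extension is permitted. docx/xlsx are ZIP files.
EXPECTED_MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
}

# Leading bytes of native executables, blocked whatever the name claims.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}

BIDI_CONTROLS = {"RLO", "LRO", "RLE", "LRE", "PDF", "RLI", "LRI", "FSI", "PDI"}


def has_bidi_override(name):
    """Bidirectional control characters let a name render differently from
    how it is stored; a legitimate attachment name has no use for them."""
    return any(unicodedata.bidirectional(ch) in BIDI_CONTROLS for ch in name)


def final_extension(filename):
    """Lower-cased text after the last dot, ignoring the trailing dots and
    spaces Windows strips on save ('run.exe.' -> 'exe'). Returns '' when
    there is no extension (README, .bashrc)."""
    name = filename.strip().rstrip(". ").lower()
    root, sep, ext = name.rpartition(".")
    if not sep or not root:
        return ""
    return ext


def check_attachment(filename, content):
    """Return (verdict, reason) for one attachment; verdict is allow/block."""
    if has_bidi_override(filename):
        return "block", "bidirectional override character in filename"
    ext = final_extension(filename)
    if not ext:
        return "block", "no file extension"
    if ext not in ALLOWED_EXTENSIONS:
        # Also catches double extensions such as invoice.pdf.exe, because
        # only the final extension decides what the OS will run.
        return "block", f".{ext} is not on the allowlist"
    for magic, kind in EXECUTABLE_MAGIC.items():
        if content.startswith(magic):
            return "block", f"{kind} disguised as .{ext}"
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not content.startswith(expected):
        return "block", f"content does not match .{ext}"
    return "allow", f".{ext} on allowlist, content consistent"


def filter_message(attachments):
    """Check every (name, bytes) attachment of one message. The whole message
    is quarantined if any attachment is blocked, so nothing reaches the inbox."""
    findings = [(name, *check_attachment(name, data)) for name, data in attachments]
    blocked = [f for f in findings if f[1] == "block"]
    return ("quarantine" if blocked else "deliver"), findings


if __name__ == "__main__":
    # Constructed sample message: one benign text file, one renamed executable.
    sample = [("notes.txt", b"meeting at 10"), ("photo.png", b"MZ\x90\x00\x03")]
    print(filter_message(sample))
```

The magic-byte check is intentionally narrow: it proves a file is not what its name says, not that it is safe. Scanning the content for malware is the separate job covered in safeguard 9.7.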

9.7 Deploy and Maintain Email Server Anti-Malware Protections

Deploy email server anti-malware protections to add a security layer on the server side for emails — if any malicious attachments somehow make it through your file type blocking and domain filtering, they can be stopped at the server.

There are multiple email server anti-malware protections enterprises can deploy. For instance, attachment scanning, which is often provided by anti-virus and anti-malware software, scans every email file attachment and notifies the user if the file has any malicious content. Sandboxing involves creating a test environment to see if a URL or file is safe; this strategy is particularly valuable for protecting against new threats. Other protection measures include solutions provided by web hosts and internet service providers (ISPs).

Of course, organizations should keep their email server protection solutions patched and updated.

Summary

Email clients and web browsers are essential to many business operations, but they are quite vulnerable to cyber threats. CIS Control 9 outlines safeguards that any organization can implement to protect itself against the increasing flood of malicious attacks targeting websites and emails. The main steps involve securing email servers and web browsers with filters that block malicious URLs, file types and so on, and managing those controls effectively. Implementing these measures can help ensure better cybersecurity.

In addition, users should receive training on security best practices. With phishing attacks becoming more frequent and sophisticated, organization-wide education can help increase protection significantly.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.