Web browsers and email clients are very common points of entry for malicious code because users work with them every day. Content can be manipulated to entice users into taking actions that greatly increase risk, resulting in loss of data and other attacks. Controlling the use of browsers and having a defined list is critical. CIS Control #7 addresses several key points in protecting an organization’s environment and provides recommendations to mitigate risks. While some of the controls may seem too restrictive for an organization’s needs, most are clearly necessary, and implementing them will ensure a more robust cybersecurity blueprint.

Web browsers

An organization’s browser, the portal to the internet, is also the first line of defense against malware threats. Minimizing attack vectors should be the number one goal: ensure that only fully supported web browsers are allowed to execute, and deploy updates. Obviously, as much as possible, updates should happen as soon as they become available, and a formal written policy should be developed addressing user behavior.
At times it can be difficult to control the sites users access. Enforcing a network-based URL filter that limits the system’s ability to connect to websites not approved by the organization will help to manage this risk.
Keep in mind that when vulnerabilities in the browser itself are not available, attackers also target common web browser plugins that may allow them to hook into the browser or directly into the operating system. To mitigate this risk, uninstall or disable any unauthorized browser plugins or add-on applications.

Email

An e-mail security program needs to provide confidentiality, data origin authentication, message integrity, and nonrepudiation of origin. CSC #7 provides several recommendations to help ensure email security. Using a spam filtering tool will aid in reducing malicious emails that come into the network. Deploying the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol will ensure that legitimate email is properly authenticated against established SPF (Sender Policy Framework) standards. Fraudulent activity appearing to come from the organization’s domains is blocked. Installing an encryption tool to secure email and communication adds another layer of security for users and the network.
JavaScript is not necessary in email, and it is riskier than it is in browsers, since it will run as soon as the user opens a message. All scripting languages should be disabled in the mail client. The Control also recommends a specific form of mail filtering: scanning attachments for malicious code and unnecessary file types (such as .EXE). If end users do not even receive dangerous attachments in their mailboxes, they are not exposed to the dangers inherent in them.
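The attachment filtering described above, sketched as an added example that is not part of the original article or of the CIS Control text: it strips attachments by file extension and also catches an executable hidden behind a harmless name. The extension list beyond .EXE, the function names and the sample message are assumptions made for illustration.

```python
# Added example: block-list attachment filter for inbound mail (illustrative).
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumption: list chosen for this example; the article names only .EXE.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # first two bytes of a Windows executable (DOS/PE header)


def blocked_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment that should be stripped."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        # Check every suffix so "invoice.pdf.exe" and "setup.exe.txt" both match.
        suffixes = {s.lower() for s in PurePosixPath(name).suffixes}
        hit = suffixes & BLOCKED_EXTENSIONS
        if hit:
            findings.append((name, f"blocked extension {sorted(hit)[0]}"))
        elif payload.startswith(PE_MAGIC):
            # Renamed executable: the content is PE even though the name is not.
            findings.append((name, "executable content behind harmless name"))
    return findings


def build_sample() -> bytes:
    """Constructed test message with three attachments (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.7 sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 sample", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00 sample", maintype="application",
                       subtype="pdf", filename="scan.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in blocked_attachments(build_sample()):
        print(f"strip {filename}: {reason}")
```

The content check matters because a name-only filter passes `scan.pdf` untouched; in production the same decision would normally be made at the mail gateway before delivery.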
Spoofed messages are dangerous because they can create a false sense of trust. Employees are more likely to respond to a message that seems to come from someone they know. The SPF standards guard against this by checking if messages are coming from a mail server that is authorized to use the sender’s address. While the CIS specifically recommends SPF, other protocols such as DKIM work well with it, and implementing both is advisable.

Organizational issues

Implementing this control should be neither very disruptive nor very difficult. In a security-focused organization, end users are typically not allowed to install their own software, and updates are deployed as soon as they are available by the authorized department. Software needs to be kept up to date in general, and Web browsers and mail clients will be part of this practice. Administrators should also restrict and monitor the use of plugins. At times there might be special work requirements that involve a plugin; such requests should go through the administrator for approval.
The simple rule to follow when implementing this control is, “Make it simple for the users or they will find a way around it.” Increasing complexity or the effort users have to put in often leads to privilege misuse or other methods to defeat the controls. It is worth mentioning that human error is still the major cause of most breaches and incidents. Overall, implementing this control provides a large improvement in safety for relatively little effort.