Today, I will be going over Control 7 from version 7 of the CIS top 20 Critical Security Controls – Email and Web Browser Protections. I will go through the 10 requirements and offer my thoughts on what I’ve found.


Key Takeaways for Control 7

  • Why not block images from emails? Embedded single-pixel tracking images can be a way for attackers (or, at the very least, marketing teams) to gain insight into employees' activity. Malicious images embedded in or loaded from external sites can also be an attack vector. Consider disabling auto-loading of images in emails and requiring users to click a button to see the fancy graphics.
  • Leverage hardening benchmarks. Since CIS has hardening guidelines for Exchange and Office Suites, I am surprised leveraging those isn’t called out in control 7. Even though “software” is covered under Control 5, be aware that Exchange and Office both have hardening templates available from CIS and DISA.
  • This control will take time. There are a lot of ambiguous requirements in control 7 that will require the implementer to create their own list of what is good versus bad. Start with baselines and work towards validating them as you are also monitoring for change.
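To make the first takeaway concrete, here is an added example (not code from the original post) that parses a raw email with Python's standard library, walks its HTML part, and flags the kinds of images the post warns about: remote images, remote 1x1 or hidden images that behave as tracking pixels, and inline attachments referenced by Content-ID. The sample message and hostnames are constructed for the demo.

```python
"""Flag remote and tracking-pixel images in an email message.

Added example, not part of the original post. It parses an RFC 822
message with the standard library, finds <img> tags in the HTML part and
reports those that load from an external host or look like tracking
pixels. SAMPLE below is a constructed message for demonstration.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # HTMLParser already lowercases attribute names; values may be None.
            self.images.append({k: (v or "") for k, v in attrs})


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 pixel ('1', '1px', ' 0 ')."""
    v = value.strip().lower().rstrip("px").strip()
    return v in ("0", "1")


def find_suspicious_images(raw_message):
    """Return a list of (reason, src) for images a defender would want to know about."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []  # plain-text only: nothing to auto-load
    parser = ImgCollector()
    parser.feed(html_part.get_content())
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        remote = urlparse(src).scheme.lower() in ("http", "https")
        tiny = _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", ""))
        hidden = "display:none" in img.get("style", "").replace(" ", "").lower()
        if remote and (tiny or hidden):
            # A remote image nobody is meant to see: its only job is to beacon.
            findings.append(("tracking-pixel", src))
        elif remote:
            # Visible, but still reveals the reader's IP/client and leaks open times.
            findings.append(("remote-image", src))
        elif src.lower().startswith("cid:"):
            # Inline attachment: no beacon, but image parsers are still attack surface.
            findings.append(("inline-attachment", src))
    return findings


# Constructed sample message (hosts are illustrative, not real).
SAMPLE = b"""From: newsletter@example.com
To: user@example.org
Subject: Monthly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello!</p>
<img src="https://tracker.example.net/open?id=123" width="1" height="1">
<img src="https://cdn.example.com/banner.png" width="600" height="120">
<img src="cid:logo@example.com" width="100" height="40">
</body></html>
"""

if __name__ == "__main__":
    for reason, src in find_suspicious_images(SAMPLE):
        print(f"{reason:18} {src}")
```

The same logic can run at a mail gateway to tag messages before delivery, or over a mailbox export to measure how much external content users would load if auto-download were left on. Blocking auto-load in the client is what actually stops the beacon; this check only shows you where it would have fired.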

Requirement Listing for Control 7

1. Ensure Use of Only Fully Supported Browsers and Email Clients

Description: Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

Notes: Just because Internet Explorer is approved doesn’t mean IE 5 should still be used. This will rely heavily on Controls 2.1 and 2.2, here focused on browsers and email clients.
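Checking this requirement is mostly a comparison between the software inventory from Controls 2.1/2.2 and an approved list with minimum versions. The following is an added example (not from the original post) of that comparison in Python; the approved list, product names, minimum versions and inventory rows are all constructed for the demo and stand in for an organization's own standard and inventory export.

```python
"""Compare a software inventory against an approved browser/email client list.

Added example, not part of the original post. APPROVED and INVENTORY are
constructed placeholders: the real approved list comes from the
organization's standard and the inventory from Controls 2.1/2.2.
"""
import re

# Constructed policy: product name -> minimum version still supported by the org.
# Anything not listed is not an approved browser or email client at all.
APPROVED = {
    "Mozilla Firefox ESR": "115.0",
    "Google Chrome": "120.0",
    "Microsoft Outlook": "16.0",
}


def parse_version(text):
    """Turn '115.3.1' or '16.0.17126.20132' into a tuple of ints for ordering."""
    return tuple(int(p) for p in re.findall(r"\d+", text)) or (0,)


def check_inventory(rows):
    """rows: iterable of (hostname, product, version).

    Returns a list of (hostname, product, version, reason) for every entry
    that is either an unapproved product or an approved product below its
    minimum version. Tuple comparison handles versions of unequal length:
    (16, 0, 17126) compares as greater than (16, 0).
    """
    violations = []
    for host, product, version in rows:
        minimum = APPROVED.get(product)
        if minimum is None:
            violations.append((host, product, version, "not an approved browser/email client"))
        elif parse_version(version) < parse_version(minimum):
            violations.append((host, product, version, f"below minimum {minimum}"))
    return violations


# Constructed inventory rows, as an asset-inventory export might produce them.
INVENTORY = [
    ("ws-001", "Google Chrome", "121.0.6167.85"),
    ("ws-002", "Google Chrome", "109.0.5414.120"),
    ("ws-003", "Internet Explorer", "11.0.9600"),
    ("ws-004", "Microsoft Outlook", "16.0.17126.20132"),
    ("ws-005", "Mozilla Firefox ESR", "115.7.0"),
]

if __name__ == "__main__":
    for host, product, version, reason in check_inventory(INVENTORY):
        print(f"{host}: {product} {version}: {reason}")
```

Run on a schedule, the violation list doubles as the change-monitoring signal the post recommends: a new product name or a version regression shows up as a new row rather than waiting for the next manual review.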

2. Disable Unnecessary or Unauthorized Browser or Email Client Plugins

Description: Uninstall or disable (Read more...)