Control Summary
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

Why is it needed?
Web browsers and email clients serve as exceedingly common entry points for attackers because they engage directly with users within an enterprise. Crafted content can be used to lure or deceive users into revealing their credentials, sharing sensitive information, or giving attackers an unhindered pathway into the environment, thereby raising the overall risk to the enterprise.
Given that email and web platforms constitute the primary avenues through which users interact with external and untrusted environments, they stand as prime targets for malicious code and social engineering tactics. Moreover, as enterprises increasingly shift toward web-based email solutions or embrace mobile email access, users are gradually moving away from traditional full-featured email clients. These full-featured clients offer embedded security controls such as connection encryption, robust authentication mechanisms, and phishing reporting mechanisms. Consequently, the absence of these security features heightens the vulnerability of email and web platforms to cyber threats.
Implementing the Control
CIS Control 9 focuses on implementing safeguards against email and web browser attacks.
Implementation Group 1 requires the following two safeguards:
9.1 Ensure Use of Only Fully Supported Browsers and Email Clients
Permit only fully supported web browsers and email clients to operate within the enterprise, utilising the most recent versions provided directly by the vendor.
9.2 Use DNS Filtering Services
Browsers and email clients should be from a trusted vendor, with DNS filtering in place to block malicious domains. A more advanced safeguard that builds on DNS filtering is the maintenance and enforcement of network-based URL filters. These can be configured in various ways, such as category-based filtering or block lists, allowing businesses to decide what is relevant for them.
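The following policy evaluator models the two configuration styles just described (category-based filtering and explicit block lists) so the decision logic can be tested offline; it is an added example, not CIS or vendor material, and the domains, categories and lists it uses are constructed for illustration.

```python
"""Evaluate DNS / URL filtering decisions (added example, constructed data)."""
from urllib.parse import urlparse

# Constructed category map, as a DNS filtering service would supply it.
CATEGORIES = {
    "update.example-vendor.com": "software-updates",
    "news.example.org": "news",
    "bad-phish.example.net": "phishing",
}
BLOCKED_CATEGORIES = {"phishing", "malware"}
BLOCK_LIST = {"evil.example"}                # explicit block list (constructed)
ALLOW_LIST = {"update.example-vendor.com"}  # explicit exceptions take precedence


def _host(target: str) -> str:
    """Normalise a bare domain or full URL to a lowercase hostname."""
    if "://" not in target:
        target = "//" + target  # let urlparse treat a bare name as a netloc
    host = urlparse(target).hostname or ""
    return host.rstrip(".").lower()


def _parents(host: str):
    """Yield the host and each parent domain, e.g. a.b.c -> a.b.c, b.c, c."""
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(target: str) -> tuple[str, str]:
    """Return (verdict, reason) for a domain or URL.

    Order: allow list, then block list and blocked categories (matching the
    host or any parent domain), then allow with the category seen, if any.
    """
    host = _host(target)
    for name in _parents(host):
        if name in ALLOW_LIST:
            return "allow", f"allow-list:{name}"
    category = None
    for name in _parents(host):
        if name in BLOCK_LIST:
            return "block", f"block-list:{name}"
        cat = CATEGORIES.get(name)
        if cat in BLOCKED_CATEGORIES:
            return "block", f"category:{cat}"
        category = category or cat
    return "allow", f"category:{category}" if category else "uncategorised"
```

Note that a subdomain of a blocked domain (for example a login host under a block-listed apex) is blocked by the parent-domain walk, and an allow-list entry wins even when its parent is categorised as blocked.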
Additional safeguards at Implementation Group 2 or 3:
9.3 Maintain and Enforce Network-Based URL Filters
9.4 Restrict Unnecessary or Unauthorised Browser and Email Client Extensions
9.5 Implement DMARC
9.6 Block Unnecessary File Types
9.7 Deploy and Maintain Email Server Anti-Malware Protections
