7: Email and Web Browser Protections

Control Statement

Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]

Subcontrols

7.4: Maintain and Enforce Network-Based URL Filters

Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

7.5: Subscribe to URL-Categorization Service

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

7.6: Log All URL Requests

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

7.8: Implement DMARC and Enable Receiver-Side Verification

To lower the chance of spoofed or modified emails from valid domains, implement a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards.
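The receiver-side half of 7.8 is the part that actually stops a spoofed message: the receiving gateway fetches the sender domain's DMARC record, checks whether the SPF or DKIM result is aligned with the RFC5322.From domain, and applies the published policy on failure. The following is an added worked example, not code from the CIS control text or from any DMARC library. It parses a DMARC record, implements strict and relaxed identifier alignment as RFC 7489 defines them, and falls back to the organizational domain's sp= policy for subdomains. The DNS records are a constructed in-memory table standing in for a resolver, and the organizational-domain derivation is simplified to the last two labels (a real receiver consults the Public Suffix List so that co.uk-style suffixes are handled).

```python
"""Receiver-side DMARC evaluation (RFC 7489), added example.

The DNS table and message identities below are constructed for
illustration; nothing here queries the network.
"""

# Constructed DNS TXT records standing in for a resolver lookup.
FAKE_DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; "
                          "aspf=r; rua=mailto:dmarc@example.com; pct=100",
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, filling RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record missing required p= tag")
    tags.setdefault("adkim", "r")        # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")         # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])     # subdomain policy inherits p=
    return tags


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real receivers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match; 'r' accepts any
    domain sharing the From: organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def dmarc_verdict(from_domain, spf_pass_domain, dkim_pass_domains,
                  lookup=FAKE_DNS_TXT.get):
    """Return (result, policy_to_apply).

    spf_pass_domain: the MAIL FROM domain if SPF returned pass, else None.
    dkim_pass_domains: d= domains of every DKIM signature that verified.
    DMARC passes when at least one passing mechanism is aligned.
    """
    policy_domain = from_domain.lower()
    record = lookup(f"_dmarc.{policy_domain}")
    if record is None:
        # No record at the exact From: domain: fall back to the
        # organizational domain, whose sp= tag then governs.
        policy_domain = organizational_domain(from_domain)
        record = lookup(f"_dmarc.{policy_domain}")
        if record is None:
            return ("none", "none")   # domain publishes no DMARC policy
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(
        from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = any(aligned(from_domain, d, tags["adkim"])
                  for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    policy = tags["p"] if policy_domain == from_domain.lower() else tags["sp"]
    return ("fail", policy)


if __name__ == "__main__":
    # Spoof attempt: From: example.com, but SPF/DKIM only pass for attacker.net
    print(dmarc_verdict("example.com", "attacker.net", ["attacker.net"]))
```

The adkim=s line in the constructed record is deliberate: a DKIM signature with d=mail.example.com verifies cryptographically but does not pass strict alignment for a From: of example.com, while the same domain as an SPF MAIL FROM passes under aspf=r. Verification alone is not the control; alignment with the visible From: domain is.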

7.9: Block Unnecessary File Types

Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
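A gateway filter that matches only the declared extension is easy to evade: the attacker renames payload.exe to report.txt, or wraps it in a ZIP. As an added example (not from the CIS control text and not any vendor's gateway code), the filter below blocks on a constructed extension list, on leading magic bytes that identify executables regardless of name, and on members of ZIP attachments, refusing archives it cannot inspect (encrypted, oversized or nested too deep). The blocklist, size limits and sample attachments are constructed for illustration; a production list follows the organization's own business needs.

```python
"""Attachment gateway filter: block by file type, not just by name.
Added example; blocklist, limits and samples are constructed."""
import io
import posixpath
import zipfile

# Constructed blocklist of extensions this example organization never
# needs to receive by email.
BLOCKED_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "msi",
    "js", "jse", "vbs", "vbe", "wsf", "hta",
    "bat", "cmd", "ps1", "iso", "img", "lnk",
}

# Leading bytes that mark executables even when the name is benign.
MAGIC_SIGNATURES = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
}
ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # assumed cap against zip bombs
MAX_ARCHIVE_DEPTH = 2                 # assumed nesting limit


def extension_of(filename):
    """Final suffix only, lower-cased: 'invoice.pdf.exe' -> 'exe'."""
    name = posixpath.basename(filename.replace("\\", "/"))
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def classify(filename, data, depth=0):
    """Return a reason string if the attachment must be blocked, else None."""
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension .{ext}"
    for magic, kind in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return f"content is {kind} despite name {filename}"
    if data.startswith(ZIP_MAGIC):
        if depth >= MAX_ARCHIVE_DEPTH:
            return "archive nesting too deep to inspect"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:     # encrypted member
                        return f"encrypted archive member {info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        return f"archive member {info.filename} too large"
                    reason = classify(info.filename, zf.read(info), depth + 1)
                    if reason:
                        return f"archive member {info.filename}: {reason}"
        except zipfile.BadZipFile:
            return "corrupt archive"
    return None


def build_sample_zip(members):
    """Construct an in-memory ZIP from {name: bytes} for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "report.pdf": b"%PDF-1.4 constructed sample",
        "invoice.pdf.exe": b"MZ\x90\x00",
        "notes.txt": b"MZ\x90\x00",
        "docs.zip": build_sample_zip({"readme.txt": b"hi", "run.scr": b"MZ\x90"}),
    }
    for name, data in samples.items():
        print(f"{name}: {classify(name, data) or 'allowed'}")
```

Renamed executables and archived payloads are the two common evasions of an extension-only rule; blocking what the gateway cannot inspect (encrypted archives in particular) is a deliberate trade-off that needs a documented exception path for legitimate senders.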