7: Email and Web Browser Protections

Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail(DKIM) standards.

Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.