9: Email and Web Browser Protections
Threats Addressed:
Control Statement
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Subcontrols
9.1: Ensure Use of Only Fully Supported Browsers and Email Clients
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
9.2: Use DNS Filtering Services
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
9.3: Maintain and Enforce Network-Based URL Filters
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
9.4: Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.
9.5: Implement DMARC
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
9.6: Block Unnecessary File Types
Block unnecessary file types attempting to enter the enterprise's email gateway.
9.7: Deploy and Maintain Email Server Anti-Malware Protections
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.