7.1: Ensure Use of Only Fully Supported Browsers and Email Clients

Sub-control 7.1 states that you must ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

Asset Type: Application
Security Function: Protect
Implementation Groups: 1, 2, 3

Dependencies

  • Sub-control 2.1: Maintain Inventory of Authorized Software

Inputs

  1. Software Inventory: From the authorized software list (ASL: sub-control 2.1), the inventory of web browser and email client software. Each entry should have a notation indicating whether the software is “supported” or “unsupported”.

  2. Authoritative source of information: Access to an authoritative source of information indicating supported/unsupported details by product.

Operations

  1. For each entry in I1, perform a lookup in I2 to verify its support status.

  2. For each entry in I1 labeled “supported”, perform a lookup in I2. From these lookups, note the authorized software labeled “supported” that is actually not supported according to the authoritative source.

  3. For each entry in I1 labeled “unsupported”, perform a lookup in I2. From these lookups, note the authorized software labeled “unsupported” that is actually supported according to the authoritative source.

  4. (Optional) Organizations can use Tenable Security Center to identify specific details about applications, using the same techniques previously used in sub-control 2. For example, if we wanted to identify endpoints that have Firefox installed, we would filter on pluginID = 20811 with Vulnerability Text = Firefox, and we would get results similar to the screenshot below, which lists all hosts that have Firefox installed.

    If we wanted to drill down into these results further and specifically identify Firefox vulnerabilities, we could use a filter of Vulnerability Text = Firefox and either leave the severity unset (No Severity) or choose a specific Severity to filter on, as shown in the example below.

Measures

Measure Definition
M1 = List of unsupported items in I1

A combination of Operation 1 results and the software initially marked as unsupported in I1. This can be pulled from the list of applications/software in sub-control 2.1 that are identified as email or web browsers.

M2 = Count of items in M1

A count of the total number of items in M1.

M3 = List of authorized web browser/email client software

An organizational list of supported/authorized web browsers/email clients.

M4 = Count of items in M3

A count of the total number of items in M3.

M5 = List of items from I1 labeled as “supported” that are not actually supported

A list of items from I1 labeled as “supported” but that are not actually supported. This can be pulled from sub-control 2.1.

M6 = Count of items in M5

A count of the total number of items in M5.

M7 = List of items from I1 labeled as “unsupported” but are actually supported

A list of items from I1 labeled as “unsupported” but that are actually supported. This can be pulled from sub-control 2.1.

M8 = Count of items in M7

A count of the total number of items in M7.

Metrics

Percentage of Unsupported Web Browser/Email Client Software in Use

Metric Calculation

This metric is the ratio of unsupported web browser/email client software to the total authorized web browser/email client software in use:

(M4 - M2) / M4

Rate of False Positives

Metric Calculation

This metric is the ratio of web browser/email client software labeled “supported” but found to be unsupported, to the total authorized web browser/email client software in use:

(M4 - M6) / M4

Rate of False Negatives

Metric Calculation

This metric is the ratio of web browser/email client software labeled “unsupported” but found to be supported, to the total authorized web browser/email client software in use:

(M4 - M8) / M4
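The Operations, Measures and Metrics above can be carried out mechanically once the browser/email-client slice of the ASL (I1) and the authoritative support source (I2) are in hand. The following is an added example, not part of the CIS document or of any vendor tooling: the inventory entries, product names, versions, labels and the authoritative support list are all constructed sample data, and the metric formulas are applied exactly as stated on the page.

```python
"""Reconcile a browser/email-client inventory (I1) against an authoritative
support source (I2), producing measures M1-M8 and the three metrics.
Constructed sample data throughout; a real run would load the ASL
(sub-control 2.1) and a vendor lifecycle feed instead."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AslEntry:
    product: str
    version: str
    label: str  # "supported" or "unsupported", as recorded in the ASL (I1)


# I2 (constructed): product -> versions the vendor still supports.
AUTHORITATIVE = {
    "ExampleBrowser": {"120", "121"},
    "ExampleMail": {"7.3"},
}

# I1 (constructed): browser/email-client slice of the authorized software list.
INVENTORY = [
    AslEntry("ExampleBrowser", "121", "supported"),
    AslEntry("ExampleBrowser", "120", "supported"),
    AslEntry("ExampleBrowser", "115", "supported"),   # labeled supported, actually EOL
    AslEntry("ExampleMail", "7.3", "unsupported"),    # labeled unsupported, actually supported
    AslEntry("ExampleMail", "6.0", "unsupported"),
]


def is_supported(entry, source):
    """Operation 1: look the entry up in I2. A product absent from the
    authoritative source is treated as unsupported (conservative assumption)."""
    return entry.version in source.get(entry.product, set())


def measures(inventory, source):
    """Operations 1-3 over I1, returning measures M1-M8 keyed by name."""
    m1 = [e for e in inventory if not is_supported(e, source)]  # M1: actually unsupported
    m3 = list(inventory)                                        # M3: authorized list
    m5 = [e for e in inventory if e.label == "supported" and not is_supported(e, source)]
    m7 = [e for e in inventory if e.label == "unsupported" and is_supported(e, source)]
    return {"M1": m1, "M2": len(m1), "M3": m3, "M4": len(m3),
            "M5": m5, "M6": len(m5), "M7": m7, "M8": len(m7)}


def metrics(m):
    """The three metrics, using the formulas exactly as the document states them."""
    m4 = m["M4"]
    if m4 == 0:
        raise ValueError("no authorized browsers/email clients in M3; metrics undefined")
    return {"percentage_unsupported": (m4 - m["M2"]) / m4,
            "rate_of_false_positives": (m4 - m["M6"]) / m4,
            "rate_of_false_negatives": (m4 - m["M8"]) / m4}
```

The M5 and M7 lists are the ones worth acting on: M5 entries are being run under a "supported" label that the authoritative source does not back, and M7 entries indicate the ASL labels themselves are stale.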