CIS Control 7: Email and Web Browser Protections

The focus of this control is to minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

The CIS explains why this Control is critical:

“Web browsers and email clients are very common points of entry and attack because of their technical complexity, flexibility, and their direct interaction with users and with other systems and websites. Content can be crafted to entice or spoof users into taking actions that greatly increase risk and allow introduction of malicious code, loss of valuable data, and other attacks. Since these applications are the main means that users interact with untrusted environments, these are potential targets for both code exploitation and social engineering.”

With CIS Control 7, the journey of implementing the CIS Controls moves from the Basic to the Foundational controls, beginning with Email and Web Browser Protections. Organizations are directed to ensure that only fully supported web browsers and email clients are used; ideally, only the latest version of these fully supported browsers and email clients should be in use. Organizations are also directed to use Domain Name System (DNS) filtering services to help identify and block malicious domains. The specific sub-controls that are part of Implementation Group 1 (IG1) are:

  • 7.1: Ensure Use of Only Fully Supported Browsers and Email Clients Software

  • 7.7: Use of DNS Filtering Services
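One way to operationalize the two IG1 sub-controls above as a periodic check, written as an added example rather than anything from CIS: it audits a constructed endpoint inventory against a minimum supported client version (7.1) and an approved set of DNS filtering resolvers (7.7). The inventory layout, the version floors and the resolver addresses are all assumptions, stand-ins for an organization's own asset data and policy.

```python
"""Added example (not CIS material): audit endpoints for CIS 7.1 and 7.7.

Assumptions (hypothetical): each inventory entry records the installed
browser and mail-client versions plus the resolvers the endpoint actually
uses; the minimum supported versions and the approved DNS-filtering
resolver addresses are set by the organization's own policy.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed policy values, not real vendor version data.
MIN_SUPPORTED = {"browser": (120, 0), "mail_client": (16, 0)}
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # the org's DNS filtering service

# Constructed inventory: one compliant endpoint and one with two findings.
INVENTORY = [
    {"host": "ws-01", "browser": "121.0.6167.85", "mail_client": "16.1",
     "resolvers": ["10.0.0.53", "10.0.1.53"]},
    {"host": "ws-02", "browser": "99.0.4844.51", "mail_client": "16.0",
     "resolvers": ["10.0.0.53", "8.8.8.8"]},
]

def parse_version(s: str) -> tuple[int, ...]:
    """Turn '121.0.6167.85' into (121, 0, 6167, 85) so tuples compare numerically."""
    return tuple(int(p) for p in s.split("."))

@dataclass
class Finding:
    host: str
    issues: list[str] = field(default_factory=list)

def audit(inventory, min_supported=MIN_SUPPORTED, approved=APPROVED_RESOLVERS):
    """Return one Finding per endpoint; an empty issues list means compliant."""
    findings = []
    for ep in inventory:
        f = Finding(ep["host"])
        # 7.1: every client must be at or above its minimum supported version.
        for app, floor in min_supported.items():
            if parse_version(ep[app]) < floor:
                f.issues.append(f"7.1: {app} {ep[app]} below supported floor")
        # 7.7: every configured resolver must be an approved filtering resolver;
        # a single unfiltered resolver lets queries bypass the blocklist entirely.
        for r in ep["resolvers"]:
            if r not in approved:
                f.issues.append(f"7.7: resolver {r} bypasses DNS filtering")
        findings.append(f)
    return findings

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f.host, "OK" if not f.issues else f.issues)
```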