Preface on Sub-Controls 7.1 and 7.7
The CIS recommends that content filters, popup blockers, and blocking of known malicious domains be employed to reduce the number of threats that reach web browsers and email clients. In addition, spam filtering, restricting the types of files that can be sent or received (blocking attachments that are not required), and email encryption add further layers of security.
For CIS Control 7, Tenable products allow security operations teams to use Tenable Security Center Continuous View to analyze endpoint browser and email client configurations. Using a variety of active and passive plugins paired with Tenable Security Center, the organization can verify that established configuration policies are followed. Tenable Security Center provides an on-premises solution that gives organizations a clearer view of their vulnerability management posture. As an example, Tenable Nessus Network Monitor can passively detect and enumerate the web browsers in use, as well as any potential vulnerabilities present in the detected versions. Active credentialed scanning by Nessus can provide detailed information on installed web browsers via the same software enumeration methods described in CIS Control 2. Analysts can easily produce tables and matrices from this information, such as the sample matrix below, which presents Chrome vulnerabilities. Many other browser clients, such as Firefox, Internet Explorer, and Safari, are covered by the Browser Vulnerabilities Dashboard located in the Tenable.sc feed.
For more information about the browser vulnerabilities dashboard, see Browser Vulnerabilities Dashboard.
In most environments that use the Microsoft Office system, Outlook is already the default program for email, contacts, and calendaring. Compliance checks exist to ensure that group policies are set which make Outlook the default program for email. The installed web browsers and email clients enumerated in Control 2 can easily be searched for vulnerabilities using vulnerability text filters within the Analysis tab of Tenable Security Center.
Just as with previous sub-controls, the goal of this sub-control is a score (or ratio) of zero, meaning every endpoint runs up-to-date, supported web browsers and email clients.
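To make the score concrete, the following is an added example (not Tenable's own code or plugin output) that computes the sub-control ratio from constructed browser and email client enumeration records, such as those an analyst might export from the Analysis tab. The hostnames, versions, and the minimum supported versions in the policy table are all assumed values for illustration.

```python
# Added example: compute the sub-control 7.1/7.7 score (ratio of endpoints
# with an outdated or unsupported browser/email client; the goal is 0.0).
from collections import defaultdict

# Constructed sample records: (hostname, client name, detected version).
# Hostnames and version strings are made up for this example.
DETECTED = [
    ("ws-01", "Google Chrome", "120.0.6099.109"),
    ("ws-01", "Microsoft Outlook", "16.0.17126.20132"),
    ("ws-02", "Google Chrome", "118.0.5993.70"),
    ("ws-02", "Microsoft Outlook", "16.0.17126.20132"),
    ("ws-03", "Mozilla Firefox", "115.6.0"),
    ("ws-03", "Mozilla Thunderbird", "91.13.0"),
]

# Assumed minimum supported version per client (hypothetical policy values,
# not vendor-published end-of-support data).
MIN_SUPPORTED = {
    "Google Chrome": "120.0.0.0",
    "Mozilla Firefox": "115.0.0",
    "Microsoft Outlook": "16.0.0.0",
    "Mozilla Thunderbird": "115.0.0",
}

def parse_version(text):
    """Turn a dotted version string such as '120.0.6099.109' into a tuple of ints."""
    return tuple(int(part) for part in text.split("."))

def noncompliant_hosts(records, policy):
    """Map each failing host to its offending (client, version) pairs.
    A client below the policy minimum, or absent from the policy, counts as a failure."""
    failures = defaultdict(list)
    for host, client, version in records:
        minimum = policy.get(client)
        if minimum is None or parse_version(version) < parse_version(minimum):
            failures[host].append((client, version))
    return dict(failures)

def compliance_ratio(records, policy):
    """Fraction of endpoints with at least one outdated/unsupported client."""
    hosts = {host for host, _, _ in records}
    if not hosts:
        return 0.0
    return len(noncompliant_hosts(records, policy)) / len(hosts)

if __name__ == "__main__":
    for host, bad in noncompliant_hosts(DETECTED, MIN_SUPPORTED).items():
        print(host, bad)
    print(f"ratio: {compliance_ratio(DETECTED, MIN_SUPPORTED):.2f}")
```

With the constructed data, ws-02 fails on Chrome and ws-03 on Thunderbird, so two of three endpoints are non-compliant and the ratio is about 0.67 rather than the target of zero.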