CIS CSC #7 – Email and Web Browser Protections

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

This control includes ten (10) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there is one (1) IG1 control and seven (7) IG2 controls. This means that, at a minimum, we want to:

  • Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

As you likely already know, the human at the keyboard is often where a breach takes place. Attackers have a much higher success rate of breaching a network when they can get an employee to click on a link or divulge information instead of hacking through a public-facing device outright.

These controls can be implemented at the device level, as well as at the network level. You may consider both if you have a large user base with mobile devices such as laptops. Those devices are more likely to be on untrusted networks, meaning each device will use a DNS server provided by the network it is on. Many enterprise-grade solutions will allow you to configure DNS settings to always use a trusted source, regardless of what network the device is on.

This control has several really interesting technologies to help with implementation, so I wanted to share a few demonstrations. The first is a guide for installing Pi-hole on an Ubuntu host, which could be a virtual machine. This acts as a central blacklist for DNS lookups on your network.

The second video I wanted to highlight covers OpenDNS since this tool has more focus on the enterprise environment, though they do have a home license available. This video is a few years old, but I enjoyed how Eli broke down the configuration on the whiteboard, as well as a tour through the web GUI itself.
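
DNS filtering as described above comes down to checking each queried name against a list of known-bad domains before answering. The sketch below is an added example, not code from Pi-hole, OpenDNS or this blog: it parses a hosts-format blocklist and decides whether each query is sinkholed or forwarded. The domains, the `0.0.0.0` sinkhole answer and the choice to let a blocked domain also cover its subdomains are assumptions of this sketch.

```python
# Added example: simplified model of a DNS blocklist check (not Pi-hole's code).
SINKHOLE = "0.0.0.0"  # assumed sinkhole answer for blocked names

# Constructed blocklist in hosts-file format; the domains are placeholders.
BLOCKLIST_TEXT = """
# constructed sample entries
0.0.0.0 malware.example
0.0.0.0 Phish.Example.NET   # mixed case on purpose
127.0.0.1 localhost
tracker.example.org
"""

def normalize(name):
    """Lowercase and strip the trailing root dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")

def parse_blocklist(text):
    """Accept 'IP domain' and bare 'domain' lines; skip comments and localhost."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        domain = normalize(line.split()[-1])
        if domain and domain != "localhost":
            blocked.add(domain)
    return blocked

def matched_rule(qname, blocked):
    """Return the blocklist entry covering qname (itself or a parent), else None."""
    labels = normalize(qname).split(".")
    # Walk whole labels only, so 'notmalware.example' never matches 'malware.example'.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None

def filter_queries(queries, blocked):
    """Return (qname, decision, rule) for each query a client sent."""
    results = []
    for q in queries:
        rule = matched_rule(q, blocked)
        results.append((q, SINKHOLE if rule else "FORWARD", rule))
    return results

if __name__ == "__main__":
    blocked = parse_blocklist(BLOCKLIST_TEXT)
    sample = ["cdn.malware.example.", "notmalware.example", "PHISH.example.net", "intranet.example.com"]
    for row in filter_queries(sample, blocked):
        print(row)
```

Recording which rule matched each blocked query makes it easier to review false positives and to see which list entries are actually being hit.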

Related News Stories

Relevant Tools

| Commercial | Open-Source & “Freemium” |
|---|---|
| GFI MailEssentials | MailScanner |
| ForcePoint URL Filtering | Squid |
| Symantec (Bluecoat) WebFilter | DansGuardian |
| Palo Alto Networks URL Filtering | Pi-hole |
| Cisco Web Security | Security Onion |
| OpenDNS (Cisco) | Zeek |
| Email Security (FireEye) | pfsense |
| ProofPoint Email Filtering | |
| Google Apps Email Filtering | |

The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #7 page here.
