⭐ G7 Email and Browser Protection

🏁 7-1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers provided by the vendor, in order to take advantage of the latest security functions and fixes.

🏁 7-2 Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications. Each permitted plugin shall be restricted by application / URL whitelisting so that it can only be used for pre-approved domains.

🏁 7-3 Limit the use of unnecessary scripting languages in all web browsers and email clients. This includes languages such as ActiveX and JavaScript on systems where it is unnecessary to support such capabilities.

🏁 7-4 Log all URL requests from each of the organization's systems, whether onsite or on a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

🏁 7-5 Deploy two separate browser configurations to each system. One configuration should disable the use of all plugins and unnecessary scripting languages, generally be configured with limited functionality, and be used for general web browsing. The other configuration shall allow for more browser functionality but should only be used to access specific websites that require the use of such functionality.

🏁 7-6 The organization shall maintain and enforce network based URL filters that limit a system's ability to connect to websites not approved by the organization. The organization shall subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default. This filtering shall be enforced for each of the organization's systems whether they are physically at an organization's facilities or not.
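The default-deny decision in 7-6 and the per-request logging in 7-4 fit together in one filtering pass. The following is an added example, not part of the control text or any vendor product: it categorizes each requested host by walking up its domain labels, blocks anything whose category is not approved or that has no category at all, records the verdict for every request, and then picks out clients that repeatedly hit blocked or uncategorized sites for incident handlers to look at. The category map, the approved-category list and the proxy log lines are all constructed for the example; a real deployment would source categories from the subscribed categorization feed.

```python
"""Default-deny URL filter with per-request logging (added example).

The category feed, approved categories and log lines below are constructed
stand-ins; nothing here is read from a live categorization service.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for a URL categorization feed, keyed by domain.
# Lookups walk up the label hierarchy so sub.example.com inherits example.com.
CATEGORY_FEED = {
    "example.com": "business",
    "docs.python.org": "technology",
    "cdn.example.net": "content-delivery",
    "bad-dl.example.org": "malware",
}

# Categories the organization has approved; everything else is denied.
APPROVED_CATEGORIES = {"business", "technology", "content-delivery"}


def categorize(host: str) -> Optional[str]:
    """Return the feed category for host, matching the longest parent domain."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before a bare TLD, which never matches
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_FEED:
            return CATEGORY_FEED[candidate]
    return None


def decide(url: str):
    """Return (verdict, reason) for one URL; uncategorized is blocked by default."""
    host = urlsplit(url).hostname
    if not host:
        return "BLOCK", "unparseable-host"
    category = categorize(host)
    if category is None:
        return "BLOCK", "uncategorized"
    if category in APPROVED_CATEGORIES:
        return "ALLOW", category
    return "BLOCK", category


def filter_log(lines):
    """Apply decide() to each proxy log line and return one record per request.

    Constructed line format: '<timestamp> <client-ip> <url>'.
    """
    records = []
    for line in lines:
        ts, client, url = line.split(maxsplit=2)
        verdict, reason = decide(url)
        records.append({"ts": ts, "client": client, "url": url,
                        "verdict": verdict, "reason": reason})
    return records


def suspicious_clients(records, threshold=2):
    """Clients with at least `threshold` blocks for malware or uncategorized sites."""
    counts = {}
    for r in records:
        if r["verdict"] == "BLOCK" and r["reason"] in ("malware", "uncategorized"):
            counts[r["client"]] = counts.get(r["client"], 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


# Constructed proxy log lines for the example.
SAMPLE_LOG = [
    "2024-01-01T09:00:00Z 10.0.0.5 https://www.example.com/",
    "2024-01-01T09:00:01Z 10.0.0.5 https://docs.python.org/3/",
    "2024-01-01T09:00:02Z 10.0.0.7 http://bad-dl.example.org/x.exe",
    "2024-01-01T09:00:03Z 10.0.0.7 http://unknown-host.invalid/beacon",
    "2024-01-01T09:00:04Z 10.0.0.9 https://assets.cdn.example.net/app.js",
]

if __name__ == "__main__":
    for r in filter_log(SAMPLE_LOG):
        print(f'{r["ts"]} {r["client"]} {r["verdict"]:5} {r["reason"]:16} {r["url"]}')
    print("investigate:", suspicious_clients(filter_log(SAMPLE_LOG)))
```

The longest-suffix match is what makes a subscribed feed keyed by registrable domain usable against full hostnames; the guard that stops one label short of the end keeps a stray entry for a bare TLD from approving an entire namespace.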

🏁 7-7 To lower the chance of spoofed e-mail messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.
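Both halves of 7-7 are visible in one small evaluator: the publishing domain's `v=spf1` TXT record, and the receiving server's check of the connecting IP against it. The code below is an added example, not the control text's own and not a production SPF library. The DNS records are a constructed zone rather than live lookups, and only the `ip4`, `ip6`, `include` and `all` mechanisms with the `+`, `-`, `~` and `?` qualifiers are implemented (no `a`, `mx`, `exists`, `redirect` or macros); anything else yields `permerror`, as an unknown mechanism would.

```python
"""Minimal receiver-side SPF check (added example).

DNS_TXT is a constructed zone standing in for real TXT lookups. Supported
terms: ip4, ip6, include, all with the four RFC 7208 qualifiers.
"""
import ipaddress

DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "broken.example": "v=spf1 include:no-spf.example -all",
    "no-spf.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 cap on lookup-triggering mechanisms


def lookup_spf(domain):
    """Return the SPF record published for domain, or None if there is none."""
    rec = DNS_TXT.get(domain.lower())
    return rec if rec and rec.lower().startswith("v=spf1") else None


def check_host(ip, domain, _depth=0, _lookups=None):
    """Evaluate the sending ip against domain's record; returns an RFC 7208 result."""
    if _lookups is None:
        _lookups = [0]
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_host(ip, arg, _depth + 1, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "temperror"):
                return inner
            if inner == "none":  # included domain publishes no record
                return "permerror"
            # fail / softfail / neutral inside an include: no match, keep going
        else:
            return "permerror"  # mechanism not implemented in this example
    return "neutral"  # record exhausted without an explicit all


def receiver_policy(result):
    """Action this example gateway takes for each SPF result."""
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "accept")
```

Note that an `include` only propagates `pass`; a `-all` inside the included record does not fail the outer evaluation, which is why the outer record still needs its own terminal `-all`. The lookup counter is shared across the recursion because the RFC's limit is per evaluation, not per record.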

🏁 7-8 Scan and block all e-mail attachments entering the organization's e-mail gateway if they contain malicious code or file types that are unnecessary for the organization's business. This scanning should be done before the e-mail is placed in the user's inbox. This includes e-mail content filtering and web content filtering.
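The "unnecessary file types" half of 7-8 is only effective if the gateway judges the content, not just the name the sender chose. The following is an added example, not the control text's own: it parses a raw message with the standard library's email module, screens each attachment by extension, by leading bytes, and by looking inside ZIP archives for denied members, and does so on the message bytes before any delivery step. The deny list, the magic-byte table and the sample message are constructed; the example does not call an antivirus engine, which a real gateway would do in addition.

```python
"""Gateway-side attachment screening (added example).

DENIED_EXTENSIONS, MAGIC and build_sample_message() are constructed for the
example. Malicious-code detection (an AV engine) is out of scope here.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# File types the organization has declared unnecessary for business mail.
DENIED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".ps1", ".dll"}

# Leading bytes of formats worth recognising regardless of the declared name.
MAGIC = {
    b"MZ": "executable",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
}


def sniff(data):
    """Classify content by its leading bytes; 'unknown' when nothing matches."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def screen_attachment(filename, data):
    """Return (verdict, reason) for one attachment."""
    ext = os.path.splitext(filename or "")[1].lower()
    kind = sniff(data)
    if ext in DENIED_EXTENSIONS:
        return "block", f"denied extension {ext}"
    if kind == "executable":
        return "block", f"executable content behind {ext or 'no extension'}"
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member)[1].lower() in DENIED_EXTENSIONS:
                        return "block", f"archive contains {member}"
        except zipfile.BadZipFile:
            return "block", "corrupt archive"
    return "allow", kind


def screen_message(raw):
    """Parse a raw RFC 5322 message and screen every attachment before delivery."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        data = part.get_payload(decode=True) or b""
        verdict, reason = screen_attachment(name, data)
        results.append((name, verdict, reason))
    return results


def build_sample_message():
    """Constructed message: a real PDF, a renamed PE, and a ZIP hiding a script."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "invoices"
    msg.set_content("see attached")
    msg.add_attachment(b"%PDF-1.4\n%fake pdf body\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # A PE header given a document-looking name.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("payload.js", "alert(1)")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in screen_message(build_sample_message()):
        print(f"{verdict:5} {name:14} {reason}")
```

Running it shows the renamed executable and the archive both blocked while the PDF passes; the extension check alone would have let the first two through.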