Notes from the Field: Center for Internet Security Control 09 – Email and Web Browser Protections 

by Greg Halpin / August 8th, 2023

A small SaaS (Software as a Service) client I worked with recently mentioned an information security incident they experienced a year ago in which the email account of one of their sales representatives was compromised via a phishing attack. The attackers gained the credentials of the sales rep, obtained email addresses of customers, and sent emails to the company’s customers with false offers to buy discounted services. The attackers had scraped the company’s website and set up an identical site with a similar URL, which tricked customers into believing the website was legitimate. Some customers visited the site and entered their credit card numbers to purchase what they thought were legitimate services. The compromise occurred on a Friday morning. It wasn’t until Monday afternoon that the sales rep began to hear from customers that something was very wrong. Their credit cards were used for many bogus purchases on multiple websites after using their credit cards on what they thought was the company website.   

The IT department was able to block the attackers’ access to the email account of the sales rep. But that was just the beginning. Did the attackers gain access to other accounts and elevate their credentials? Did the attackers now have customer credentials? If so, how many and which ones? As the IT team began to isolate the incident, the senior executive team, including legal counsel and communications, was brought in to determine how to notify customers and what to tell them. 

The company’s reputation was damaged. It lost customers and revenue. Since the incident, the company requires multi-factor authentication for remote access and all email and cloud services. The company also implemented annual information security awareness training for all staff. I suggested additional technical controls the company can put in place to better protect the company and its customers from similar attacks in the future. 

This is the ninth instalment of Greg Halpin’s Center for Internet Security (CIS) Controls series, focusing on CIS Control 09 – Email and Web Browser Protections. As a reminder, the Center for Internet Security Controls are 18 critical information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data. The document contains high level information that executives can understand and also has specific details about tools and procedures for technical staff to run with.   
The Overview for Control 09 – Email and Web Browser Protections is – Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement

Why is email and web browser protection critical?  

Attackers continue to successfully target email and web browsers as most people in organizations use the two tools for much of their day-to-day work. Email and web browsers expose employees to untrusted environments, where attackers can use social engineering and malicious code to trick individuals into giving up their company logon credentials and data. Once attackers gain a foothold with user credentials, they can expand to other targets. 

Control 09 includes 7 sub-controls or safeguards. They are: 

9.1 Ensure Use of Only Fully Supported Browsers and Email Clients

9.2 Use DNS Filtering Services 
9.3 Maintain and Enforce Network-Based URL Filters 
9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions 
9.5 Implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) 
9.6 Block Unnecessary File Types 
9.7 Deploy and Maintain Email Server Anti-Malware Protections 

The above sub-controls will go a long way to protect your network and users from email and browser related attacks, like that attack on the SaaS company I worked with.   

Using Data Name System (DNS) filtering services, control 9.2, protects your network by blocking DNS queries for malicious websites. For example, if an employee opens a phishing email and clicks on a link for a known malicious site, the DNS filtering does not allow the employee’s browser to go to the site as the site’s domain is listed on a block list.  

Control 9.3 is similar in that URL filtering is done of websites that contain content that is not approved by a company. Filtering databases are used to classify URLs by content. URLs with appropriate content are approved for access. URLs for inappropriate content are blocked. Those URLs marked as phishing are blocked by an employer. The employee’s browser will be redirected to a page notifying the individual that the URL is blocked.     

Implementing DMARC, control 9.5, would have also helped the SaaS company from being compromised. DMARC and related tools can be used and combined for verifying the authenticity of emails. The tools include Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).  

SPF identifies emails that are from trusted sources and those that are from untrusted sources. SPF allows your email administrator to apply rules to untrusted emails, such as blocking them or marking them as spam. This reduces the likelihood of successful phishing attempts via a company’s email system.  

DKIM helps identify spammers and attackers from spoofing legitimate domains. It’s easy for anyone to change the from field of their emails to make them appear as if they are coming from a different domain. Attackers use this to send phishing attack emails. The email recipient believes the email is from an individual at a company they do business with when, in fact, the email is a phishing attempt. DKIM verifies the identity of the email server sending the email by using digital signatures or the email servers.  

CIS Control 9 and its sub-controls will help protect your company from email and web browser attacks. Implement them to reduce the likelihood of incidents at your organization.  

Partner with KirkpatrickPrice to Help Protect Your Environment 

Protecting your organization from email and web attacks can feel intimidating considering evolving attack methods and threats. Following CIS control guidelines can help you secure your environment, but partnering with cybersecurity and compliance experts will give you an added level of assurance. Connect with a KirkpatrickPrice expert today to become unstoppable.  

About the Author

Greg Halpin

Greg Halpin has 25 years of experience in information technology and security. He has a Master’s in Information Sciences – Cybersecurity and Information Assurance from Penn State University, and he has earned the CISSP, CISA, and CCSP certifications. He has experience and additional
certifications in Amazon Web Services, Azure Cloud Services, Linux and Windows systems administration, vulnerability scanning, intrusion detection/prevention, and project management. He enjoys working with people and organizations to help them secure their networks and systems.