Control 7.1: Ensure Use of Only Fully Supported Browsers and Email Clients

Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

Category

Procedural

Purpose

Web browsers and email clients are some of the most common applications that employees use to access the Internet. This means that browsers and email clients are on the front line of an organization’s IT infrastructure and are regularly exposed to a variety of digital threats. In fact, they are arguably the most exposed applications within an enterprise. Because of this, browsers and email systems should be kept up to date, since the most recent version of a software application includes the most recent security patches.

Attacks on email clients and browsers can lead to a variety of cybersecurity problems. One such example is the installation of browser extensions, which are small applications that can extend a browser’s functionality. These can be helpful and provide security benefits (e.g., managing passwords). Unfortunately, if an attacker is able to install a malicious browser extension, they can often severely compromise the security of a browser by viewing all web activity and potentially reading information that would normally be inaccessible.

Automation

Some browsers, like Chrome, update automatically by default, whereas others require additional configuration. Email clients can be similarly set up to receive automated updates. Security tools can be used to identify when browsers, email clients, and other programs are out of date.

Guidance and Tools

Keeping browsers and email clients up to date is generally a fairly simple task. Besides using supported software in the first place, it is important to take the extra step of making sure that browsers and clients regularly receive the security updates and patches that are made available. These updates are not installed by default on all browsers and email clients, so those browsers and clients need to be configured manually. Once browsers and email clients are properly configured, only periodic monitoring is required.
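The two checks this control asks for (is the product on the supported list at all, and is the installed version at or above the vendor's supported floor) can be run over an endpoint software inventory. The script below is an added example, not part of the CIS Controls text; the allowlist versions, product names and inventory lines are constructed for illustration, and in practice the version floors come from each vendor's support policy.

```python
"""Added example: audit a software inventory against an allowlist of fully
supported browsers and email clients. All product names, minimum versions
and inventory lines below are constructed, not vendor data."""
from typing import Dict, List, Tuple

# Constructed allowlist: product -> minimum fully supported version.
SUPPORTED: Dict[str, str] = {
    "Google Chrome": "124.0.6367.60",
    "Mozilla Firefox": "115.10.0",
    "Mozilla Thunderbird": "115.10.1",
    "Microsoft Outlook": "16.0.17425.20176",
}

# Constructed inventory as an endpoint agent might export it:
# hostname<TAB>product<TAB>installed version
INVENTORY = """\
ws-001\tGoogle Chrome\t124.0.6367.60
ws-002\tGoogle Chrome\t118.0.5993.70
ws-003\tMozilla Firefox\t115.10.0
ws-004\tMozilla Thunderbird\t102.15.1
ws-005\tLegacy Mail Client\t3.2
ws-006\tMicrosoft Outlook\t16.0.17425.20176
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '124.0.6367.60' into (124, 0, 6367, 60) so that tuple comparison
    orders versions numerically (plain string comparison ranks '9.0' above
    '10.0', which would hide outdated installs)."""
    return tuple(int(part) for part in v.strip().split("."))

def classify(product: str, version: str) -> str:
    """Return 'ok', 'outdated' or 'unsupported' for one installed product."""
    if product not in SUPPORTED:
        return "unsupported"   # not on the allowlist at all
    if parse_version(version) < parse_version(SUPPORTED[product]):
        return "outdated"      # supported product, but below the version floor
    return "ok"

def audit(inventory: str) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, status) for every entry that is not 'ok'."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split("\t")
        status = classify(product, version)
        if status != "ok":
            findings.append((host, product, version, status))
    return findings

if __name__ == "__main__":
    for host, product, version, status in audit(INVENTORY):
        print(f"{host}: {product} {version} -> {status}")
```

Running it flags ws-002 and ws-004 as outdated and ws-005 as running a client that is not on the supported list.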


CIS Benchmarks: CIS offers free PDFs with configuration guidelines for common browsers (https://www.cisecurity.org/cis-benchmarks).