Eric Haupt
Sunday Musing

Sunday Musings Test Thoughts Before

Happy Sunday Friend!

Welcome back to another musing! I’m glad you’re here. Here are your Sunday Musings, a quick dose of what I’m exploring and thinking about. If you find it useful, please feel free to forward this along to friends!


Quote I’m Musing

“First off, do not allow yourself to be carried away by intensity [of your impression]: but say, ‘Impression, wait for me a little. Let me see what you are, and what you represent. Let me test you’.”

-Epictetus, Discourses, 2.18.24

We should build a break into our internal processes that keeps us from falling into ingrained reactions: consciously pause to take a bird's-eye view of the situation, evaluate our thoughts and emotions, and only then decide what action to take based on that evaluation. As the Stoics would ask, is our “ruling reason” in charge, or are our passions? Are others in charge of our actions?

I spent last week as the boss. My boss (everyone’s boss in the organization) was out of the country and I’m his second. That meant I chaired and sat in on both of our engagements and made the decisions that didn’t need to wait, but all from his perspective. It was a great learning experience as well as a perspective-altering one.

I’m not just the guy in charge of the organization; I set the tone of the culture, of the vector we travel, and the impetus for immediate and lasting perceptions of the organization. I took much longer than normal (uncomfortably so) to make my decisions. I asked many, many more questions. I evaluated my thoughts on matters before I gave voice to a decision.

And no one noticed the time difference.

If you can do this, you’re going to make better decisions than most people. You’ll be wiser than I am most of the time.

Big goal #2 for me this year.


Reflection on Control 8

Effective response and investigation rely on understanding where the attacker is in their operation, what they’ve done so far, and how they compromised our enterprise. Sometimes, the only evidence is the audit logs.


CIS Critical Security Control #9

Email and Web Browser Protections

Enabling the user while minimizing the human factor.

What is it?

Email and web browser clients are essential to business operations. However, they are also prime targets for malicious actors. Control 9 lays out the safeguards we should implement: securing email servers, filtering web traffic to block malicious URLs and file types, and managing those controls effectively.


I’m going to try something different; rather than being verbose (-v), I’ll run down the bullets on how to implement. Let me know if you like this version or the more in-depth version!

Web Browsers

Protect our web browsers by updating the browser, enabling pop-up blockers, enabling DNS filtering, and managing plugins. Always update web browsers to the latest version. Pop-up blockers stop malicious pop-up messages from being displayed to users. DNS filtering blocks access to malicious domains and prevents users from navigating to them. Plugin management keeps users from installing malicious plugins.

Email

Phishing is still the #1 vector for business breaches. Increase email security with effective social engineering training, spam filtering and malware scanning, domain-based message authentication, encryption, and file type filtering. Increasing the frequency of social engineering training helps users spot phishing and business email compromise. Spam filtering and malware scanning reduce the amount of malicious email that is delivered (and therefore the number of clicks). DMARC checks inbound mail against the sending domain’s published policy and rejects or quarantines messages that do not conform. Encryption ensures our messaging remains private. Lastly, file type filtering keeps prohibited file types from ever reaching users (no one should be receiving and opening .exe files).

There are seven safeguards in this control; here’s how to comply with and implement it:

  1. Make sure we only use web browsers and email programs that are fully supported (the vendor or open-source team is still releasing updates regularly).

  2. Implement services that filter and block harmful websites through the Domain Name System (DNS).

  3. Maintain and enforce filters that block access to suspicious or unsafe URLs. Better yet, use a whitelist and block all but the approved sites for the organization.

  4. Limit unnecessary and unauthorized browser and email extensions.

  5. Enhance our email security by setting up and enforcing DMARC (Domain-based Message Authentication, Reporting, and Conformance).

  6. Prevent users and applications from downloading or opening unnecessary or unapproved file types.

  7. Set up and maintain protections like attachment scanning and/or sandboxing to defend against malware attacks.
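As an added example (not from this newsletter, and not CIS’s own tooling), here is a small Python script that implements defensive checks for three of the safeguards above: domain blocklist matching for DNS/URL filtering (safeguards 2 and 3), evaluation of a published DMARC record for weak settings (safeguard 5), and an attachment filter that looks at both the file name and the file header (safeguard 6). The domain names, DMARC records and attachment bytes are constructed samples, and the blocklists are assumptions; a real deployment would feed them from the organization’s filtering service and policy.

```python
"""Added example: small checks for three CIS Control 9 safeguards.
All blocklists and inputs below are constructed samples, not real data."""
from pathlib import PurePosixPath
from urllib.parse import urlparse

# --- Safeguards 2 and 3: domain/URL blocklist with label-wise suffix matching ---
# Constructed blocklist (assumption); a real one comes from the DNS filtering service.
BLOCKED_DOMAINS = {"malware-drop.example", "phish.example.net"}


def domain_is_blocked(host: str, blocklist=BLOCKED_DOMAINS) -> bool:
    """True if host equals a blocked domain or is a subdomain of one.
    Matching on whole dot-separated labels avoids the classic endswith() bug
    where 'notmalware-drop.example' would also be blocked."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def url_is_blocked(url: str) -> bool:
    """Apply the domain check to the host part of a full URL."""
    return domain_is_blocked(urlparse(url).hostname or "")


# --- Safeguard 5: evaluate a published DMARC record for weak settings ----------
def parse_dmarc(txt: str) -> dict:
    """Split a _dmarc TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(txt: str) -> list:
    """Return a list of weaknesses; an empty list means the record enforces."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"missing or invalid policy tag p={policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100")) if tags.get("pct", "100").isdigit() else 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains are left unprotected")
    return findings


# --- Safeguard 6: block prohibited attachment types by name AND content --------
# Constructed policy (assumption): extensions the organization never wants delivered.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".ps1"}
# File headers blocked regardless of file name ("MZ" starts every Windows PE file).
BLOCKED_MAGIC = {b"MZ": "Windows executable"}


def attachment_verdict(filename: str, head: bytes) -> str:
    """Return 'allow' or a reason string. Every trailing extension is checked,
    so 'invoice.pdf.exe' is caught, and the header is checked, so renaming
    payload.exe to payload.txt does not get past the filter."""
    for suffix in PurePosixPath(filename.lower()).suffixes:
        if suffix in BLOCKED_EXTENSIONS:
            return f"blocked extension {suffix}"
    for magic, description in BLOCKED_MAGIC.items():
        if head.startswith(magic):
            return f"blocked content: {description}"
    return "allow"


if __name__ == "__main__":
    print(url_is_blocked("https://cdn.malware-drop.example/update.bin"))   # True
    print(dmarc_findings("v=DMARC1; p=none; pct=50"))                        # three findings
    print(attachment_verdict("invoice.pdf.exe", b"MZ\x90\x00"))              # blocked extension
```

The DMARC check reads a record string rather than querying DNS, so it can be run offline against records copied from the organization's own zone; the attachment filter deliberately checks content as well as extension, because extension-only filters are defeated by a simple rename.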


Why Should We Care About Control #9?

Web browsers and email clients are your trusty sidekicks, but sometimes they can be a bit like that one friend who always forgets to lock their front door. Web browsers and email clients are the gateways to the enterprise, both inside and outside our organization. They're handy for almost everything, but they’re also the Achilles' heel of our cybersecurity fortress.

Imagine: we’re guarding the gates of our castle, but the enemy slips in disguised as a friend. That's what happens when users of these applications are targeted with social engineering attacks. Social engineering is cyber-illusionism. It's about tricking folks into clicking where they shouldn't.

Why would anyone want to do that? Well, because gaining unauthorized access to an organization is like finding the golden ticket to Willy Wonka's chocolate factory. It's a hacker's dream come true.

So, a successful social engineering attack gets users to dance with the devil, or in this case, interact with malicious content. If they take the bait, it's like giving hackers an all-access pass to our organization's secrets, cat videos, and IP.


I would love your feedback!

Which musing is your favorite? What else do you want to see, or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long-form email.

Have a wonderful week, I’ll see you Sunday.
-e

End of transmission.