Another staple in a series examining the Center for Internet Security's best practices. Our last article looked at applying Critical Security Controls 4, 5, and 6 to your organization, covering vulnerability assessment, administrative privileges, and audit logs. Now it's time to move on to CSCs 7, 8, and 9.

Email programs and web browsers are still the most common points of entry for attackers; too many companies have woefully inadequate malware defenses; and a failure to control ports and limit services is like leaving a window open for cybercriminals.

Critical Control 7: Email and Web Browser Protections

Human behavior is still the path of least resistance for cybercriminals, and they often employ social engineering techniques to gain access to systems. Despite the rising profile of phishing, 23% of recipients open phishing messages and 11% click on attachments, according to Verizon's 2015 Data Breach Investigations Report (DBIR).

Dodgy attachments, spoof websites, and vulnerable plug-ins can all be used by attackers to gain a foothold. It's vital to ensure that web browsers and email programs are kept fully up to date. Don't allow employees to use unsupported browsers or email programs, and prevent them from installing unnecessary plug-ins or add-ons. All URL requests should be logged, and you should have a filter in place that blocks access to unauthorized websites. All email attachments should be scanned, and blocked if they are unnecessary for business.

Keeping tight control over web browsers and email like this doesn't just reduce the risk of phishing; it also reduces spam and helps prevent wasted time.
Critical Control 8: Malware Defenses

There are five malware events every second, according to Verizon's 2015 DBIR, and malware can come into your system from all sorts of sources, including email, cloud services, web pages, smartphones, or even USB thumb drives.

It may not always be possible to detect it at the point of entry, but you can ensure that it's detected and stopped before it can do too much damage by putting the right defenses in place.

Employing automated tools for real-time monitoring and threat assessment should be mandatory. You need malware defenses deployed throughout your system. Sadly, a Ponemon Institute report found that only 41% of respondents had automated tools to capture intelligence and evaluate the true threat of malware, even though organizations with automated tools reported that they can handle 60% of malware containment without human intervention, saving a huge amount of time and resources.

It makes sense to limit the use of external devices, use network-based anti-malware tools that can pick malicious content out of the traffic flow, and ensure that updates for your defenses are automated.

Bear in mind that the expense of investigating malware incidents is high and inaccurate intelligence is common. Spend money on improving your intelligence and automated containment, and you won't have to spend as much on security staff investigations.

Critical Control 9: Limitation and Control of Network Ports, Protocols, and Services

Configuration errors, remote access, and default services in newly installed software can leave a window open for would-be attackers. All of the ports, protocols, and services on all of your networked devices need to be properly managed. That means tracking, controlling, and correcting them where necessary. Your IT staff needs to have a clear picture of what is and isn't needed.
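As an added illustration of the tracking-and-correcting step (this is example code, not from the original article): a small Python audit that parses listening-socket output in the layout of Linux `ss -H -ltnup`, compares it against an approved baseline for the host, and reports both listeners that should not be there and expected services that are missing. The sample output, the baseline entries and the process names are constructed assumptions.

```python
"""Compare a host's listening sockets against an approved baseline (CSC 9)."""
import re

# Constructed sample in the layout of `ss -H -ltnup` (needs root for the
# process column). Not real host data.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1044,fd=6))
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      50           0.0.0.0:23        0.0.0.0:*    users:(("telnetd",pid=2100,fd=4))
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=700,fd=7))
"""

# Assumed approved baseline for this host role: (proto, local address, port, process).
BASELINE = {
    ("tcp", "0.0.0.0", 22, "sshd"),
    ("tcp", "0.0.0.0", 443, "nginx"),
    ("tcp", "127.0.0.1", 5432, "postgres"),
}

# proto, state, recv-q, send-q, local addr:port, peer addr:port, users:(("proc",...
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_text):
    """Return the set of (proto, addr, port, process) tuples found in ss output."""
    found = set()
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines without a users: column (no root) are skipped
            found.add((m["proto"], m["addr"], int(m["port"]), m["proc"]))
    return found


def audit_listeners(ss_text, baseline):
    """Split listeners into 'unexpected' (observed, not approved) and
    'missing' (approved, but not observed) so both can be corrected."""
    observed = parse_listeners(ss_text)
    return {
        "unexpected": sorted(observed - baseline),
        "missing": sorted(baseline - observed),
    }


if __name__ == "__main__":
    for kind, entries in audit_listeners(SAMPLE_SS_OUTPUT, BASELINE).items():
        for proto, addr, port, proc in entries:
            print(f"{kind}: {proto} {addr}:{port} ({proc})")
```

Run against real output with `ss -H -ltnup` piped into `parse_listeners`, and keep one baseline per host role rather than one global list.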
A clear configuration plan at the outset can save a lot of time spent fixing problems further down the line. Scan ports, review services, and shut down anything that isn't necessary for business operations. Make sure that you verify servers and put firewalls in place to validate traffic. These are simple vulnerabilities for attackers to exploit, but they're also easy loopholes to close, so close them!

Don't delay

Educate your employees on these issues and put the right systems in place to ensure they aren't a weak spot for your organization. Remember to measure the effectiveness of your automated systems, and make sure you learn from mistakes and failures.

The most effective defense against phishing, malware, and vulnerability exploitation is a multi-pronged strategy that includes security expertise, educated staff, automated real-time systems, and clear, concise policies that are validated.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.