Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: software update)
Backup 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for company assets. Review and update documentation annually or when significant changes within the business occur that could impact this protection.
Backup 7.4: Perform automated application patch management: Perform application updates to enterprise assets via automated patch management on a monthly or more frequent basis.
Backup 7.7: Fix Detected Vulnerabilities: Fix detected vulnerabilities in software through processes and tools on a monthly or more frequent basis, depending on the remediation process.
Backup 9.1: Ensure only fully supported browsers and email clients are used: Ensure that only fully supported browsers and email clients are allowed to run in the enterprise, using only the latest version of browsers and email clients provided by the provider.
Apply the principle of least privilege to all systems and services. Run all software as an unprivileged user (without administrative privileges) to lessen the effects of a successful attack. (M1026: Management of privileged accounts)
Backup 4.7: Manage default accounts on enterprise assets and software: Manage default accounts on enterprise assets and software, such as root, administrator, and other preconfigured vendor accounts. Example implementations may include: disabling default accounts or rendering them unusable.
Backup 5.4: Restrict admin privileges to dedicated admin accounts: Restrict admin privileges to dedicated admin accounts on company assets. Conduct general computing activities, such as browsing the Internet, emailing, and using the Productivity Suite, from the user's primary, non-privileged account.
Restrict code execution to a virtual environment on or in transit to an endpoint system. (M1048: Application isolation and sandboxing)
Use features to detect and block conditions that could lead to or indicate the occurrence of a software exploit. (M1050: Exploit Protection)
Safeguard 10.5: Enable anti-exploit features: Enable anti-exploit features on enterprise assets and software, where possible, such as Microsoft Data Execution Prevention (DEP), Windows Defender Exploit Guard (WDEG), or Apple System Integrity Protection (SIP) and Doorman.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict web content)
Backup 9.2: Use DNS Filtering Services: Use DNS filtering services on all company assets to block access to known malicious domains.
Backup 9.3: Maintain and enforce network-based URL filters: Apply and update network-based URL filters to prevent a company asset from connecting to potentially malicious or untrusted websites . Example implementations include category-based filtering, reputation-based filtering, or the use of blocklists. Apply filters for all company assets.
Backup 9.6: Block unnecessary file types: Block unnecessary file types that attempt to access the corporate email gateway.
Inform and educate users about the threats posed by hyperlinks contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrustworthy websites or follow links provided by unknown or untrustworthy sources. (M1017: User training)
Safeguarding 14.1: Establish and maintain a security awareness program: Establish and maintain a security awareness program. The goal of a security awareness program is to educate company personnel on how to interact with company assets and data securely. Organize training upon hiring and, at a minimum, once a year. Review and update the content annually or when significant changes within the business occur that could impact this protection.
Safeguard 14.2: Train staff members to recognize social engineering attacks: Train staff members to recognize social engineering attacks, such as phishing, pretexting, and tailgating.
