Establish, implement, and maintain whitelists and blacklists of domain names.

CONTROL ID: 07097
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services., CC ID: 13104

This Control has the following implementation support Control(s):
  • Revoke membership in the whitelist, as necessary., CC ID: 13827
  • Deploy sender policy framework records in the organization's Domain Name Servers., CC ID: 12183
  • Block uncategorized sites using URL filtering., CC ID: 12140
  • Subscribe to a URL categorization service to maintain website category definitions in the URL filter list., CC ID: 12139

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Software and information processing facilities are vulnerable to attacks by computer viruses and other malicious software. Procedures and responsibilities should be established to detect and prevent attacks. AIs should put in place adequate controls such as: - prohibiting the download and use of un… (3.5.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • With a clear understanding of network connectivity, banks can avoid introducing security vulnerabilities by minimizing access to less-trusted domains and employing encryption and other controls for less secure connections. Banks can then determine the most effective deployment of protocols, filterin… (Critical components of information security 24) v., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Use network proxies to restrict employee access to known malicious websites. (Annex A2: Computer Network Security 12, Singapore (PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Dynamic domains and other domains where domain names can be registered anonymously for free are blocked. (Security Control: 1236; Revision: 1, Australian Government Information Security Manual, March 2021)
  • Client-side active content, such as Java, is restricted to a list of allowed websites. (Security Control: 0961; Revision: 7, Australian Government Information Security Manual, March 2021)
  • a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls. (Security Control: 0263; Revision: 7; Bullet 2, Australian Government Information Security Manual, March 2021)
  • If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective. (Security Control: 0960; Revision: 6, Australian Government Information Security Manual, March 2021)
  • If a list of allowed websites is not implemented, a list of blocked websites is implemented instead. (Security Control: 0959; Revision: 6, Australian Government Information Security Manual, March 2021)
  • A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways. (Security Control: 0958; Revision: 7, Australian Government Information Security Manual, March 2021)
  • An organisation-approved list of domain names, or list of website categories, is implemented for all Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure traffic communicated through gateways. (Control: ISM-0958; Revision: 8, Australian Government Information Security Manual, June 2023)
  • Client-side active content is restricted by web content filters to an organisation-approved list of domain names. (Control: ISM-0961; Revision: 8, Australian Government Information Security Manual, June 2023)
  • Malicious domain names, dynamic domain names and domain names that can be registered anonymously for free are blocked by web content filters. (Control: ISM-1236; Revision: 2, Australian Government Information Security Manual, June 2023)
  • A protective DNS service is used to block access to known malicious domain names. (Control: ISM-1782; Revision: 1, Australian Government Information Security Manual, June 2023)
  • An organisation-approved list of domain names, or list of website categories, is implemented for all Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure traffic communicated through gateways. (Control: ISM-0958; Revision: 8, Australian Government Information Security Manual, September 2023)
  • Client-side active content is restricted by web content filters to an organisation-approved list of domain names. (Control: ISM-0961; Revision: 8, Australian Government Information Security Manual, September 2023)
  • Malicious domain names, dynamic domain names and domain names that can be registered anonymously for free are blocked by web content filters. (Control: ISM-1236; Revision: 2, Australian Government Information Security Manual, September 2023)
  • A protective DNS service is used to block access to known malicious domain names. (Control: ISM-1782; Revision: 1, Australian Government Information Security Manual, September 2023)
  • The organization should implement a solution that decrypts and inspects the Secure Sockets Layer and Transport Layer Security traffic in accordance with the content filtering requirements or a whitelist that specifies the addresses that encrypted connections are allowed and all other addresses block… (Control: 0263, Australian Government Information Security Manual: Controls)
  • The organization should implement a whitelist for all HyperText Transfer Protocol traffic that is communicated through the gateway. (Control: 0958, Australian Government Information Security Manual: Controls)
  • The organization should specify the whitelist addresses by Internet Protocol address or Domain Name, when it uses a whitelist on the gateway for the allowed external connections. (Control: 0995, Australian Government Information Security Manual: Controls)
  • The organization should implement categories for all websites and block any prohibited categories and uncategorized websites, if it chooses not to use a whitelist. (Control: 1170, Australian Government Information Security Manual: Controls)
  • The organization should blacklist websites, if it does not use whitelists, in order to prevent accessing known malicious websites. (Control: 0959, Australian Government Information Security Manual: Controls)
  • The organization should update the blacklist daily, if it is using blacklists for websites. (Control: 0960, Australian Government Information Security Manual: Controls)
  • The organization should use the Internet Protocol address instead of the Domain Name in the blacklist for blocking attempts to access a website. (Control: 1171, Australian Government Information Security Manual: Controls)
  • The organization should block dynamic domains and other domains in the blacklist, when the Domain Name can be registered anonymously for free. (Control: 1236, Australian Government Information Security Manual: Controls)
  • The organization should identify, create, and enforce a whitelist for unclassified systems and sensitive systems that lists the allowed content types based on business requirements and the results of a Security Risk Assessment. (Control: 0649, Australian Government Information Security Manual: Controls)
  • The organization must identify, create, and enforce a whitelist for classified systems that lists the allowed content types based on business requirements and the results of a Security Risk Assessment. (Control: 0650, Australian Government Information Security Manual: Controls)
  • The organization should develop a web domain whitelist for each domain. (Mitigation Strategy Effectiveness Ranking 10, Strategies to Mitigate Targeted Cyber Intrusions)
  • The organization should develop a web domain whitelist for each HyperText Transfer Protocol Secure domain and Secure Socket Layer domain. (Mitigation Strategy Effectiveness Ranking 11, Strategies to Mitigate Targeted Cyber Intrusions)
  • Information leakage protection mechanisms should include the monitoring of network traffic leaving the organization's network to identify network traffic destined for known malicious servers or network domains on the Internet (e.g., those included on a blacklist). (CF.08.07.05c, The Standard of Good Practice for Information Security, 2013)
  • Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content. (5.1.5, Application Security Verification Standard 4.0.3, 4.0.3)
  • Deny communications with (or limit data flow to) known malicious IP addresses (black lists), or limit access only to trusted sites (whitelists). Tests can be periodically carried out by sending packets from bogon source IP addresses (non-routable or otherwise unused IP addresses) into the network to… (Control 12.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Design and implement network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server. The proxy should support decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP add… (Control 12.5, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Block access to known file transfer and e-mail exfiltration websites. (Control 13.8, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications. Each plugin shall utilize application / URL whitelisting and only allow the use of the application for pre-approved domains. (Control 7.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization shall maintain and enforce network based URL filters that limit a system's ability to connect to websites not approved by the organization. The organization shall subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category defini… (Control 7.6, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections. (CIS Control 12: Sub-Control 12.9 Deploy Application Layer Filtering Proxy Server, CIS Controls, 7.1)
  • Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic. (CIS Control 12: Sub-Control 12.10 Decrypt Network Traffic at Proxy, CIS Controls, 7.1)
  • Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections. (CIS Control 12: Sub-Control 12.9 Deploy Application Layer Filtering Proxy Server, CIS Controls, V7)
  • Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic. (CIS Control 12: Sub-Control 12.10 Decrypt Network Traffic at Proxy, CIS Controls, V7)
  • Access to external websites should be managed to reduce exposure to malicious content. (§ 8.23 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Restricting access to unapproved shareware sites. (App A Objective 13:6g Bullet 2 Sub-Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • RPs MAY establish whitelists of IdPs that the RP will accept authentication and attributes from without a runtime decision from the subscriber. All IdPs in an RP's whitelist SHALL abide by the provisions and requirements in the 800-63 suite. RPs MAY also establish blacklists of IdPs that the RP will… (4.2 ¶ 3, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • IdPs MAY establish whitelists of RPs authorized to receive authentication and attributes from the IdP without a runtime decision from the subscriber. All RPs in an IdP's whitelist SHALL abide by the provisions and requirements in the SP 800-63 suite. IdPs SHALL make whitelists available to subscribe… (4.2 ¶ 2, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • In the manual registration model, the IdP and RP manually provision configuration information about parties with which they expect to interoperate. IdPs MAY configure RPs using an explicit whitelist, allowing these RPs to receive authentication and attribute information as part of the authentication… (5.1.1 ¶ 1, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)