Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
In Independence Day (1996), Earth is nearly destroyed not because the aliens have better weapons, but because their technology is allowed to interface freely with human systems. Once malicious code is permitted to run, the damage is already underway. The turning point comes when access is restricted and assumptions are challenged.
That same lesson sits at the heart of CIS Safeguard 9.6: Block Unnecessary File Types.
What Is CIS Safeguard 9.6?
CIS Safeguard 9.6: Block Unnecessary File Types is part of CIS Critical Security Control 9 – Email and Web Browser Protections.
The safeguard requires organizations to:
- Identify file types that are unnecessary or high-risk
- Block those file types at email gateways, web gateways, and other ingress points
- Allow only file types that are explicitly required for business operations
The objective is simple and preventative:
If a file type isn’t needed to do business, it shouldn’t be allowed to enter the environment.
Why File Types Matter More Than File Names
Attackers rarely rely on exotic exploits. Instead, they abuse perfectly valid file formats that are capable of executing code or triggering dangerous behavior.
Commonly abused file types include:
- Executables (.exe, .msi)
- Script files (.js, .vbs, .ps1)
- Shortcuts (.lnk)
- Macro-enabled documents (.docm, .xlsm)
- Archive formats used to hide payloads (.zip, .iso)
Blocking by file extension is not about aesthetics—it’s about capability. Some file types are simply more dangerous than others.
In Independence Day, the problem wasn’t the computer—it was allowing unknown code to run without restraint. File-type blocking enforces that restraint by default.
The Threats CIS Safeguard 9.6 Directly Reduces
- Malware Delivery via Email Attachments
Email remains one of the most common malware delivery methods. Blocking unnecessary file types:
- Eliminates entire classes of payloads
- Reduces reliance on user judgment
- Stops threats before endpoint defenses engage
If users never receive executable attachments, they can’t accidentally run them.
- Web-Based Malware Downloads
Drive-by downloads and social engineering often rely on convincing users to download “updates,” “invoices,” or “documents” that are actually dangerous file types.
Blocking risky extensions at web gateways:
- Prevents accidental execution
- Reduces infection rates
- Limits attacker options
- Payload Staging and Obfuscation
Attackers frequently hide malware inside archives or container formats. Restricting which archive types are allowed—and where—makes staging attacks harder and noisier.
Why “Unnecessary” Is the Key Word
CIS Safeguard 9.6 does not say “block all risky file types everywhere.” It says block unnecessary ones.
That distinction matters.
Effective programs:
- Identify which file types are truly required
- Limit dangerous formats to specific roles or systems
- Apply stricter controls at ingress points like email and web
Most users do not need to receive scripts or executables via email. Blocking them introduces minimal friction with maximum risk reduction.
File-Type Blocking Is a Preventive Control
Unlike detection-based defenses, file-type blocking:
- Requires no alerting
- Generates no incident response workload
- Stops threats before execution
It’s one of the few controls where nothing happening is success.
In Independence Day, humanity doesn’t win by reacting faster—they win by cutting off the attack’s ability to function. Blocking unnecessary file types applies that same strategy at the security perimeter.
Where File-Type Blocking Should Be Enforced
To meet the intent of Safeguard 9.6, organizations should apply file-type restrictions at:
- Email security gateways
- Secure web gateways
- Cloud email and collaboration platforms
- File upload portals where feasible
Relying solely on endpoint controls is too late in the attack chain.
Common Pitfalls Safeguard 9.6 Avoids
Without structured file-type blocking, organizations often:
- Depend entirely on antivirus signatures
- Assume users can identify “bad” attachments
- Allow high-risk formats by default “just in case”
- React after execution instead of preventing it
Safeguard 9.6 exists to eliminate avoidable exposure.
Practical Implementation Tips
To operationalize CIS Safeguard 9.6:
- Start With a Deny-by-Default Mindset
Allow only what is demonstrably required.
- Differentiate by Delivery Channel
A file type allowed internally may still be blocked from email or the web.
- Pair Blocking With User Messaging
Clear explanations reduce frustration and workarounds.
- Review Allowed File Types Regularly
Business needs evolve—and so do attacker techniques.
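As an added illustration of the deny-by-default, per-channel approach in the tips above (and of the archive-staging concern raised earlier), here is a small attachment policy evaluator. It is example code written for this post, not CIS or Gotham code; the channel names, allowlists and nesting limit are assumed values that an organization would replace with its own.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Deny-by-default allowlists keyed by ingress channel; anything not listed is rejected.
# Channel names and lists are assumptions for illustration, not CIS-prescribed values:
# an internal IT share may legitimately need installers and scripts that email never does.
ALLOWED_BY_CHANNEL = {
    "email": {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".png", ".jpg", ".zip"},
    "it_share": {".pdf", ".txt", ".zip", ".msi", ".ps1"},
}
MAX_ARCHIVE_DEPTH = 2  # nested archives are a common staging trick; stop recursing past this

def last_suffix(name: str) -> str:
    """Lower-cased final extension, ignoring trailing dots/spaces; '' if there is none."""
    return PurePosixPath(name.strip().rstrip(". ")).suffix.lower()

def evaluate(name: str, channel: str) -> tuple[bool, str]:
    """Decide on one file name: allowed only if its final extension is on the channel list."""
    ext = last_suffix(name)
    if ext in ALLOWED_BY_CHANNEL.get(channel, set()):
        return True, "allowed"
    return False, f"{ext or 'missing extension'} not on {channel} allowlist"

def evaluate_attachment(name: str, data: bytes, channel: str, depth: int = 0) -> tuple[bool, str]:
    """Apply the policy to a file and, for zip archives, to every member (recursively)."""
    ok, reason = evaluate(name, channel)
    if not ok or last_suffix(name) != ".zip":
        return ok, reason
    if depth >= MAX_ARCHIVE_DEPTH:
        return False, "archive nested too deeply"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith("/"):  # directory entry, nothing to evaluate
                    continue
                ok, reason = evaluate_attachment(member, zf.read(member), channel, depth + 1)
                if not ok:
                    return False, f"archive member {member}: {reason}"
    except zipfile.BadZipFile:
        return False, "data is not a valid zip despite the .zip extension"
    return True, "allowed"

def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a small zip in memory (constructed sample input, not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, body in members.items():
            zf.writestr(member, body)
    return buf.getvalue()
```

Note that the final extension decides the verdict, so a double-extension name such as invoice.pdf.exe is rejected on the email channel regardless of how a desktop hides extensions.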
How Safeguard 9.6 Fits Into Control 9
CIS Control 9 focuses on reducing exposure through email and web channels:
- 9.1–9.5: Control who can send, receive, and access content
- 9.6: Control what kind of content is allowed to exist at all
Without file-type restrictions, attackers always have a delivery option.
Final Thoughts
CIS Safeguard 9.6 is about acknowledging a hard truth: not every file deserves a chance to run. Many attacks succeed simply because dangerous formats are permitted by default.
Defense isn’t always about stronger weapons—it’s about denying the enemy a viable path forward. Blocking unnecessary file types quietly removes entire attack classes from consideration.
No alerts. No cleanup. No incident.
Just fewer ways for attackers to get in.
Resources
Here’s a link to the Policy Templates provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more details? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 9 – Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
CIS Safeguard 9.6: Block Unnecessary File Types
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Shameless Marketing Information
Gotham Technology Group offers professional and managed services to protect your organization with technologies such as Secure Email Gateway (SEG), Secure Web Gateway (SWG), Network Security (NGFW, Route, Switch, WAP), Secure Services Edge (SSE) and Secure Access Services Edge (SASE).