Earlier this week, the US Government’s Cyber and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security (DHS), issued AR19-133A. This analysis report describes some of the common security holes exposed by a “mix of configurations that lowered their overall security posture.” Here are the main points discussed:
Multi-Factor Authentication (MFA)
Two Factor Authentication (2FA) or Multi-Factor Authentication (MFA) is thankfully now available in more and more applications. Strong passwords/passphrases go a long way to secure access, but humans are notoriously bad at creating strong, random passwords. Even if a long password is randomly generated using software, it is most likely stored on a spreadsheet somewhere. Or, it’s stored in a password manager tool like the ones built into most modern browsers. If the user’s computer or their browser’s account is compromised, then the strong random password can easily be recovered.
Adding a second factor of authentication involving something you have (like your phone) protects your account even if your password is compromised or cracked. MFA is an absolute must for any administrator accounts accessible over the internet. Unfortunately, MFA is NOT required for new Office 365 Global Administrators. If these accounts aren’t secured, it “could allow an attacker to maintain persistence as a customer migrates users to O365.” GlobalCerts recommends the following:
- Create separate administrator accounts for all privileged access. These accounts should be different from your normal email mailbox account. For instance, if Bob is your IT admin, he should have his normal account ‘firstname.lastname@example.org’, and a seperate Global Admin user ‘email@example.com’ should be created with a separate login and MFA required.
- Secure commonly targeted non-admin accounts with MFA. Certain high-value email accounts (such as payroll/HR, accounting, etc.) should use MFA. Encourage all users to enable MFA if possible/practical.
- Turn on the policy “Baseline policy: Require MFA for admins” in Azure AD’s conditional access section. This policy will be enforced by default in the near future by Microsoft.
- Also, if you have an app that cannot authenticate with MFA, then generate and utilize an ‘app password’ when configuring MFA. Copy the password and enter it into the app. Do NOT copy it anywhere else as a backup.
Prior to January 2019, Office 365 tenants did NOT have audit logging enabled by default. Audit logging needed to be enabled manually through Powershell commands on a per-mailbox basis. Audit logging records important security events like logins to user accounts, email and file creation/edit events, deletion events, etc. All of this information is vital in both monitoring your instance for suspicious events or compromise, but also in determining how a breach occurred by tracing the attacker’s steps.
GlobalCerts recommends checking to ensure Unified Audit Logging is enabled in your tenant by checking here in the Security and Compliance center.
Poor Password Management
When migrating from on premise Exchange and Active Directory (AD) to Office 365, Microsoft offers many helpful synchronization tools in a suite called Azure AD Connect. However, a feature call Password Sync can allow for compromises in an organization’s on premise AD system to make their way into the cloud. This feature allows for on premise account passwords to automatically replace the same user’s password in the cloud (Azure AD). If the organization’s AD is compromised locally, then the account on the cloud will also be compromised. Best practice is to disable this password sync feature for all privileged/admin accounts.
Outdated Email Protocols
Also, Office 365 tenants have older non-MFA enabled protocols turned on by default. Protocols like IMAP or SMTP authentication are sometimes needed for certain apps to authenticate, or for older client software like Outlook 2013. GlobalCerts recommends that POP and IMAP be disabled for all accounts that it is not needed, especially those that are high-value targets such as administrators, HR, Accounting, etc. Unfortunately the only way to enable or disable the protocols is via Powershell. More information can be found here.
How GlobalCerts Can Help
Microsoft Office 365 is an amazing productivity suite and can be an extremely secure way to communicate and collaborate, if properly configured to maximize security. However, by default there are many settings designed for usability and compatibility, not security. These should be addressed when first configuring the tenant, and periodically as users, devices and other services are added and removed. Microsoft outlines some of the steps you can take here. GlobalCerts provides our Fast&Secure customers with the expert knowledge and assistance to secure their Office 365 instances and take advantage of the myriad security features available, and the new ones continuously being added by Microsoft. We then automatically combine Office 365 with our simple to use, elegant email encryption solution and advanced data leak prevention capabilities to keep your data secure in transit.