Jul 1 2020
The Govt. Warned You to Protect Office 365 in April – You DID it, Right?
Don’t say you weren’t warned. Back in March and again in April, the US Department of Homeland Security warned of new and terrifying Office 365 security risks due in part to the Coronavirus-driven explosion in remote work.
You’ve had four months. Have you taken steps to protect Microsoft Office 365 against these new threats?
Let’s review. In March, the US government advised taking specific steps to ward off myriad O365-specific threats, including:
- Use multi-factor authentication (MFA). Microsoft says that MFA makes credentials 99.9% harder to crack.
- Protect Global Admins from compromise and use the principle of “Least Privilege.”
- Enable unified audit logging in the Security and Compliance Center.
- Enable alerting capabilities.
- Integrate with organizational security incident event management solutions.
The Cybersecurity and Infrastructure Security Agency (CISA) also warned of specific threats, including:
- Malicious E-mail, Especially Containing COVID-19 Subject Lines
- Unpatched Obsolete Devices Ripe for Picking
Let’s walk through specific threats, and what you need to do to keep O365 100% safe.
1. Email Safety in Wake of COVID-19
Here are some key CISA tips:
- “Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
- Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
- Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.”
How CoreView Enforces O365 Email Safety
E-mail is the most common way hackers breach your systems, so insecure mailboxes and poor e-mail user practices are perhaps your biggest security exposure. Mailboxes are made vulnerable through insecure, weak and never-expiring passwords, as well as a lack of multi-factor authentication (MFA).
Meanwhile, monitoring employee activities such as their mailbox practices can identify risky behavior and proactively secure business-critical data. Preventing risky activities such as auto-forwarding to external email addresses and limiting access rights to other users’ mailboxes can prevent the spread of malware and the leakage of data through emails. In addition, being aware of unusual email activity helps prevent targeted spam and the social engineering tactics common among today’s cybersecurity threats.
Key rules applied to mailbox security relate to access rights. CoreView flags user accounts with anomalous permissions, such as access rights to more than five other user mailboxes, access to mailboxes of other departments, disabled accounts still able to access mailboxes, and more. These rules are not for Room, Shared, or Team mailboxes, but rather for actual User Mailbox accounts. Users who have this type of advanced access to other users’ mailboxes should be investigated to ensure the access is being used for acceptable business purposes.
Often, mailbox security is compromised by spam and malware. CoreView can discover instances of malware sent from your organization via e-mail – and track this spread in minute detail.
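The three access-rights rules above can be checked directly against a tenant with the Exchange Online PowerShell module. This is an added example, not CoreView’s code; it assumes the ExchangeOnlineManagement module is installed and a Connect-ExchangeOnline session is already open, and it treats the “more than five mailboxes” figure from the text as the threshold.

```powershell
# Added example (not CoreView's code): flag anomalous Full Access grants on User Mailboxes.
# Assumes ExchangeOnlineManagement is installed and Connect-ExchangeOnline has already run.
$MaxMailboxesPerDelegate = 5   # threshold quoted in the text

# Directory facts for every user with a mailbox: enabled state and department
$users = @{}
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object { $users[$_.UserPrincipalName] = $_ }

# Only actual User Mailboxes count; Room, Shared and Team mailboxes are excluded.
# NT AUTHORITY\SELF, inherited entries, deny entries and the owner's own UPN are dropped.
$grants = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-EXOMailboxPermission -Identity $mbx.UserPrincipalName |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                       -not $_.Deny -and $_.User -like '*@*' -and
                       $_.User -ne $mbx.UserPrincipalName } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Delegate = $_.User } }
}

# Evaluate each delegate against the rules and record why it was flagged
$findings = foreach ($group in ($grants | Group-Object Delegate)) {
    $delegate = $users[$group.Name]
    $reasons  = @()
    if ($group.Count -gt $MaxMailboxesPerDelegate) {
        $reasons += "Full Access to $($group.Count) other user mailboxes"
    }
    if ($delegate -and $delegate.AccountDisabled) {
        $reasons += 'delegate account is disabled but still holds mailbox access'
    }
    $crossDept = @($group.Group | Where-Object {
        $owner = $users[$_.Mailbox]
        $delegate -and $owner -and $owner.Department -and
        $owner.Department -ne $delegate.Department
    })
    if ($crossDept.Count -gt 0) {
        $reasons += "access to $($crossDept.Count) mailbox(es) in other departments"
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Delegate  = $group.Name
            Mailboxes = ($group.Group.Mailbox -join '; ')
            Reasons   = ($reasons -join '; ')
        }
    }
}

# Each row is a delegate whose access should be justified by a business purpose
$findings | Sort-Object Delegate | Format-Table -AutoSize
```

Delegates that appear only because they belong to another department may be legitimate (executive assistants, for example); the output is an investigation list, not a removal list.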
2. Ransomware and Malware Explosion
CISA sees ransomware as security enemy number one. “Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation’s networks, locking up private sector organizations and government agencies alike. And that’s only what we’re seeing – many more infections are going unreported, ransoms are being paid, and the vicious ransomware cycle continues on,” CISA explained. “We strongly urge you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network (do you really trust a cybercriminal?).”
Here is CISA’s advice:
- “Update and patch systems
- Make sure your security solutions are up to date
- Review and exercise your incident response plan
- Pay attention to ransomware events and apply lessons learned”
CISA offers these further recommendations:
- “Practice good cyber hygiene; backup, update, whitelist apps, limit privilege, and use multifactor authentication
- Segment your networks; make it hard for the bad guy to move around and infect multiple systems”
How CoreView Tackles Ransomware and Malware
To deal with ransomware, you must:
- Implement strong password policy and MFA
- Limit granting of administrative access and privileges
- Perform audit-based forensics on how ransomware and other malware spread
Malware often gets through anti-virus/anti-malware defenses, especially in zero-day attacks. CoreView provides auditing tools for cloud operations. CoreView shows you every single file accessed, and every single action taken by an administrator or a user, since they had a security event on one of their devices. That is how we prevent malware like ransomware from going on, and on, and on, and on – spreading throughout the organization. We proactively see and report on what was touched and then do a deeper-dive analysis on those actions.
By speeding up security audits and performing more efficient forensic analysis, IT quickly closes any security issues when they are identified. Finding the audit trail to identify these types of attacks is extremely difficult, and requires assistance from specialized tools that have powerful security auditing and analysis capabilities – like those offered by CoreView.
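The audit trail described here, and the unified audit logging the April guidance asked you to enable, can be worked with directly from Exchange Online PowerShell. The following is an added example, not CoreView’s code: it checks that unified audit logging is switched on and then pulls every SharePoint/OneDrive file operation a given account performed over the last week, the starting point for tracing what a compromised user touched. It assumes the ExchangeOnlineManagement module and an open Connect-ExchangeOnline session; the user address is a placeholder.

```powershell
# Added example (not CoreView's code): confirm unified audit logging is on, then build a
# file-activity timeline for one account. Assumes ExchangeOnlineManagement is installed
# and Connect-ExchangeOnline has already run.
$User  = 'compromised.user@example.com'   # placeholder: the account that had the security event
$Start = (Get-Date).AddDays(-7)
$End   = Get-Date

# Rule from the April guidance: without unified audit logging there is no trail to follow
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning 'Unified audit logging was off; it is now enabled, but earlier events were never recorded.'
}

# Page through results with a session id so a busy user's activity is not truncated at 5,000 rows
$session = [guid]::NewGuid().ToString()
$events  = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $User `
        -RecordType SharePointFileOperation -ResultSize 5000 `
        -SessionId $session -SessionCommand ReturnLargeSet)
    $events += $page
} while ($page.Count -eq 5000)   # a short page means the set is exhausted

# AuditData is a JSON string; expand just the fields a responder needs and order them in time
$timeline = $events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, Workload, ClientIP, ObjectId |
    Sort-Object CreationTime

$timeline | Format-Table -AutoSize

# Write-type operations are the ones that matter when judging how far ransomware spread
$timeline |
    Where-Object { $_.Operation -in 'FileModified', 'FileDeleted', 'FileUploaded', 'FileRenamed' } |
    Group-Object Operation |
    Select-Object Name, Count
```

A sudden burst of FileModified and FileRenamed events from one ClientIP across many folders is the pattern to look for; the ObjectId column lists the exact files so the restore scope can be set precisely.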
3. Danger of Unpatched and Out-of-Date Devices
Most successful breaches are against unpatched or legacy computers. Keeping devices updated is critical to proper cybersecurity. “Adversaries operating in cyberspace can make quick work of unpatched Internet-accessible systems,” CISA warned. “Many organizations lack robust patch and configuration management policies and procedures to guide the coordination of vulnerability management-related activities at an operational level.”
“Moreover, the time between an adversary’s discovery of a vulnerability and their exploitation of it (i.e., the ‘time to exploit’) is rapidly decreasing. Industry reports estimate that adversaries are now able to exploit a vulnerability within 15 days (on average) of discovery. After gaining entry into information systems and networks, these adversaries can cause significant harm.”
How CoreView Ensures Patched and Up-to-Date Devices
During this crisis, some are working from home, still just miles from the office. In other cases, workers leave the area, going to vacation homes, living with friends or relatives, fleeing the hardest hit zone. There is no telling what devices they use for work, and to connect to the corporate network. While a productivity boost, all these devices are a security nightmare.
IT should know exactly what these devices are, for several reasons. Systems are only secure if they are patched and using up-to-date modern software, including operating systems. Windows XP does not rate as a high-security platform! What is the OS, and what is the patch status? Is the device safe?
Mobile devices have the same concerns. What kind of OS is running? Is it up to date?
Keeping software patches and anti-virus tools up to date requires that IT knows, and can validate the configuration of workstations, laptops and mobile devices, and what software is installed. More to the point, how do you know if the device is infected? And if it is, how do you know what that device did to potentially spread malware or other malicious software?
4. Decentralization without Security and Control Leads to Chaos
The way your Office 365 is managed determines how well you can stop attacks, and remediate when they occur. “The decentralization of organizations and their governance processes makes it difficult to coordinate the remediation of vulnerabilities. Network owners should be aware of who is operating their respective networks, if not done in-house,” CISA said.
Did you know that 80% of SaaS breaches involve privileged permissions? And that admins have the most privileges of all?
How CoreView Segregates and Secures Your Tenant
With CoreView, you can segregate your operator responsibility by implementing a granular RBAC – but first ask yourself:
- Why is Segregation of Duty a must-have for your organization?
- What are the regulatory constraints?
- What is the risk if you do not implement it?
- What is the business impact to not implementing it?
CoreView addresses these pain points with our Role-Based Access Control (RBAC) features that give you fine-grained control over what admins can, and cannot do.
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.