This post is sponsored by CoreView who offer a wide variety of security solutions for Office 365
Office 365 is one of the most commonly used applications in IT today. According to Microsoft, as of Q1 2020, Office 365 had reached 200 million monthly active users. Office 365 growth has remained constant at about 3 million users per month since 2015.
However, while many businesses are using Office 365 in some capacity, very few of them have taken all the required steps to properly secure Office 365. Many organizations mistakenly believe that since Office 365 is a cloud application, Microsoft handles all the security and they don’t need to do anything else in order to lock it down.
Most of these businesses are actively employing multiple layered on-premises security measures including VPNs, firewalls, VLANs, and anti-virus. However, many of these same organizations using Office 365 do not know where Office 365 specific security vulnerabilities lie – or in many cases even that they exist at all.
According to the McAfee Cloud Adoption and Risk Report 2019, 80% of all organizations experience at least one compromised account threat per month, and specific threats targeted toward Office 365 have grown by 63% in the last two years. Just like on-premises assets, securing Office 365 is vital to protect against data loss and breaches of confidentiality, as well as to protect yourself and your business from malware and ransomware. Office 365 does provide some security features and configuration options that you should take advantage of. Plus, there are additional areas where cloud security best practices and third-party tools can help to fill in important security gaps.
In this post, we’ll cover five key points for securing Office 365.
Authentication is the first level of defense for your critical Office 365 applications and data. Using weak passwords creates one of the biggest security exposures for all businesses. A 2019 survey by Avast revealed that 83% of the respondents were using weak passwords; weak passwords can significantly reduce the time it takes to brute force access to your tenant. If a user’s password is exposed, then all of the business assets that a specific user can access can be compromised or corrupted. Strong authentication methods can go a long way toward putting up a strong first line of defense for your Office 365 applications and assets.
Two of the best ways of strengthening your authentication are through the use of strong passwords and, where possible, multi-factor authentication. Strong passwords are achieved by following best practices for character usage and can be enforced through password policies.
There are several common mistakes that you should be sure to avoid when selecting passwords:
Setting a password policy can enforce the use of stronger password security. Password policies can set minimum password lengths — for example, requiring passwords to be eight characters or longer. The policies can require the use of multiple character sets like a mix of uppercase characters, lowercase characters, numbers, and non-alphanumeric characters like $, !,#, or *.
Multi-factor authentication (MFA) is one of the most effective ways to increase the authentication security for your Office 365 resources. To authenticate with MFA, you combine your standard login ID and password with an additional piece of information — typically a code texted to your phone, a notification from a mobile app, or a verification code from a hardware token. MFA can prevent hackers from accessing your accounts – even if they have your password. While not every organization can use it, MFA can definitely increase your Office 365 authentication security.
E-mail is the most common way hackers break into your systems. Insecure mailboxes and poor end-user practices can create some of your biggest security exposures.
Of course, end-users are often the weakest link in email security. According to Microsoft, 71% of SMBs feel they are vulnerable to a cyberattack, and their biggest concerns are phishing, compromised passwords, ransomware, and leaks of sensitive data by employees. Opening dangerous email attachments or clicking on various email links can expose your entire organization to malware and ransomware attacks, so end-user training is absolutely vital – especially in these times when this type of attack is definitely on the rise.
Office 365 mailboxes can also be vulnerable through weak authentication, and there are other poor practices like auto-forwarding to external email accounts and granting access rights to other users’ mailboxes.
Weak passwords can allow hackers to access private and confidential email contents. Implementing strong authentication procedures like the ones discussed in the first point can reduce this risk.
If a hacker gains access to a user’s mailbox, they can set up auto-forwarding to send the user’s email to an outside address and gain access to any proprietary information in those emails.
Likewise, permissions granted on another user’s mailbox can give the holder read and write access to that user’s content. This has legitimate uses, such as when a manager needs an assistant to monitor incoming emails. However, these permissions can also be misused to allow unintended access to mailboxes.
In addition, monitoring and mailbox auditing can help to identify risky behavior and secure business-critical data. Office 365 mailboxes can contain high-impact sensitive information, and auditing enables you to track who logs on to the mailboxes in your organization and the actions that were taken. Office 365 mailbox audit logging should be enabled; once it is, specific actions performed by mailbox owners, delegates, and admins are all logged automatically.
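The three mailbox exposures above (external auto-forwarding, delegated access, and audit logging) can be checked tenant-wide from Exchange Online PowerShell. This is an added example, not code from the post or from CoreView; it assumes the ExchangeOnlineManagement module is installed and that you have already run Connect-ExchangeOnline with an Exchange administrator account.

```powershell
# Added example (not from the post). Assumes an existing Connect-ExchangeOnline session.

# Domains that count as "internal"; any other destination is external.
$internal = (Get-AcceptedDomain).DomainName

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding to an external SMTP address.
    if ($mbx.ForwardingSmtpAddress) {
        $target = $mbx.ForwardingSmtpAddress -replace '^smtp:', ''
        if (($target -split '@')[1] -notin $internal) {
            Write-Warning "$($mbx.UserPrincipalName) forwards all mail to external address $target"
        }
    }

    # 2. Inbox rules that forward or redirect mail; review each one with the owner.
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            Write-Warning "$($mbx.UserPrincipalName): rule '$($_.Name)' forwards or redirects mail"
        }

    # 3. Full Access delegates other than the owner and built-in system accounts.
    Get-MailboxPermission -Identity $mbx.UserPrincipalName |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and
                       -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object {
            Write-Output "$($mbx.UserPrincipalName): FullAccess delegate $($_.User)"
        }

    # 4. Ensure owner, delegate and admin actions on this mailbox are logged.
    if (-not $mbx.AuditEnabled) {
        Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true
    }
}
```

Internal recipients configured through ForwardingAddress are not flagged here, since forwarding inside the tenant is usually intentional; extend the first check if your policy forbids it.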
As reported by Forbes, Forrester Research estimates 80% of today’s security breaches involve privileged credentials. Office 365 administrators have the highest security privileges of all Office 365 users and can be a source of insider threats as well as a target for credential hacks.
The centralized administrative model used by Office 365 can be inefficient and can create security problems. Under the Office 365 centralized administrative model, all administrators have global credentials. This means that administrators have access to all user accounts. The basic Office 365 admin center does not enable you to easily set up customized permissions based on country, business unit, or for remote offices. A security breach that involves Office 365 administrative privileges can potentially open up access to all of the organization’s private data as well as enabling the hacker to modify files, settings, and to view and delete users and data.
Implementing a system of least-privileged access and role-based security access can help control Office 365 administrative and end-user access. A privileged account, like a typical Office 365 administrative account, is one with the authority to access other accounts and resources. Least-privileged access is the practice of restricting the access rights of users and accounts to only those resources that are absolutely required for the activities their role in the organization actually performs.
For instance, users should not typically be allowed to access other user accounts and administrators at branch offices should not typically have access to accounts at other branches or in the corporate offices. Implementing role-based access control (RBAC) for Office 365 allows organizations to better delegate permissions based on job function. This results in far fewer globally permissioned administrators.
Using RBAC, users can only perform the tasks that they have been explicitly granted access to. The Office 365 Security & Compliance Center lets you grant permissions to people in your organization by adding them to roles. A role essentially grants permissions to perform a set of tasks. You can learn more about implementing RBAC for Office 365 at Permissions in the Office 365 Security & Compliance Center. Keep in mind that while RBAC can assign role-based rights, it is not as granular as many would expect, and these rights still come with global credentials, so those admins can reach out and touch every user across the entire tenant.
Setting up RBAC with Office 365 can be difficult. Fortunately, some third-party tools are able to enhance the built-in capabilities of Office 365 – making it far easier to implement RBAC throughout your Office 365 installation and reduce the risk of exposing global administrative permissions.
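One piece of the built-in tooling that does narrow an administrator's reach is the Exchange Online management scope, which ties a role assignment to a filtered set of recipients. The following is an added example, not code from the post or from CoreView, that confines a branch admin to the mailboxes of one office; it assumes an existing Connect-ExchangeOnline session with rights to create role assignments, that mailboxes carry the branch name in their Office attribute, and that 'Berlin' and branch.admin@example.com are placeholders.

```powershell
# Added example (not from the post). Assumes an existing Connect-ExchangeOnline session.
# 'Berlin' and the admin account are constructed placeholders.
$branch = 'Berlin'
$admin  = 'branch.admin@example.com'

# 1. A management scope limits which recipients a role assignment may modify.
New-ManagementScope -Name "Branch-$branch Recipients" `
    -RecipientRestrictionFilter "Office -eq '$branch'" | Out-Null

# 2. Assign a built-in role with that write scope instead of the default
#    organization-wide scope. 'Mail Recipients' allows editing existing
#    mailboxes but not creating or deleting them.
New-ManagementRoleAssignment -Name "Branch-$branch Mail Recipients" `
    -Role 'Mail Recipients' `
    -User $admin `
    -CustomRecipientWriteScope "Branch-$branch Recipients" | Out-Null

# 3. Verify: every assignment held by this admin and the write scope it carries.
Get-ManagementRoleAssignment -RoleAssignee $admin |
    Select-Object Name, Role, CustomRecipientWriteScope

# Caveat: the scope only restricts Exchange RBAC. If the same account also holds a
# tenant-wide Azure AD role such as Global Administrator or Exchange Administrator,
# that role grants unscoped access and the branch restriction has no effect.
```

A scoped admin can run Set-Mailbox against Berlin mailboxes, while the same command against a mailbox from another office fails because the target lies outside the assignment's write scope.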
The theft of user credentials is another significant Office 365 security problem. According to a survey conducted by Cyren and Osterman Research, of 300 companies with more than 5,000 employees in the US and UK, 40% of enterprise respondents indicated that Office 365 login credentials have been compromised.
Stolen Office 365 credentials enable the attacker to sign in as the user and perform illicit actions. The attacker can use the stolen credentials to access the user’s Office 365 mailbox, SharePoint folders, or files in the user’s OneDrive. One of the most common consequences is that the attacker will begin sending emails as the original user to recipients that are both inside and outside of the organization.
Credential theft occurs in a number of different ways. Phishing attacks are one of the most common ways that attackers attempt to steal Office 365 credentials.
For example, security researchers have recently uncovered a new phishing campaign that leverages fake voicemail messages to trick recipients into revealing their Office 365 email credentials. Another common tactic to steal credentials is for hackers to impersonate alerts from enterprise cloud platforms like Microsoft Azure or Amazon AWS that trick workers into using their credentials to log in to a malicious domain. In addition, the use of legacy email protocols such as IMAP/SMTP/POP3 can expose user credentials as well.
In fact, the majority of all compromised email exploits come from using legacy authentication which can be open to brute force attacks. In addition, legacy email authentication does not support strong authentication using MFA.
It’s important to remember that stolen Office 365 credentials can affect more than just the compromised account. Breaches can also impact other Office 365 users and on-premises operations as well. Technologies used by Office 365 like Azure AD Connect integrate on-premises Active Directory with Azure Active Directory, enabling a compromised cloud account to potentially perform on-premises authentication as well.
Preventing credential theft begins with the use of strong authentication but it also goes beyond that. You need to avoid easily hacked legacy email protocols and provide end-user training to help users identify and avoid questionable emails.
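Blocking the legacy IMAP/POP3/SMTP authentication discussed above can be done with an Exchange Online authentication policy. This is an added example, not code from the post or from CoreView; it assumes an existing Connect-ExchangeOnline session with Exchange administrator rights, and the policy name and pilot account are placeholders.

```powershell
# Added example (not from the post). Assumes an existing Connect-ExchangeOnline session.

# An authentication policy created without any -AllowBasicAuth* switches blocks
# Basic authentication for every protocol (IMAP, POP3, SMTP AUTH, ActiveSync, ...),
# which also removes the paths that bypass MFA.
$policyName = 'Block Basic Auth'   # constructed name
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# 1. Pilot on one account first so that any scanner, multifunction printer or
#    line-of-business app that still relies on Basic auth surfaces before rollout.
Set-User -Identity 'pilot.user@example.com' -AuthenticationPolicy $policyName

# 2. Make the policy the tenant default; mailboxes without an explicit policy inherit it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 3. Additionally switch off IMAP and POP at the mailbox level for everyone who
#    still has them on, and disable SMTP AUTH tenant-wide.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 4. Verify which policy each user resolves to (blank means the tenant default applies).
Get-User -ResultSize Unlimited |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

Policy changes are not instantaneous and can take some hours to apply to all users; if a specific mailbox must keep SMTP AUTH (for a device that cannot use modern authentication), re-enable it for that one mailbox with Set-CASMailbox -SmtpClientAuthenticationDisabled $false rather than leaving it on tenant-wide.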
Auditing is a vital security activity that is often overlooked in Office 365 implementations. Auditing can enable you to track both administrative and end-user actions.
You can see who, when, and where various Office 365 activities are being performed. In addition to recording user activities, you can use auditing to generate alerts for specific events.
For example, a couple of the most common alert conditions are for too many failed authentication attempts or for authentication attempts from other countries. Other common security alerts that can be generated from auditing include alerts for downloading multiple files in a short period of time or for multiple file deletions in SharePoint.
However, Office 365 audit logs are not always enabled by default. You can turn on Office 365 auditing by using the Office 365 Security & Compliance Center. After auditing is enabled, it typically takes a couple of hours for the audit log to be prepared. After the log has been prepared, you can start searching the audit log using the Office 365 Security & Compliance Center.
For Office 365 E3 or Microsoft 365 E3, audit records are retained for 90 days. For Office 365 E5 or Microsoft 365 E5 or users with a Microsoft 365 E5 Compliance add-on license, audit records are retained for one year.
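The alert conditions the post mentions (repeated failed sign-ins, and mass file deletions or downloads in SharePoint and OneDrive) can be pulled straight from the unified audit log. This is an added example, not code from the post or from CoreView; it assumes an existing Connect-ExchangeOnline session holding the Audit Logs role, that unified audit logging has been turned on long enough for records to exist, and that the thresholds are constructed values you will tune for your tenant.

```powershell
# Added example (not from the post). Assumes an existing Connect-ExchangeOnline session.

# Turn on unified audit log ingestion if it is still off (records appear after a delay).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$end   = Get-Date
$start = $end.AddHours(-24)

function Get-AuditEvents([string]$Operation) {
    # Search-UnifiedAuditLog returns each record's details as a JSON string in AuditData.
    Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $Operation -ResultSize 5000 |
        ForEach-Object { $_.AuditData | ConvertFrom-Json }
}

# Alert 1: accounts with many failed sign-ins, listing the source IPs so that
# sign-ins from unexpected locations stand out. Threshold 10 is a constructed value.
Get-AuditEvents 'UserLoginFailed' |
    Group-Object UserId |
    Where-Object { $_.Count -ge 10 } |
    ForEach-Object {
        $ips = ($_.Group.ClientIP | Sort-Object -Unique) -join ', '
        Write-Warning "$($_.Name): $($_.Count) failed sign-ins from $ips"
    }

# Alert 2: accounts deleting many SharePoint/OneDrive files in the window (threshold 50, constructed).
Get-AuditEvents 'FileDeleted' |
    Group-Object UserId |
    Where-Object { $_.Count -ge 50 } |
    ForEach-Object {
        Write-Warning "$($_.Name) deleted $($_.Count) files in $($_.Group[0].Workload)"
    }

# Alert 3: accounts downloading many files in the window (threshold 100, constructed).
Get-AuditEvents 'FileDownloaded' |
    Group-Object UserId |
    Where-Object { $_.Count -ge 100 } |
    ForEach-Object {
        Write-Warning "$($_.Name) downloaded $($_.Count) files in $($_.Group[0].Workload)"
    }
```

Search-UnifiedAuditLog returns at most 5000 records per call, so a busy tenant needs the search split into shorter windows or paged with -SessionId and -SessionCommand ReturnLargeSet.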
Third-party tools, like the solution offered by CoreView, can extend the built-in logging capabilities of Office 365 by adding the ability to track different Office 365 objects like messages or files and show all of the different users and actions that have touched those objects.