At the forefront of any IT infrastructure is security. Surprisingly (or perhaps unsurprisingly, because they may simply not be aware of them), some organisations are not using the full set of security features available within Office / Microsoft 365. In this article I go into some detail about the key tools we highly recommend having in place to ensure that your business's data is best protected.
3 Key areas where attackers manage to compromise user accounts
- Business Email Compromise – Attackers gaining access to user credentials, typically via phishing or spoofing attacks.
- Legacy Protocols – MFA can be used to combat compromised credentials, but applications that authenticate using legacy protocols may still be vulnerable.
- Simple / Re-used Passwords – Users are notorious for choosing weak passwords and reusing the same passwords across services. Considering up to 73% of all passwords are duplicates, a successful strategy for attackers has been to attempt to gain access to corporate accounts using common passwords and credentials exposed in public breaches.
One of the simplest yet most effective security features available on your Microsoft 365 tenant is Multi-Factor Authentication (MFA). A basic, free version of Office 365 MFA is included with any Office 365 Business subscription, and an improved version comes with Azure AD Premium P1 licensing.
Enforcing MFA alone can prevent over 99.9% of account compromise attacks, so even if a user's credentials are compromised, the attacker should still be prevented from accessing your environment.
There are over 300 million fraudulent sign-in attempts against cloud services every day, and this number continues to grow year on year. It takes only one compromised credential to cause a data breach.
Enforcing MFA alone does not completely secure your organisation, because of legacy protocols. Applications that use basic authentication protocols (e.g. SMTP) were not designed to support MFA, so by default, even with MFA enforced, attackers can still look for opportunities to use these less secure protocols to access your environment.
This issue can be resolved by implementing Conditional Access policies, also available with an Azure AD Premium P1 subscription.
A Conditional Access policy can be created to block legacy authentication from accessing your Microsoft 365 environment, which once again increases the effectiveness of your environment's security.
This is not all Conditional Access is capable of. Given the large number of fraudulent sign-in attempts mentioned above, we used to see that many of these attacks were coming from regions outside the countries where companies are operating. For example, as a UK-based company, we would see many failed sign-in attempts coming from countries such as North Korea, China and Russia. With Conditional Access policies, we could completely block any authentication originating from these regions, or from anywhere outside the UK.
More recently, however, we have seen that similar attacks have grown more sophisticated and now originate from within the UK, so the above solution is not necessarily enough. It is now recommended that you use Conditional Access to further lock down your environment to your office IP ranges, and to require MFA from any remote workers signing in from outside those ranges. Again, this improves the overall effectiveness of the security you have at your disposal and decreases the risk of a potential compromise or breach.
Another feature available with Azure AD Premium P1 licensing is the configuration of Custom Banned Passwords under the Password Protection section of Azure. This once again increases security in your environment by making it harder for attackers to compromise user credentials.
The custom banned password list is case insensitive and will block users from using passwords that include specific terms and potential variations of these key terms.
Microsoft's recommendation on what terms to add to the list is primarily focused on organisation-specific terms:
- Brand names
- Product names
- Locations (e.g. Company HQ)
- Company-specific internal terms
- Abbreviations that have a specific company meaning
Not only are the terms case insensitive, but there are additional checks that make this process more robust.
Passwords go through a normalisation process, so not only are uppercase and lowercase variants of a banned term blocked, but so are common character substitutions, such as “o” changed to “0” or “a” changed to “@”.
Other checks applied when a password is chosen are:
- Fuzzy Matching Behaviour – If the normalised password differs from a banned term by only a single character changed, added or removed, it will not be accepted.
- Substring Matching – The normalised password is checked to ensure it does not contain the user's first name, last name or tenant name.
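To make the normalisation, fuzzy-matching and substring checks concrete, here is a small added Python model of them. It is a constructed example and not Microsoft's code; the substitution table, the banned terms and the sample names are assumptions.

```python
# Simplified model of the custom banned password checks described above.
# Constructed example, not Microsoft's implementation: the substitution
# table, the banned terms and the sample names are all assumptions.

# Assumed normalisation table: undo common look-alike substitutions,
# so "Ex@mp1eC0rp" normalises to "examplecorp".
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed custom banned list of organisation-specific terms.
CUSTOM_BANNED_TERMS = ["ExampleCorp", "Widgetizer", "Bristol"]

def normalise(password: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one changed, added or removed character."""
    if a == b:
        return True
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def matches_banned_term(normalised: str, term: str) -> bool:
    """Fuzzy match: some substring of the password is within one edit of the term."""
    term = term.lower()
    for length in (len(term) - 1, len(term), len(term) + 1):
        for start in range(max(0, len(normalised) - length) + 1):
            if length > 0 and within_one_edit(normalised[start:start + length], term):
                return True
    return False

def check_password(password: str, first_name: str = "", last_name: str = "",
                   tenant_name: str = "") -> tuple:
    """Return (accepted, reason) after the normalise, fuzzy and substring checks."""
    n = normalise(password)
    for term in CUSTOM_BANNED_TERMS:
        if matches_banned_term(n, term):
            return False, f"matches banned term '{term}'"
    for label, value in (("first name", first_name), ("last name", last_name),
                         ("tenant name", tenant_name)):
        if value and value.lower() in n:  # plain substring match on user/tenant names
            return False, f"contains {label}"
    return True, "accepted"
```

With these constructed terms, `check_password("Br1st0l-Office")` is rejected because "brlstol" is one edit away from "bristol", and `check_password("AliceRocks2024", first_name="Alice")` is rejected by the substring check.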