How to quickly prevent 99.9% of attacks on your users’ accounts

Cyber-attacks aren’t slowing down, and it’s worth noting that many successful attacks have needed no advanced technology at all.

For even the largest, most security-conscious company, all it takes is one compromised credential or one legacy application to cause a data breach.

This underscores how critical it is to ensure password security and strong authentication across your organisation. There are many solutions out there that can protect networks, applications and data, but there is one simple thing that organisations of any size and sector can do that has a significant impact on protecting against cyber-attacks and breaches through compromised credentials.

Where are organisations most vulnerable?

According to a recent report from the SANS Software Security Institute, the most common vulnerabilities include:

  • Corporate email compromise: Where an attacker gains access to a corporate email account, typically through a phishing or spoofing attack (emails that appear to come from IT or another trusted source and trick users into handing over their logon credentials), and uses it to exploit the system, steal data or compromise your business. Accounts that are protected with only a user ID and password are easy targets.
  • Legacy protocols: Old email clients and many “stock smartphone email clients” create a major vulnerability, since the basic protocols they use (SMTP, POP3 and IMAP with basic authentication) were not designed to support modern security controls such as Multi-Factor Authentication (MFA). So even if you require MFA for most use cases, if legacy authentication is left enabled, attackers will simply use an outdated browser or email application to force the less secure protocol and sidestep MFA altogether.
  • Password reuse: This is where “password spray” and “credential stuffing” attacks come into play. Common passwords, and credentials compromised in public breaches, are tried against corporate accounts to gain access. More than 70% of passwords are estimated to be duplicates of passwords used on other public sites such as shopping or consumer sites; this has been a successful strategy for attackers for years and it’s easy to do. Most users re-use passwords because complexity rules (a mix of letters, numbers and symbols) make passwords hard to remember, so the one “complex” password they do remember gets used everywhere, which has the opposite of the intended effect.
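Both of these patterns show up in sign-in logs well before they show up as a breach. The Python below is an example added here (not code from the original post or from Microsoft) that runs two detections over a handful of constructed sign-in records: a password-spray check (one source IP failing against many distinct accounts in a short window, then the accounts that succeeded from that IP) and a listing of successful sign-ins over legacy protocols, which Azure AD defines as any client app other than “Browser” and “Mobile Apps and Desktop clients”. The record layout, IP addresses, user names, client-app strings and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records, loosely shaped like Azure AD sign-in log
# fields (timestamp, user, source IP, outcome, clientAppUsed). Not real data.
SIGNINS = [
    ("2019-05-14T08:00:05Z", "alice@contoso.example", "203.0.113.10", False, "Browser"),
    ("2019-05-14T08:00:09Z", "bob@contoso.example",   "203.0.113.10", False, "Browser"),
    ("2019-05-14T08:00:12Z", "carol@contoso.example", "203.0.113.10", False, "Browser"),
    ("2019-05-14T08:00:15Z", "dave@contoso.example",  "203.0.113.10", False, "Browser"),
    ("2019-05-14T08:00:20Z", "erin@contoso.example",  "203.0.113.10", True,  "Browser"),
    ("2019-05-14T08:05:00Z", "alice@contoso.example", "198.51.100.7", False, "Browser"),
    ("2019-05-14T08:05:30Z", "alice@contoso.example", "198.51.100.7", True,  "Mobile Apps and Desktop clients"),
    ("2019-05-14T09:00:00Z", "frank@contoso.example", "192.0.2.44",   True,  "IMAP4"),
    ("2019-05-14T09:30:00Z", "grace@contoso.example", "192.0.2.45",   True,  "Authenticated SMTP"),
]

# Azure AD treats everything other than these two clientAppUsed values as
# legacy authentication (assumption: value strings as shown in the sign-in logs).
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(minutes=10), min_users=4):
    """Map source IP -> number of distinct accounts it failed against inside
    any `window`-long span, for IPs reaching `min_users`. A spray tries one
    password across many accounts, so the tell is breadth, not depth."""
    failures = defaultdict(list)
    for ts, user, ip, success, _ in records:
        if not success:
            failures[ip].append((parse_ts(ts), user))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        widest = 0
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            widest = max(widest, len(users))
        if widest >= min_users:
            flagged[ip] = widest
    return flagged


def successes_from(records, ips):
    """Accounts that signed in successfully from a flagged IP: the first
    candidates to treat as compromised and reset."""
    return sorted({u for _, u, ip, success, _ in records if success and ip in ips})


def legacy_auth_signins(records):
    """(user, client) pairs for successful sign-ins over legacy protocols, which
    cannot be challenged for MFA and therefore bypass it."""
    return [(u, app) for _, u, _, success, app in records
            if success and app not in MODERN_CLIENTS]


if __name__ == "__main__":
    spray = detect_password_spray(SIGNINS)
    print("spray sources:", spray)
    print("successes from spray sources:", successes_from(SIGNINS, spray))
    print("legacy auth sign-ins:", legacy_auth_signins(SIGNINS))
```

On the sample data the spray source is 203.0.113.10 (four accounts failed within fifteen seconds), the account to reset first is erin, and frank and grace are signing in over IMAP and authenticated SMTP, which no MFA policy will ever challenge. Against a real tenant the same logic runs over the Azure AD sign-in log export; tune the window and threshold to your sign-in volume.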

What you can do to protect your company

There are many simple steps that can and should be taken to provide basic account and security hygiene.

Administrators can quickly help prevent many of these attacks by banning the use of bad passwords (Azure AD can do this natively with its banned password lists), blocking legacy authentication, and through basic awareness training so staff can spot common phishing attacks.

Whilst all of this will help, by far the most effective step you can take as a business is to turn on and require Multi-Factor Authentication (MFA). This extra layer of account protection creates a very effective barrier that makes it incredibly difficult for attackers to log on with stolen or compromised credentials, even if a user “hands them over” as a result of a successful phishing attack.

Simply put, Microsoft’s figure is that MFA blocks over 99.9% of account compromise attacks. With MFA, knowing or cracking the password isn’t enough to gain access, since the user will be challenged to enter a code, respond to a text sent to their phone or approve the logon via an app on a device in their possession. App-based approval or a hardware key is stronger than SMS or voice (phone numbers can be hijacked by SIM swapping), but any second factor is a huge improvement over none. To learn more, read Your Pa$$word doesn’t matter.

MFA is easy to enable and use

According to the SANS Software Security Institute there are two primary obstacles to adopting MFA implementations today:

  • Misconception that MFA requires external hardware devices.
  • Concern about potential user disruption or concern over what may break.

When we have these kinds of conversations with customers, the second point is usually the most common: “the owner won’t like it” or “what if it stops person X from logging on and they can’t talk to IT?”

No banking app lets its customers access their services these days without some form of MFA, and we all simply accept this (we have to), so why should accessing your company’s data be any different?

Depending on your organisation’s choice of MFA technology and the level of licensing in place, MFA can be used in conjunction with Risk Based Conditional Access, a feature of Azure Active Directory. Conditional Access itself needs Azure AD Premium P1; the sign-in risk and user risk conditions (the “risk based” part) come from Azure AD Identity Protection and need Premium P2.

Risk Based Conditional Access

Risk Based Conditional Access is essentially adaptive authentication: it looks at a number of risk factors (user, location, device state, application, sign-in risk) to determine whether and how to allow a user access to resources. In the MFA example, Conditional Access can be configured so that MFA is not required on a compliant corporate device in the office, but is enforced whenever users are remote or on a non-corporate or non-compliant (for example, unencrypted) device.
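To make the policy logic concrete, here is an example added by the editor (not code from the original post or from Microsoft) of the two policies that together give “MFA unless on a compliant device at a trusted location”, written as Python dictionaries in the shape of Microsoft Graph conditionalAccess policy objects, plus a small evaluator. The field names follow the Graph API; the evaluator is a simplified model of how Azure AD combines policies (every applicable policy must be satisfied), not Azure AD’s engine, and the user names (in place of object IDs), the break-glass account and the omission of risk conditions are assumptions.

```python
# Two constructed policies in the shape of Microsoft Graph conditionalAccess
# policy objects. Field names follow the Graph API; tenant-specific values
# (user names instead of object IDs, the break-glass account) are assumptions.
POLICIES = [
    {
        "displayName": "Remote access: always require MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@contoso.example"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Trusted locations: compliant device or MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@contoso.example"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
]


def policy_applies(policy, ctx):
    """Does the policy's scope (user and location conditions) cover this sign-in?"""
    if policy["state"] != "enabled":
        return False
    users = policy["conditions"]["users"]
    if ctx["user"] in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and ctx["user"] not in users["includeUsers"]:
        return False
    loc = policy["conditions"].get("locations")
    if loc:
        include, exclude = loc["includeLocations"], loc.get("excludeLocations", [])
        in_scope = "All" in include or ("AllTrusted" in include and ctx["trusted_location"])
        if "AllTrusted" in exclude and ctx["trusted_location"]:
            in_scope = False
        if not in_scope:
            return False
    return True


def controls_satisfied(policy, ctx):
    """Grant controls: OR means any one control is enough, AND means all are needed."""
    satisfied = {"mfa": ctx["mfa_done"], "compliantDevice": ctx["device_compliant"]}
    grant = policy["grantControls"]
    results = [satisfied[c] for c in grant["builtInControls"]]
    return any(results) if grant["operator"] == "OR" else all(results)


def evaluate(policies, ctx):
    """Return 'allow', 'mfa_required' or 'block'. Every applicable policy must be
    satisfied; MFA is offered only if completing it would satisfy all of them."""
    unmet = [p for p in policies if policy_applies(p, ctx) and not controls_satisfied(p, ctx)]
    if not unmet:
        return "allow"
    after_mfa = dict(ctx, mfa_done=True)
    if all(controls_satisfied(p, after_mfa) for p in unmet):
        return "mfa_required"
    return "block"


def sign_in(user, trusted_location, device_compliant, mfa_done=False):
    """Convenience wrapper: evaluate the two policies above for one sign-in."""
    return evaluate(POLICIES, {"user": user, "trusted_location": trusted_location,
                               "device_compliant": device_compliant, "mfa_done": mfa_done})


if __name__ == "__main__":
    for trusted, compliant in [(True, True), (True, False), (False, True), (False, False)]:
        print(f"trusted={trusted} compliant={compliant} ->",
              sign_in("alice@contoso.example", trusted, compliant))
```

Two things the model makes visible: a single policy with “exclude trusted locations” would let a personal laptop plugged into the office network in without MFA, which is why the second policy exists; and the excluded break-glass account sails through both policies, so it must be protected some other way (long random password, locked in a safe, sign-ins alerted on).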

Need some help? The organisation I work for, @cisilion, can help: get in touch via Twitter or visit our website.


Note: Aspects of this information are taken from a blog by Melanie Maynes, Senior Product Marketing Manager, Microsoft Security.

Why you should be using Azure Identity Protection

Why?

The move from traditional on-premises IT to cloud services has dramatically changed the way systems are managed and controlled. Access to services from any location and any device means that many of the traditional management methods (a perimeter firewall, a domain-joined desktop on the LAN) are no longer feasible.

Identity (not the firewall) is the modern control plane. Your user identity, however it is protected, is typically the key to your applications, devices and data within the modern workplace, so keeping it safe should be paramount.

The UK’s National Cyber Security Centre (NCSC), like any reputable security company or agency, will advise you not to use the same password in multiple places and not to pick something easily guessed such as Password123 or Companyname2019.

What is Azure Identity Protection?

As long as your organisation uses Microsoft Azure AD, which it does if you use Office 365, Microsoft provides a service, Azure AD Password Protection, that goes a long way towards ensuring users follow industry (and your own) password guidance and are not using common passwords or passwords known to appear in recent breaches. The global banned password list applies to every cloud account; the custom list described below, and enforcement on on-premises Active Directory, require Azure AD Premium P1. (Azure AD Identity Protection, the name used in the title, is the separate P2 risk-detection service; the banned-password checks described here belong to Password Protection.)

In addition to the global list, which Microsoft builds from its threat intelligence and updates automatically, the custom banned password list lets you specify up to 1,000 terms of your own, each 4 to 16 characters long. A starter such as the top 1,000 common passwords available on GitHub is tempting, but the global list already covers those, so the custom slots are better spent on your organisation’s name, product names, office locations and any terms common in your company or industry. You do not need to add variants such as C0ntoso: normalisation handles those automatically.

If you haven’t used the service before, you can run it in “Audit” mode to review the number of “hits” the new policy would generate before enforcing it. Once enforced, whenever a user sets or resets their password, the new password is “scored” against a combination of risks, including the presence of known, common or custom banned terms and known breached passwords.

How are passwords evaluated?

Whenever a user changes or resets their password, the new password is checked for strength by validating it against both the global banned password list and the custom banned password list (if the latter is configured).

Even if a user’s password contains a banned term, it may still be accepted if the rest of the password is strong enough. Microsoft documents the evaluation as three steps:

  • Normalisation: the password is lower-cased and common substitutions are reversed (0 to o, 1 to l, $ to s, @ to a), so P@ssw0rd is evaluated as password.
  • Matching: the normalised password is checked for terms from the global and custom banned lists using fuzzy matching (an edit distance of one) and substring matching.
  • Scoring: each banned term found counts as one point and each remaining character counts as one point; a password needs at least five points to be accepted.

A new password that scores below the threshold is rejected and the user receives an error message similar to the following:

“Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.”
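As an added illustration (not Microsoft’s code, and not part of the original post), the Python below reimplements the evaluation as documented, on a small constructed banned list: normalisation, fuzzy and substring matching of banned terms, and the five-point score. The global and custom lists, the sample passwords and the edit-distance helper are assumptions that stand in for Microsoft’s unpublished lists and implementation.

```python
# Constructed lists. Microsoft's real global list is not published; these
# entries stand in for it. Custom entries are the organisation's own terms.
GLOBAL_BANNED = {"password", "qwerty", "letmein", "welcome", "iloveyou", "abc123"}
CUSTOM_BANNED = {"contoso", "fabrikam"}

# Substitutions reversed during normalisation (0->o, 1->l, $->s, @->a).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})


def normalize(password):
    """Step 1: lower-case and undo the common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def within_one_edit(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]          # one insertion in the longer string


def score_password(password, custom_banned=CUSTOM_BANNED):
    """Steps 2 and 3: find banned terms (exact or within one edit) as substrings
    of the normalised password, consuming the characters they cover. Each term
    found scores one point; every character not covered scores one point.
    Returns (points, list_of_terms_found)."""
    norm = normalize(password)
    banned = sorted(GLOBAL_BANNED | {w.lower() for w in custom_banned}, key=len, reverse=True)
    consumed = [False] * len(norm)
    points, found = 0, []
    for word in banned:
        # Try exact length first so a clean match is not widened by a fuzzy one.
        for length in (len(word), len(word) - 1, len(word) + 1):
            i = 0
            while i + length <= len(norm):
                window = norm[i:i + length]
                if not any(consumed[i:i + length]) and within_one_edit(window, word):
                    for k in range(i, i + length):
                        consumed[k] = True
                    points += 1
                    found.append(word)
                    i += length
                else:
                    i += 1
    points += consumed.count(False)
    return points, found


def is_acceptable(password, custom_banned=CUSTOM_BANNED):
    """A password needs at least five points to be accepted."""
    return score_password(password, custom_banned)[0] >= 5


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "C0ntos0Blank12", "Summer2019!"):
        print(pw, "->", score_password(pw), "accepted" if is_acceptable(pw) else "rejected")
```

The scoring has a consequence worth knowing before you rely on it: the banned term costs only one point, so “C0ntos0Blank12” scores 8 and is accepted even though the company name is on the custom list, and “Summer2019!” is accepted with “summer” banned because the remaining five characters carry it over the threshold. The list stops the password from being a banned word, not from containing one.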

Reviewing the effectiveness

As well as users being told about (and prevented from) setting a “banned” password, admins can see this activity in the logs: the Azure AD audit logs for cloud password changes, and the event log of domain controllers running the on-premises agent.

Read more from Microsoft

Microsoft provides a lot more detail and examples of how this works in its Azure AD Password Protection documentation.

New WannaCry-type exploit threatens XP, Server 2003 and Windows 7… What do you need to do?

Microsoft has started warning users of older versions of Windows desktop and Server to urgently apply a Windows Update to protect against a potential widespread attack similar to the infamous WannaCry attack.

“Windows 7 users are still vast… Make sure you are patched…”

Microsoft has yet again issued patches to close a critical remote code execution vulnerability in Remote Desktop Services that exists in Windows XP, Windows 7, and server versions including Windows Server 2003, Windows Server 2008 R2 and Windows Server 2008. The flaw is exploitable before authentication and without any user interaction, which is what makes it “wormable” in the way WannaCry was. Patching is the fix; until then, Microsoft’s guidance is to enable Network Level Authentication (NLA) on affected hosts and to block TCP port 3389 at the perimeter.

Microsoft seems to be continually “doing the right thing” of still releasing critical patches for Windows XP and Windows Server 2003 even though both operating systems have been out of support for some time.

Anyone still running Windows XP (yes, I know) will need to download the update manually from Microsoft’s website (the Microsoft Update Catalog), as it is not offered through Windows Update.

As you know, Windows 7 reaches end of extended support in just 7 months. #Windows10 offers some 30 significant advances in security and OS hardening over its older siblings, and whilst many organisations are rapidly migrating to #Windows10, there are still many that have not.

Microsoft also announced yesterday a further 12 months of extended support for Windows 10 Enterprise E5 subscribers, as a benefit for their “commitment” to move to Windows 10.

Reducing the SecOps ‘noise’ with Microsoft Threat Experts

St George’s Day…

Today’s tip…

Two new cloud-based services, Microsoft Azure Sentinel and Microsoft Threat Experts, have recently been unveiled with the aim of reducing the “…noise, false alarms, time consuming tasks and complexity…” facing security operations teams. Check out the article below to find out more.

https://blogs.technet.microsoft.com/tip_of_the_day/2019/04/08/tip-of-the-day-microsoft-sentinel-and-microsoft-threat-experts/

#microsoft #microsoftazure #cybersecurity

Microsoft Officially unifies labeling across Office 365 and Azure IP

Yesterday, after months of “preview testing”, Microsoft announced the “General Availability” (GA) of their Azure Information Protection (AIP) unified labeling client.

Sorry remind me – what is AIP?

Azure Information Protection (AIP) is a Microsoft 365 cloud-based solution that helps organisations protect their data through classification, labeling and (optionally) encryption. AIP applies to a vast range of document types and to email. Labels can be applied automatically, based on rules and conditions defined by administrators or SecOps; manually, by your users; or in combination, where users are given recommendations as to which labels to apply.

Example of recommended classification for Azure Information Protection

So what has changed in this update?

If you’ve used labeling in Office 365 in the past for things like DLP, you’ll know that this labeling has always been separate from the labeling and classification service that is part of Azure Information Protection, causing some pain and potential conflict between different data and information labels across the two services.

This GA release brings the two together into a single, unified labeling platform, so labels no longer have to be managed in both the Azure portal and the Office 365 Security & Compliance Center.

The AIP unified labeling client gets its configuration (labels and policies) from the Office 365 Security & Compliance Center, like all other Microsoft Information Protection workloads, including the built-in labeling in the Office applications for Mac, iOS and Android.

Microsoft says that this release contains substantial new features over the original AIP client, including manual and automatic labeling, plus features supported only in unified labeling, such as custom sensitive information types, dictionaries and complex conditions (AND/OR), which significantly improve automation and reduce false-positive rates.

Moving forward….

Microsoft’s advice is that any organisation just starting its deployment of AIP should begin with the new unified labeling client and the Office 365 Security & Compliance Center, to “enjoy” the unified client and admin experience from the outset.

From here on, new features will only be made available in the AIP unified labeling client.

But there is a but… The new unified client is not yet at full feature parity with the old AIP client. Organisations that require a feature not yet supported in the unified labeling client, for example “user defined permissions”, should start with the classic AIP client and upgrade to the unified labeling client once the required features are released.

Microsoft does support “mixed environments”, meaning you can run the classic AIP client and scanner and the AIP unified labeling client on different devices in the same tenant at the same time. Microsoft also promises that the unified labeling client supports a seamless upgrade from the old AIP client.

How do I get it?

Complete release information for the two clients is available from Microsoft: the AIP client version history and the AIP unified labeling client version history.

More information about the AIP unified labeling client can be found in Microsoft’s blog post.

You can download both AIP client versions from here.