Security+ SY0-501 Domain 2 Technologies and Tools: a look into weak security configurations

By Guy Nguyen-Phuoc on October 15, 2020


Introduction

On April 29, 2020, CISA (the Cybersecurity and Infrastructure Security Agency) released alert AA20-120A, “Microsoft Office 365 Security Recommendations”, through its National Cyber Awareness System. The alert is a response to the massive surge in the work-from-home workforce: such an abrupt change demanded rapid deployment of cloud collaboration services, which were often put together hastily with oversights in security configurations. In this look at the SY0-501 objective “Given a scenario, troubleshoot common security issues”, we will walk through the challenges of implementing the security configurations and mitigations for Office 365 (O365) that CISA’s alert AA20-120A recommends.

Enable multi-factor authentication for administrator accounts

Azure Active Directory (AD) Global Administrators hold the highest level of administrator privileges in O365, and they are the first accounts created in an Azure environment. However, multi-factor authentication (MFA) is not enabled by default on these accounts. CISA warns, “If not immediately secured, an attacker can compromise these cloud-based accounts and maintain persistence as a customer migrates users to O365”. SY0-501 defines MFA as the use of two or more factors of authentication, such as:

  • Something you know, such as a password or personal identification number (PIN)
  • Something you have, such as a smart card or USB token
  • Something you are, such as fingerprints or other biometric identification
  • Somewhere you are, such as your location using geolocation technologies
  • Something you do, such as gestures on a touch screen

Studies have shown that MFA dramatically reduces account hijacking [2][3].

Assign Administrator roles using role-based access control (RBAC)

By using a model of “least privilege”, “A security principle that specifies that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more”, we can limit the impact of a compromised administrator account.
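As an added example (not code from the article or from CISA's alert), the following PowerShell audits who holds the Global Administrator role and whether per-user MFA is enforced on each of them, then shows assigning a narrower role instead of Global Administrator. It assumes the MSOnline module with an existing Connect-MsolService session; the helpdesk address is a placeholder.

```powershell
# Added example: audit Global Administrators for per-user MFA and assign a narrower role.
# Assumes the MSOnline module and that Connect-MsolService has already been run.
# helpdesk@contoso.example is a placeholder.

# In the MSOnline module the Global Administrator role is named "Company Administrator".
$globalAdminRole = Get-MsolRole -RoleName "Company Administrator"
$admins = Get-MsolRoleMember -RoleObjectId $globalAdminRole.ObjectId

foreach ($admin in $admins) {
    # Service principals can also hold the role; only user members have an MFA state.
    if ($admin.RoleMemberType -ne "User") { continue }

    $user = Get-MsolUser -UserPrincipalName $admin.EmailAddress

    # StrongAuthenticationRequirements is empty when per-user MFA is neither enabled nor enforced.
    $mfaState = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $user.StrongAuthenticationRequirements[0].State   # "Enabled" or "Enforced"
    } else {
        "Not configured"
    }

    [PSCustomObject]@{
        User     = $user.UserPrincipalName
        MfaState = $mfaState
    }
}

# Least privilege: an administrator who only manages mailboxes gets the Exchange
# administrator role rather than Global Administrator.
Add-MsolRoleMember -RoleName "Exchange Service Administrator" `
                   -RoleMemberEmailAddress "helpdesk@contoso.example"
```

The per-user MFA state reported here does not reflect MFA required through Conditional Access or Security Defaults, so a "Not configured" result means "check those before concluding the account has no MFA", not "this account is unprotected".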

Enable Unified Audit Log (UAL)

O365 has a logging capability called the Unified Audit Log that contains events from Exchange Online, OneDrive, Azure AD, Microsoft Teams, Power BI and other O365 services. You can enable UAL in the Security and Compliance Center. This gives administrators the “ability to investigate and search for actions within O365 that could be potentially malicious or not within organizational policy.”

Logs are especially important for administrators and security professionals for identifying what happened and when. However, logging by itself is not very useful: you need to review your logs at regular intervals to take advantage of this process. In addition, you must strike a balance in how much to log, because as your logs grow, so do the disk space, the review time and the number of employees needed to review them.

Enable multi-factor authentication for all users

While normal users do not have elevated privileges, they have access to data that could be harmful to an organization if accessed by unauthorized parties. Additionally, threat actors target normal user accounts all the time in order to send phishing emails and attack other organizations with the compromised devices.

Disable legacy protocol authentication when appropriate

Some clients may have a reason to keep using a legacy protocol such as POP3, SMTP or IMAP, none of which supports MFA. In such cases, CISA recommends giving only the users and clients that need them access to legacy protocols, a form of segregation that limits the attack surface.
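The two configuration changes discussed so far, enabling the Unified Audit Log (from the earlier section) and restricting legacy authentication to the clients that need it, as an added PowerShell example; this is not the article's or CISA's code. It assumes the ExchangeOnlineManagement module with an existing Connect-ExchangeOnline session; the policy names and the scanner mailbox are placeholders.

```powershell
# Added example: enable Unified Audit Log ingestion and block legacy (basic) authentication
# by default, allowing it only by exception. Assumes ExchangeOnlineManagement and an
# existing Connect-ExchangeOnline session. Policy names and the scanner mailbox are placeholders.

# --- Unified Audit Log: check, enable if needed, verify ---
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# --- Legacy authentication: block for everyone by default ---
# A new authentication policy blocks Basic authentication for every protocol unless an
# -AllowBasicAuth* switch is given, so this policy covers POP3, IMAP, SMTP AUTH and the rest.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# --- Exceptions: only clients with a documented need, scoped to the one protocol they use ---
# Example: a multifunction printer that can only submit mail through SMTP AUTH.
New-AuthenticationPolicy -Name "Allow Basic SMTP Only" -AllowBasicAuthSmtp
Set-User -Identity "scanner@contoso.example" -AuthenticationPolicy "Allow Basic SMTP Only"

# Make the policy apply to that user now rather than after the default refresh interval.
Set-User -Identity "scanner@contoso.example" -STSRefreshTokensValidFrom (Get-Date)

# --- Review the exception list regularly ---
# Users with no explicit policy fall under the tenant default (blocked), so only the
# exceptions show up here.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

The review query at the end is the part to schedule: an exception granted for one printer tends to outlive the printer. If SMTP AUTH has also been disabled tenant-wide (Set-TransportConfig -SmtpClientAuthenticationDisabled $true), the excepted mailbox additionally needs a per-mailbox override with Set-CASMailbox -SmtpClientAuthenticationDisabled $false.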

Enable alerts for suspicious activity

Along with logging, enabling alerts speeds up both identifying malicious activity occurring within the environment and mitigating it. CISA recommends, at a minimum, “enabling alerts for logins from suspicious locations and for accounts exceeding sent email thresholds.”
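To make the "review your logs at regular intervals" point from the UAL section and the two minimum alerts above concrete, here is an added PowerShell example (not the article's or CISA's code) that runs both checks over Unified Audit Log records offline. The records are constructed for the example; real ones come from Search-UnifiedAuditLog, whose AuditData property is JSON, or from a SIEM export. The IP-to-country table, the expected-country list and the sending threshold are assumptions you would replace with your own.

```powershell
# Added example: offline review of UAL records implementing CISA's two minimum alerts.
# All records, the IP-to-country lookup and the thresholds below are constructed/assumed.

# Constructed records: alice signs in twice within an hour from two different networks;
# bob signs in once and sends one message.
$auditRecords = @(@'
[
  {"CreationTime":"2020-10-01T08:02:11","Operation":"UserLoggedIn","UserId":"alice@contoso.example","ClientIP":"203.0.113.10","ResultStatus":"Success"},
  {"CreationTime":"2020-10-01T08:40:53","Operation":"UserLoggedIn","UserId":"alice@contoso.example","ClientIP":"198.51.100.7","ResultStatus":"Success"},
  {"CreationTime":"2020-10-01T09:15:02","Operation":"UserLoggedIn","UserId":"bob@contoso.example","ClientIP":"203.0.113.22","ResultStatus":"Success"},
  {"CreationTime":"2020-10-01T09:20:00","Operation":"Send","UserId":"bob@contoso.example","ClientIP":"203.0.113.22"}
]
'@ | ConvertFrom-Json)

# Constructed: 150 sends from bob's mailbox during the 10:00 hour, far above a normal user.
$bulkSends = 1..150 | ForEach-Object {
    [PSCustomObject]@{
        CreationTime = "2020-10-01T10:{0:D2}:00" -f ($_ % 60)
        Operation    = "Send"
        UserId       = "bob@contoso.example"
        ClientIP     = "198.51.100.7"
    }
}
$auditRecords += $bulkSends

# Constructed lookup; use a GeoIP source in practice. "XX" stands in for a country
# the organization does not operate in.
$ipCountry = @{
    "203.0.113.10" = "US"
    "203.0.113.22" = "US"
    "198.51.100.7" = "XX"
}
$expectedCountries = @("US")   # assumption: where the organization's users normally sign in from
$maxSendsPerHour   = 100       # assumption: tune to the tenant's normal sending behaviour

function Get-UnexpectedLocationLogins {
    param([object[]]$Records, [hashtable]$IpCountry, [string[]]$ExpectedCountries)
    $Records |
        Where-Object { $_.Operation -eq "UserLoggedIn" -and $_.ResultStatus -eq "Success" } |
        ForEach-Object {
            $country = if ($IpCountry.ContainsKey($_.ClientIP)) { $IpCountry[$_.ClientIP] } else { "Unknown" }
            # Unknown locations are reported too: an unresolved IP is not evidence of a safe one.
            if ($ExpectedCountries -notcontains $country) {
                [PSCustomObject]@{
                    Alert    = "LoginFromUnexpectedLocation"
                    User     = $_.UserId
                    ClientIP = $_.ClientIP
                    Country  = $country
                    Time     = $_.CreationTime
                }
            }
        }
}

function Get-SendThresholdAlerts {
    param([object[]]$Records, [int]$MaxPerHour)
    $Records |
        Where-Object { $_.Operation -in "Send", "SendAs", "SendOnBehalf" } |
        # Bucket sends by user and clock hour, then keep the buckets over the threshold.
        Group-Object -Property { "{0}|{1}" -f $_.UserId, ([datetime]$_.CreationTime).ToString("yyyy-MM-dd HH:00") } |
        Where-Object { $_.Count -gt $MaxPerHour } |
        ForEach-Object {
            $user, $hour = $_.Name -split "\|"
            [PSCustomObject]@{
                Alert = "SendThresholdExceeded"
                User  = $user
                Hour  = $hour
                Sent  = $_.Count
            }
        }
}

$alerts  = @()
$alerts += Get-UnexpectedLocationLogins -Records $auditRecords -IpCountry $ipCountry -ExpectedCountries $expectedCountries
$alerts += Get-SendThresholdAlerts -Records $auditRecords -MaxPerHour $maxSendsPerHour
$alerts | Format-Table -AutoSize
```

Run against the constructed data, the script raises one location alert for alice's second sign-in and one sending alert for bob's 10:00 hour. The same two functions work unchanged on real records if you feed them the parsed AuditData objects from Search-UnifiedAuditLog, which is also the shape a SIEM connector typically forwards.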

Incorporate Microsoft Secure Score

Microsoft Secure Score is a built-in tool that provides baseline recommendations for O365 security. The tool does not give an all-encompassing security configuration list; however, it provides a centralized dashboard for tracking and prioritizing security and compliance changes within O365.

Integrate Logs with your existing SIEM

Logging with UAL can be improved by connecting it to your existing log management and monitoring solutions, allowing events from your own environment to be cross-referenced with those from O365.

References

[1] US-CERT, “Microsoft Office 365 Security Recommendations” (Alert AA20-120A), April 29, 2020. https://www.us-cert.gov/ncas/alerts/aa20-120a

[2] Google Security Blog, “New research: How effective is basic account hygiene at preventing hijacking”, May 17, 2019. https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html

[3] Microsoft Security, “One simple action you can take to prevent 99.9 percent of attacks on your accounts”, August 2019. https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/