Organizations’ rush to build up remote work programs and deploy cloud-based collaboration solutions may have jeopardized their cybersecurity, says a new alert from the U.S. Department of Homeland Security.
In an advisory through the department’s Cybersecurity and Infrastructure Security Agency (CISA), the government warns that quick rollouts of cloud services like Microsoft 365 – with applications like Microsoft Teams – can lead to oversights in security configurations.
With COVID-19 shutting down most of the U.S. and parts of the world, companies were forced to shift quickly to remote work. Many may not have been prepared for the cybersecurity issues that follow, the U.S. government says.
“CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks,” the alert says.
CISA recommends that organizations with a remote workforce follow several steps to maintain security:
Enable multi-factor authentication for administrator accounts. Azure Active Directory Global Administrators are the first accounts created so admins can begin configuration, but multi-factor authentication is not enabled by default for those accounts. A “secure by default” model has to be enabled by the customer.
Assign administrator roles using Role-Based Access Control: Since Global Administrator is the most privileged default role, organizations should use it only when absolutely necessary. Azure has numerous other, less-powerful built-in administrator roles that can limit organizational exposure if an account is compromised. Administrators should be assigned the minimum permissions they need to do their job.
Enable the Unified Audit Log: Office 365’s logging feature allows administrators to investigate and search for potentially malicious or prohibited actions across Exchange, SharePoint, OneDrive, Azure AD, Microsoft Teams, Power BI and other 365 services.
Multi-factor authentication for all users: Rank-and-file users of Office 365 don’t have administrator permissions, but they still have access to company data that bad actors may want. Compromising these accounts can have a more harmful effect on an organization and enable further phishing attacks from trusted internal addresses.
Disable legacy protocol authentication when appropriate: According to CISA, a number of legacy protocols associated with Exchange Online don’t support MFA, including Post Office Protocol (POP), Internet Message Access Protocol (IMAP) and Simple Mail Transfer Protocol (SMTP). These legacy protocols are often used by older email clients that don’t support modern authentication.
They can be disabled at the tenant or user level. If your business still requires an older email client, those protocols must remain enabled, leaving email accounts reachable from the internet with only a username and password for authentication. CISA recommends taking inventory of users who still need legacy clients and email protocols and granting access to those protocols only to those users. Azure AD Conditional Access policies can help limit the number of users able to authenticate with legacy protocols.
Alerts for suspicious activity: Admins can enable activity logging within Azure/Office 365 to help identify malicious activity. Alerts can be configured to keep admins aware of abnormal events and reduce the time needed to identify and mitigate them. At a minimum, CISA recommends alerts for logins from suspicious locations and for accounts exceeding sent-email thresholds.
Microsoft Secure Score: This built-in tool measures your security posture with respect to Office 365, offers recommendations, and provides a centralized dashboard for tracking and prioritizing security and compliance changes.
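The legacy-protocol inventory and the suspicious-location alert described above can both be driven from the same Azure AD sign-in log export. This added example (not from CISA or Microsoft) does both over constructed JSON-lines sign-in records; the `clientAppUsed` labels and the `errorCode == 0` success convention are assumptions about the export format and should be checked against your tenant.

```python
import json
from collections import defaultdict

# clientAppUsed values Azure AD sign-in logs use for legacy protocols
# (assumption: labels match your tenant's export; extend as needed).
LEGACY_CLIENT_APPS = {"POP3", "IMAP4", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}

# Constructed sample export: one JSON sign-in record per line.
SAMPLE_SIGNIN_LOG = """\
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "location": {"countryOrRegion": "RO"}, "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "Authenticated SMTP", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}}
{"userPrincipalName": "dave@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}}
"""

def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def succeeded(record):
    """Assumption: errorCode 0 marks a successful sign-in, nonzero a failure."""
    return record.get("status", {}).get("errorCode") == 0

def legacy_auth_inventory(records):
    """Map each user to the legacy protocols they successfully signed in with:
    the accounts needing a Conditional Access exception or a client upgrade
    before legacy authentication is blocked tenant-wide."""
    inventory = defaultdict(set)
    for rec in records:
        if succeeded(rec) and rec.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            inventory[rec["userPrincipalName"]].add(rec["clientAppUsed"])
    return dict(inventory)

def suspicious_location_alerts(records, allowed_countries):
    """(user, client app, country) for successful sign-ins from outside the
    allow-list; legacy-protocol hits matter most since no MFA was challenged."""
    alerts = []
    for rec in records:
        country = rec.get("location", {}).get("countryOrRegion")
        if succeeded(rec) and country not in allowed_countries:
            alerts.append((rec["userPrincipalName"], rec.get("clientAppUsed"), country))
    return alerts

if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNIN_LOG)
    print("legacy auth users:", legacy_auth_inventory(recs))
    print("suspicious logins:", suspicious_location_alerts(recs, {"US"}))
```

Failed attempts are excluded from the inventory on purpose: only accounts that actually succeed over a legacy protocol need an exception, while failed legacy attempts belong in the alerting pipeline instead.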
Integrate Office 365 logs with existing monitoring solutions: Even with Microsoft’s own logging, you should still forward and correlate your Office 365 logs with your other security tooling so that malicious activity can be detected across all platforms.