Getty Images/iStockphoto
DHS Shares Cloud, Microsoft Office 365 Insights for COVID-19 Telework
DHS shares guidance for Microsoft Office 365 and other cloud services centered around multi-factor authentication and access controls, given the increase in telework amid the COVID-19 pandemic.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released COVID-19 telework guidance for Microsoft Office 365 and other cloud services, given many organizations have rapidly migrated to these platforms during the pandemic.
The guide is just the latest move from federal agencies and security researchers working to shore up critical vulnerabilities amid the COVID-19 pandemic. In the past two months, there have been a vast number of alerts around the increase in hacking attempts against healthcare and other organizations leveraging telework during the pandemic.
Recent insights from the American Medical Association, the National Security Agency, and Microsoft shed light on techniques hackers are using to take advantage of the remote workforce and healthcare vulnerabilities.
To CISA, many of these enterprises may not be fully considering security considerations, given the haste of these implementations. Organizations can leverage the recommendations to ensure their new cloud configurations are protected, along with detection and response mitigations in the event the O365 platform is attacked.
“In recent weeks, organizations have been forced to change their collaboration methods to support a full ‘work from home’ workforce,” officials wrote. “While the abrupt shift to work-from-home may necessitate rapid deployment of cloud collaboration services, such as O365, hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy.”
“CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks,” they added.
The guide focuses on five key areas, beginning with multi-factor authentication, which Microsoft previously reported blocks 99.9 percent of automated cyberattacks.
The Azure Active Directory global administrators are the first accounts created and have the highest level of privileges at the tenant level. These accounts are used to configure their tenant and eventually migrate users, but MFA is not enabled by default.
Instead, the platform uses “Secure by default, which helps enforce administrators’ use of MFA.” CISA explained that customers must enable this feature, as it’s not a default feature, and these accounts are internet accessible given it’s hosted in the cloud.
As a result, an attacker could compromise the cloud-based account and maintain persistence when the customer migrates to O365, if the accounts are not immediately secured. User accounts should also utilize MFA, as individuals have access to organizational data. And hackers may attempt to compromise these accounts with phishing attacks to gain access to user data.
IT leaders may also consider disabling legacy protocol authentication where appropriate. Specifically,, CISA explained Exchange Online has a number of these protocols that don’t support MFA, such as Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP).
“Legacy protocols can be disabled at the tenant level or at the user level. However, should an organization require older email clients as a business necessity, these protocols will presumably not be disabled,” CISA explained.
“This leaves email accounts accessible through the internet with only the username and password as the primary authentication method,” they added. “One approach to mitigate this issue is to inventory users who still require the use of a legacy email client and legacy email protocols and only grant access to those protocols for those select users.”
Alternatively, IT leaders could leverage Azure AD Conditional Access policies to help limit the number of users allowed to use legacy protocol authentication methods. In doing so, organizations can reduce the risk to their enterprise.
IT leaders must also leverage role-based controls to assign administrator roles due to the high privilege level. And the Global Administrator account should only be used “when absolutely necessary.”
“Instead, using Azure AD’s numerous other built-in administrator roles instead of the Global Administrator account can limit assigning of overly permissive privileges to legitimate administrators,” CISA explained.
“Practicing the principle of ‘least privilege’ can greatly reduce the impact if an administrator account is compromised,” they added. “Always assign administrators only the minimum permissions they need to do conduct their tasks.”
Further, administrators must also enable the audit log within the O365 Security and Compliance Center, which contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other services. By enabling the logs, administrators can investigate and look for suspicious activity.
Alerts for any suspicious activity should also be enabled to increase the ability of identifying malicious activity. At the bare minimum, CISA recommends enabling login alerts from suspicious locations and accounts exceeding sent email thresholds.
Organizations leveraging O65 should incorporate Microsoft’s built-in Secure score tool, which is designed to improve the enterprise security posture on the platform. It provides a centralized dashboard that allows security teams to prioritize security and compliance changes within the platform.
Lastly, logs should be integrated with the organization’s existing security information and event management (SIEM) tool to ensure the IT team “can detect anomalous activity in your environment and correlate it with any potential anomalous activity in O365.”