May 15, 2019
Office 365 Security: What CISA Wants MSPs to Know
Recently, the Cybersecurity and Infrastructure Security Agency (CISA) released its Office 365 security findings and recommendations. After working for the past seven months with companies that migrated their Exchange services to Office 365, CISA uncovered a number of concerns that SMBs and MSPs need to keep top of mind.
The results of their findings? Multi-factor authentication (of which 2FA is a subset) is without a doubt the simplest and easiest security improvement, and every user should have it enabled as soon as possible. The value of ‘hacking’ prevention is staggering and it’s easy to see why.
Authentication is considered in terms of 5 factors:
- What you know
- Something you have
- Something you are
- Somewhere you are
- Something you do
CISA encourages organizations to implement an organizational cloud strategy to protect their infrastructure assets by defending against attacks related to their O365 transition and securing their O365 service. Specifically, CISA recommends that administrators implement the following mitigations and best practices:
- Use multi-factor authentication. This is the best mitigation technique to use to protect against credential theft for O365 users.
- Enable unified audit logging in the Security and Compliance Center.
- Enable mailbox auditing for each user.
- Ensure Azure AD password sync is planned for and configured correctly, prior to migrating users.
- Disable legacy email protocols, if not required, or limit their use to specific users.
Previous attempts to reduce the potential for blackhats to enter a system uninvited have focused on strengthening passwords, the idea being that adding complexity (in perpetuity) to a single factor will ward off hackers aiming for low-hanging fruit. This approach, while straightforward in nature, substitutes one problem for multiple others:
- Users forgetting passwords due to added complexity
- Users recording passwords insecurely
- Increasing complexity starts an inevitable arms race that only harms the users further
While technologies that offer ever more security to end users (such as biometrics) are on the horizon, they’re not widely available today, and as such countermeasures have already been developed and proven effective.
Other tooling is becoming increasingly available to administrators in the effort to combat the scourge:
The audit is a limited but useful tool that may help to investigate anomalous and erratic behavior. Users are generally predictable (within reason), so repeated login failures from a non-operational region at 2 am should rightly raise suspicion.
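The kind of check this audit data supports, as an added example that is not from the original post or from CISA: a Python sketch that flags bursts of failed sign-ins from outside the operational region during off-hours. The record layout, country list, business hours and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for this sketch; tune them to the organisation.
OPERATIONAL_COUNTRIES = {"US", "CA"}  # where staff normally sign in from
BUSINESS_HOURS = range(7, 19)         # 07:00-18:59 in the log's time zone
THRESHOLD = 3                         # this many failures ...
WINDOW = timedelta(minutes=10)        # ... inside this sliding window

# Constructed records: (timestamp, user, country, sign-in succeeded).
# A simplified layout, not the real audit export schema.
SAMPLE = [
    ("2019-05-14T02:01:10", "alice@example.com", "RO", False),
    ("2019-05-14T02:02:40", "alice@example.com", "RO", False),
    ("2019-05-14T02:04:05", "alice@example.com", "RO", False),
    ("2019-05-14T02:10:00", "bob@example.com", "US", False),    # home region
    ("2019-05-14T02:11:00", "bob@example.com", "US", False),
    ("2019-05-14T02:12:00", "bob@example.com", "US", False),
    ("2019-05-14T14:00:00", "carol@example.com", "FR", False),  # business hours
    ("2019-05-14T14:01:00", "carol@example.com", "FR", False),
    ("2019-05-14T14:02:00", "carol@example.com", "FR", False),
    ("2019-05-14T03:00:00", "dave@example.com", "BR", False),   # too spread out
    ("2019-05-14T03:30:00", "dave@example.com", "BR", False),
    ("2019-05-14T04:10:00", "dave@example.com", "BR", False),
    ("2019-05-14T01:15:00", "erin@example.com", "RO", False),   # below threshold
    ("2019-05-14T01:16:00", "erin@example.com", "RO", False),
    ("2019-05-14T01:17:00", "erin@example.com", "RO", True),
]


def suspicious_failures(records):
    """Return sorted (user, country, count) for off-hours failure bursts."""
    buckets = defaultdict(list)
    for ts, user, country, success in records:
        when = datetime.fromisoformat(ts)
        if success or country in OPERATIONAL_COUNTRIES or when.hour in BUSINESS_HOURS:
            continue  # only failed, out-of-region, off-hours sign-ins count
        buckets[(user, country)].append(when)
    alerts = []
    for (user, country), times in buckets.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= THRESHOLD:
            alerts.append((user, country, best))
    return sorted(alerts)
```

Calling `suspicious_failures(SAMPLE)` reports only the first user's burst; the other four users are filtered out for the reasons noted beside their records.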
Remember to consistently re-evaluate the security measures available to you. Updates and security notices, particularly for Software-as-a-Service vendors, are frequent, so remaining aware of the environmental situation is pivotal in ensuring maximum security coverage; only enabling a security protocol after an incident is counterintuitive.
Planned (vendor-backed) deprecation of older tooling is crucial to minimizing vulnerability opportunity, aka the attack surface. Our most successful MSPs continually improve their systems and offerings; a large part of this is saying goodbye to the old and hello to the new. The longer a system's lifetime in an environment, the greater the chance of vulnerabilities being discovered and exploited, even with consistent patching.
Datto’s SaaS Protection protects over 3.5 million Office 365 users, giving MSPs and their clients a way to recover from devastating data loss, whether it’s from a ransomware attack or accidental deletion of any kind.
To shore up your defenses in Office 365, check out our ebook, Defending Office 365 Against Ransomware.