The US Cybersecurity and Infrastructure Security Agency (CISA) has become the latest government body to plead with admins to implement security best practices on Microsoft's Office 365 platform.

The UK's National Cyber Security Centre (NCSC) made a similar appeal in December 2018. The evidence, though, is that most users are not taking their tablets.

How many, for example, enable multi-factor authentication (MFA) on Office 365? MFA is where not only a password is required, but also a second factor, such as a text message sent to a mobile phone (frowned upon as vulnerable to interception) or a code from an authenticator app. MFA is top of the list when it comes to basic security advice for Office 365.

Exact figures are hard to come by, but it turns out that Microsoft publishes information about the security practices of its users, via a security dashboard available to Office 365 administrators.

The maximum "security score" is currently 707, though this should not be taken too seriously since it assumes use of other Microsoft services like Intune. The average Office 365 score is just 37, though, and that is a concern.

Looking at the Secure Score table, you would get 100 points simply by enabling all the MFA options. In fact, even by flinging a document or two into OneDrive, Microsoft will reward you with 10 points. You also get 10 points for non-expiring passwords, a reversal of former advice. Conclusion: the typical Office 365 account is miles behind in terms of security best practice.

Typical Office 365 security settings are very low

This global average is no doubt pulled down by millions of tiny accounts and will improve as seat count increases. For a seat count of six to 99 the average increases to a massive… 46. It is fair to say that there is a great deal of nothing being done about adopting the vast array of security options on offer.

Last month, CollabTalk published a survey commissioned by Microsoft and four other groups on the subject of security and compliance practices in Office 365. Those surveyed were IT professionals, C-level executives and compliance officers globally. It also references an earlier 2017 survey of consultants and small businesses.

According to this earlier survey:

Most of the comments pointed to general confusion around cybersecurity with Office 365 products. In other words, they did not know what was available through the platform, whether these features were all (or in part) in use, or whether the features provided exceeded, met, or missed their industry and organizational requirements.

Amusingly, though:

100 per cent of respondents who had experienced a security breach did not think Microsoft security was sufficient, regardless of the cause of the breach.

The report concluded that "the overall governance of your Office 365 environment has less to do with the technology and more to do with the practices and procedures you put in place."

While true up to a point, the complexity of what is on offer and the fact that most people accept the defaults is part of the problem. These defaults are also constantly changing, and some valuable features, like mailbox auditing, are enabled by default for new customers but not turned on automatically for existing ones.
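A tenant-side check for the mailbox auditing gap just described, added here as an example rather than taken from the article or from Microsoft; it assumes the ExchangeOnlineManagement PowerShell module is installed and that the signed-in account holds an Exchange admin role.

```powershell
# Added example (not from the article): report, and optionally close, the
# mailbox-auditing gap in an Exchange Online tenant. Assumes the
# ExchangeOnlineManagement module and an account with Exchange admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function Get-MailboxAuditGaps {
    param(
        # Pass -Remediate to enable auditing on each mailbox found with it off
        [switch]$Remediate
    )

    # 1. Tenant-wide switch. When AuditDisabled is $false, "mailbox auditing
    #    on by default" is active and the per-mailbox AuditEnabled flag is
    #    ignored, so there is nothing further to check.
    $org = Get-OrganizationConfig
    if (-not $org.AuditDisabled) {
        Write-Output "Tenant-level mailbox auditing is ON (AuditDisabled = False)."
        return @()
    }
    Write-Warning "Tenant-level mailbox auditing is OFF; per-mailbox flags apply."
    Write-Warning "Tenant-wide fix: Set-OrganizationConfig -AuditDisabled `$false"

    # 2. Older tenants: list user and shared mailboxes that never had auditing
    #    switched on individually.
    $gaps = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
        Where-Object { -not $_.AuditEnabled } |
        Select-Object DisplayName, UserPrincipalName, AuditEnabled

    if ($Remediate) {
        foreach ($mbx in $gaps) {
            Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true
            Write-Output "Enabled mailbox auditing on $($mbx.UserPrincipalName)"
        }
    }
    return $gaps
}

# Report only; re-run with -Remediate to turn auditing on for the listed mailboxes.
Get-MailboxAuditGaps | Format-Table -AutoSize
```

Enabling auditing only makes the mailbox actions available in the unified audit log; someone still has to search or alert on that log for it to be worth anything.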

Cost is another problem. Want Office 365 Advanced Threat Protection (ATP), for example? This service checks email attachments and links for malware, blocks malicious files in SharePoint Online, and attempts to detect phishing attacks. ATP comes with the high-end E5, Education A5 or Microsoft 365 Business plans. Otherwise, it is $2.00 (£1.51) per user/month for Plan 1 or $5.00 (£3.80) for Plan 2, which adds automated investigation and response.

It is a similar story with Azure Active Directory (AAD), the identity system used by Office 365. The bundled version does include MFA, so no excuses. If you want additional features such as conditional access based on device state, for example, you will need Premium P1 at extra cost; or Premium P2 for additional identity protection. In other words, Office 365 security is a product as well as a feature, and the desire to upsell plans for profit limits the extent of the built-in security.

Another issue with MFA is that users worry about being locked out of their account if they lose their phone, for example, and find the process of signing up, configuring an authenticator app, and responding to additional security prompts complex and annoying.

These are small inconveniences compared to the potential impact of a security breach. Users can and do yield login information easily by clicking a link in a convincing email. MFA, you would think, is a no-brainer unless you are really confident that every phishing email will be caught by email filters; and such faith is misguided. Some of those malicious emails may come from genuine contacts who have themselves been hacked.

The best way to improve Office 365 security? Diligent admins, yes, but that will always leave a large group of less fortunate users. The most effective change would be to improve the defaults, though this also has complications, especially with something intrusive like MFA.®