Security in Microsoft 365 (part 2 of 3)

 




To read part 1, please click here
To read part 3, please click here






Account Breach

An account is considered breached when it has been compromised such that an attacker can readily use it to access network resources. If it is an administrative account, the attacker can immediately begin scouring the network for critical data; if it is a regular user's account, the attacker can use various techniques to obtain administrator privileges, which is called elevation of privilege.

Mitigating an Account Breach

It is recommended to use Multi-factor Authentication (MFA) to mitigate an account breach: users must complete an additional step to log on to services. The second factor can be an SMS text message, a key fob, or a phone call, which makes it much harder for an attacker to use a stolen identity without the actual account owner knowing about it. Directory controls can also be enabled against multiple failed logon attempts (such as locking the account after three failed attempts) to protect against password-cracking attempts.

Tip: If you implement either of these controls after a breach, you should also monitor the account for a period to make sure that it hasn't been re-breached.
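The controls described above (an MFA requirement, a lockout threshold, and post-breach monitoring of the account's sign-ins), as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK and the on-premises ActiveDirectory module are installed; `contoso.com` and `alice@contoso.com` are placeholders.

```powershell
# Added example (not from the original post): require MFA with a Conditional
# Access policy, set an on-premises AD lockout threshold, and review recent
# sign-ins for an account after a breach. Domain and UPN are placeholders.

# 1. Conditional Access: require MFA for all users on all cloud apps.
#    Created in report-only mode first so the impact can be checked before enforcing.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","AuditLog.Read.All"

$mfaPolicy = @{
    displayName = "Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# 2. Directory lockout control for a synchronised on-premises domain:
#    lock the account after three failed attempts within a 30-minute window.
Set-ADDefaultDomainPasswordPolicy -Identity "contoso.com" `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# 3. Post-breach monitoring: summarise the last 14 days of sign-ins for the
#    affected account by country and source IP so that new locations stand out.
$upn   = "alice@contoso.com"
$since = (Get-Date).AddDays(-14).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since"

$signIns |
    Group-Object { "$($_.Location.CountryOrRegion) / $($_.IPAddress)" } |
    Sort-Object Count -Descending |
    ForEach-Object {
        # ErrorCode 0 is a successful sign-in; anything else is a failure.
        $failed = @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
        [pscustomobject]@{
            Location = $_.Name
            SignIns  = $_.Count
            Failed   = $failed
            LastSeen = ($_.Group | Sort-Object CreatedDateTime -Descending |
                        Select-Object -First 1).CreatedDateTime
        }
    } | Format-Table -AutoSize
```

Before switching the policy state to `enabled`, add your emergency-access accounts to `excludeUsers` so that a misconfiguration cannot lock every administrator out of the tenant.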

Elevation of Privilege

In this scenario an attacker has already compromised one or more of your accounts and is now working to increase his or her power. The usual target is Global Administrator privileges in Microsoft 365, but narrower privileges are also desirable if the targeted data lives in a specific product or service. The attacker can also simply create a new account and promote it to Global Administrator to 'hide in plain sight': he or she now has an account that no one else is using, and which likely won't be noticed unless the other administrators regularly review the Global Administrator population.

Preventing an Elevation of Privilege Attack

Since the account is the focus of this attack pattern, the same protection controls apply as for an account breach. MFA is recommended specifically for admin accounts and for accounts with access to sensitive content. You should also keep the number of Global Administrators small (a minimum of two and a maximum of five for any size of tenant) to keep the target area small and make it more difficult for an attacker to hide.
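A review of the Global Administrator population, as an added example that is not part of the original post: it lists current members of the role, flags any account that is not on an approved baseline (the 'hide in plain sight' case above), and warns when the count falls outside the two-to-five range. It assumes the Microsoft Graph PowerShell SDK; the baseline UPNs are placeholders.

```powershell
# Added example (not from the original post): compare current Global
# Administrators with an approved baseline. Baseline UPNs are placeholders.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

# Approved Global Administrator accounts (constructed placeholder list).
$approvedGlobalAdmins = @(
    "ga-primary@contoso.com",
    "ga-breakglass@contoso.com"
)

# Well-known role template ID for the Global Administrator role.
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
if (-not $gaRole) { throw "Global Administrator role is not activated in this tenant." }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$current = foreach ($m in $members) {
    # Members come back as generic directory objects; user details sit in AdditionalProperties.
    $upn = $m.AdditionalProperties["userPrincipalName"]
    [pscustomobject]@{
        Id          = $m.Id
        Upn         = $upn
        DisplayName = $m.AdditionalProperties["displayName"]
        Type        = $m.AdditionalProperties["@odata.type"]
        Approved    = $approvedGlobalAdmins -contains $upn
    }
}

$current | Format-Table -AutoSize

# Service principals and freshly created accounts will not be on the baseline.
$unknown = @($current | Where-Object { -not $_.Approved })
if ($unknown.Count -gt 0) {
    Write-Warning ("Global Administrator(s) not in the approved baseline: " +
        (($unknown | ForEach-Object { if ($_.Upn) { $_.Upn } else { $_.Id } }) -join ", "))
}

$count = @($current).Count
if ($count -lt 2 -or $count -gt 5) {
    Write-Warning "Global Administrator count is $count; the recommended range is 2 to 5."
}
```

Run this on a schedule and keep the baseline list under change control; an account that appears in the output without a matching change record is exactly the signal the section above describes.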

If a breach of this nature still occurs, you should carefully determine everything the attacker may have done to your data or to further entrench themselves in your tenancy. Generally, once you have regained control of the breached accounts, you can reverse the changes made and then determine what (if any) communication steps must be taken if data was exfiltrated or deleted. It is also recommended to enable MFA on the affected accounts.

Data Exfiltration

Data exfiltration is the unauthorized retrieval of data from a computer or service. Data can be stolen in any number of ways, such as through the breach of an account with access to the data, or through system and infrastructure attacks that give the attacker local or system admin privileges on computers holding data outside of Microsoft 365. The data itself comes in various forms, such as email, documents, instant messaging conversations and Yammer threads; even enumerating your directory information can be useful to an attacker, which makes all of it harder to protect.

Preventing Data Exfiltration

Protecting your service from account breaches and elevation of privilege should be your first step in protecting your data. Beyond that, the following methods, which work on the data itself, can be pursued:
  • Access control lists- Establish standards for determining who should have access to specific kinds of data, and then create processes to monitor and maintain those access controls.

  • External sharing policies- Data leakage to an external endpoint can be prevented by configuring your tenant to restrict certain types of sharing; because these policies are restrictive in nature, you may need to strike a balance between risk and productivity.

  • Least privilege- Always take the time to grant only the minimum privilege to the smallest group of users you can, rather than granting permissions to documents and document libraries that exceed the required access.

  • Data classification schemes- You can also set up and use data classification metadata, especially for data shared on SharePoint sites and OneDrive. This requires you to determine a set of risk tiers and then tag sites and documents in your systems with the proper classification, allowing you to monitor very sensitive data and to apply specific technologies to further protect high business impact data.

  • Data Loss Prevention (DLP)- The data classification scheme above is most effective when combined with the DLP feature of Microsoft 365. DLP lets you configure rules for handling data moving in and out of your tenant, for example preventing sensitive document content from being emailed to external parties and preventing your users from sending social security numbers via email.
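The external sharing and DLP items above, as an added example that is not part of the original post: it restricts SharePoint Online sharing to authenticated external users only and creates a DLP policy that blocks content containing U.S. Social Security Numbers from going to recipients outside the organisation. It assumes the SharePoint Online Management Shell and the Exchange Online (Security & Compliance) PowerShell module; `contoso` is a placeholder tenant name.

```powershell
# Added example (not from the original post): tenant-level external sharing
# restriction plus a DLP policy for SSNs. 'contoso' is a placeholder.

# 1. External sharing policy. SharingCapability, from most to least restrictive:
#    Disabled, ExistingExternalUserSharingOnly, ExternalUserSharingOnly,
#    ExternalUserAndGuestSharing. This setting allows authenticated external
#    users but no anonymous "anyone" links, and makes new links internal by default.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal

# 2. DLP: start in test mode with policy tips so users see what would be blocked,
#    then switch -Mode to Enable once false positives have been tuned out.
Connect-IPPSSession

New-DlpCompliancePolicy -Name "Block SSN leaving tenant" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "Block SSN to external recipients" `
    -Policy "Block SSN leaving tenant" `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner,LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# 3. Confirm what was created.
Get-DlpCompliancePolicy -Identity "Block SSN leaving tenant" | Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy "Block SSN leaving tenant" | Format-List Name, AccessScope, BlockAccess, NotifyUser
```

The `AccessScope NotInOrganization` condition is what ties the rule to the exfiltration case in the text: the same SSN content shared purely inside the tenant is left alone, so the balance between risk and productivity the section mentions is struck in the rule rather than by blocking everything.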

Microsoft 365 administrators can also enable auditing, alerts, and Advanced Security Management to detect any suspicious behaviors or activities in the tenant. 
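Turning on the unified audit log, querying it for the events most relevant to the scenarios in this post (role membership changes and external sharing), and creating an alert for one of them, as an added example that is not part of the original post. It assumes the Exchange Online PowerShell module (which also provides the Security & Compliance session); `secops@contoso.com` is a placeholder.

```powershell
# Added example (not from the original post): enable auditing, review recent
# high-value events, and alert on anonymous link creation. Address is a placeholder.
Connect-ExchangeOnline

# Search-UnifiedAuditLog returns nothing until ingestion is enabled.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Pull the last 7 days of role changes, sharing changes and interactive logons.
$end   = Get-Date
$start = $end.AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations "Add member to role.","AnonymousLinkCreated","SharingSet","UserLoggedIn"

# AuditData is a JSON blob; flatten the fields an analyst looks at first.
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        Target    = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize

# Alert whenever an anonymous ("anyone") sharing link is created.
Connect-IPPSSession
New-ProtectionAlert -Name "Anonymous sharing link created" `
    -Category ThreatManagement `
    -ThreatType Activity `
    -Operation AnonymousLinkCreated `
    -AggregationType None `
    -Severity High `
    -NotifyUser "secops@contoso.com"
```

Audit records for a single operation can be spread across several pages for a busy tenant; for anything beyond a quick check, use `-SessionCommand ReturnLargeSet` with a `-SessionId` and loop until the cmdlet returns no more results.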
