Don’t Leave Securing Email to End Users

Regardless of who you vote for on November 8^th, one occurrence in the campaign has shaken every email administrator to their core, namely the WikiLeaks dump of John Podesta’s emails. While  the details of how the hack occurred are scarce, clearly Podesta’s entire mailbox was accessed and subsequently dumped. The only detail known is that hillaryclinton.com’s email is hosted at Google (it appears donaldjtrump.com is fronted by Microsoft services).

Now, we’re not going to get into political leanings here, just taking note.

While October is Cybersecurity Month, I noticed an unrelated trend this past week. There has been an uptick in the number of articles providing helpful information to secure your email, but there are two problems with many of them. First, they are all to highly generic and cover all email platforms. Second, they rely on the end user too much to take action. Most end users are like Hillary Clinton herself in that they can’t explain how their email is secured in the first place. How can you rely on your end users to know when or what security to leverage?

Microsoft’s security portfolio is massive. If you aren’t already thinking of Microsoft as a security company, you need to. Consider how the boundary has shifted towards the cloud for your data and mobile access. Perimeter and network protection are no longer remotely enough, as the Podesta hack shows. There are a number of tools built in to Office 365 to help any administrator provide non-intrusive security measures to their end users.

Two Factor, More Secure

For most of us, two factor authentication with a text message PIN is likely enough. For those that might be targets of attacks, like your financial or HR groups, that might not be enough. Did you know how easy it is for your text messages to be hijacked?

In August, 2016, someone hijacked FTC Lead Technologist Lorrie Cranor’s mobile accounts by simply taking some basic information into a store. This, in effect, allowed the person to gain access to her text messages. If they already knew her email address, that’s all they would need to gain access.

Microsoft has multi-factor authentication in Office 365 with voice calls and text messages, but another way, too. A third option to provide the second factor is through the Microsoft Authenticator app.

You can’t easily bypass the authenticator application. You have to enroll your device through a QR Code. Once enrolled, you will receive a PIN via the app or you can use the devices biometrics to approve (I use the iPhone’s fingerprint scanner).

When your end users use multi-factor authentication, they will also take security further by using app passwords for all Outlook and ActiveSync access. As an administrator, you can then take the final step of locking down OWA access through this PowerShell command:

Set-CasMailbox UserName@DomainName -OWAEnabled $False

Even if someone’s Microsoft account information is stolen, they still can’t get into the mailbox because the app passwords are in place. Microsoft believes identity is the control plane for security in your organization because it is the one thing that is common when working anywhere, anytime, and on any device.

So we’ve bypassed the text messaging risk, two-factor risk and the risk of the end user accidentally leaking their passwords through phishing.

Speaking of Phishing

Stopping a phishing attack on the fly can be extremely difficult. End user education is always a key part to any strategy. Microsoft does some very common sense things already, including supporting DMARC and adding safety tips inside of Outlook on suspicious messages.

Phishing is one of the most complex attacks because of its simplicity. Basically, phishing involves a single message sent to another single user. It uses regular grammar and oftentimes has no spelling errors. This can make it difficult, if not impossible, to stop.

One of the things you can do is activate alerts for suspicious activity for your mailboxes. With Advanced Security Management in Office 365, you can receive alerts on several key scenarios that could be indicative of an attack and then take action, such as suspend the user account.

The governance is what makes this tool so powerful. For example, if a user attempts access from an IP belonging to a known Botnet or the Tor network, an alert can be sent and the user suspended. There is also the impossible login scenario. If a user logs in to an account in Washington, D.C. and then let’s say Russia within the same 5-minute period, you can take the same action.

This gets to the heart of one of the more fascinating trends with Microsoft regarding security. You can use the power of their cloud to watch security and take action when things happen, no scripting or heavy lifting required.

Securing it Right from the Start

There is a definite trend with recent Office 365 migrations that Arraya has done to favor security as part of the migration strategy. While transient organizations, like a presidential campaign, can easily spin up a cloud-based email solution, they should absolutely be using one with the power to mitigate threats and not just provide email as a commodity service.

In the past year, Microsoft has grown their security story, both in the Office 365 stack, but also with Enterprise Mobility + Security. Check out some of our other blogs posts on Cybersecurity this month and reach out to the Arraya team if you are interested in learning more.