A Simple Practical Guide to... Securing Your People
People: the cause of, and solution to, all of life's problems
There is that song by Baz Luhrmann. Well, it was actually a newspaper column first (by Mary Schmich) that Luhrmann later turned into a catchy jingle. It goes...
If I could offer you only one tip for the future, sunscreen would be it
The long-term benefits of sunscreen have been proved by scientists
Whereas the rest of my advice has no basis more reliable
Than my own meandering experience, I will dispense this advice now
Unfortunately, in securing your business there is no sunscreen-type solution. Unlike people, businesses are more by the book, and if a cyber-security analogue of sunscreen existed, everyone would be doused in it on first entering the building, rather like the delousing scene in The Shawshank Redemption.
Securing your people is rather more like plugging the holes in a sinking ship. You can't focus on one hole; you need to get to them all, in order of size, while also pumping like a madman. So in this article we will focus on the low-hanging fruit.
Use Appropriate Credentials
I’ve written about this before, but most accounts are breached because passwords are weak. However, the solution is not to email the staff and tell them to stop using the name of the company with all the ‘O‘s replaced with zeros. A weak password is far more subtle than that. Let’s look at the best password in the world. It might be “E$ftwsiicoyotftfswb%i” (the first letter of each word of Baz’s song above, with some symbols thrown in). While this approach is decent, the average employee is likely to render it weak (useless) for the following reasons:
- They write it down
- They email it to themselves
- They also use it to sign in to other sites, regardless of those sites' security (or lack thereof); one breached site then hands the attacker the password for every other account it was reused on
- They use it on an unsecured computer, leaving it in the clipboard
- They forget it and eventually reset it to “Password1”
The list goes on; what the points have in common is that brains are not made to handle multiple unique, complex passwords. There are two simple solutions that will get you most of the way.
Get a password management service.
These things have changed my life. I use LastPass; it is free and simple, and there is a handy browser extension and mobile app. Now I let LastPass create highly complex passwords for everything and I don’t have to remember any of them. It fills them in for me. And the basic version is free. Nice.
Use Multi-Factor Authentication (MFA)
If there was anything in this blog that was Baz’s “sunscreen“, this would be it. MFA reduces the likelihood of being breached by orders of magnitude. For those that don’t know, it uses your phone as a second security check: an attacker would need your password AND your phone. An authenticator app is preferable to SMS codes, which can be intercepted through SIM swapping, but either is far better than a password alone.
Rolling out MFA to your employees can be a bit of a pain. Not everyone is going to follow the MFA enrolment procedure, and new users will not have MFA enabled by default. If you are hesitant about MFA for everyone, then at least use it for any and all admin accounts on your tenant. These accounts are very sensitive as they hold the keys to all your doors. Microsoft's documentation covers different approaches, using both the portal and PowerShell, to manage MFA.
Unfortunately, this will have to be done each and every time a new account is created. Watch this space, however: we at Octiga have a set of tools to easily manage MFA roll-out and to take automated action when new users are created without MFA.
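The audit-and-enforce loop described above (admins first, then the new accounts that slipped through enrolment), as an added example that is not part of the original post or of Octiga's tooling. It uses the legacy MSOnline module, which is what the PowerShell route to per-user MFA was built on; Microsoft has since deprecated MSOnline in favour of the Microsoft Graph PowerShell SDK, so treat these cmdlets as the legacy path. The 7-day window, the role-name filter and the Global Admin sign-in are assumptions.

```powershell
# Added example: find users who lack MFA and switch on per-user MFA for the ones
# that matter most (admin-role holders and freshly created accounts).
# Assumes the legacy MSOnline module and a Global Admin sign-in.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in

function Enable-PerUserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # State 'Enabled' forces registration at next sign-in; 'Enforced' additionally
    # blocks legacy protocols that cannot do MFA (switch to it once the user has enrolled).
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Test-HasMfa {
    param($MsolUser)
    # Either an enrolled method or an admin-set requirement counts as "has MFA".
    return [bool]($MsolUser.StrongAuthenticationMethods -or $MsolUser.StrongAuthenticationRequirements)
}

# 1. Admin-role members without MFA: warn and enable immediately.
$adminRoles = Get-MsolRole | Where-Object { $_.Name -like '*Administrator*' }   # illustrative filter
foreach ($role in $adminRoles) {
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object {
            $u = Get-MsolUser -ObjectId $_.ObjectId
            if (-not (Test-HasMfa $u)) {
                Write-Warning "$($u.UserPrincipalName) holds '$($role.Name)' without MFA - enabling"
                Enable-PerUserMfa -UserPrincipalName $u.UserPrincipalName
            }
        }
}

# 2. Accounts created in the last 7 days that were never enrolled
#    (the "new users do not get MFA by default" gap). Run this on a schedule.
$cutoff = (Get-Date).AddDays(-7)
Get-MsolUser -All |
    Where-Object { $_.WhenCreated -gt $cutoff -and -not (Test-HasMfa $_) } |
    ForEach-Object {
        Write-Host "New user without MFA: $($_.UserPrincipalName)"
        Enable-PerUserMfa -UserPrincipalName $_.UserPrincipalName
    }

# 3. Tenant-wide picture for the report: how many users still have nothing.
$all   = Get-MsolUser -All
$noMfa = @($all | Where-Object { -not (Test-HasMfa $_) })
"{0} of {1} users have no MFA method or requirement" -f $noMfa.Count, $all.Count
```

Per-user MFA is the no-extra-licence route; if you have Azure AD Premium P1, a Conditional Access policy that requires MFA for directory roles does the same job for admins without touching each user, and Azure AD "security defaults" give a free baseline that requires MFA for admin roles on tenants that have them switched on.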
Check out Octiga Prevent for easy ways to manage password policies, and roll out MFA
Don’t Click That
No matter how many times you tell employees not to click suspicious or unsolicited links, one day they inevitably do. They may forget, or perhaps, however much we try to educate people, the in-built tendency to be suspicious of something just isn't there. So what can we do on the technical side?
Anti Phishing and Spoofing
Basic anti-phishing, anti-spam and anti-spoofing policies, to name a few, come with Exchange Online Protection on every tenant. If your tenant has either an Enterprise E5 licence or the Advanced Threat Protection (ATP) add-on (since renamed Microsoft Defender for Office 365), you can additionally create anti-phishing policies with impersonation protection for named people and your own domains, and mailbox intelligence that learns who each user normally corresponds with.
Malware files attached to emails
Office 365 has malware filter policies which can be configured to block, quarantine, alert on, or redirect emails that contain suspicious attachments. You can also block common attachment types that you deem harmful. The default set is fairly good, however you may want to add additional file types, or possibly remove some that are commonly used by your employees in the course of their job. For example, it is common for people in your IT department to want to send around files containing code that would otherwise be blocked. I would say, however, that such files should be shared in a more appropriate manner, such as through source control (GitLab offers free accounts) or similar. If you must loosen the list, do it in a separate policy scoped to that team rather than weakening the tenant-wide default for everyone.
Details on configuring malware policies can be found in Microsoft's documentation. It can be done easily using the portal or through PowerShell.
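Both settings above, as an added example that is not from the original post: an anti-phishing policy with impersonation protection, and a malware filter tuned the way the paragraph recommends, keeping the tenant-wide Default policy strict and carving out a narrower, group-scoped policy for IT rather than loosening everything. It uses the ExchangeOnlineManagement module; contoso.com, the people, the group address, the secops address and the file types are placeholders, and the impersonation and mailbox-intelligence parameters need the ATP / Defender for Office 365 licence.

```powershell
# Added example: anti-phishing + malware filter policies with ExchangeOnlineManagement.
# contoso.com, the people, the group and the secops address below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'bob_admin@contoso.com'

# ---- Anti-phishing (impersonation settings need Defender for Office 365 / ATP) ----
$name = 'Contoso impersonation protection'
New-AntiPhishPolicy -Name $name `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @('Jane Doe;jane.doe@contoso.com', 'Bob Smith;bob@contoso.com') `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 2            # 1 = standard ... 4 = most aggressive
# A policy is inert until a rule scopes it to recipients.
New-AntiPhishRule -Name $name -AntiPhishPolicy $name -RecipientDomainIs 'contoso.com'

# ---- Malware filter: common attachment types ----
# Keep the tenant-wide Default policy strict and extend it (no-ops for types already listed) ...
$default = Get-MalwareFilterPolicy -Identity Default
$strict  = @($default.FileTypes) + @('iso', 'img', 'lnk', 'hta', 'js', 'jse') | Select-Object -Unique
Set-MalwareFilterPolicy -Identity Default `
    -EnableFileFilter $true `
    -FileTypes $strict `
    -ZapEnabled $true `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress 'secops@contoso.com'

# ... and give IT a narrower exception instead of loosening the Default for everyone.
# (Still better: exchange code via source control, not email.)
$itTypes = $strict | Where-Object { $_ -notin @('jar', 'js') }    # placeholder exceptions
New-MalwareFilterPolicy -Name 'IT department attachments' `
    -EnableFileFilter $true `
    -FileTypes $itTypes `
    -ZapEnabled $true
# Custom rules are evaluated by priority (0 = highest) and always win over the Default policy.
New-MalwareFilterRule -Name 'IT department attachments' `
    -MalwareFilterPolicy 'IT department attachments' `
    -SentToMemberOf 'it-department@contoso.com' `
    -Priority 0

# Check the result
Get-MalwareFilterPolicy | Format-Table Name, EnableFileFilter, @{n='Types'; e={ $_.FileTypes.Count }}
```

Zero-hour auto purge (ZapEnabled) matters more than it looks: it pulls already-delivered messages out of mailboxes when a file type or signature is added later, which is exactly what happens when you tighten the list after the fact.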
Check out Octiga Prevent for easy ways to configure all of the above settings.
Don't use email to transfer files. Send Links Instead
The end goal of cybersecurity is often to secure the sensitive information in your business. There are some simple steps we can take to reduce the risk that a well-intended action leads to a leak.
Don’t send attachments
Wait, what? How can I send those spreadsheets to those accountants?
A no-attachments policy can seem a strange thing to suggest given the prevalence of file attachments in modern business. The issue is that an attachment is a copy you no longer control: if your mailbox, or the recipient's, is compromised, every attachment ever sent or received is available to the attacker.
The solution is to send a link that you control. SharePoint and OneDrive make it easy to share a file through a link. These links can be made to expire automatically, so if a mailbox is breached later, all the attacker finds is a bunch of useless URLs. Furthermore, links can be made read-only and non-downloadable. Controlling what the recipient can do in this way mitigates the risk that they could misuse the contents, accidentally or otherwise. Remember, what is currently a good relationship with a recipient might change in the future; in that case, links can also be manually revoked.
Using links has other great uses beyond the security realm, such as seamless, managed collaboration and versioning. The link can be revoked or the file can be updated in place. You have control. Depending on the sharing option you choose, you can also share to specific users, add a password, make it read-only, and see when it has been accessed. I could go on, but Microsoft explains this really simply in its OneDrive sharing documentation.
Control Default Sharing Policies: Configure OneDrive, Teams and SharePoint Link Policies
Using sharing policies, you can control the default link-sharing options given to users. You can also control which link types are not allowed at all. It is a good idea to do this in conjunction with a policy that nothing sensitive should be sent by email, as described above, so that you guide users to share in the desired fashion.
You can do this in the SharePoint Admin Centre. The options, from most to least restrictive, are:
- No external sharing (only people in your organisation)
- Existing guests (people already in your directory)
- New and existing guests (people who sign in or enter a verification code)
- Anonymous sharing ("Anyone" links that need no sign-in)
In addition to the above, you can set how long it takes for "Anyone" links to expire. We cannot say which is the right default option for you. However, we would strongly recommend not allowing anonymous sharing if links are set to never expire. We also suggest not over-restricting the link types users can choose; otherwise you may find users reverting to attachments instead of links.
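The same settings from the SharePoint Online Management Shell, as an added example that is not from the original post. It shows the weak combination the paragraph warns about ("Anyone" links that never expire) next to a corrected default that keeps anonymous links available but short-lived and view-only, plus a per-site override for a sensitive site. The tenant name contoso, the Finance site URL and the 14-day lifetime are assumptions.

```powershell
# Added example: SharePoint Online Management Shell; contoso is a placeholder tenant.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# SharingCapability maps onto the four admin-centre options:
#   Disabled                          = no external sharing
#   ExistingExternalUserSharingOnly   = existing guests
#   ExternalUserSharingOnly           = new and existing guests
#   ExternalUserAndGuestSharing       = anonymous ("Anyone") links allowed
# The weak combination: ExternalUserAndGuestSharing with
# RequireAnonymousLinksExpireInDays = -1 (never expire). Look at what you have now:
Get-SPOTenant | Select-Object SharingCapability, RequireAnonymousLinksExpireInDays, DefaultSharingLinkType, DefaultLinkPermission, FileAnonymousLinkType, FolderAnonymousLinkType

# Corrected tenant-wide defaults: keep "Anyone" links so people are not pushed back to
# attachments, but make them expire in 14 days and be view-only, and make the default
# link a "specific people" (Direct) link with view permission.
Set-SPOTenant `
    -SharingCapability ExternalUserAndGuestSharing `
    -RequireAnonymousLinksExpireInDays 14 `
    -FileAnonymousLinkType View `
    -FolderAnonymousLinkType View `
    -DefaultSharingLinkType Direct `
    -DefaultLinkPermission View `
    -PreventExternalUsersFromResharing $true `
    -RequireAcceptingAccountMatchInvitedAccount $true

# Tighter override for a sensitive site: no external sharing at all, whatever the tenant default.
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/Finance' -SharingCapability Disabled

# Verify
Get-SPOTenant | Select-Object SharingCapability, RequireAnonymousLinksExpireInDays, DefaultSharingLinkType, DefaultLinkPermission
Get-SPOSite -Identity 'https://contoso.sharepoint.com/sites/Finance' | Select-Object Url, SharingCapability
```

A site can only be as permissive as the tenant, never more, so set the tenant default to the most permissive level any site legitimately needs and restrict individual sites downward from there.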
You may not think of it, but when we share our calendars we may be letting outsiders know sensitive information about all our meetings. This may include sensitive meeting names, not to mention our whereabouts at different times. The latter is particularly pertinent with the increase in remote working. Furthermore, video conferencing has seen a dramatic increase in use with the move to remote working, and it is notoriously insecure in its use of links and meeting IDs that let anyone who has them join; a calendar that exposes meeting details exposes those links too.
In the case of the former, imagine your CFO calling a meeting with the CEO entitled "strategy for lay-offs". Given the wrong sharing settings, this name can then be seen by anyone who checks when the CFO is available to talk about their pension plan. Calendar sharing policies are created in the Exchange Online Admin Centre, and Microsoft's documentation explains the levels that are possible. We suggest a policy that shares ONLY "Free/Busy information with time only".
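The "time only" policy, plus the two other places a meeting title can leak (what colleagues inside the tenant see, and published calendars), as an added example that is not from the original post. It uses the ExchangeOnlineManagement module; contoso.com and the admin account are placeholders, and the loop assumes English folder names ("\Calendar").

```powershell
# Added example: Exchange Online PowerShell; contoso.com is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'bob_admin@contoso.com'

# 1. What external recipients can be offered: the sharing policy. Levels, from least
#    to most revealing: CalendarSharingFreeBusySimple (time only),
#    CalendarSharingFreeBusyDetail (time, subject, location),
#    CalendarSharingFreeBusyReviewer (everything). The policy is a ceiling: users can
#    offer less, never more.
Get-SharingPolicy | Format-Table Name, Default, Enabled, Domains

# Pin the default policy to time-only, for anonymous recipients and for every external domain.
Set-SharingPolicy -Identity 'Default Sharing Policy' `
    -Domains 'Anonymous:CalendarSharingFreeBusySimple', '*:CalendarSharingFreeBusySimple'

# 2. What colleagues see (the CFO example is internal): the calendar folder's 'Default'
#    permission. AvailabilityOnly = free/busy time only; LimitedDetails adds subject and
#    location; Reviewer reads everything.
$mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
foreach ($m in $mailboxes) {
    $cal  = "$($m.UserPrincipalName):\Calendar"
    $perm = Get-MailboxFolderPermission -Identity $cal -User Default -ErrorAction SilentlyContinue
    if ($perm -and ($perm.AccessRights -notcontains 'AvailabilityOnly') -and ($perm.AccessRights -notcontains 'None')) {
        Write-Warning "$($m.UserPrincipalName): Default has $($perm.AccessRights -join ',') - resetting"
        Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights AvailabilityOnly
    }
}

# 3. Published (ICS/HTML) calendars bypass both of the above; find them and switch them off.
foreach ($m in $mailboxes) {
    $cal = "$($m.UserPrincipalName):\Calendar"
    $f   = Get-MailboxCalendarFolder -Identity $cal -ErrorAction SilentlyContinue
    if ($f -and $f.PublishEnabled) {
        Write-Warning "$($m.UserPrincipalName) publishes its calendar at $($f.PublishedCalendarUrl) (detail: $($f.DetailLevel))"
        Set-MailboxCalendarFolder -Identity $cal -PublishEnabled $false
    }
}
```

Step 2 resets only the Default entry; named colleagues who were deliberately granted Reviewer access keep it, which is usually what you want for an assistant but worth listing separately with Get-MailboxFolderPermission before you assume so.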
Check out Octiga Prevent for easy ways to configure all of the above settings.
Don’t create a mailbox like “Accounts“
What I mean here is: don't create user mailboxes for shared functions. Time and again I see companies creating a real user mailbox called “Accounts“, “Reception” or “IT support“ and then having multiple employees log in to it directly with a shared password. This is a BAD idea. When something goes wrong, the account gets breached, or you need to track who had access, you will be blind and left putting every employee who knew the password under suspicion. A password handed round like that also cannot sensibly be protected with MFA.
Instead, use shared mailboxes, which are not real user mailboxes but rather give prescribed users delegated access, from their own accounts, to read or send mail based on their needs. This way you can add and remove delegates and, more importantly, audit who accessed, sent and read mail.
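Converting an "Accounts" user mailbox into a shared mailbox with named delegates, and then answering the two questions a shared password cannot (who has access, and who actually used it), as an added example that is not from the original post or Octiga's tooling. It uses ExchangeOnlineManagement, plus one legacy MSOnline call to block direct sign-in; contoso.com, the mailbox and the delegates are placeholders.

```powershell
# Added example: Exchange Online PowerShell; contoso.com and the people are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'bob_admin@contoso.com'

$shared    = 'accounts@contoso.com'
$delegates = @('alice@contoso.com', 'carol@contoso.com')

# 1. Convert the misused "real" user mailbox into a shared mailbox. Mail and the
#    address stay; the licence can be removed afterwards (shared mailboxes under 50 GB
#    with no archive or hold do not need one).
Set-Mailbox -Identity $shared -Type Shared

# 2. Nobody should sign in to it directly any more: delegation is the only door.
#    (Blocking credentials is an Azure AD / legacy MSOnline action, not an Exchange one.)
Import-Module MSOnline
Connect-MsolService
Set-MsolUser -UserPrincipalName $shared -BlockCredential $true

# 3. Grant named delegates from their own accounts: FullAccess (read) and SendAs.
foreach ($d in $delegates) {
    Add-MailboxPermission   -Identity $shared -User $d    -AccessRights FullAccess -InheritanceType All -AutoMapping $true
    Add-RecipientPermission -Identity $shared -Trustee $d -AccessRights SendAs -Confirm:$false
}
# Keep copies of "Send As" / "Send on Behalf" items in the shared Sent Items so there is a record.
Set-Mailbox -Identity $shared -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true

# 4. Who has access right now: the list you could not produce with a shared password.
Get-MailboxPermission -Identity $shared |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Format-Table User, AccessRights
Get-RecipientPermission -Identity $shared |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Format-Table Trustee, AccessRights

# 5. Who actually used it: SendAs events from the unified audit log, last 7 days.
#    The real sender is in UserIds; the shared mailbox is the MailboxOwnerUPN.
#    (MailItemsAccessed read events additionally need the Advanced Audit licence.)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations SendAs -ResultSize 1000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        if ($d.MailboxOwnerUPN -eq $shared) {
            [pscustomobject]@{ When = $_.CreationDate; Delegate = $_.UserIds; Operation = $_.Operations }
        }
    } | Format-Table
```

AutoMapping makes the shared mailbox appear in each delegate's Outlook automatically, which is what stops people asking for the password "just to get in quickly".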
Check out Octiga Prevent for easy ways to select mailboxes, split them and assign delegates as required
Don’t be an Admin
The final simple rule to follow is: don’t be an admin. You may think, when you set yourself up as a new user, that because your role in the company means you need administrator access, your everyday user in Office 365 should have that level of access. It should not. Instead, create a separate, unlicensed user (remember, an unlicensed user won’t cost you anything) with a name similar to your mailbox, say bob_admin@yourCompany.com (assuming your name is Bob), and give that user the access levels it requires.
The thinking is simple. The more an account is used, the greater, in general, the risk that its credentials fall into the wrong hands. If you log in every day from ten locations, you need to make sure that the credentials you risk spilling are not those of a Global Admin, which in the wrong hands would summon dragons upon your company. The number of times you actually need to log in to do real admin work is probably far lower. We need to limit the exposure of admin credentials. In the same vein, go through the company's accounts and ask yourself, for each admin: is this admin required, and should it be a separate user account?
Finally, even if you are averse to MFA for all users, I would stress having MFA on for at least all admin accounts.
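The split described above (unlicensed bob_admin, MFA on it, the Global Admin role moved off the everyday mailbox) followed by the review of which admins are really licensed mailboxes, as an added example that is not from the original post or Octiga's tooling. It uses the legacy MSOnline module (deprecated by Microsoft in favour of the Graph PowerShell SDK); bob@contoso.com, bob_admin@contoso.com and the usage location are placeholders.

```powershell
# Added example: legacy MSOnline module; bob@contoso.com / bob_admin@contoso.com are placeholders.
# Run this signed in as a DIFFERENT Global Admin (or a break-glass account) so that removing
# the role from the daily account cannot lock you out mid-way.
Import-Module MSOnline
Connect-MsolService

$daily = 'bob@contoso.com'
$admin = 'bob_admin@contoso.com'

# 1. Create the admin identity with NO licence (no mailbox, no Office, no cost).
#    With no -Password given, MSOnline generates a one-time password and returns it.
$new = New-MsolUser -UserPrincipalName $admin -DisplayName 'Bob Smith (admin)' `
    -FirstName 'Bob' -LastName 'Smith' -ForceChangePassword $true -UsageLocation 'GB'
"One-time password for ${admin}: $($new.Password)   <- hand over out of band, never by email"

# 2. Require MFA before the account is ever used.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State = 'Enabled'
Set-MsolUser -UserPrincipalName $admin -StrongAuthenticationRequirements @($req)

# 3. Move Global Administrator (MSOnline's internal name is 'Company Administrator')
#    from the daily-driver mailbox to the admin identity: add first, then remove.
Add-MsolRoleMember    -RoleName 'Company Administrator' -RoleMemberEmailAddress $admin
Remove-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberType User -RoleMemberEmailAddress $daily

# 4. Verify: admin identity is unlicensed and MFA-enabled; daily account no longer holds the role.
$a = Get-MsolUser -UserPrincipalName $admin
"{0}: licensed={1} mfaState={2}" -f $admin, $a.IsLicensed, $a.StrongAuthenticationRequirements.State
$ga = Get-MsolRole -RoleName 'Company Administrator'
Get-MsolRoleMember -RoleObjectId $ga.ObjectId | Format-Table EmailAddress, DisplayName, IsLicensed

# 5. The review the article asks for: every admin-role member that holds a licence,
#    i.e. probably somebody's everyday mailbox doubling as an admin. Each one is a
#    candidate for the same split, or for losing the role altogether.
Get-MsolRole | ForEach-Object {
    $role = $_
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' -and $_.IsLicensed } |
        Select-Object @{n='Role'; e={ $role.Name }}, EmailAddress, DisplayName
} | Sort-Object Role, EmailAddress | Format-Table -AutoSize
```

The order in step 3 is deliberate: add the new holder before removing the old one, so the tenant is never without a Global Admin, and keep at least one cloud-only break-glass account outside any Conditional Access or per-user MFA policy that could lock every admin out at once.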
Check out Octiga Prevent for easy ways to identify such users, split them, assign new credentials, enable MFA for admins and generally keep your admins safe and locked up