Office 365 low hanging security fruits - MFA
In this part of the series I want to talk about the most obvious and meaningful security measure for O365 – Multifactor authentication (MFA). The well-established technology can significantly reduce the attack surface of your organization and is easy to implement for O365 administrators. It should be your first line of defense against phishing and replay attacks in your security environment. In this article I want to talk about the technical/mathematical concept of the standard and show you how to activate the tool and its features in your tenant.
This is a multi-part security series for O365 with the following articles:
Introduction
I believe by now everyone in the IT environment who didn’t live under a rock in the last decade has heard of MFA. However, I thought it might be helpful to explain the fundamentals behind it in order to lift the mystifying curtain of the technology. MFA uses, as the name suggests, several factors to authenticate the user against the system. Usually something you know (a password) and something you have (a hardware or software token) are used, but it’s entirely possible to use something you are (biometrics such as fingerprints or face scans). Any combination of the three is considered MFA, but usually a password plus a token is used, as this method is cheaper and easier for companies to implement than biometric scanners – even if they are much cooler 😉
Technical basics
I don’t want to go into detail regarding the user password part of the process. Aspects such as password policy, hashed password databases etc. are far too comprehensive to discuss here and are out of the scope of this article. Instead, the focus is on One-Time Passwords (OTP), which run on a second device for the user, usually a smartphone with an authentication app or a USB-sized hardware token, but technically the paper-based token list of your old-school bank counts as well 😉.
The two standard procedures for OTP are HMAC-based One-Time Password (HOTP) and Time-based One-Time Password (TOTP). Both procedures create a passcode that is only valid once for a transaction or login. The differences between TOTP and HOTP are actually minor: HOTP uses increments based on the HMAC hashing algorithm, counting up after each authentication. However, with HOTP the token is valid until it is used or a new one is generated, whereas TOTP has constant incrementation with time as the moving factor on both sides.
Advice: Keep in mind that TOTP systems rely on all devices running the correct time. If the authentication fails, make sure to check the connection to the NTP server and your time settings first.
Below I have created a poster to show all the features of TOTP; the full PDF is available to download here
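The HOTP and TOTP calculations described above, together with the effect of clock drift on verification, as an added example that is not part of the original article and not Microsoft's implementation. The function names, the `window` parameter and the sample clock values are assumptions for illustration; the secret is the published test key from RFC 4226 / RFC 6238.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (not a real key).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of elapsed steps."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, server_time, step=30, window=1):
    """Return the matching step offset (-window..window), or None on failure.

    The acceptance window is an assumption for illustration; it models a
    server tolerating a small clock difference between token and server.
    """
    current = int(server_time) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter >= 0 and hmac.compare_digest(hotp(secret, counter, len(code)), code):
            return delta
    return None


if __name__ == "__main__":
    code = totp(SECRET, 59)  # constructed sample: token clock reads 59 s
    print("code generated by token:", code)
    print("server in sync (t=59):  ", verify_totp(SECRET, code, 59))
    print("server 30 s ahead:      ", verify_totp(SECRET, code, 89))
    print("server 90 s ahead:      ", verify_totp(SECRET, code, 149))
```

In the last case the code is correct for the token's clock but falls outside the server's window, so verification fails; this is the situation the NTP advice above is meant to catch.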

Office 365 low hanging security fruits - DMARC
How do you implement basic security policies for your company's Office 365 system? As mail systems are usually the main target for your average cyber criminals, a quick strategy was needed to harden the first line of defense against this attack vector. The measures I came up with are luckily not any kind of rocket science and are easy to implement even for not so experienced O365 admins, as they are well established and have been around for quite a while by now. But they are a great way to harden your network and protect your users against cyber criminals with just a few hours of work. This is a three-part series, starting with how to implement DMARC for your Office 365 Exchange Server.
Office 365 low hanging security fruits - Mail tagging
This part is focused once again on mail traffic and its attack vectors. Specifically, I wanted to tag all incoming mails in Office 365 Exchange which are not coming from trusted domains. This is really easy to implement with Exchange Online rules and doesn't even require any kind of PowerShell knowledge, so every O365 admin should have implemented this policy in their environment.