CISA Report Only Scratches Surface of Securing Office 365

Makes Basic Security Recommendations for Office 365

CISA Report AR19-133A

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) “Microsoft Office 365 Security Observations” report issued on May 13 doesn’t offer any new advice to Office 365 administrators about keeping their tenants secure. In fact, anyone who has ever read the Office 365 for IT Pros eBook will think that the CISA suggestions are simple block-and-tackle steps that any competent administrator will already have taken.

But to be fair to CISA, their advice is directed at organizations “transitioning to O365 and other cloud services.” In other words, people who are just getting used to Office 365 and need basic help to secure their tenant. This salient fact didn’t stop some websites coming up with headlines like “Feds warn of Office 365 security flaws” – a classic clickbait headline.

Some Words of Basic Advice

Let’s look at some of the issues highlighted in the analysis.

Multi-factor authentication (MFA) not enabled by default for administrator accounts. This is true. It’s also absolutely right that all administrator accounts should be protected by MFA. However, it’s hardly a flaw, because some up-front work is needed to figure out what the second factor will be in the authentication process. An argument could be made that part of the Office 365 tenant setup routine should be to configure MFA for the first administrator account, but it’s better to put some thought into the topic. For instance, is SMS a dependable mechanism, or should we use the Microsoft Authenticator app? What accounts need protection? (Answer: all administrator accounts and sensitive user accounts.) What apps support MFA (Office 365 apps do, but what about third-party apps)? In short, preparing for and deploying MFA is a step that well-prepared tenants will take as they deploy Office 365.

Mailbox auditing is disabled. This used to be the case, but Microsoft changed the default for Office 365 tenants last year. In fact, well-managed tenants had made arrangements to enable mailbox auditing for all accounts using PowerShell for years beforehand.

Unified audit log needs to be enabled. This is a very simple one-time operation. I think Microsoft should enable ingestion for all tenants by default, but I don’t think this is an issue that deserves too much attention. High-profile or sensitive Office 365 tenants are likely to use other methods to gather audit information such as Office 365 Cloud App Security or a third-party reporting product (like Radar Security and Audit) that use other APIs to retrieve audit data from Office 365, if only to avoid the known problems in the ingestion of audit data into the unified log (this is just one example).

Password Sync Enabled. It’s absolutely true that care needs to be taken in the configuration and operation of the AADConnect utility used to synchronize on-premises objects to the cloud in hybrid organizations, and that the utility must then be kept updated with the patches issued to fix vulnerabilities. The worry expressed in the report is that some privileged accounts might have been compromised in the past when AADConnect wasn’t as careful as it should have been. Regular audits of administrator accounts and the use of MFA to remove a reliance on simple passwords help.

Modern authentication unsupported by older protocols. I continue to be bemused at how many people continue to use email clients based on the antique POP3 and IMAP4 protocols. These clients can’t use modern authentication. As the report points out, Azure Active Directory conditional access policies can block these clients from connecting and force people to use more secure clients. Alternatively, you can block protocols for an organization with Exchange Online authentication policies.

CISA Recommendations

The report ends up making five relatively simple recommendations:

  • Use multi-factor authentication. This is the best mitigation technique to use to protect against credential theft for Office 365 users.
  • Enable unified audit logging in the Security and Compliance Center.
  • Enable mailbox auditing for each user. [Now on by default]
  • Ensure Azure AD password sync is planned for and configured correctly, prior to migrating users.
  • Disable legacy email protocols, if not required, or limit their use to specific users.
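The three recommendations that live inside Exchange Online (unified audit log, mailbox auditing, legacy protocols) can be applied and verified from PowerShell in one pass. The script below is an added example, not code from the article or from CISA; it assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline from the ExchangeOnlineManagement module) and the policy name is a constructed value. MFA and AADConnect planning are outside Exchange Online PowerShell and are not covered here.

```powershell
# Added example (not from the article or the CISA report). Assumes an open
# Exchange Online session (Connect-ExchangeOnline) with admin rights.

# 1. Unified audit log: make sure ingestion into the audit log is switched on.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Enabling unified audit log ingestion"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing: tenant default on, plus explicit per-mailbox enablement
#    for mailboxes created before Microsoft changed the default.
$orgCfg = Get-OrganizationConfig
if ($orgCfg.AuditDisabled) {
    Write-Host "Turning on mailbox auditing by default for the tenant"
    Set-OrganizationConfig -AuditDisabled $false
}
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object {
        Write-Host "Enabling mailbox auditing for $($_.UserPrincipalName)"
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true
    }

# 3. Legacy protocols: an authentication policy that refuses Basic authentication
#    for POP3, IMAP4, SMTP AUTH and ActiveSync. Policy name is a constructed value.
$policyName = "Block Basic Auth (CISA AR19-133A)"
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName `
        -AllowBasicAuthPop:$false -AllowBasicAuthImap:$false `
        -AllowBasicAuthSmtp:$false -AllowBasicAuthActiveSync:$false | Out-Null
}
# Apply tenant-wide; users with an approved exception get a separate policy
# assigned with Set-User -AuthenticationPolicy.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 4. Report which mailboxes still have POP/IMAP enabled at the mailbox level, so
#    the "limit their use to specific users" recommendation can be acted on.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object DisplayName, PopEnabled, ImapEnabled |
    Format-Table -AutoSize
```

Authentication policy changes can take up to a day to take effect for existing sessions, so check the report in step 4 again afterwards.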

Implementing these recommendations should take a competent administrator less than a day in total and that’s including making a decision about MFA and planning and testing AADConnect. The hardest piece in the list is the human dimension of how to explain to people that they can’t use their favorite legacy protocol email client to connect to Exchange Online.

What’s Missing

A large number of relevant steps that should be taken to protect organizations after they move email to the cloud are missing from the report. What’s curious is that anyone who has any experience of using Microsoft Secure Score to analyze an Office 365 tenant will understand why these steps are necessary, which raises the question of why the report’s authors failed to cover these points.

For instance, configuring Exchange Online Protection to protect against malware isn’t considered, nor is the need to check users auto-forwarding to remote domains. The latter point is bad for two reasons: first, it allows potentially sensitive information to go outside the tenant; second, hackers often plant rules to forward email to learn how an organization works before they execute an impersonation attack. There’s no discussion about how to control mobile devices connecting to the tenant either.
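A check for the auto-forwarding problem described above, as an added example that is not part of the original post: it lists mailbox-level forwarding and inbox rules whose targets lie outside the tenant’s accepted domains, and reports whether the default remote domain allows automatic forwarding at all. It assumes an open Exchange Online session (Connect-ExchangeOnline); the Test-ExternalAddress helper is a constructed name.

```powershell
# Added example (not from the article): report forwarding to remote domains.
# Assumes an open Exchange Online session (Connect-ExchangeOnline).

# Domains the tenant owns; anything else counts as "remote" for this check.
$ownDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    # Constructed helper: true when the address's domain is not an accepted domain.
    param([string]$Address)
    if ([string]::IsNullOrEmpty($Address)) { return $false }
    # Rule recipients look like 'Name [SMTP:user@domain]'; mailbox forwarding
    # looks like 'smtp:user@domain'. Either way, take the part after '@'.
    if ($Address -notmatch '@([A-Za-z0-9.-]+)') { return $false }
    return ($ownDomains -notcontains $Matches[1].ToLower())
}

$findings = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    # Forwarding configured on the mailbox object itself
    if (Test-ExternalAddress $mbx.ForwardingSmtpAddress) {
        $findings += [PSCustomObject]@{
            Mailbox = $mbx.UserPrincipalName; Source = 'Mailbox setting'
            Target  = $mbx.ForwardingSmtpAddress; RuleName = ''
        }
    }
    # Inbox rules that forward, forward as attachment, or redirect
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.Identity)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if (Test-ExternalAddress ([string]$t)) {
                $findings += [PSCustomObject]@{
                    Mailbox = $mbx.UserPrincipalName; Source = 'Inbox rule'
                    Target  = [string]$t; RuleName = $rule.Name
                }
            }
        }
    }
}

# Tenant-wide control: does the default remote domain permit auto-forwarding?
$remote = Get-RemoteDomain -Identity Default
Write-Host "AutoForwardEnabled on remote domain 'Default': $($remote.AutoForwardEnabled)"

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Setting AutoForwardEnabled to $false on the remote domain (Set-RemoteDomain) stops rule-based forwarding outside the tenant wholesale; the per-mailbox findings tell you who would be affected before you do that.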

To create a more balanced view, a more comprehensive report would have incorporated aspects of Office 365 that don’t exist on-premises. Office 365 Message Encryption (available for all Office 365 E3 and E5 tenants), which enables out-of-the-box message encryption to any recipient, is one example. Office 365 Sensitivity Labels protect sensitive information in both email and documents, even if the information leaves the tenant. Data Loss Prevention is different in Office 365, and its policies can enforce encryption too. And then there are many things that can be done with Office 365 Advanced Threat Protection to ensure that Exchange Online is better protected than its on-premises counterpart.

The lack of coverage (even a brief mention) of the protective features that become available after an organization moves to Office 365 is a flaw in the report. If you want to make observations about the security of a system, you must consider the entire picture.

Consultants to Blame?

Perhaps the most worrying statement in the entire report says that: “The organizations that used a third party have had a mix of configurations that lowered their overall security posture (e.g., mailbox auditing disabled, unified audit log disabled, multi-factor authentication disabled on admin accounts). In addition, the majority of these organizations did not have a dedicated IT security team to focus on their security in the cloud. These security oversights have led to user and mailbox compromises and vulnerabilities.” In other words, third-party consultants don’t know how to secure Office 365 (especially Exchange Online). It sounds like a failure in due diligence during the selection process when organizations set out to find Office 365 expertise to help them move to the cloud. That’s pretty serious. Hopefully, it only happened in the organizations CISA interviewed for the report.

In summary, there’s some value in the report but it’s very limited when it comes to the complete spectrum of Office 365 apps and services. CISA looks at some aspects of keeping email secure after a migration to Exchange Online but ends up by only scratching the surface of what can be a very complex subject.


Need help addressing the issues raised in the CISA report? Look in the Office 365 for IT Pros eBook and read Chapter 3 (Identities and Authentication), Chapter 21 (Reporting and Auditing), Chapter 4 (Managing Office 365), Chapter 5 (Exchange Online), Chapter 17 (Protecting Email Traffic), and topics spread across other chapters.
