Microsoft 365 – Cloud Security Configuration Review
Microsoft 365 is now in common use across organisations large and small, which is unsurprising given the features the cloud-based suite provides. Although Microsoft 365 ships with security and protection capabilities, under the Shared Responsibility Model the responsibility for a secure configuration lies mainly with you, the customer. Out of the box, a number of controls are not configured to make best use of the security features the platform can deliver. Attackers are equally aware of this and routinely exploit weak configuration to attack users; a common example is using legacy authentication protocols, where they remain enabled, to sidestep Multi-Factor Authentication.
By performing a Microsoft 365 configuration review, Precursor Security can identify and advise on potential risks posed to your organisation. The objective of the assessment is to move your Microsoft 365 Tenancy towards best practice and compliance requirements.
A Precursor Microsoft 365 Security Configuration Review covers the following eight key areas:
- Existing Accounts
- Authentication
- Cloud Application Configuration
- Cloud Application Permission Provisioning
- Data Management & Storage
- Email Security
- Event & Security Auditing
- Mobile Device Management
To schedule a Microsoft 365 assessment, or to request more information please get in touch using the contact form on this page, or via any of the channels outlined in the contact us page.
Key Assessment Areas
Existing Accounts
Reviewing the existing account structure highlights problems with fundamental processes. For example, does the administrative structure ensure that no single administrator can perform sensitive actions without the knowledge of other administrators, and does the current number of privileged accounts needlessly increase the organisation's attack surface? Guest accounts, service principals and accounts holding several privileged roles at once deserve particular attention.
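The checks described above, as an added example that is not Precursor's tooling or part of the original page: it runs over a constructed directory-role export whose field names (roleName, principal, principalType, userType, assignmentState) are assumed for the example, and it reports the Global Administrator headcount against the commonly recommended range of two to four, guests and service principals holding privileged roles, and accounts stacking several privileged roles.

```python
"""Privileged-role review over a directory role export.

Added example, not Precursor's tooling. It assumes assignments shaped like a
Microsoft Graph role export: roleName, principal (UPN or display name),
principalType (User, Group or ServicePrincipal), userType (Member or Guest,
None for non-users) and assignmentState (Active, or Eligible for a PIM
assignment that must be activated before use). The data is constructed.
"""
from collections import defaultdict

# Roles treated as highly privileged: Global Administrator can do anything,
# the others can escalate to it or reset other identities' credentials.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "User Administrator",
}

# Bounds for the Global Administrator headcount: at least two so that no
# single account is a point of failure, and no more than four so the set of
# accounts that can do anything stays small (CIS Microsoft 365 guidance).
MIN_GLOBAL_ADMINS = 2
MAX_GLOBAL_ADMINS = 4

# Constructed sample export; not real tenant data.
SAMPLE_ASSIGNMENTS = [
    {"roleName": "Global Administrator", "principal": "adm-jane@contoso.com",
     "principalType": "User", "userType": "Member", "assignmentState": "Active"},
    {"roleName": "Global Administrator", "principal": "bob@contoso.com",
     "principalType": "User", "userType": "Member", "assignmentState": "Active"},
    {"roleName": "Global Administrator", "principal": "eve@contoso.com",
     "principalType": "User", "userType": "Member", "assignmentState": "Active"},
    {"roleName": "Global Administrator",
     "principal": "consultant_outlook.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "userType": "Guest", "assignmentState": "Active"},
    {"roleName": "Global Administrator", "principal": "legacy-sync-app",
     "principalType": "ServicePrincipal", "userType": None, "assignmentState": "Active"},
    {"roleName": "Global Administrator", "principal": "carol@contoso.com",
     "principalType": "User", "userType": "Member", "assignmentState": "Eligible"},
    {"roleName": "Exchange Administrator", "principal": "bob@contoso.com",
     "principalType": "User", "userType": "Member", "assignmentState": "Active"},
    {"roleName": "User Administrator", "principal": "dave@contoso.com",
     "principalType": "User", "userType": "Member", "assignmentState": "Active"},
    {"roleName": "Helpdesk Administrator", "principal": "frank@contoso.com",
     "principalType": "User", "userType": "Member", "assignmentState": "Active"},
]


def review_privileged_roles(assignments):
    """Return the facts a reviewer would raise about privileged role holders."""
    priv = [a for a in assignments if a["roleName"] in PRIVILEGED_ROLES]
    ga = [a for a in priv if a["roleName"] == "Global Administrator"]

    active_global_admins = sorted({a["principal"] for a in ga
                                   if a["assignmentState"] == "Active"})
    eligible_global_admins = sorted({a["principal"] for a in ga
                                     if a["assignmentState"] == "Eligible"})

    roles_by_principal = defaultdict(set)
    for a in priv:
        roles_by_principal[a["principal"]].add(a["roleName"])

    return {
        "active_global_admins": active_global_admins,
        "global_admin_count_ok":
            MIN_GLOBAL_ADMINS <= len(active_global_admins) <= MAX_GLOBAL_ADMINS,
        "eligible_global_admins": eligible_global_admins,
        # External identities should never hold tenant-wide privilege.
        "guest_privileged": sorted((a["principal"], a["roleName"])
                                   for a in priv if a.get("userType") == "Guest"),
        # Service principals with directory roles are a common persistence point.
        "service_principal_privileged": sorted(
            (a["principal"], a["roleName"])
            for a in priv if a["principalType"] == "ServicePrincipal"),
        # One account stacking several privileged roles concentrates blast radius.
        "multi_role_principals": {p: sorted(r) for p, r in roles_by_principal.items()
                                  if len(r) > 1},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review_privileged_roles(SAMPLE_ASSIGNMENTS), indent=2))
```

On the constructed data the review reports five active Global Administrators (outside the two-to-four range), a guest and a service principal holding Global Administrator, and one user holding both Global Administrator and Exchange Administrator; the eligible assignment is listed separately because a PIM-eligible account is not standing access.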
Authentication
Ensuring authentication is configured securely is critical to minimising the risk of adversaries accessing your accounts and data. Reviewing the authentication mechanisms confirms that the configured controls provide an adequate level of security and do not contradict or negate one another. For example, legacy protocols such as POP3 and IMAP4 use basic (username and password) authentication and cannot complete an MFA challenge. Where they remain enabled, an attacker who has obtained a password can authenticate without MFA even though MFA is enforced for the account, which makes these protocols a common target for password spraying and brute-force attacks. Microsoft has since disabled basic authentication for most Exchange Online protocols by default, but SMTP AUTH remains configurable per mailbox, so per-mailbox protocol settings and Conditional Access policies blocking legacy clients should be verified rather than assumed.
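The two conditions described above, a legacy-protocol sign-in that succeeds without MFA and a password spray against many accounts, as detection logic over sign-in log entries. This is an added example, not Precursor's tooling or code from the original page; the entries are constructed, and their shape (the Graph signIn fields userPrincipalName, clientAppUsed, authenticationRequirement, ipAddress and status.errorCode) and the set of clientAppUsed values treated as legacy are assumptions of the example.

```python
"""Legacy-authentication review over Entra ID sign-in log entries.

Added example, not Precursor's tooling. Entries are assumed to be shaped like
the Microsoft Graph signIn resource (fields used: userPrincipalName,
clientAppUsed, authenticationRequirement, ipAddress, status.errorCode). The
sample entries are constructed; 203.0.113.0/24 and 198.51.100.0/24 are
documentation address ranges.
"""
from collections import defaultdict

# clientAppUsed values treated as legacy (basic) authentication for this
# review. These clients cannot complete an MFA challenge, so a success is
# single-factor regardless of what is enforced on the account.
LEGACY_CLIENT_APPS = {
    "POP3", "IMAP4", "SMTP", "Authenticated SMTP", "Exchange ActiveSync",
    "Exchange Web Services", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Autodiscover", "Offline Address Book", "Other clients",
}

INVALID_CREDENTIALS = 50126  # Entra ID error code for a bad username or password


def _entry(upn, app, ip, error=0, auth="singleFactorAuthentication"):
    """Build one minimal sign-in record (constructed data helper)."""
    return {"userPrincipalName": upn, "clientAppUsed": app, "ipAddress": ip,
            "authenticationRequirement": auth, "status": {"errorCode": error}}


# Constructed sample log: one legitimate MFA sign-in, two legacy-protocol
# successes, one mistyped password, and a password spray from a single IP.
SAMPLE_SIGNINS = [
    _entry("bob@contoso.com", "Browser", "203.0.113.5", auth="multiFactorAuthentication"),
    _entry("alice@contoso.com", "IMAP4", "203.0.113.10"),
    _entry("alice@contoso.com", "Browser", "203.0.113.10", error=INVALID_CREDENTIALS),
    _entry("carol@contoso.com", "POP3", "203.0.113.22"),
] + [
    _entry(f"user{i}@contoso.com", "Other clients", "198.51.100.7",
           error=INVALID_CREDENTIALS)
    for i in range(1, 7)
]


def legacy_successes(entries):
    """Successful sign-ins over a legacy protocol that did not involve MFA."""
    return [
        (e["userPrincipalName"], e["clientAppUsed"], e["ipAddress"])
        for e in entries
        if e["status"]["errorCode"] == 0
        and e["clientAppUsed"] in LEGACY_CLIENT_APPS
        and e["authenticationRequirement"] != "multiFactorAuthentication"
    ]


def spray_sources(entries, min_distinct_users=5):
    """Source IPs with failed password attempts against many distinct users.

    A brute force against one account shows up as many failures for one user;
    a password spray is the opposite shape, a few attempts each against many
    users, so the threshold is on distinct users rather than on volume.
    """
    failed_users = defaultdict(set)
    for e in entries:
        if e["status"]["errorCode"] == INVALID_CREDENTIALS:
            failed_users[e["ipAddress"]].add(e["userPrincipalName"])
    return {ip: len(users) for ip, users in failed_users.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    for upn, app, ip in legacy_successes(SAMPLE_SIGNINS):
        print(f"legacy auth without MFA: {upn} via {app} from {ip}")
    for ip, n in spray_sources(SAMPLE_SIGNINS).items():
        print(f"possible password spray: {ip} failed against {n} users")
```

The single failed browser sign-in from alice's own address is not reported, because the spray check keys on distinct users per source rather than on raw failure count; a real review would add a time window and compare against Conditional Access coverage for the flagged protocols.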
Cloud Application Configuration & Permissions
The Microsoft 365 suite not only provides users with a broad set of applications but also lets users register third-party integrations in the environment. Attackers increasingly exploit this through consent phishing: a user is persuaded to grant a malicious OAuth application permissions to their mail and files, and the attacker then keeps that access through the granted tokens without ever needing the user's password. Existing applications can also allow users to inadvertently share data outside the organisation, or to share malicious files with one another. Reviewing the permissions of both native and third-party applications, and who consented to them, is crucial to retaining control of your critical data.
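A permission review of the kind described above, as an added example that is not Precursor's tooling or part of the original page. It rates delegated consent grants by the scopes they carry, whether consent was given tenant-wide or by one user, and whether offline_access makes the access persistent. The grant records are constructed; their shape follows the Graph oauth2PermissionGrant fields (clientId, consentType, principalId, scope) plus an app display name, and the set of scopes treated as high risk is an assumption of the example.

```python
"""OAuth application permission review over delegated consent grants.

Added example, not Precursor's tooling. Grants are assumed to be shaped like
the Microsoft Graph oauth2PermissionGrant resource: clientId, consentType
("AllPrincipals" for admin consent on behalf of every user, "Principal" for
one user's own consent), principalId and a space-separated scope string,
joined to the application display name. The grants below are constructed.
"""

# Delegated scopes that give an application bulk access to mail or files, or
# let it change the directory. A consented malicious app holding these reads
# or exfiltrates data without needing anyone's password.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "Contacts.Read",
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "low": 2}

# Constructed sample grants; not real tenant data.
SAMPLE_GRANTS = [
    {"app": "Contoso HR Portal", "clientId": "app-1", "consentType": "AllPrincipals",
     "principalId": None, "scope": "openid profile User.Read"},
    {"app": "Mail Productivity Helper", "clientId": "app-2", "consentType": "Principal",
     "principalId": "bob@contoso.com",
     "scope": "User.Read Mail.Read Mail.Send offline_access"},
    {"app": "External File Sync", "clientId": "app-3", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Files.ReadWrite.All Sites.Read.All offline_access"},
    {"app": "Calendar Widget", "clientId": "app-4", "consentType": "Principal",
     "principalId": "alice@contoso.com", "scope": "User.Read Calendars.Read"},
]


def rate_grant(grant):
    """Rate one grant: tenant-wide consent to risky scopes is the worst case."""
    scopes = set(grant["scope"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    tenant_wide = grant["consentType"] == "AllPrincipals"
    # offline_access yields a refresh token, so the app keeps working after the
    # user closes the browser and until the grant is explicitly revoked.
    persistent = "offline_access" in scopes
    if not risky:
        severity = "low"
    elif tenant_wide:
        severity = "critical"
    else:
        severity = "high"
    return {
        "app": grant["app"],
        "severity": severity,
        "risky_scopes": risky,
        "tenant_wide": tenant_wide,
        "persistent": persistent,
        "consented_by": "admin (all users)" if tenant_wide else grant["principalId"],
    }


def review_grants(grants):
    """Rate every grant and return the findings worst first (stable order)."""
    return sorted((rate_grant(g) for g in grants),
                  key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS):
        print(f"{f['severity']:8} {f['app']}: {f['risky_scopes']} "
              f"tenant_wide={f['tenant_wide']} persistent={f['persistent']} "
              f"consented_by={f['consented_by']}")
```

Application (app-only) permissions granted through app role assignments are a separate list in Graph and carry at least the same weight as tenant-wide delegated consent; a full review covers both, and checks whether users are allowed to consent to unverified publishers at all.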
Data Management & Storage
Managing access to your organisation's sensitive data is fundamental to any information risk management strategy. Ensuring that Data Loss Prevention (DLP) and data classification controls are correctly configured allows an organisation to maintain control of its critical and sensitive data.
Email Security
Email is the most used feature of Microsoft 365, so it is no surprise that phishing remains the preferred initial access vector for many adversaries. Strong configuration, for example publishing and enforcing SPF, DKIM and DMARC for your domains and inspecting links and attachments before delivery, blunts many common phishing techniques. Equally, administrators need visibility over their environment to identify threats and contain an ongoing attack before serious and potentially irreversible damage is done.
Event & Security Auditing
Auditing is crucial to any investigation and response process. Ensuring that the right events are recorded, and retained for long enough to cover an investigation, is key to understanding the impact of an incident; gaps in audit coverage directly hinder the ability to identify malicious activity.
Mobile Device Management
Modern business requires users to access their data around the clock from any number of devices and locations. Enforcing device security policies, such as requiring a device PIN and blocking access from jailbroken or rooted devices, limits the impact of lost, stolen or compromised devices and upholds the confidentiality of sensitive data. With device theft on the rise, the ability to remotely wipe a lost or stolen device so that sensitive data does not fall into the wrong hands is another common requirement.
At the end of the assessment a report is provided detailing each recommendation, with remediation and implementation steps and the rationale behind them. A summary excerpt of a typical deliverable is shown below: