With every man, woman and his/her dog using Office365 for email, it looks like an invasion plan! That includes many central government departments, including the Ministry of Defence and the National Cyber Security Centre, councils, schools, constabularies and FTSE 100 companies. It takes away backup, patching, maintenance and some elements of security. As with all cloud services, security comes down to whoever configures it, and it is not perfect out of the box. Email is the core communication method; it can be used to reset passwords and to pull off many other attack types.

The admin account
Go back ten years and usernames were not email addresses but a letter followed by a few random numbers. Now everything is [email address] or initialsurname as a login. This has made password cracking, guessing and phishing easier.

The admin account should not be the Head of IT's general email address but something different so it cannot be guessed easily, i.e. do not set the admin account to [the Head of IT's own address] but rather something like [a separate, unrelated address], or something more random, to make it harder to guess. Look at general password policies too.

Two factor authentication
Statistics say only about 10% or less of organisations use 2FA in any form. With email addresses being easily guessable as stated above, phishing or password cracking is a problem. Why? With on-premise mail a firewall at times restricted access to OWA (Outlook Web Access); not so with Office365 by default.

Even on the entry level SaaS offering by Microsoft, 2FA is included, which not everyone knows. It can authenticate by SMS code, push notification in the app or OTP code within the app. Start off by enabling 2FA for all admins, have them test it for a week, and then slowly enforce it for all organisational users.

Consider ATP (Advanced Threat Protection)
Office365's inbuilt antimalware and antispam protection is decent, however nothing is perfect of course. By default, links embedded in emails are only given a basic check and files go through a few standard antimalware engines. More advanced and, worse, targeted attacks have a chance of getting through.

Office365 ATP RRP is £1.50 per user per month and is great value for its functionality. It has two core functions: firstly, auto-sandboxing files it cannot determine the intent of - it runs the file in a safe environment and delivers it if safe. Secondly, it rewrites each link so that on click it is rescanned in the cloud.

Enable SPF (Sender Policy Framework)
Phishing is a big problem and some emails are simply spoofed. SPF is a free and open anti-spoofing technique. When emails come to you, the receiving server checks the sending IP address against a published record and either cans them or flags them as spam. At the time of writing this, August 2020, even NatWest Online Banking has no SPF record set up!

With SPF there are three settings: neutral, which does nothing; hardfail (-), which cans the message; and softfail (~), which usually marks it as spam. A typical hardfail TXT record looks like “v=spf1 include:spf.protection.outlook.com -all”. Make sure you add a TXT record to your DNS and ensure your inbound emails are being checked too.
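To make the qualifiers concrete, here is an added Python example (not from the article) that evaluates a sending IP against SPF records like the one above. DNS lookups are replaced by a constructed in-memory table, and the IP ranges are documentation addresses, not Microsoft's real outbound ranges.

```python
"""Offline SPF evaluation for records like the one quoted above.

Added example, not from the article. A real receiver fetches the TXT
records via DNS; here they live in a constructed in-memory table so the
code runs offline. The IP ranges are documentation addresses, not
Microsoft's real outbound ranges. Covers ip4:/ip6:, include: and the
+/-/~/? qualifier on "all" (pass, hardfail, softfail, neutral).
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups, keyed by domain.
TXT = {
    "example.org": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "nospf.example": "",   # like the bank in the text: nothing published
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result for sender_ip sending as MAIL FROM domain."""
    if depth > 10:               # RFC 7208 limits include: nesting; stop loops
        return "permerror"
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"            # no record means spoofing cannot be detected
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"          # a mechanism with no prefix means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: matches only when the referenced domain returns pass
            if check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"             # no term matched and no "all" present

# What the receiving side usually does with each result.
ACTION = {"fail": "reject", "softfail": "mark as spam",
          "neutral": "accept", "pass": "accept", "none": "accept"}
```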

Enable DKIM (DomainKeys Identified Mail)
Continuing on from a similar topic above… DKIM is an anti-forgery method and, unlike SPF, uses a basic digital signature made up of a private key on the server (or in the cloud in this case) and a public key which lives in a DNS TXT or CNAME record. The private key is used to sign outbound emails and the receiver (or a mail server) can look up the public key to check the mail came from where it claims to come from.

This is a little fiddly to set up for cloud or on-premise, though Office365 handles the key generation for you. Once enabled you need to add two CNAME (Canonical Name) records rather than the normal TXT records. It will then check to see if the records are present and then do all the work for you, including key generation. It is a bit fiddly understanding how the CNAMEs are entered in DNS.
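The CNAME indirection is the fiddly part, so here is an added Python example (not from the article) showing the two records and how a verifier follows them to the key Microsoft hosts. The host/target pattern follows Microsoft's documented layout; "example.org" and "contoso" are constructed placeholders for your custom domain and tenant name, and the zone table stands in for DNS.

```python
"""Why Office 365 DKIM uses two CNAMEs instead of a TXT record.

Added example, not from the article. Your DNS only points at a key that
Microsoft publishes and rotates under your tenant's onmicrosoft.com domain,
so no key material is ever typed into your own zone. The host/target pattern
follows Microsoft's documented layout; "example.org" and "contoso" are
constructed placeholders for your custom domain and tenant name.
"""

def o365_dkim_cnames(domain, tenant):
    """Return the (host, target) pairs to enter in the custom domain's DNS."""
    dashed = domain.replace(".", "-")   # dots become dashes in the target label
    return [
        (f"selector{n}._domainkey.{domain}",
         f"selector{n}-{dashed}._domainkey.{tenant}.onmicrosoft.com")
        for n in (1, 2)
    ]

def resolve_dkim_key(zone, name, max_hops=5):
    """Follow CNAMEs in a zone table until a DKIM TXT record is reached.

    zone maps a DNS name to (record type, value). Returns the TXT value,
    or None if the chain is broken or does not end in a v=DKIM1 record,
    which is what a verifying receiver sees for a mis-entered CNAME."""
    for _ in range(max_hops):
        rtype, value = zone.get(name, (None, None))
        if rtype == "CNAME":
            name = value
        elif rtype == "TXT" and value.startswith("v=DKIM1"):
            return value
        else:
            return None
    return None

# Constructed zone: the two CNAMEs in the customer's DNS plus the TXT record
# Microsoft hosts. Only selector1 is published here, so selector2 fails to
# resolve, which is how a missing or mistyped record shows up.
ZONE = {host: ("CNAME", target)
        for host, target in o365_dkim_cnames("example.org", "contoso")}
ZONE["selector1-example-org._domainkey.contoso.onmicrosoft.com"] = (
    "TXT", "v=DKIM1; k=rsa; p=PUBLIC-KEY-PLACEHOLDER")
```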

Backup
Cloud computing can be seen as putting all your eggs in one basket, as well as intangible: you cannot see your physical hardware nor the backup methods (tapes in the older days) used. If a user deletes a bunch of emails and the 30-day self-recovery window has passed you are likely in trouble. What about, too, if you delete a mailbox by mistake and it is past 30 days?

Office365 does offer some form of backup and archiving service for extra monthly fees, but what if Microsoft went bust or their data centres went into thermonuclear meltdown? Various third-party services exist for a few pounds a month to offer true offsite, independent backup. Just make sure of their security posture and data centre locations.

File types
Obvious files such as MSIs, EXEs and SCRs are unlikely to make it through. What about macro-enabled files like DOCM and XLSM, and archives (7-Zip, WinRAR and WinZip)? All sorts of files can be malicious and even two files bolted together can infect a computer.

You can simply block files inbound or outbound, and the main extensions to consider are: ade, adp, app, asp, bas, bat, bhx, cab, ceo, chm, cmd, com, cpl, crt, der, docm, dotm, enc, exe, fxp, hlp, hta, inf, ins, isp, its, jar, js, jse, lnk, mad, maf, mag, mam, mar, mas, mat, mde, mim, msc, msi, msp, mst, ole, pcd, pif, potm, ppam, ps1, ppsm, pptm, reg, scr, sct, shb, shs, sldm, vb, vbe, vbs, vsw, wmd, wmz, ws, wsc, wsf, wsh, xlam, xltm and xxe.
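A block list is only as good as the check applied to it, so here is an added Python example (not from the article) that tests attachment names against a subset of the list above and also looks inside ZIP archives, which is where macro documents and double-extension files tend to hide. The sample archive is constructed in memory; 7z and RAR would need third-party libraries and are not handled.

```python
import io
import zipfile

# Subset of the article's block list; the full list is in the text above.
BLOCKED = {"exe", "scr", "msi", "docm", "xlsm", "js", "vbs", "ps1", "lnk", "hta"}

def extension(name):
    """Lower-cased final extension; 'Invoice.pdf.EXE ' still yields 'exe'."""
    name = name.strip().rstrip(". ")
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def blocked_reasons(name, data=None, depth=0):
    """Reasons to block the attachment (empty list means allow).

    data holds the attachment bytes; .zip contents are inspected recursively,
    up to a small depth so a deliberately deep archive cannot stall the check."""
    reasons = []
    ext = extension(name)
    if ext in BLOCKED:
        reasons.append(f"{name}: blocked type .{ext}")
    if ext == "zip" and data is not None and depth < 3:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = zf.read(member) if extension(member) == "zip" else None
                    reasons += blocked_reasons(f"{name}/{member}", inner, depth + 1)
        except zipfile.BadZipFile:
            reasons.append(f"{name}: .zip name but not a zip archive")
    return reasons

def make_zip(members):
    """Build a constructed in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

# Constructed sample: a harmless note, a macro document and a nested archive
# hiding a double-extension executable ("two files bolted together").
SAMPLE = make_zip({
    "readme.txt": b"hello",
    "Invoice.DOCM": b"constructed, not a real document",
    "update.zip": make_zip({"report.pdf.exe ": b"constructed, not a real binary"}),
})
```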

Smartphones and tablets
Who does not have a smartphone these days? No one, apart from maybe if you are six months old or 100 years old. A smartphone is similar to a laptop and has extras on it like SMS, contacts and banking apps. The dangers are varied: loss, theft, infection and traffic interception. Email, which is guaranteed to be on a smartphone, can reset passwords and at times switch off two factor authentication.

Smartphones are a massive business enabler if secured correctly. Office365 has Intune, which is its own MDM (mobile device management). Intune can enforce security rules, encryption, containerisation, remote wipes, DLP rules and a lot more. Out of the box Office365 can control devices or device types, or block phones outright from being added to email accounts through ActiveSync.

Scoring
With the many settings and sub-settings of Office365 it is easy to forget something or get lost. Some areas seem to be, and partly are, duplicate settings. Office365 has an inbuilt and free scoring method which is quantitative rather than qualitative. Scores are given in numbers and by category.

To read more about it view: https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score?view=o365-worldwide and to see your score while logged in as an administrator go to: https://security.microsoft.com/securescore.

Consider DRM (Digital Rights Management)/DLP (Data Loss Prevention)
From a user’s point of view these can be seriously annoying and even go too far. Think about the triad: usability, security and cost. Just as with a laptop you can disable USB, SD card and DVD/CD drives, similar can be done for Office365 services. The idea is to stop deliberate data theft or accidental loss, like forwarding a sensitive email or addressing it to the wrong recipient.

Whatever you do, someone will probably find a way round your control. Taking a photo of the screen, screen capturing, or a trick I found: paste the text into Microsoft’s Edge URL bar and it removes the wrapper protection. Options include: only allowing logins from work-managed devices, blocking forwarding, blocking print, blocking files from being uploaded through a browser, blocking files from going onto external media, and blocking or flagging social security numbers, passports or credit/debit card numbers.