Andrea Danti - Fotolia
Editor's note: In the first of a two-part article on securely operating or migrating to the cloud-based Microsoft 365 (formerly Office 365) suite of services, Nemertes Research CEO and founder Johna Till Johnson first looks at common security misconfigurations surrounding Microsoft 365 and the operational practices of some of its third-party practitioners. Part two will look at the best practices and operational strategies designed to mitigate Microsoft 365 security risks.
Using and migrating to Microsoft 365 can be done securely, but it requires effort and attention by enterprise technologists. IT pros shouldn't assume Microsoft has automatically embedded security effectively and appropriately in its suite of cloud services. Compounding the issue, third-party Microsoft implementers and hosting providers may increase the security risk through less-than-optimal operational practices.
In Nemertes' 2019-2020 Cloud and Cybersecurity Research Study, we found relying on Microsoft as a strategic cybersecurity partner correlated with doubling the mean total time to contain (MTTC) a breach -- which is Nemertes' primary security operational metric. The study included 390 end-user organizations ranging from large enterprises and nonprofits to small and midsize businesses in 11 countries and across a range of verticals.
Survey results revealed organizations that rely on Microsoft as a strategic security partner have a median MTTC of 360 minutes to contain an attack, compared to a median MTTC of 180 minutes for companies that don't. In other words, using Microsoft as a strategic security partner correlates with being a less-secure organization, which lengthier MTTCs indicate.
Obviously, correlation doesn't necessarily indicate cause and effect, but throughout our careers as technology professionals at Nemertes, we have seen over and over again that Microsoft doesn't appear to have cybersecurity principles embedded in its DNA as a technology company.
A recent example is Microsoft's February 2019 mishandling of the nation-state attack on SharePoint users in which the company issued two patches that were not only late, but ineffective. It wasn't until the third patch was issued in April 2019 that a months' long vulnerability was actively fixed.
For now, it's evident that mindless reliance on Microsoft's security initiatives is not an effective approach for enterprise IT pros.
Microsoft 365 migration security issues
In May 2019, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a report (AR19-133A) containing best practices designed to help organizations mitigate risks and vulnerabilities associated with migrating their email services to Microsoft 365. The report was prompted by CISA's discovery that many organizations had multiple Microsoft 365 misconfigurations, with defaults set to dangerous settings which thereby introduced cybersecurity vulnerabilities.
These security misconfigurations included the following:
- disabling mailbox auditing (default set to off prior to January 2019), which makes it difficult or impossible to do root-cause analysis of email-related security breaches;
- disabling unified audit log, which has the same issue -- making root-cause analysis of security breaches difficult or impossible;
- failing to use multifactor authentication, particularly on admin accounts, which makes it possible for hackers to break into privileged accounts;
- relying on out-of-date email protocols, which makes it impossible to configure multifactor authentication; and
- enabling password synchronization, which makes it possible for hackers to impersonate administrators and gain privileged-user access.
In addition to CISA's concerns, third parties hired by enterprise IT pros may introduce misconfigurations and poor practices.
Finally, Microsoft 365 implementations may be particularly vulnerable to phishing attacks, given the platform's popularity. Microsoft has demonstrated a lack of agility in responding to such attacks. For instance, Barracuda Networks reported Microsoft 365 accounts are often targeted by and compromised in account takeover attacks, with cybercriminals later using them for a wide variety of nefarious purposes, ranging from spear phishing to malvertising campaigns. This means enterprise technologists need to be prepared to ramp up their antiphishing efforts in terms of both technical controls and employee awareness.
Next: Part two will address best practices and operational strategies for mitigating security risks of Microsoft 365.