Today’s common attacks

Unless you’ve been living under a rock the last couple of years, you most likely have been affected directly or indirectly with a cyberattack. Whether you had the credentials from your favorite online store stolen, or had your Facebook data exposed in the Cambridge Analytica scandal, or received an email from a “prince” in Nigeria wanting to transfer a million dollars into your account, most of us have been attacked.

You are not alone. Here are the top three attacks Microsoft is seeing in their ecosystem.

• Password spray: In August 2018 alone, more than 200,000 accounts were compromised by this type of attack. In a password spray, attackers use a common password such as 123456 or password against many accounts, hoping to find a few users who didn’t get the memo about using stronger passwords.

  And even a user who did get the memo and is diligent about updating passwords every 90 days will most likely recycle old passwords and simply add an exclamation point at the end. Hackers count on this behavior when they do a password spray. After they get a hit on just one account, they will have the ability to access the company’s address book, which can then be used for a phishing campaign.

• Phishing: Attackers using this tactic usually try to lure users into giving up personal information after following a link in an email. In 2018, Office 365 blocked about 5 billion phish emails and analyzed approximately 300,000 phish campaigns. Microsoft’s logs show that 20 percent of users will click phish email within five minutes of receipt.

  This blunder happened to TalkTalk, the United Kingdom’s leading business-to-business telecom provider, and landed them in a high-profile data breach. The breach started when a user clicked a malicious link in an email that started encrypting the data on the machine. The user then forwarded the email to the manager, writing something like “Something weird happened to my machine when I clicked this link. What happens when you do it?” Of course, the manager clicked the link. The company ended up paying a record fine for security failings leading to the theft of personal data for almost 157,000 customers.

• Breach replay: Microsoft processed 2 billion credentials in 2018 and were able to match 650,000 accounts with leaked credentials. A breach replay happens when a user uses the same username and password on many sites.

  Admit it, most of us have done it. In fact, even smart people in Washington, DC do it, as we learned from the Ashley Madison scandal, in which 15,000 government officials accessed the extramarital dating site by using email addresses registered to the White House, top federal agencies, and military branches.

If any company is well positioned to address security challenges in today’s computing environment, it is Microsoft. Every month, Microsoft scans 400 billion emails for malware and phishing attacks from Office 365 and Outlook, and processes 450 billion authentications every month from their 200-plus cloud consumer and commercial services globally. In addition, Microsoft has scanned 18 billion-plus Bing web pages and collected data from a billion Windows devices. These insights provide Microsoft with visibility into the current threat landscape like no other company. And that bodes well for an IT admin for a small business with no budget or expertise to maintain a security infrastructure.

Applying the latest password guidance

If you’re looking for the latest guidance for password best practices, you should check out the following two resources:

• National Institute of Standards and Technology (NIST) Digital Identity Guidelines at https://pages.nist.gov/800-63-3/sp800-63b.html
• Microsoft Password Guidance White Paper at https://www.microsoft.com/en-us/research/publication/password-guidance/

Although both documents are written in different styles (the NIST document is more official looking and wordy), they are aligned on best practices. I recommend using the white paper from Microsoft as a reference if you want to skip the formal talk.

As an IT admin, you can complete two action items today to make your environment secure with your Microsoft 365 Business license: enabling multi-factor authentication and eliminating mandatory password resets.

I cover multi-factor authentication in a separate chapter (Chapter 11) because the topic requires a thorough discussion to ensure a good experience for your end users if you roll it out.

I had initially thought eliminating mandatory password resets was counter to driving a more secure environment. The argument presented in the guidance from Microsoft, however, does make sense. Their experiment showed that users who are asked to update passwords often do not create a new, independent password. Rather, they update an old one. Full disclosure: I have done that myself but will no longer do so, now that I have read these new guidelines.

Want a remember or tip icon for the preceding paragraph?

To eliminate mandatory password resets, do the following:

1. Log in with your global admin credentials for Microsoft 365 Business at http://admin.microsoft.com.

   You will need your Microsoft 365 Global Admin credentials.

2. From the left menu, click Settings and then select Security & Privacy.

   The Security & Privacy page appears, as shown in Figure 10-1.

3. In the Password Policy section, click Edit.

   A form appears on the right.

4. In the Password Policy form, toggle On the switch next to Set Users Passwords to Never Expire.

5. Click the Save button and then click the Close button.

   Your changes are saved and you return to the Security & Privacy page.

Rolling out SSPR in your organization

Change is difficult for some people, so before you roll out SSPR in your organization, be sure to let people know about your plans. If you want to minimize the risk of people getting mad at you for implementing yet another newfangled thing, first do a pilot rollout of SSPR to a few receptive folks.

To enable SSPR, follow these steps:

1. Log in to Microsoft 365 Admin Center at http://admin.microsoft.com.

   You need your Microsoft 365 Global Admin credentials.

2. On the left menu, click Settings, and then select Security & Privacy.

   The Security & Privacy page is displayed.

3. At the bottom of the Security & Privacy page, in the Let Your Users Reset Their Own Passwords card, click the link to Azure AD Admin Center.

   A new browser window opens and the Azure Active Directory Admin Center page is displayed. Alternatively, you can reach the same page by going to https://aad.portal.azure.com.

4. On the left side of Azure Active Directory Admin Center, shown in Figure 10-2, click Users.

   The Users — All Users blade is displayed.

5. In the Users — All Users blade, click Password Reset, as shown in Figure 10-3.

   The Password Reset — Properties blade is displayed.

6. In the Properties page, click All to enable SSPR for all users in your organization, and then click the Save button (see Figure 10-4).

   The system processes your changes. After your changes are saved, the Save button appears dimmed.

After SSPR is enabled, users will be prompted to provide additional contact information the next time they log in to Office 365 so that the system can verify their identity should they reset their password on their own.

By default, users will be asked to provide two methods of verification if they reset their password. Two is the recommended setting, but you can change it to one from the Authentication Methods blade, as shown in Figure 10-5.

The end user’s experience in SSPR

When end users log in to Office 365 after SSPR is enabled, they enter their username and password as usual. After they successfully enter their credentials, the More Information Required window will appear to prompt the user to provide additional information. Figure 10-6 shows the user interface for a non-admin end user. Note that an admin user may have a slightly different user interface.

After clicking Next, the end user will be guided through the process of providing additional information. After the process is finished, the end user can now reset his or her password at any time.

For example, let’s say that a user forgot her password. Here are the steps the user should follow to reset the password:

1. Navigate to https://portal.office.com, enter the username, and then click Next.

   The Enter password window is displayed.

2. Click Forgot My Password, as shown in Figure 10-7.

   The Get Back Into Your Account page appears.

3. Enter the characters in the box above the phrase Enter the Characters in the Picture or the Words in the Audio, and then click Next.

   You see the first verification step.

4. Choose the contact method for verification.

   To follow along with the example, choose Email.

5. Click the Email button.

   The system sends an email to the email address provided during the end user SSPR setup.

6. Enter the code from the email in the box, and then click Next.

   The next verification step is displayed.

7. Enter the code received from the secondary verification method (a text message, for example) and then click Next.

   The Choose a Password page is displayed.

8. Enter the new password twice and then click Finish.

   The Your Password Has Been Reset page appears.

9. Sign in to Office 365 with your new password by clicking the Click Here link and following the prompts.

   The sign in page is displayed, prompting the user to enter his or her username. The rest of the login process proceeds as usual.

Changing passwords from the MyApps portal

Sometimes users need to change their password even though they know the current password. You can complete this task in the MyApps portal.

The MyApps portal is a web-based portal for users who are licensed for Azure Active Directory through their Office 365 or Microsoft 365 Business subscription. In this portal, users can reset passwords, view the apps to which they have access, view their account details, set up multi-factor authentication, and more. It’s best to bookmark the portal and visit it often because new features may show up as the service evolves.

To change an existing password, follow these steps:

1. Navigate to https://myapps.microsoft.com and log in in with your Microsoft 365 Business credentials.

   The MyApps page is displayed.

2. Click your profile photo (at the top right of the page) and then select Profile, as shown in Figure 10-8.

   The Profile page appears.

3. On the right, under Manage Account, click Change Password.

   The Change Password page is displayed.

4. Enter the old password, enter the new password twice, and then click Submit.

   You return to your profile page.

One of the highly recommended tasks for securing the IT environment is to enable multi-factor authentication (MFA). I cover that subject in the next chapter. For now, note that the end user is also required to set up MFA from the MyApps portal.