A little bit more security

Security is never an absolute and is largely about defence in depth. That is, adding more layers of protection. With this in mind, I was recently made aware of this little gem that can help provide just a little more protection for inbound emails, especially against inbound malicious attachments.

Exchange Online has a Malware policy that you can configure. You’ll find it in the Microsoft 365 security center under policies. When you edit that policy, as shown above, you’ll see an option for Common attachment types filter. You should ensure that this is set to On. If so, you can then select the Choose type button to select which attachment types will be blocked.

You’ll see there are about ten default file types that will be blocked. What you may not be aware of is that if you press the Add button at the top of the page, as shown above,

There are an additional 86 file types that Microsoft allows you to directly add.

Just select them all and Add them.

You should then see a total of 96 file types listed in the policy as shown.

I was a little puzzled why Microsoft wouldn’t have added more of the 86 optional files types to the standard 10? Most of the option 86 seem to be developer focused so maybe that is why? Many of the optional 86 are quite antiquated but that doesn’t mean they couldn’t be used somehow to compromise an environment. Thus, it is therefore probably a very good idea to block all these 86 option file types on top of the default 10 it seems.

I also had a quick look at what all these filetype typically refer to and provide this summary for you:

– ade https://www.file-extensions.org/gadget-file-extension

– adp https://www.file-extensions.org/adp-file-extension

– asp https://www.file-extensions.org/asp-file-extension

– bas https://www.file-extensions.org/bas-file-extension

– bat https://www.file-extensions.org/bat-file-extension

– cer https://www.file-extensions.org/cer-file-extension-internet-security-certificate

– chm https://www.file-extensions.org/chm-file-extension

– cmd https://www.file-extensions.org/cmd-file-extension

– com https://www.file-extensions.org/com-file-extension

– cpl https://www.file-extensions.org/cpl-file-extension

– crt https://www.file-extensions.org/crt-file-extension

– csh https://www.file-extensions.org/csh-file-extension-csh-script

– der https://www.file-extensions.org/der-file-extension

– dll https://www.file-extensions.org/dll-file-extension

– dos https://www.file-extensions.org/dos-file-extension

– fxp https://www.file-extensions.org/fxp-file-extension-adobe-flash-builder-project

– gadget https://www.file-extensions.org/gadget-file-extension

– hlp https://www.file-extensions.org/hlp-file-extension

– Hta https://www.file-extensions.org/hta-file-extension

– Inf https://www.file-extensions.org/inf-file-extension

– Ins https://www.file-extensions.org/ins-file-extension

– Isp https://www.file-extensions.org/lsp-file-extension-autolisp-language-source-code

– Its https://www.file-extensions.org/its-file-extension-internet-document

– js https://www.file-extensions.org/js-file-extension

– Jse https://www.file-extensions.org/jse-file-extension

– Ksh https://www.file-extensions.org/ksh-file-extension

– Lnk https://www.file-extensions.org/lnk-file-extension

– mad https://www.file-extensions.org/mad-file-extension

– maf https://www.file-extensions.org/maf-file-extension

– mag https://www.file-extensions.org/mag-file-extension-microsoft-access-diagram-shortcut

– mam https://www.file-extensions.org/mam-file-extension

– maq https://www.file-extensions.org/maq-file-extension

– mar https://www.file-extensions.org/mar-file-extension

– mas https://www.file-extensions.org/mas-file-extension

– mat https://www.file-extensions.org/mat-file-extension

– mau https://www.file-extensions.org/mau-file-extension

– mav https://www.file-extensions.org/mav-file-extension

– maw https://www.file-extensions.org/maw-file-extension

– mda https://www.file-extensions.org/mda-file-extension

– mdb https://www.file-extensions.org/mdb-file-extension

– mde https://www.file-extensions.org/mde-file-extension

– mdt https://www.file-extensions.org/mdt-file-extension

– mdw https://www.file-extensions.org/mdw-file-extension

– mdz https://www.file-extensions.org/mdz-file-extension

– msc https://www.file-extensions.org/msc-file-extension

– msh https://www.file-extensions.org/msh-file-extension

– msh1 https://www.file-extensions.org/msh1-file-extension

– msh1xml https://www.file-extensions.org/msh1xml-file-extension

– msh2 https://www.file-extensions.org/msh2-file-extension

– msh2xml https://www.file-extensions.org/msh2xml-file-extension

– mshxml https://www.file-extensions.org/mshxml-file-extension

– msi https://www.file-extensions.org/msi-file-extension

– msp https://www.file-extensions.org/msp-file-extension

– mst https://www.file-extensions.org/msstyles-file-extension

– obj https://www.file-extensions.org/obj-file-extension-microsoft-visual-studio-object

– ops https://www.file-extensions.org/oxps-file-extension

– os2 https://www.file-extensions.org/os2-file-extension

– pcd https://www.file-extensions.org/pcd-file-extension-microsoft-visual-test-data

– pif https://www.file-extensions.org/pif-file-extension

– plg https://www.file-extensions.org/plg-file-extension

– prf https://www.file-extensions.org/prf-file-extension-microsoft-outlook-profile

– prg https://www.file-extensions.org/prg-file-extension-program

– ps1 https://www.file-extensions.org/ps1-file-extension

– ps1xml https://www.file-extensions.org/ps1xml-file-extension

– ps2 https://www.file-extensions.org/ps2-file-extension

– ps2xml https://www.file-extensions.org/ps2xml-file-extension

– psc1 https://www.file-extensions.org/psc1-file-extension

– psc2 https://www.file-extensions.org/psc2-file-extension

– pst https://www.file-extensions.org/pst-file-extension

– rar https://www.file-extensions.org/library-ms-file-extension

– scf https://www.file-extensions.org/scf-file-extension

– sct https://www.file-extensions.org/sct-file-extension

– shb https://www.file-extensions.org/shb-file-extension

– shs https://www.file-extensions.org/shs-file-extension-microsoft-windows-shell-scrap-object

– tmp https://www.file-extensions.org/tmp-file-extension

– url https://www.file-extensions.org/url-file-extension

– vb https://www.file-extensions.org/vb-file-extension

– vsmacros https://www.file-extensions.org/vsmacros-file-extension

– vsw – https://www.file-extensions.org/vsw-file-extension

– vxd – https://www.file-extensions.org/vxd-file-extension

– w16 – https://www.file-extensions.org/w16-file-extension

– ws – https://www.file-extensions.org/ws-file-extension

– wsc – https://www.file-extensions.org/wsc-file-extension

– wsf – https://www.file-extensions.org/wsf-file-extension

– wsh – https://www.file-extensions.org/wsh-file-extension

– xnk – https://www.file-extensions.org/xnk-file-extension

Thus, I’d recommend you update your Exchange Online policy to include the complete of file types that Microsoft provides protection for, even if most aren’t enabled.

December poll

ask-blackboard-chalk-board-chalkboard-356079

For December I’m asking people:

What methods are your accounts using as their primary method of multi-factor (MFA) verification?

which I greatly appreciate you thoughts here:

https://bit.ly/ciasurvey202012

You can view the results during the month here:

https://bit.ly/ciaresults202012

and I’ll post a summary at the end of the month here on the blog.

Please feel free to share this survey with as many people as you can so we can get better idea on this question.

November poll results

November’s question was:

Are you using a third party product/service to ‘backup’ Office 365 data outside what Microsoft provides?

The anonymous December question is:

What methods are your accounts using as their primary method of multi-factor (MFA) verification?

which can be found at:

https://bit.ly/ciasurvey202012

Appreciate if you could take a moment and share your thoughts.

CIAOPS Need to Know Microsoft 365 Webinar–December

laptop-eyes-technology-computer

To round off 2020 we’ll take a look at Power BI this month. Power BI is really amazing tool for visualising data and who doesn’t want to visualise their data? Come along and learn what Power BI is and how to start using it in your business. There is also plenty of news that I’ll cover as well as open Q and A for any questions you may have.

You can register for the regular monthly webinar here:

December Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – December 2020
Wednesday 23rd of December 2020
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

CIAOPS Cyber protection model update

If you’ve been following along at home, I’ve been working on a simplified security model for the Microsoft cloud. After further thought, I’ve come to the conclusion that firstly, the browser is not an independent connector, it is in fact an app. Thus, I have replaced it as a connector with a User connector. The inclusion of a specific user (basically a real live person) came about after concluding that an identity and a user are actually two separate things. This is because a user can actually have multiple identities, for example to on premise infrastructure which maybe different from the cloud.

So, the current model starts with containers where data flows:

1. Service – e.g. Microsoft 365

2. Device – e.g PC or phone

3. Identity – e.g. Azure AD

4. Data – e.g. files, folders

Through and into these containers flows data from connectors like:

1. Email

2. Connections – e.g. LANs, Internet

3. Apps – e.g. Microsoft Office, Browser

4. User

Since I have now replaced the browser connector by a user connector, let’s work through an interactions here to test my logic out.

To use a browser the user (i.e. John) will need to login to a device. Assuming that device is Azure AD connected, it means that they will be using a device inside the service (Microsoft 365) as shown above. Remember also, that as each interaction crosses a container boundary logs will be written. To gain access to a device managed by the Microsoft 365 (the service), the John (the user) will need to verify their identity with Azure AD. This process can be protected with features like multi factor authentication (MFA) and Conditional Access (CA). Once the user has successfully completed this process they can access both the data in the inner container, the device and any applications, like the browser, on the device.

If the John (the user) wants to access the data within the service they can do so securely. Remember, that any access to data via an app like a browser crosses a container boundary and thus logs are captured. In this case, those events will be captured and available in the unified audit log.

Of course, John (the user) is also typically going to want to access data from outside Microsoft 365 (the service) and there needs to be as much protection as possible provided during that process. The first step in that protection process is to protect the application, that is the browser. This can be achieved via the Microsoft Edge baseline settings for Intune. Also, because the browser is an application running on the device that also should be protected. That can be done via the Windows 10 Security baseline, which is part of Endpoint Manager as well as Microsoft Defender SmartScreen. Further protection can be layered on with Windows Defender for Endpoint. If the user saves information into SharePoint, OneDrive for Business or Teams (i.e. the data container) it is protected via Defender for Office 365.

Data can also be protected via Azure Information Protection (AIP) and Windows Information protection (WIP). These features of Microsoft 365 (i.e. the service) allow the business to determine whether information can be stored on a device and what protection it should have no matter where it is stored. If the user is allowed to save information onto the device it can also be protected via Bitlocker which can be enforced via Endpoint Manager policies.

Now, if John (the user) was to access the service from a device that was not Azure AD joined they could do this but because the data still resides inside the service it can still be protected using things like control access from unmanaged devices.

Ok, I’m becoming happier that this model fits the bill. Each container provides layers of protection such as:

– Service – Alerts, Log searching, Microsoft Cloud App security, Exchange online filtering, etc., etc.

– Device – Bitlocker, Endpoint manager policies, etc

– Identity – MFA, CA, Azure identity Protection, etc

– Data – AIP, WIP, encryption at rest, etc

and crossing each boundary also generates separate sets of logs for the interaction.

I feel pretty confident with this security model in place I can now start attaching the specific security features the Microsoft Cloud provides in each location and explaining the role they play. I have mentioned a few here just to give you an idea and verify to myself that the model works but now I think it is time to take this mode and run with it! What do you think? Love to hear your thoughts.

CIAOPS Cyber Protection Model

I have started on a journey to nut out a unique protection model with the aim of applying it to the Microsoft Cloud to simplify the application and understanding of cybersecurity for people. My initial thoughts are here:

A simplified protection model

With input from a few, I’ve now progressed my thinking.

The latest model is shown above. The containers are:

1. Service – For example: Microsoft 365 or Gmail, etc

2. Device – For example: Windows 10 desktop, iPhone, Android phone, Mac PC, etc

3. Identity – For example: Azure AD credentials, Google or Apple account, etc

4. Data – For example: Files, folders, email messages, etc

Through and into these containers flows data from connectors like:

1. Email

2. Connections – For example: networked devices, the Internet, etc

3. Apps – For example: desktop apps like Office, accounting apps, etc

4. Browser – For example: Edge, Firefox, Chrome, etc

Let’s just focus on the email connector initially, as shown above. You see that in the above model that the device container is missing. This is because email can be delivered without the need of a device. That is an email can be sent to Exchange Online in Microsoft 365, received, verified that a user with that identity exists, and then finally delivered to the users inbox. That can all happen without the interaction of the user and without the need of a device.

If we expend this out one level the inbound email received by Exchange Online (Service B) has to have been sent by another email service (Service A shown above). Service A must contain an identity (i.e. the sender of the email) and the actual message (i.e data).

This however, still hasn’t involved a user. It has simply been a ‘service to service’ process.

At the end of the chain will be a device (a Windows 10 PC say), logged into via a user account (identity), that created that data with an app (say Outlook). That data (email message) is then moved by the email connector firstly to Service A which then again uses an email connector to move it to Service B as shown above.

Putting specific identifiers on things you get the above.

So the model seems to scale but we need to re-focus it on protection. Looking at the above, it is clear that you can only control so much of the ‘chain’, as you see highlighted by the ‘control boundary’. Therefore, we should focus our efforts on only what we can control and protect.

With said focus, we can now start to map capabilities to protect the environment. For example, with email, we can ensure we have appropriate DNS records. This capability lies outside the Service boundary (here M365) but still within our control boundary. When data passes over any security boundary it creates logs. In the case of emails, this would be information that could be examined using features like Message trace in Microsoft 365.

After the data, flowing through the connector, passes across a boundary and writes log data, security features of that container can now be applied to the data. In the example, once an email is delivered to Exchange Online in Microsoft 365 it then typically has anti-spam and anti-malware as well as other filtering policies applied. Additional protection can also be provided in the form of Microsoft Defender for Office 365 (shown as ATP in the above image to keep things short).

So, that is just my brief thinking around the Email connector but I feel that the model works well so far helping to simplify security I hope. I’ll keep expanding what I have and begin to incorporate more specific examples of where Microsoft Cloud security products fit into this model. Hopefully, the more built out the model becomes the easier for people it will be to understand the total breadth of Microsoft can offer to help protect your environment.

As always, love to hear your thoughts and feedback on what I’m developing here, so don’t be shy. Look out for future model enhancements coming soon!

A simplified protection model

As much as third party cyber security protection models are handy (i.e NIST Cybersecurity Framework), I personally find them far too complicated for my liking. Complicated generally translates to poorly or not full implemented. That translates into lower levels of security, especially in the SMB space. I think that good security is all about keeping things as simple as possible.

With that in mind, I’ve started to try and nut out my own model. My thoughts so far centre on the above diagram. In the centre is your data. Data is moved and changed via four basic connectors:

1. Email

2. Connections (i.e. to removeable storage, network connections, Internet, etc)

3. Applications

4. Browser

The Data is normally protected by a Device, being a workstation, server or mobile. However, typically it is a workstation as hopefully most people aren’t browsing on servers. The aim also here is to focus on cloud deployments here without on-premises infra-structure.

For the Connectors to interact with Data they must do so across the Device boundary. In the security context, this means that these Connectors also need access to not only the Data but also the Device. Thus, attacks are going to be targeted at either the Data or the Device via the Connectors as I see it.

If we consider that most Data doesn’t include it’s own defensive capabilities because, typically, it is the container in which the data lives that has the defensive capabilities, then we need to look at the defensive capabilities of the Device I believe. It is also worth noting that data on it’s own generally isn’t a threat, it is only when action is taken with Data that risk arises. For example, a phishing email sitting in an inbox unopened is not an active threat. It only becomes active when it is read and the link inside is clicked allowing a process to take place, typically, on the device. In short, Data typically isn’t the source of active threats, it is actions taken with that data that generates active threats. These are typically activated on the device.

That means the major security focus should be on the defensive capabilities of the Device. It also means that the major threats are going to come from the four connectors; email, browser, connections and applications. Of these four, I would suggest that the most likely source of introduced threats is going to be from email and the browser.

Reducing the risks from both email and the browser start at the source of these two connectors. For email that means appropriately configuring things like DNS, then mail filtering policies to provide protection even before the connection passes onto the device. Likewise for the browser, this means content filtering before results are returned to the browser. However, setting those items aside for the moment and let’s just focus on what threats the device faces from the email and browser connections.

The threat from email is going to be a message that either:

1. delivers a malicious attachment that when opened by the user and takes action

2. delivers a message that contains a malicious link that is clicked by the user and takes action

3. delivers a message that convinces the user to take some risky action

The threat from the browser is going to be either:

1. navigating to a web site that contains malicious content that is downloaded and takes action

2. navigating to a web site that harvests credentials

The interesting thing with all of these is that it requires some sort of user interaction. As I said, a phishing email isn’t a major threat until a user click on a link it contains.

So what’s kind of missing from my model so far is the person or identity. let me go away and think about this some more but I appreciate sharing my thoughts with you and if you have any feedback on this model I’m trying to develop, please let me know.