Bad guys keep winning (Part VI)


I’m super angry about this, so be prepared for a bit of a rant. I’m posting this in the hope that it may be found by others who may be concerned about a recent call they received from the “Security Department of VISA and Mastercard” detailing fraud on their banking accounts.

My senior parents received a call from “Neil Spence” from the “Security Department of VISA and Mastercard” claiming there had been some potential fraudulent transactions from eBay and Amazon on an account. The total of these was around $400. He then asked whether they wanted them investigated and stopped. Of course they said “Yes please”. He then said he would transfer them to their bank to speak with someone to take action and block these transactions. During this process he provided a call back number 1800 829 403 (which turns out to be the number for the Australian Government Department of Aged Care Fraud hotline, which has nothing to do with VISA. I also called and determined there is no “Neil Spence” there either) and a reference number SIP5010.

Now the ‘helpful’ person at ‘the bank’ they were transferred to, got them to provide all the account details (account number and balances) and made a great show of saying that this isn’t a scam because they were not being asked for the PIN to any accounts. The ‘bank’ said it would investigate.

A few days later the ‘bank’ called back and said they had identified that fraud had indeed taken place, but by an employee of the ‘bank’ at the local branch they use. The ‘bank’ then said they wanted the help of my parents in catching the employee in the act of conducting this fraud. To do this, my parents needed to go to the bank immediately and make a cash withdrawal of just over $8,000 and then wait for more instructions. They were however told not to mention this at the bank branch, otherwise it would tip off the investigation and allow the perpetrator to get away scot-free!

At this point it was determined that it was a scam but here’s where it gets interesting for me. Even though I was confident that no money was missing I thought it best to call the bank. That process took me down a rabbit hole of pushing numbers on a phone routing system, entering account details, trying to work out how to enter an alpha numeric password via tones, etc. My parents had no hope negotiating that.

When I did eventually get through, I was on hold for more than 20 minutes with no idea of how much longer I’d be, so I hung up and called the Police on a general number. That too went to hold and again I gave up after 20 or so minutes of no reply and no idea of wait numbers.

Here’s why the scammers win. They target people of an older generation who are less comfortable with the modern methods of banking (Internet and phone). They also target them because they tend not to question authority. They then establish trust and get the target to ‘help’ them catch the bad actors, which makes the target feel guilty if they don’t help catch the alleged perpetrator. All this ends up doing is draining money from their accounts and sending it to the scammers, all the while making people like my parents less trusting of their local branch staff, which is exactly the people they should be going to. There is no doubt, these scammers know their game.

At this stage it seems like the initial attempt at obtaining funds has been thwarted, but given account details were shared unwittingly, we’ll need to be extra vigilant and potentially cancel all the credit cards, which will be a very painful process. Very. So this issue is not over by any means and at the very least my parents will probably continue to receive more calls from the ‘bank’, and I expect these to become more hostile when they don’t comply.

What has truly made me angry is just how hard it is for people of my parents’ generation to get help on these matters. Luckily, I was able to provide an external perspective as well as do some investigation of my own. What would have happened if I wasn’t available to assist? Most likely, the scammers would have continued to fleece my parents for large sums of money over a few weeks.

No wonder the bad guys (and gals) keep winning if the responses I got from the authorities when trying to report this are anything to go by. Where is the protection for our society’s most vulnerable? As I have said many, many times, cybersecurity is largely an illusion, especially when enacted by big institutions. It seems like it is you against some very clever and motivated scammers, and if you are the right target, then you really don’t stand much of a chance. From where I sit, there is lots of talk but the problem is not getting any better. Just look at the news and the amounts people are scammed out of regularly. Why is there not better protection? People have a right to not have their hard-earned money fleeced from them when they are with a large institution that makes all these noises about being cybersecurity-aware and investing billions in protecting customers. Unless you fit their customer profile, it seems like you are on your own to me!

A sad state of affairs where we are all reduced to looking after ourselves. But what about those who are unable to do this? Do we just let them get fleeced? As I said, I’m angry that it is the victim who pays, and I hope this information is of value to someone else and prevents them from being fleeced or put through this drama.

Microsoft Defender for Business post setup wizard recommendations


Let’s say that you have kicked off the Microsoft Defender for Business setup wizard as shown above. For the purposes of this article I’ll also assume that this is part of a Microsoft 365 Business Premium tenant.


Let’s assume that you have now completed that process, which you can read about here:

Use the setup wizard in Microsoft Defender for Business


After the wizard has completed I suggest you head to the Settings options in https://security.microsoft.com and then select Endpoints and finally, select Advanced features, where you should see the above screen full of options on the right.

At this point I’d suggest you go and enable all the options listed. Now, not all of them will be relevant, but I’d still recommend they be turned on nonetheless. Do it once and you won’t need to come back is my philosophy.

Leave that location open as we’ll be coming back here.


Next, head over to your Microsoft Endpoint Manager and select Endpoint security on the left, then Microsoft Defender for Endpoint, which should result in the above screen.

Here you want to ensure the Connection status is Enabled (i.e. green check mark) as shown.

If it isn’t for some reason, then head back to https://security.microsoft.com, Settings, Endpoints, Advanced features.


Scroll through the list of items until you find the Microsoft Intune connection as shown above. Ensure that it is turned On. If it isn’t, turn it On, wait at least 15 minutes and check back in Endpoint Manager for the Connection status to be Enabled (i.e. you see the green check mark). If it is already On and the green check mark doesn’t appear, turn the setting Off for at least 15 minutes and then turn it back On. You know, kinda reboot it. In my experience the connection status should go green after that.


When the Connection status is Enabled go and turn all the options on the page to On as shown above.


Return to https://security.microsoft.com and select the Onboarding option as shown above.

My recommendation is that you manually onboard the first Windows 10 device in your environment using a local script. That will ensure everything is working quickly and easily.

Simply download the script provided and run it on one of the Endpoint Manager enrolled devices in your environment.


Once the script has run successfully, return to the console and select Device inventory from the menu on the left as shown. Within 15 minutes or so, you should see the machine that you ran the script on appear here.

Congratulations, you have successfully onboarded your first device to Defender for Business in your tenant. You are now free to continue to configure additional devices using the policies provided. I always like to do the very first device in the environment manually so I know everything is working as expected. If I then get issues, I know to troubleshoot my deployment policies.
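Before you go looking for the device in Device inventory, it is worth confirming on the device itself that the local script actually left it in an onboarded state, otherwise you can spend the 15 minutes waiting for something that never shows up. The following is an added example, not a script from the original post or from Microsoft; it checks the two things Microsoft documents for a local-script onboarding: that the Sense service (the Defender for Endpoint sensor) is running and that the OnboardingState registry value is 1. It assumes an elevated PowerShell session on the Windows 10 device you just onboarded, and the function name and the five-minute retry window are my own choices.

```powershell
# Added example (not from the original post). Verifies that the Defender for
# Endpoint local onboarding script left this device in an onboarded state.
# Run in an elevated PowerShell session on the device you ran the script on.
function Test-DefenderOnboarding {
    [CmdletBinding()]
    param(
        # How long to keep re-checking; the sensor can take a little while
        # after the script finishes. Value is an assumption, adjust as needed.
        [int]$TimeoutSeconds = 300,
        [int]$PollSeconds = 15
    )

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $deadline  = (Get-Date).AddSeconds($TimeoutSeconds)

    do {
        # "Sense" is the Windows Defender Advanced Threat Protection service.
        $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
        $serviceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }

        # OnboardingState = 1 is the documented indicator of a successful onboarding.
        $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
                    -ErrorAction SilentlyContinue).OnboardingState

        $onboarded = ($state -eq 1) -and ($serviceStatus -eq 'Running')
        if (-not $onboarded -and (Get-Date) -lt $deadline) {
            Start-Sleep -Seconds $PollSeconds
        }
    } until ($onboarded -or (Get-Date) -ge $deadline)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SenseServiceStatus = $serviceStatus
        OnboardingState    = $state
        Onboarded          = $onboarded
    }
}

# Usage: prints one object; Onboarded = True means the device should appear in
# Device inventory shortly. A missing Sense service or OnboardingState other than 1
# means re-run the onboarding script before troubleshooting the portal side.
Test-DefenderOnboarding | Format-List
```

If Onboarded comes back False after the timeout, re-run the downloaded script as an administrator and check it reports success before looking any further at the portal; the Device inventory view can only show what the sensor has reported in.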

Azure AD Identity Protection basics

Azure AD Identity Protection is available with Azure AD P2 and provides risk detection and policy enforcement for sign-ins and users. It can also be incorporated with Conditional Access policies to provide even more flexibility. This video shows you the basics of Azure AD Identity Protection as well as showing you an example of a login process that generates risk.

You can find the video here – https://www.youtube.com/watch?v=8AQQrSCrLMI

and more information here – What is Identity Protection?
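The portal is where you will normally look at risk, but the same risk data is available through Microsoft Graph, which is handy when you want to check what a test sign-in (like the one in the video) actually generated without clicking through blades. The following is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK to list users currently at risk and the risk detections raised in the last seven days. It assumes the SDK is installed, that you can consent to the read-only risk scopes, and the seven-day window is my own choice.

```powershell
# Added example (not from the original post). Reads Azure AD Identity Protection
# risk data through Microsoft Graph PowerShell. Requires Azure AD P2 and the
# Microsoft.Graph PowerShell SDK; the scopes below are read-only.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'IdentityRiskyUser.Read.All', 'IdentityRiskEvent.Read.All'

# Users flagged at risk that nobody has remediated or dismissed yet.
# These are the accounts a user risk policy would act on.
$riskyUsers = Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All
$riskyUsers |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime |
    Sort-Object RiskLastUpdatedDateTime -Descending |
    Format-Table -AutoSize

# Individual detections (e.g. unfamiliar sign-in properties, anonymous IP) from
# the last 7 days. The window length is an assumption; widen it as needed.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgIdentityProtectionRiskDetection -Filter "detectedDateTime ge $since" -All |
    Select-Object UserPrincipalName, RiskEventType, RiskLevel, RiskState, DetectedDateTime, IPAddress |
    Sort-Object DetectedDateTime -Descending |
    Format-Table -AutoSize
```

After reproducing the risky login from the video, re-run the second query and you should see the new detection row for that user; if the user risk policy is doing its job, the first query will show the user at the matching risk level until the remediation (password change or admin dismissal) clears it.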

Azure AD access reviews basics

Azure AD access reviews are a capability provided with Azure AD P2 licenses that allows you to automate the discovery and access control of user accounts in Azure AD groups and roles. This video gives you a walkthrough of the basics of creating and using access reviews to ensure your environment remains secure.

You can find the video here – https://www.youtube.com/watch?v=UxlVuSNBBzE

You can learn about Azure AD access reviews here:

What are Azure AD access reviews?

Escalating to multiple roles using Privileged Identity Management

Privileged Identity Management, or PIM, is a great way to ensure that users are not given standing administrative access. Instead, with PIM, these rights can be requested, approved and removed in an automated and audited way.

In the scenario where a user may need administrative rights to multiple services at the same time, say Exchange Online administration and SharePoint Online administration together, you can achieve this by using the capability in Azure AD to assign multiple roles to an Azure AD group. You then have users go through the PIM process to become members of that group. When they do, they automatically get access to the roles that are assigned to that group. Once PIM deactivates their membership, they are removed from that group and lose those permissions.

This video takes you through that process.

https://www.youtube.com/watch?v=mAA1KjxjAuQ

Remember, to achieve this you’ll need to have an Azure AD P2 license assigned, and that currently this feature is in preview.
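The group side of this setup is easy to get subtly wrong: the group must be created as role-assignable (that flag cannot be switched on later), and each directory role is a separate assignment to the group. The following is an added example, not code from the original post or from Microsoft, that creates such a group with the Microsoft Graph PowerShell SDK and assigns it the Exchange Administrator and SharePoint Administrator roles from the scenario above. The group name is my own placeholder, the role names are looked up by display name so no template IDs are hard-coded, and the script is safe to re-run. Making users eligible for membership of the group is then done in PIM as the video shows; that step is left to the portal here because the page notes the feature is still in preview.

```powershell
# Added example (not from the original post). Creates a role-assignable Azure AD
# group and assigns several directory roles to it, so that PIM can later make
# users eligible for membership of this one group instead of each role.
# Requires the Microsoft.Graph PowerShell SDK and an Azure AD P2 tenant.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.Governance

# Creating role-assignable groups and assigning directory roles needs these scopes.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

$groupName = 'PIM-Exchange-SharePoint-Admins'                    # placeholder name
$roleNames = @('Exchange Administrator', 'SharePoint Administrator')

# Role-assignable groups can only be flagged as such at creation time.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -MailNickname ($groupName -replace '[^A-Za-z0-9]', '') `
        -MailEnabled:$false -SecurityEnabled:$true -IsAssignableToRole:$true
    Write-Host "Created role-assignable group $($group.Id)"
}
elseif (-not $group.IsAssignableToRole) {
    # A normal security group cannot be converted; it has to be recreated.
    throw "Group '$groupName' exists but is not role-assignable."
}

foreach ($roleName in $roleNames) {
    $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    if (-not $roleDef) { throw "Role definition '$roleName' not found." }

    # Directory scope "/" is tenant-wide. Skip assignments that already exist so
    # the script is idempotent.
    $existing = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($group.Id)' and roleDefinitionId eq '$($roleDef.Id)'"
    if ($existing) {
        Write-Host "$roleName already assigned to $groupName"
        continue
    }

    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
        -RoleDefinitionId $roleDef.Id -DirectoryScopeId '/' | Out-Null
    Write-Host "Assigned $roleName to $groupName"
}

# Final state: every role the group carries, which is what a PIM-activated
# member will receive for the duration of their activation.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    ForEach-Object { (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName }
```

Keep the group’s direct membership empty; everyone who needs the roles should only ever be an eligible member through PIM, otherwise you are back to standing administrative access by another route.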

For more information consult the following documentation from Microsoft:

Management capabilities for Privileged Access groups