Enabling DLP for SharePoint and OneDrive for Business

DLP, or Data Loss Prevention, is a feature of Office 365 (E3 suites or above) that lets you protect data from leaving the organisation. You can use DLP to protect not only email attachments but also files in SharePoint Online team sites and users’ OneDrive for Business.

Office 365 provides a number of standard templates for protecting common information types, such as credit card information as detailed here, but you can also customise DLP policies to protect any custom data you wish.

image

The first step in using DLP is to set up and enforce the policies you wish to use. To do this you’ll need to log in to the Office 365 portal as an administrator with the appropriate rights. You’ll then need to navigate to the tenant Admin area. From the menu on the left hand side of the screen expand the Admin centers option. From the options that appear select the Security & Compliance item.

image

From the Security and Compliance console select Security policies on the left. From the options that then appear below this select Data loss prevention. If this menu item doesn’t appear then you currently don’t have an Office 365 plan that supports DLP.

image

On the right hand side you will probably see that the list is empty. Select the Plus icon to create a new policy.

image

You can select from a number of templated policies if you wish but in this case select Custom and then the Next button.

image

You now need to select the areas in which this policy will apply. You can specify unique locations but for this example we’ll simply select all locations and then continue.

image

At the next screen select the Plus icon to set the rules you wish to test for.

image

In the new window that appears select the Add condition button.

image

From the pull-down menu that appears select Content containing sensitive information.

image

Select the Plus icon that appears to enter the actual rules.

image

Scroll down the list that appears and select Credit Card Number. You can select other items here but in this case all we want this example DLP rule to test for is credit card numbers.

Select OK to continue.

image

You should now see the entry appear in the list as shown above. You can edit this entry if you wish by selecting it and then pressing the Pencil icon (edit).

image

Select the Actions item from the menu on the left.

image

Select the Add actions button on the right.

image

In this example, select Block the content. This will prevent anything that matches this rule from being shared.

image

You should now see the blocking Action listed as shown above.

image

Select the Incident report option from the menu on the left. Enter the details if you wish to receive a report of any actions on this policy.

image

Select General from the menu on the left. Give this set of rules a name and save them.

image

You should now see the rules listing appear as shown above in the DLP policy you just created. You can create as many of these rules inside a single policy as you wish. However, best practice is always to keep it simple.

image

Give the DLP policy a name and select the option to Turn on the policy.

Select Create to complete the policy creation process.

image

You should now see the policy listed in the DLP area as shown above. You should also see that the Status is set to On.

The DLP policy will not come into effect immediately. It will take a little while (15 – 30 minutes typically in my experience) to roll out through your tenant.
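The same policy and rule, built with the Security & Compliance Center PowerShell cmdlets instead of the portal. This is an added example, not from the original post; it assumes the ExchangeOnlineManagement module (Connect-IPPSSession) is installed and uses placeholder account, recipient and policy names.

```powershell
# Added example: recreate the credit-card DLP policy from the walkthrough in PowerShell.
# Assumes the ExchangeOnlineManagement module; Connect-IPPSSession opens a
# Security & Compliance Center session. Account, recipient and names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder admin account

$policyName = "Block Credit Card Numbers"
$ruleName   = "Credit Card Number - Block"

# Policy: scope to all Exchange, SharePoint and OneDrive locations and turn it on.
# Mode Enable enforces immediately; TestWithNotifications is the safer first step
# in a production tenant because it reports matches without blocking anything.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Blocks sharing of content containing credit card numbers" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode Enable

# Rule: condition "content contains sensitive information: Credit Card Number",
# action "block the content", plus an incident report e-mailed to a mailbox.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -BlockAccess $true `
    -GenerateIncidentReport "dlp-alerts@contoso.example" `
    -IncidentReportContent Title, Detections, Service, Severity

# Verify: Mode should read Enable, and DistributionStatus moves from Pending to
# Success as the policy rolls out across the tenant (the delay the post describes).
Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, DistributionStatus, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, BlockAccess, Disabled
```

Re-run the two Get- cmdlets until DistributionStatus shows Success before testing the shared link.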

image

To test the policy, create a document in your OneDrive for Business that contains credit card numbers as shown above. The numbers used here are verified public ‘test’ card numbers.

image

Now create a public View link that requires no sign-in as shown above. This should allow anyone who clicks on that link direct access to the file without needing a login or password.

image

When the DLP policy is active anyone trying to access that link will have the content blocked as shown above. This confirms that the DLP policy is working as expected.

image

If you also elected to get alerts you should find one in your inbox as shown above.

Thus, DLP is a way to protect your Office 365 information by examining the contents against a set of rules that you create. It can examine both email and file data and then take the actions you specify.

DLP is part of the E3 or better suite in Office 365.

Enable Customer Lockbox from Classic Office 365 Admin portal

image

At this stage of the game it appears that not everything has been migrated to the new Office 365 Administration Console. One of the things that is missing is the Customer Lockbox configuration (which is available with the E5 plan).

image

To get to the old admin center select the button in the top right of the Office 365 Admin center preview screen. Once you have done that, follow my previous article:

Enabling Customer Lockbox

image

When you have enabled Customer Lockbox according to my article, select the orange bar across the top of the Office 365 admin center to revert back to the new Admin center preview that you started out with.

I would assume that the control of Customer Lockbox will eventually make its way into the new Admin portal but for now you’ll need to go round the long way to configure it.

Office 365 Security and Compliance Overview

A common question you get with any cloud service is around security and compliance. Many don’t realise that Office 365 has many advanced features built right into the product. You also get a lot more features when you start looking at enterprise plans such as E3 and up.

The above video is an overview of what’s available with Office 365 Security and Compliance. It contains many of the features that I believe most people aren’t even aware of.

Of course, Office 365 security and compliance features and abilities continue to improve but hopefully this tutorial will give you a better concept of exactly what is available with the product.

The impact of Stuxnet

I’ve always had a fascination for the change cyber security is bringing and how little people appreciate the challenges and dangers it provides. One of these major changes of late has been the Stuxnet program and how it now seems evident that we are at the dawn of a new age of cyber warfare.

If you have any interest in cyber security or the changing face of the digital world that we live in I’d highly recommend you take a look at the above documentary:

Zero Days – Stuxnet and the Iran Nuclear Program

It provides a really good in depth examination of what Stuxnet is and how it has impacted us far beyond its original mandate.

I’d also commend to you the book:

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon

which also covers a lot of the same material.

Ultimately, I still firmly believe that technology will doom us all as I see more and more of our lives being placed in critical but effectively insecure systems all being tied together. This growing interdependency means a failure of one part of the system potentially leads to a catastrophic failure of the complete system.

Yes, technology is amazing and yes technology can help us solve many problems, but when these solutions create additional vulnerabilities is the cure worse than the cause? All I can say is make sure you have your contingencies in place and always be sceptical of technology. Trust but verify, as they say.

The ramifications of Stuxnet go far beyond the job it was designed to do. Seeing the movie and reading the book will help you understand that Pandora’s box has now been opened.

Office 365 E3 and above includes Rights Management

There are many benefits of the more advanced Office 365 plans. One of the benefits you receive with E3 licenses and above is Rights Management:

image

If you visit the E3 product page at:

https://products.office.com/en-us/business/office-365-enterprise-e3-business-software

You will find the above focus on the included Information Protection features. One of the ways this is provided is via Rights Management.

image

https://technet.microsoft.com/en-us/network/dn858608.aspx

If you visit the above link you’ll find the table that compares the Rights Management features you receive in Office 365 E3 or better and with Azure Rights Management Premium.

image

Although Office 365 Rights Management isn’t as fully featured as the premium product, it does most things a business needs. It protects documents no matter where they are located: Rights Management encrypts the document and embeds the permissions inside it, so the permissions travel with the document, inside or outside the business.

This is unlike most documents today, which are only protected by the location in which they are stored. If you have a sensitive document on your file server, it is generally locked down via server permissions. However, that doesn’t prevent someone with the appropriate permissions sending that document, as an email attachment say, to another person who doesn’t normally have permissions. Once the file is removed from its secure container it is effectively no longer protected, because only the container the file lives in has permissions, not the file itself. With Rights Management, the permissions are embedded into the file, ensuring it is protected wherever it goes.

So, if you have Office 365 E3 or better, what’s the easiest way to start using the included Rights Management abilities you get with Office 365?

image

image

The easiest way is to configure information to be directly protected from the file system and desktop applications.

If you look at the above screenshots of PowerPoint and Windows Explorer you see there is no option to apply Rights Management. To provide that we first need to install the Rights Management agent software on the desktop.

image

To download the agent software, navigate to the Microsoft Rights Management download portal at:

https://portal.aadrm.com/Home/Download

image

Simply select the icon that matches your device. In this case we’ll select the Windows computer icon.

image

When the software has downloaded, run it.

image

Select Next to continue.

image

You’ll see the software configure and install Microsoft RMS for you.

image

After the installation is complete you’ll need to restart your system.

image

image

Now when you look at your Office applications you’ll see a new button called Share Protected as shown.

image

You’ll also find that Rights Management has been embedded into the file manager. Just right-click on any file and you’ll see the Protect with RMS option in the menu as shown.

I’ll cover off how you actually use this inbuilt Rights Management functionality to protect your information in an upcoming article, so stay tuned. However, at least now you have the agent installed on your desktop to make protecting your information with Rights Management easy.

Remember, Rights Management with Office 365 is currently only available with E3 or better suites, but it is also available as a standalone purchase if you want it.

Need to Know Podcast–Episode 101

Marc and I catch up on all the latest Azure and Office 365 news. We talk about the new Azure Resource Policy as well as the latest changes to the Office 365 interface. We also spend some time chatting about security and the best hardware device to get. This one’s a little bit random, so enjoy the ride.

As always don’t forget to send us your questions and feedback as well as leaving a review to help grow our audience. We appreciate you taking the time to listen.

You can listen to this episode at:

http://ciaops.podbean.com/e/episode-101-cloud-news/

or subscribe to this and all episodes in iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

Resources

Marc Kean – @marckean

Robert Crane – @directorcia

Custom SSO through Azure AD

Azure Resource Policy

New Office 365 login screen

New Office 365 admin center look and feel

Office 365 B2B sharing

Lastpass

Office 365 customer lockbox

Project Madeira

Cloud App Discovery coming to Office 365

One of the handy features of Azure AD Premium was the ability to install a small program on each workstation and then have it report on cloud based applications used. All the data was collected by Azure and then reported in a handy dashboard.

That way you could see what cloud based applications were in use, how much data was flowing through them and whether they were being used outside the Azure AD Single Sign On Web Portal.

A good example I have seen is where cloud app discovery uncovered the fact that a number of employees were sharing large amounts of corporate information using Dropbox, which had been banned from the workplace. Cloud Discovery allowed these users to be identified along with the times sharing was taking place. The business could then take appropriate action.

According to this post from Microsoft:

https://blogs.office.com/2016/02/25/new-security-management-and-transparency-capabilities-coming-to-office-365/

Cloud App discovery is a new feature, amongst others, coming to Office 365. To quote:

Office 365 cloud app discovery gives you the ability to understand which other cloud services your users are connecting to. From the Office 365 admin portal, you can view a dashboard on network activity. For example, you can see where users are storing and collaborating on documents and how much data is being uploaded to apps or services outside of Office 365.

Not quite sure how exactly it works but I expect it will be a slightly cut down version of what is available in Azure AD Premium, like many other enhanced features of Office 365 are.

There are also some other great security enhancements announced in that blog post, so check it out and be ready for the new features arriving in an Office 365 near you soon!

Why technology will doom us all

As much as I like and make a living from technology, I have always maintained a healthy interest in all aspects of digital security. I have written plenty of previous articles about how technology is pretty devoid of good security in my opinion, such as:

Bad guy just keep winning

The world of security anomalies

Security before convenience or else

Here’s another recent personal episode that once again proves my point that we are headed to a very bad place with technology due to a lack of focus and understanding of the real value of security.

While visiting a family member they informed me they feared their PC had been hacked. The reason cited was they saw a message appear on the screen, while browsing the Internet, that told them their system had been hacked. They immediately panicked and turned the whole system off awaiting my arrival.

Time to investigate.

I powered the machine back up and ran a few scans and checked the logs and couldn’t see anything nasty. The family member told me that they had been searching the Internet and viewing the resultant sites. The last one they remember visiting was:

Tasmanian Air Adventures

Rather than visiting the site I ran my own search on the name of the business.

image

Above is the first result that was returned. If you look closely you’ll see that the results returned are just ‘default text’ (i.e. Donec ullamcorper…). This indicates to me that the site still has some ‘defaults’ set somewhere. If that is the case then the site also probably has ‘default’ security, which really means no security!

After a little more digging I turned up the suspect HTML page and the above image from the browser cache which is what the user remembered seeing.

The suspect HTML also revealed that the exploit used was against an outdated Mailchimp WordPress plugin.

After some further checking I was confident that the exploit targeted the insecure server, not client browsers. I reassured the user that all was good and they didn’t have anything to worry about (for the reasons I’ll point out a bit later).

After some more digging it turns out that the company whose web site it was actually went into liquidation a while back.

Tasmanian Air Adventures in liquidation

That was about 10 months ago as of today.

So here are my comments/questions:

1. Why the hell is an insecure web site still allowed to be running when that company was liquidated 10 months ago?

2. Who the hell is paying for that server to be still running?

3. If that web server was actually shared amongst others that insecure account now potentially makes all accounts on that server vulnerable.

I could go on but ….

My point here is that as we race towards making technology more and more part of our lives and our businesses, including connecting them all together all the time, we make ourselves more vulnerable to any single insecurity.

The Internet of Things sure sounds great but it will open a Pandora’s box of pain for everyone by connecting every device we see to the Internet. Why? Because all it requires is one insecurity in any of these connected systems to give the bad guys a foothold. In fact, I would contend that it is too late, they are already well entrenched.

I’m scared. I really am. We are building a world that is going to fail, and fail potentially catastrophically. It is going to make us more vulnerable. It’s a world where the financial incentive is heavily stacked towards doing evil rather than good.

It is pretty much impossible these days to go totally Unabomber and unplug. Thus, our only realistic option is to deal with the world we have created. That means taking total ownership of your own security.

Case in point, the family member who experienced this issue was running a FULLY patched AUTOMATICALLY updating version of Windows 10 with other security measures in place thanks to yours truly. Many people complain about the change Microsoft made to have Windows and Office automatically update. I, however, think that is GREAT! It is one thing EVERY piece of software MUST do in my opinion. Otherwise, we leave holes that the bad guys can crawl into and never be removed once they are in.

The reality, which I believe fails to be grasped, is that technology security is a losing equation. Every day more and more software and devices become vulnerable because they are not being updated YET they remain connected, just like the web server my relative was visiting.

I’m sorry, we are all doomed and technology is to blame. You have been warned.