Catch me on Eagle Waves Radio

Eagle Waves Radio logo

I recently did a very quick chat about IT security on Eagle Waves Radio. You’ll find the episode here:

http://www.eaglewavesradio.com.au/2014/11/eagle-business-27-nov/

I’m the last of the three segments about 48 minutes into the episode. I cover a few major topics around IT security in general, especially when it comes to passwords.

I thank Eagle Waves Radio for the opportunity to be a guest on their show.

Office 365 Message encryption

If you weren’t aware, Office 365 supports sending encrypted messages to anyone. Basically, they get an email telling them to log in to a web portal to view the message. Here’s how to make all that work.

You’ll firstly need to enable Rights Management for your tenant. To do that, log in to the Office 365 portal as an administrator.

image

On the left hand side select Service Settings.

image

This will expand a menu as shown above. From this menu select Rights Management.

image

On the right now select the Manage hyperlink.

image

Select the Activate button to enable Rights Management.

image

Confirm that you wish to enable by selecting the Activate button.

image

After a few moments the screen should update.

image

You are now going to need to run some PowerShell commands. If you haven’t done this before, check out this previous blog post to get your environment set up:

Configuring PowerShell Access in Office 365

Once you have connected using PowerShell you’ll need to run the following commands depending on your location:

USA:
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

Europe:
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

Asia-Pacific:
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

image

In my case I used the Asia Pacific URL as shown above.

image

You then need to run the command:

Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

which produces the above result.

image

Then this command:

Set-IRMConfiguration -InternalLicensingEnabled $True

image

Finally run the command:

Test-IRMConfiguration -RMSOnline

and ensure the result comes back as OVERALL RESULT: PASS

image
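The PowerShell steps above, gathered into one script that can be re-run safely. This is an added example and not part of the original post; it assumes an Exchange Online PowerShell session is already connected and Rights Management has been activated in the portal, and the `-Region` parameter is the script's own convention.

```powershell
param(
    # Which of the three key sharing locations listed in the post to use.
    # The region names are this script's own labels, not a Microsoft setting.
    [ValidateSet('USA', 'Europe', 'AsiaPacific')]
    [string]$Region = 'AsiaPacific'
)

$ErrorActionPreference = 'Stop'

# Key sharing URLs exactly as given in the post.
$keySharingUrl = @{
    USA         = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    Europe      = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
    AsiaPacific = 'https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
}
$expectedUrl = $keySharingUrl[$Region]

# 1. Point Exchange Online at the regional RMS key sharing service.
Set-IRMConfiguration -RMSOnlineKeySharingLocation $expectedUrl

# 2. Import the trusted publishing domain, unless a previous run already did.
$tpdName = 'RMS Online'
if (-not (Get-RMSTrustedPublishingDomain | Where-Object { $_.Name -eq $tpdName })) {
    Import-RMSTrustedPublishingDomain -RMSOnline -Name $tpdName
}

# 3. Enable IRM licensing for the tenant.
Set-IRMConfiguration -InternalLicensingEnabled $true

# 4. Read the settings back so a wrong region or a silent failure is visible.
$irm = Get-IRMConfiguration
if ([string]$irm.RMSOnlineKeySharingLocation -ne $expectedUrl) {
    Write-Warning "Key sharing location is '$($irm.RMSOnlineKeySharingLocation)', expected '$expectedUrl'."
}
if (-not $irm.InternalLicensingEnabled) {
    throw 'InternalLicensingEnabled is still False.'
}

# 5. Run the built-in self test and stop unless it reports the PASS line.
#    A wide Out-String keeps the result line from being wrapped.
$testOutput = Test-IRMConfiguration -RMSOnline | Out-String -Width 4096
if ($testOutput -notmatch 'OVERALL RESULT:\s*PASS') {
    Write-Warning $testOutput
    throw 'Test-IRMConfiguration did not report OVERALL RESULT: PASS.'
}

Write-Output "IRM is configured for region '$Region' and the self test passed."
```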

With that done you can now return to the Office 365 management portal as an administrator to set up a message encryption transport rule.

image

In the top right of the Office 365 portal select Admin and then Exchange from the menu that appears.

image

From the menu on the left select mail flow.

image

Select the Plus icon on the right and the option Create a new rule from the menu that appears.

Now there are lots of different options when creating an Office 365 Transport Rule but I am not going to cover these. This post is aimed at showing you the basics of enabling Exchange Online Message Encryption. If you want more information about Office 365 Transport Rules in general see:

http://technet.microsoft.com/en-us/library/jj919238(v=exchg.150).aspx

image

In this case I am going to set a rule to encrypt messages sent to one person in the organisation (Anne Wallace).

To see the encryption options ensure you select the More options hyperlink at the bottom of this window as shown above.

image

For the Do the following condition select Modify the message security and then Apply Office 365 Message Encryption as shown above.

image

Once saved the new rule should appear in the list as shown above.

Now if Anne Wallace is sent an email by another Office 365 user she will see:

image

Indicating that this is an encrypted message.

To view the message Anne must save the attached HTML file to her local machine and open it.

image

When she does so and opens it she will see the above message.

If she then selects the Sign in and view encrypted message hyperlink she will see the encrypted message.

image

Exchange Online Encrypted messages work with people inside and outside Office 365. If you want more information check out the following:

http://technet.microsoft.com/en-us/library/dn569286.aspx

Once you have done the initial Rights Management setup you then have a lot of flexibility using Exchange Online Transport Rules to determine how messages are handled. You could set up a rule that if the word ENCRYPT is in the message subject it will always be encrypted.

Very flexible and most importantly, very secure.
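The two rules discussed in this post (encrypt mail sent to one recipient, and encrypt when ENCRYPT is in the subject) can also be created from the same PowerShell session instead of the portal. This is an added example, not from the original post; the recipient address, the rule names and the `Set-EncryptionRule` helper are assumptions made for illustration.

```powershell
$ErrorActionPreference = 'Stop'

# Constructed placeholder: the post names the recipient but not her mailbox address.
$recipient = 'anne.wallace@contoso.example'

# An encryption rule is pointless if the tenant setup was skipped, so check
# that IRM licensing is enabled before touching mail flow.
if (-not (Get-IRMConfiguration).InternalLicensingEnabled) {
    throw 'IRM licensing is not enabled. Complete the Rights Management setup first.'
}

# Hypothetical helper: create the rule if it is missing, otherwise update it,
# so the script can be re-run without producing duplicate rules.
function Set-EncryptionRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][hashtable]$Condition
    )
    $existing = Get-TransportRule | Where-Object { $_.Name -eq $Name }
    if ($existing) {
        # -ApplyOME is the cmdlet counterpart of the portal action
        # "Apply Office 365 Message Encryption" selected in the post.
        Set-TransportRule -Identity $Name @Condition -ApplyOME $true
    }
    else {
        New-TransportRule -Name $Name @Condition -ApplyOME $true
    }
}

# Rule 1: the rule built in the portal walkthrough (one named recipient).
Set-EncryptionRule -Name 'Encrypt mail to Anne Wallace' `
                   -Condition @{ SentTo = $recipient }

# Rule 2: the subject keyword rule suggested at the end of the post.
Set-EncryptionRule -Name 'Encrypt when subject contains ENCRYPT' `
                   -Condition @{ SubjectContainsWords = 'ENCRYPT' }

# Show what is now in place so the result can be compared with the portal list.
Get-TransportRule |
    Where-Object { $_.Name -like 'Encrypt*' } |
    Format-Table Name, State, Priority -AutoSize
```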

Security for your mobile devices

The IT landscape today is filled with hackers, malicious software and disasters. Most businesses have these under control for traditional servers and desktops within their business and perhaps somewhat in their homes but when it comes to mobile devices many have adopted the ‘Macintosh fallacy’. That is, it won’t happen to me.
The bad news is that mobile devices are now more than ever the target of the bad guys and are more likely to sustain some sort of disaster (like falling into the toilet). My question is, what are YOU doing about it? Yes YOU.
The first app that I’d be looking at installing on your devices is Lookout.

It will protect your device from malware, scan every app that you download to ensure that it is safe as well as block malicious web sites. It will also backup your contacts, photos and other data allowing you to easily transfer it to a new device. Lookout even allows you to find your device and remotely wipe it if you need to.

Much like the Secunia desktop software, a version now available for Android devices allows you to ensure that all the apps on your device are up to date. This greatly reduces the chance of them being exploited as any desktop user knows.
Both of these are FREE so there is no excuse not to have them running on your device. Both also offer commercial products that provide greater amounts of control for businesses with lots of devices to manage so if you have a fleet of devices you need to manage you should also look at how these products can allow you to create your own BYOD (Bring Your Own Device) strategy.
If you don’t protect your device then you have no one to blame if something goes wrong. Reduce the risk and use these two free apps. I do!

Message encryption coming to Office 365

A very common request I see out there is people wanting to ensure that a person who receives an email does so securely and can’t forward it to others. That is a little tough given the way the standard email protocol was designed and implemented.
To provide an enhanced level of security with its Office 365 service Microsoft has recently announced that it will be shortly introducing email message encryption. If you want to see how it will work then check out this blog post.
http://blogs.office.com/b/office365tech/archive/2013/11/21/introducing-office-365-message-encryption-send-encrypted-emails-to-anyone.aspx
The great thing about this is that you’ll be able to send encrypted mail to anyone! That is certainly going to fill a major need these days as well as make a real point of differentiation for Office 365.
We’ll have to wait until early next year until it becomes available and the good news is that E3 and E4 plans will automatically receive it. It will also be available as an option with other plans but in the long run I see it becoming part of the standard Office 365 offering for all plans.

Bad guys just keep winning

The number of incidents I am seeing of people being infected with the Cryptolocker continues to escalate. Now before I launch into this rant here is information about the nasty:
http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
so you have been warned.
But how the hell can this be happening? How the hell can these sorts of things still get through and cause mayhem and destruction? Having lived through Nimda, Code Red, Melissa, Conficker and more, why is this all happening over and over again? Simple, technology is making it easier for the bad guys not harder. Am I the only one who acknowledges this fact?
I have written many, many times about how vulnerable society has become by creating such a dependence on technology. For example:
here – https://blog.ciaops.com/2013/03/a-gift-for-hackers.html
here – https://blog.ciaops.com/2008/07/why-bad-guys-will-always-win.html
here – https://blog.ciaops.com/2008/08/the-bad-guys-win-again.html
and here – https://blog.ciaops.com/2009/08/bad-guys-win-again-part-iv.html
but to name just a few.
And yet, the world seems to be again brought to its knees by a clever piece of code that is able to slip past all the ‘so-called’ filters, scanners, protection mechanisms and what not that are supposedly put in place. How is that? How can people still be clicking links and attachments they know nothing about? And why is everyone paying so much for what seems like so little protection? Is all this supposed ‘security’ actually making things worse by providing people with a false sense of security?
Simple, the weakest link is the wet-ware behind the keyboard (i.e. the human being). People simply don’t have any concept of the security risk they face on ANY device that is connected to the Internet or that receives email. And you know what? That is just about every single technology device we have today. EVERY SINGLE ONE. What is being done to educate people about IT security? Not much from what I can see. That is the REAL problem here.
The modern world continues to place its unmitigated faith in the march of technology, oblivious to the underlying risks and fragility it is creating. It also lives with this naive assumption that whatever is done on the Internet is also anonymous. They likewise jump up and down when they find out that the NSA is monitoring email traffic. Like DUH, emails have ALWAYS been sent in the clear so ANYONE could read them, DUH. It demonstrates how removed from technology the average person is. They happily use technology but have no IDEA how it works. That is always a dangerous recipe.
It makes NO difference where your information is. In your Office or in the cloud, if you are connected to the Internet you are vulnerable, full stop. The problem is others are also on the Internet so if you get infected then there’s a chance you’ll infect them. We are now more than ever all connected together and what happens in one place can have a huge impact thousands of miles away INSTANTANEOUSLY.
To me most of this anti virus software and filtering is a complete and utter waste of time. Don’t get me wrong, I have a certain set of tools and programs I use but my main weapon to remain secure is to concentrate on scaring the crap out of everyone I know (especially my family), constantly reinforcing what maladies will befall them if they click on something they shouldn’t. Does that make them paranoid? You bet it does, but you know what? I am pretty sure none of them are going to get infected with this latest virus because they are more scared of me than this virus. Sometimes that’s what you gotta do to keep people secure.
So what’s the point of this post? Firstly, it is to express my utter disbelief in the existing security ‘industry’ that charges users billions of dollars every year and yet somehow fails to protect them. Is the problem the software or those charged with maintaining them? Hmmm… I could go on but secondly, it is to say that these problems are only going to continue because we are not dealing with the root cause – the idiots who click on unknown attachments and files sent to them. Here are my golden IT security rules for idiots that MUST be followed under pain of death:
1. Backup, backup, backup. That’s not being repetitive it means back your stuff up at least 3 times.
2. If it seems too good to be true then it is. That means, that if there is any doubt then there should be no doubt.
3. If you don’t know, then ask.
I long for the day when society takes IT security seriously and develops solutions to EDUCATE people on how vulnerable they really are every time they access the Internet. Am I being paranoid? I sure am, because you know why? Only the paranoid survive when it comes to security. I’m paranoid and I’m proud of it. That is why the machines I look after don’t get infected. Sure, there is never 100% surety when it comes to dealing with human beings but you know what? Paranoia goes a lot further in my books than most of this other ‘so called’ protection I see out there today.

Sharing of infected files

In my last post I noted how Office 365 prevents you from uploading infected files. I got to wondering what happens when the other file sharing services try and share an infected file.

image

If I try and attach an infected file directly from my local machine to an email in Google Apps it is detected as shown above, which is good, and prevents that file being attached.

image

But since I can also attach from Google Drive as well, I can attach the infected file (since I can upload into Google Drive as my last post highlighted). This is not good.

image

Now you’ll see that with Google Apps the attachment is really shared via a link rather than attaching the actual file from what I see. Any email system worth its salt will detect and quarantine an attachment that contains a virus, so let’s just eliminate that from our considerations. But, if instead I send a link to an infected document what happens? I know the email will reach the users (because it isn’t infected).

image

So here’s what the user sees. If I click the link to the file I see:

image

Now if I try and download I get:

image

That’s good, but remember here I am dealing with a .com file that includes a virus.

So let’s assume I am a little more cunning in my attempts to infect a user and I place the infected file inside a ZIP archive. What happens?

image

As you see, Dropbox allows me to send a public link to the encrypted file where anyone can download it. This means that your only defence typically here is now the local anti virus software which we know all users always keep up to date right? (if you believe that then you live in a world of unicorns, leprechauns and perpetual rainbows). Not good!

image

Now if I share the same ZIP file using Google Drive and attempt to download it from the File menu.

image

It is blocked like before which is good, BUT look at this:

image

If I download it from the drop down option at the end of the file

image

It downloads! Not good, especially given this is the default that users see when they view the link provided. I also find it strange that one way you get one result (i.e. blocked file) while the other way you don’t. Strange.

So what’s the moral here? Best bet is don’t let the file get up to the file sharing platform in the first place, which is why I reckon Office 365 is a much better bet when you start digging into what can happen as I have done briefly here.

All file sharing systems are not created equal.

SkyDrive Pro includes anti virus protection

I’m seeing a lot of people out there getting hit with all sorts of viruses coming through file sharing programs because you know what? They simply don’t provide any protection but they are really easy to use.

For example when I upload the eicar antivirus test file to Dropbox look what happens:

image

Dropbox allows the file to be uploaded and stored. Now, if a user opens this file they run the risk of being infected.

image

So what happens if you attempt the same thing with Google Apps? Guess what? It also lets the virus be uploaded and stored.

This highlights how great most file sharing applications are as virus delivery mechanisms, now doesn’t it?

image

However, when we come to Office 365 SkyDrive Pro and SharePoint we receive the above notification telling us that our file is infected and won’t be uploaded! Now that’s protection.

Viruses and malware are so much a part of today’s landscape, problem is, so are easy file sharing utilities. Most of these file sharing utilities don’t even do the most basic security checks to ensure the files uploaded are clean. Office 365 is different. It is protected by Forefront Protection for email, SharePoint and SkyDrive Pro. To my mind that makes it so much better than the alternatives, because it automatically protects users.

If you want to understand the difference between file sharing options and Office 365 then look no further than inbuilt virus and malware protection. When I pay for a file sharing and collaboration solution I want the one with built in security. That is Office 365 and SkyDrive Pro.

Restore, restore, restore

I recently wrote a blog post highlighting the fact that too few ordinary businesses and users perform adequate backups. However, backing up your information is really only half of what you should be doing. To give yourself 100% certainty of your backups you actually need to restore them.
I can’t tell you the amount of times that I have come across people who religiously backup but when they need to actually restore data they can’t for some reason. The most likely reason is because the media is corrupted however I have even seen a case where a company was religiously backing up to write protected tapes. Since all they ever did was change the tape daily and never check the log they effectively had no backups when they needed them. The sad thing is that they thought they were doing the right thing! (certainly not the “write” thing).
So restoring backed up data is just as important because you don’t want to find you have issues when you are relying on your backups to get you out of a disaster. In theory you should of course perform a complete disaster recovery so you know you can do it when the chips are down. At the very least, you should be running smaller test restores regularly to reduce the chances of issues developing.
Now that is all well and good but what happens if you are using the cloud as a backup? What happens when you are using a large provider to maintain your backups? What happens if you are paying someone else to perform your backups? I would still again say restore, restore, restore. You need to be 100% confident that YOU and you alone can recover your data if needed. That means that if you are not 100% comfortable with a third party doing it for you then you need to take additional steps to ensure you can.
This may mean that you need to do your own data backup if your information is stored in the cloud. Remember, the rule of thumb is 3-2-1.
– 3 copies of the data including the original
– 2 different media types for backed up information
– 1 backup off site
Now if you are using a hosted service, I wouldn’t be waiting until you need to recover information, I’d be testing the whole restore process beforehand. In most cases this means logging a ticket with the service provider to complete the recovery. In most cases, this means that the restore process is now out of your control. You simply have to wait until it is completed. How long will that take? You’ll never know until you ask to have something restored, now will you? Again, do it as a test before you actually need to restore something and document the process so you know.
You also need to be aware of what can actually be restored. In the case of something like SharePoint Online the only current option is a complete site collection restoration over the top of the existing information as detailed here:
http://blogs.technet.com/b/akieft/archive/2012/01/09/restore-options-in-sharepoint-online.aspx
That means that if all you want restored is a single file then you can’t achieve that without overwriting the complete site collection.
SharePoint Online has plenty of other recovery options such as the recycle bin which alleviates this issue BUT what it highlights is that there are limits on what hosting providers can restore. My question for you is, if you are using a cloud provider do you KNOW what the restoration process is? If you don’t then you should.
To be truly secure with cloud providers you are probably going to have to set up some sort of manual or third party back up of your data and that can be difficult, especially given the volume of data most people are pushing up to the cloud. Most connections won’t allow you to suck everything down to a local hard disk over night, so what do you do?
This is where a hybrid approach makes sense. If you use a desktop application like Outlook for your emails then a local copy of your inbox is stored on your workstation. This at least allows you to work ‘off line’ and get to the data locally. If you only accessed your emails via a web browser then you may not be able to get access to it in the event of a disaster.
Office programs like SkyDrive Pro, SkyDrive, OneNote, etc allow you to retain local copies of your data on multiple devices automatically. These features are more designed for convenience than pure backup, however they certainly provide this functionality as an important side benefit. If you accessed everything only via your browser then you may not have that luxury in the event of a disaster. My questions are, do you know what can be restored if needed from the cloud? Then, how can it be restored? Then, how long will it take?
No matter whether you use hosted providers or on premise equipment you need to be able to restore your data when required. You need to understand how long this will typically take and what you can and can’t restore. You and ONLY you are responsible for the security of your data. Therefore you NEED to take responsibility for it NOW and ensure you can restore it if needed.
You have been warned. Because remember, it isn’t a matter of IF you need to recover data, it is WHEN you need to recover data, because NO ONE is immune from disaster.