Chapter 6
IN THIS CHAPTER
Enhancing your security posture
Using built-in security features in Microsoft 365
Implementing encryption capabilities, the easy way
John Chambers, former Cisco CEO, said that there are only two types of companies: those that have been hacked, and those who don’t know they have been hacked. Considering that Cisco is the worldwide leader in IT, networking, and security solutions, notable personalities in the industry (including James Comey) have echoed the same sentiment for a good reason.
Sadly, that statement is today’s reality and the new normal for anyone running a business of any size. On any given day, we face the risk of being attacked by malicious threat actors whose intent is to cause business disruption or harvest valuable company data to be resold on the dark web. Companies that have vulnerable servers and devices from lax (or the lack of) patch management and outdated practices are usually the entry points for hackers.
And if that weren’t enough, we also face risks from the inside, with users intentionally or unintentionally leaking critical data. In fact, most confirmed data breaches are due to weak or stolen passwords. Guess what the three most common passwords were in 2017? Surprise!
As a small business, you most likely do not have the budget to implement a highly complex security infrastructure to combat cyber-attacks. You probably also do not have the means to hire top security talent to manage your computing environment. These realities, however, do not mean that you’re out of luck. With a shift in mindset, a commitment to adopting security best practices, and a cost-effective monthly subscription to Microsoft 365 Business, even a small business like yours can enhance its security posture just like the large enterprises do today.
In this chapter, you glean insights into the built-in security features in Microsoft 365 Business and how these features work across the different services. You can follow along with the step-by-step instructions on configuring security features and learn how to send encrypted emails to reduce your vulnerability to cyber-attacks.
When you run a business, you have data and you collect data. Data can be in the form of proprietary information, employee data, customer data, or data from your vendors and partners. In today’s digital age, data is the new currency. Hackers know that protecting data is a challenge for SMBs, so it is no surprise that hackers increasingly target small businesses. A few years ago, ransomware from hackers who wanted a quick buck started out at around $5,000. Nowadays, with the availability of ransomware-as-a-service, I have seen victims who were asked to pay $1,500 to get their data back.
Although you can’t stop hackers from being hackers, you can stop them from making you their latest victim. The first step in protecting your environment is to assume that you will be attacked. With that mindset, you can begin securing your front door and letting hackers know they’re not welcome.
Statista.com studies show that 48 percent of email traffic worldwide is spam. When you’re using Office 365, the emails you see in your mailbox are mostly ones that have passed the cloud-based mail-filtering system for spam (unwanted mail) and malware (viruses and spyware). This filtering system is automatically configured in the subscription, but you, as an admin, can tweak the settings to fit your company’s needs.
Hackers, however, have become smarter. To bypass these filters, they’ve resorted to social-engineering techniques to try to breach your environment. They employ deceptive techniques to manipulate you — for instance, to get you to give them your password.
Office 365 Advanced Threat Protection (ATP) is a cloud-based solution that employs a multilayered approach to protecting not just email but also data across the Microsoft 365 Business environment, including SharePoint Online, OneDrive for Business, and Microsoft Teams. In the Microsoft 365 Business subscription, Office 365 ATP comes with two features: ATP Safe Attachments, and ATP Safe Links.
While traveling this year, I thought I’d use a 30-minute layover to be productive and check my email. I connected to the airport Wi-Fi and fired up Outlook; soon I was responding to emails and accomplishing a lot. As I was about to shut down my computer to start boarding my flight, I saw an email come in marked “Urgent.” It was from a colleague, with an attachment and a note saying she needed my immediate approval or the project we were working on would be delayed by four weeks. In my rush, I didn’t verify the email associated with the sender and immediately double-clicked the attachment. As it turns out, even someone aware of phishing tricks can still fall prey to social-engineering tactics. Lucky for me, ATP Safe Attachments is running on my system, so instead of the hacker wreaking havoc, I was presented with a notification that the attachment was blocked, as shown in Figure 6-1.
The ATP Safe Attachments feature took the appropriate action based on the policies I configured in Exchange Online. The policy allowed me to see the body of the email but blocked access to the malicious file. Sophisticated machine-learning technologies, artificial intelligence, and a host of other automated systems run in the background in real time to ensure that the policies are in effect — that is the beauty of cloud technologies. Imagine if you were to do this all by yourself. You’d have to spend a ton of money, time, brainpower, and — actually, you simply couldn’t do what this technology does.
ATP Safe Attachments also works for files in SharePoint Online and OneDrive for Business document libraries. If someone loads malicious files in document libraries, the system detects them and prevents users from opening them.
Here’s how to set up ATP Safe Attachments.
https://admin.microsoft.com/
On the Safe Attachments page, select the box to the left of Turn on ATP for SharePoint, OneDrive, and Microsoft Teams.
This action enables Safe Attachments in SharePoint Online, OneDrive for Business, and Microsoft Teams.
In the New Safe Attachments Policy window, specify the name and description.
In Figure 6-3, I named the policy Deliver Right Away.
Choose the action that’s appropriate for your organization.
In my example in Figure 6-3, I chose Dynamic Delivery. This choice delivers an email that contains an attachment immediately to the recipient. While the attachment is being scanned, a placeholder attachment is attached, and the user is notified that the attachment is being analyzed. After the scanning is complete, if the attachment is deemed safe, the attachment is reattached to the email. If the attachment is determined to be malicious, it is sent to quarantine, where the global administrator of Microsoft 365 Admin Center can review and manage it.
In the Redirect Attachment on Detection section, select the Enable Redirect option and enter an email address.
This step is required if you want someone to investigate malicious attachments.
Click the Save button.
A Warning window appears, reminding you that Dynamic Email Delivery is only for mailboxes hosted in Office 365.
If you’re finished with creating policies for Safe Attachments, you can navigate away from the page by clicking any of the menus on the left or by closing the browser.
Hackers are persistent. They will continue to find ways to try to breach your environment. If you close the door with attachments, they will try to open another door by tricking you into clicking a link in the body of an email or inside a document to take you to a malicious site. They may even make it so that the first time you click the link, it takes you to a legitimate website. If you click the link again, it redirects you to a malicious site!
ATP Safe Links, another security feature in Office 365 ATP, verifies the link in real time each time you click it. If the link is malicious, and ATP Safe Links is configured, a warning page appears to notify the user that access to the website is blocked, as shown in Figure 6-4.
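A simplified model of the time-of-click check described above, added here as an illustration and not Microsoft's implementation or code from this book. The wrapper host, the domains, and the verdict timeline are constructed; the model contrasts a one-time scan at delivery with a check repeated on every click.

```python
from urllib.parse import quote, urlparse, parse_qs

# Hypothetical wrapper host; a real service uses its own rewrite domain.
WRAPPER = "https://safelinks.example/check"

# Constructed verdict timeline per host: (hour the verdict takes effect, verdict).
# "promo.example" is clean at delivery and flagged later, as in the text above.
VERDICTS = {
    "intranet.example": [(0, "clean")],
    "promo.example": [(0, "clean"), (5, "malicious")],
}

def verdict_at(host, hour):
    """Latest verdict known for a host at the given hour ('unknown' if none)."""
    current = "unknown"
    for start, verdict in VERDICTS.get(host, []):
        if hour >= start:
            current = verdict
    return current

def scan_at_delivery(url, hour):
    """One-time filter: decide once, when the message arrives."""
    return verdict_at(urlparse(url).hostname, hour) != "malicious"

def rewrite(url):
    """Wrap the original link so every click passes through the checker."""
    return f"{WRAPPER}?url={quote(url, safe='')}"

def click(wrapped, hour):
    """Time-of-click check: unwrap, look up the current verdict, allow or block."""
    target = parse_qs(urlparse(wrapped).query)["url"][0]
    if verdict_at(urlparse(target).hostname, hour) == "malicious":
        return ("blocked", target)   # the user would see the warning page
    return ("redirect", target)      # unknown hosts are allowed in this model

def simulate(url, delivered_at, clicks):
    """Return the delivery-time decision and the outcome of each later click."""
    wrapped = rewrite(url)
    return scan_at_delivery(url, delivered_at), [click(wrapped, h)[0] for h in clicks]

if __name__ == "__main__":
    # Delivered at hour 1, clicked at hours 2 and 6.
    print(simulate("https://promo.example/offer?id=7", 1, [2, 6]))
```

The delivery-time scan passes the message, and only the second click is stopped, because the verdict changed after the mail was already in the inbox.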
As a cloud service, Office 365 ATP is updated regularly, so it’s best to edit the default policy to ensure that all the new features are enabled for your company.
To edit the default ATP Safe Links policy, follow these steps:
https://admin.microsoft.com/
For added protection, select all boxes under the Settings that apply to content except email heading.
This default policy does not apply to email messages. You can use this as a guide to create your own policy to apply to emails.
Click the Save button to save your changes.
You return to the Safe Links page.
If you’re finished with creating policies for Safe Links, you can navigate away from the page by clicking any of the menus on the left or by closing the browser.
About 20 years ago, while working on some confidential projects, I had to use PGP (Pretty Good Privacy) to send encrypted email. I found the experience cumbersome, time-consuming, and sometimes maddening. First, I had to install the PGP software, generate a private key and public key, share my public key with others, get other people’s public keys, and then get all these keys in one place. When I was finally ready to send an encrypted email, I’d have to encrypt the email with other people’s public keys and send it over to them. Then they would have to decrypt the email using their private keys. If I forgot to encrypt the email with another person’s public key, I’d have to go through the steps all over again. A lot of times, people would complain that they couldn’t open the email because it wasn’t encrypted to them or it was encrypted with an old key. The process was a nightmare.
Today, sending encrypted emails in Office 365 involves a few clicks. There is no software to install or keys to generate or share with others. All the magic happens in the backend.
The IT admin doesn’t even have to configure anything in the backend. That’s because Microsoft 365 Business automatically comes with Office 365 Message Encryption as part of the Azure Information Protection service. Right out of the gate, licensed users can immediately take advantage of this security feature.
As the name suggests, Azure Information Protection (AIP) is a cloud-based service designed to protect information. AIP includes a variety of features depending on the type of plan you subscribed to. One of the features of AIP is Office 365 Message Encryption (OME).
Microsoft 365 Business includes AIP Premium 1, which includes OME. OME, in turn, comes with the following four default labels:
These labels are accessible from the Outlook desktop application as well as its cloud version, Outlook Online.
No software installation, no key generation or distribution, and no admin setup and configuration. That’s the promise of Office 365 Message Encryption. Sending encrypted messages from Outlook or Outlook Online is quick and easy with a Microsoft 365 Business subscription.
To send an encrypted email:
Compose the email as you normally would.
Enter the recipient’s email address in the To line, the subject, and the message.
In the top menu bar, click Encrypt, as shown in Figure 6-5.
The Encrypt label is automatically applied to the email. You can apply a different label by clicking Change Permission in the gray bar above the recipient’s name.
Click Send.
The email is sent and the screen reverts to Outlook’s reading view.
If the recipient of the email uses Exchange Online in Office 365 or Microsoft 365, the email will automatically be readable. If the recipient uses another email system, such as Gmail, the email will include a button that shows the recipient how to read the encrypted email.
Figure 6-6 shows a recipient using Gmail. When the recipient clicks the Read the Message button, a new window opens. In the new window, the recipient is given two options for viewing the message: sign in with a Google account or use a one-time passcode. After one of these authentication requirements is met, the email is displayed.