IT security is an ever-growing concern for organizations around the globe. We are more deeply connected to technology than we ever have been before. This really works in our favor when it comes to productivity in business and creativity. Unfortunately, this also creates a perfect breeding ground for hackers to design malicious threats by using unauthorized individuals to gain access to systems they have not been granted access to.
Microsoft Azure has a huge commitment to security. Microsoft also has an extensive list of technologies to help combat cyber security threats on your business, with identity being the single control pane for accessing all your data, devices and applications.
Identity, as a whole, is at the center of security . When you think about all of your data breaches or any types of questions that are going to be asked of whether or not you were breached your CISO will probably ask the most fundamental questions such as:
“Who did this?”
“Where did they come from?”
“What permissions did they have?”
“What else did they have access to?”
“What else could have been compromised?”
These questions are really quite scary when you put security and identity together. The nature of cyber security attacks is constantly changing; attackers find new intelligent ways to breach networks and infrastructure, specifically targeting credentials. Rather than using phishing or malware, most of time attackers are hiding under the identity of an innocent user who doesn’t even know they have been compromised.
Attacks are caused by lost, weak or compromised user credentials, credentials which are vulnerable because passwords are vulnerable. A previous study has shown that 73% of passwords are, in fact, duplicates. We all know the challenge of having multiple passwords for different applications and services, right? So in order to simplify our process and be more productive, we tend to use the same passwords over and over again (maybe with a “1” at the end, or an “!” exclamation mark), thus making it far easier for an attacker to dump those extra characters into their wordlists and commence their attack.
80% of employees use non-approved apps and services for work on their company device. So, if they’re using a similar password for each system or application they use, hackers can ingest the algorithm on non-secure sites then find that same password pattern among the rest of the employee’s services. This is called “Lateral Movement,” when an attacker will systematically move through your networks and application data to ex-filtrate that information.
Multi-factor authentication is something that can really help reduce the risk of identity theft being compromised by 99.9%. Yet, not everybody utilizes MFA. When an organization moves their employees to the public cloud using Azure AD and AD Connect for synchronization, their security strategy needs to start with a strong protected single identity at the center of the business.
Organizations are routinely challenged by multiple security threats:
- Compromised Credentials: Highly privileged accounts that have had their passwords stolen.
- Weak and Stolen Credentials: Accounts with weak passwords that have been compromised.
- Malicious Insiders: Associates that have malicious intent through social engineering or other reasons.
- Trust relationships: Compromised accounts in a trusted domain or forest.
- Misconfiguration: Endpoints that are missing security updates, policies, settings, or protection software.
- Ransomware: Malicious code that finds its way into unprotected endpoints through improper configuration, email, and unaware users copying files from removable devices. Ransomware typically disables certain aspects of a system or entire systems altogether so that data and services are rendered completely inaccessible in exchange for money to reverse the damage. The WannaCry ransomware in 2017, which crippled the multiple companies, is a good example of this.
For further clarity, I’ve listed a few Microsoft Technologies and attack scenarios on how to defend your business against different types of cyber security threats beyond just Identity.
| Compromised Credentials | Technology |
| Privileged access credentials, which give administrative access to devices and systems, typically pose a higher risk to the enterprise than consumer credentials. | Azure PIM – Azure Privileged Identity Management provides a set of features to make it difficult to maliciously use privileged identities. Just in time (JIT) access, just enough access (JEA), role time limitations and role approvals are just some of the features you can use to provide only the access required to perform a specific task within a limited time window. Access is then removed to the role after that time has elapsed. |
| Weak and Stolen Credentials | Technology |
| Apps and protocols sending login credentials over your network pose a significant security threat. An attacker connected to your network can easily locate and utilize these credentials for lateral movement. | Azure MFA – Azure Multifactor authentication (MFA) prevents unauthorized access to a system using stolen credentials by requiring the user to provide at minimum a secondary form of authentication. A mobile phone attached to the account for which a text or call is sent to confirm the login is a common and effective approach.
Azure AD Password Protection – Enhances an organization’s password policy by providing a list of banned words or terms that cannot be used in a password. Azure AD Smart Lockout – Intended to detect a brute force attack. Smart Lockout detects password entries that vary wildly. When something is deemed a brute force attack, the account gets locked out after a defined threshold of attempts. |
| Malicious Insiders | Technology |
| Users with access to sensitive data and networks can inflict extensive damage through privileged misuse and malicious intent. | Azure RBAC – Role based access control provides only the effective rights for a given user to perform their role. If their password is compromised, damage limitation is assured.
|
| Misconfiguration | Technology |
| Misconfigured virtual machines, devices, and apps present an easy entry point for an attacker to exploit. | Azure Policy – Azure Policy provides effective governance over IT assets. You can audit your infrastructure and remediate automatically when resources are non-compliant.
Azure Security Center – The security center is a one stop shop to detect, prevent and respond to threats across your Azure environment. Identify shadow IT subscriptions, lack of endpoint protection and unencrypted virtual machines. Azure Firewall – As well as having endpoint protection, Azure firewall is yet another line of defense against misconfigured VM’s.
|
| Ransomware | Technology |
| The costs of a ransomware attack can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin. | Azure Sentinel – Collects data across your enterprise and uses intelligent AI to make threat detection smarter and faster. You can detect and respond to threats rapidly with automation and orchestration.
Update Management – Turn on update management for your virtual machines and ensure they have the latest security updates. Azure Endpoint Protection – Malicious attacks begin at the source, a guest operating system such as Windows or Linux. Endpoint protection ensures that you have a first line of defense against viruses and ransomware attacks. |
| Phishing Attacks | Technology |
| Phishing is one of the most effective social engineering attack vectors. | DMARC with O365 – Domain Messaging Authentication, Reporting and Conformance is an email authentication, policy, and reporting protocol. Its purpose is to make it easier to determine if a message is from a legitimate sender and what happens if it’s not.
Office 365 ATP Anti Phishing – When using Office 365, you can enable and define ATP Anti Phishing policies to help protect against Phishing attacks. Messages can be quarantined, deleted before arrival, sent to junk, or redirected to protect end users from phishing attempts. |
A lot of the above technologies listed can now be connected to Azure Sentinel. This will help your blue teams verify the identity flaws and security information and create a solid defensive strategy.
To put it plain and simple, no one is really safe. However, implementing these types of products can help you minimize threats, reduce risk, and have a more secure and sustainable identity security model overall. Cost is going to be a factor, but should you really put a price tag on your data?
To summarize:
Design for a solid authentication solution (Please invest in Multi-Factor Authentication!!)
- Something you know
- Something you have
- Something you are
Design for a solid authorization solution (Identity Access Management)
- RBAC
- Apps & Data Access
- Privileged Access Management
At New Signature, security isn’t just one thing we do; it’s baked into all we do. If you are concerned about the security posture of your business, connect with an expert today.
About the Author
Craig Fretwell is a New Signature Azure Solutions Architect located in our United Kingdom region. He’s spent the last 12 years focusing on helping customers overcome challenges with cloud-based solutions. His primary focus is on architecting and designing cloud and hybrid solutions in Azure. He loves to troubleshoot problems he’s faced and write about those challenges to help others find success.
