Credit: Canva

External penetration tests are a critical component, and often one of the first steps, of an organisation's defence strategy. These engagements typically focus on the infrastructure that an organisation controls or hosts. However, this leaves a blind spot in the security posture: services hosted by third parties, such as Microsoft's M365, which grant users access to company resources like SharePoint and Outlook.

 

Background 

For over 10 years, many Microsoft products (including the M365 login function) have contained enumeration flaws which allow malicious actors to determine whether an account is valid. The first step in any password attack against an organisation's user base is to compile a list of targets, and tooling exists to automate this process. Microsoft has not indicated that it is going to address these user enumeration flaws.

Tooling also exists to automate the process of systematically attempting to log into each account in that list of targets. 

 

The Budget Problem 

This kind of threat is typically only tested during a simulated attack against the organisation (such as a red team engagement), but these projects are covert, comprehensive, and usually last for weeks or months. A cost-effective way to address this initial access threat is to carry out a targeted credential attack against your organisation's M365 user accounts. A straightforward engagement will confirm whether any leaked credentials are still valid and whether any users have a weak password, and it can usually be carried out in one or two days.

 

The Password Problem 

Would you consider the following password policy strong? 

  • at least 10 characters in length 

  • upper case character 

  • lower case character 

  • a digit 

  • and a special character 

Well, "Password1!" meets these guidelines and is occasionally the starting point for an initial compromise. You may think you are fine because you use multifactor authentication; however, there are several methods to defeat these controls. It's worth noting that users with weak passwords may be less security conscious in general and more likely to fall victim to a phishing attack designed to capture sensitive information such as an MFA token. A user may also reuse the same password on a service that does not enforce MFA. We have also found that some organisations have special shared accounts where MFA is not enforced for quality-of-life reasons.
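To make the point above concrete, here is an added example (not part of the original post) that encodes the quoted five-rule policy as a checker and then shows why it is not enough: "Password1!" passes every rule, so a second check against a banned base-word list is what actually rejects it. The banned-word list and the leet-speak substitution map are constructed for illustration.

```python
import re

# The five complexity rules quoted in the post, as plain predicates.
COMPLEXITY_RULES = {
    "at least 10 characters": lambda pw: len(pw) >= 10,
    "upper case character": lambda pw: re.search(r"[A-Z]", pw) is not None,
    "lower case character": lambda pw: re.search(r"[a-z]", pw) is not None,
    "a digit": lambda pw: re.search(r"\d", pw) is not None,
    "a special character": lambda pw: re.search(r"[^A-Za-z0-9]", pw) is not None,
}

# Constructed sample of banned base words. A real deployment would use a
# large breached-password list plus organisation-specific terms.
BANNED_BASE_WORDS = {"password", "welcome", "summer", "winter", "company"}

# Constructed map of common character substitutions (P@ssw0rd -> password).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "@": "a", "$": "s"})


def meets_complexity(pw: str) -> bool:
    """True when every rule in the quoted policy is satisfied."""
    return all(rule(pw) for rule in COMPLEXITY_RULES.values())


def normalise(pw: str) -> str:
    """Lower-case, strip the trailing digits/symbols users bolt on, undo leet."""
    stripped = re.sub(r"[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET_MAP)


def is_weak(pw: str) -> bool:
    """True when the password is just a banned word dressed up to pass policy."""
    base = normalise(pw)
    return any(base.startswith(word) for word in BANNED_BASE_WORDS)


def assess(pw: str) -> str:
    """Outcome a registration or reset flow should return for this password."""
    if not meets_complexity(pw):
        return "rejected: fails complexity policy"
    if is_weak(pw):
        return "rejected: complex but built on a banned word"
    return "accepted"


if __name__ == "__main__":
    for sample in ("Password1!", "P@ssw0rd2024!", "hunter2", "correct-horse-Battery9"):
        print(f"{sample!r}: {assess(sample)}")
```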

 

Contact Us 

If you want peace of mind regarding this attack vector, contact us and we can tailor the engagement to your organisation's needs. We can perform a simulated credential attack and many other kinds of review to secure this gap. www.fortiscyber.co.uk 

 
 
 

Although Amazon Web Services remains the market leader in the UK for cloud computing services, Microsoft Azure is quickly closing the gap, as UK-based businesses increasingly adopt both Azure and Microsoft 365 to host their computing resources, store their files, and administer their business operations.

You may be among the many new adoptees of Azure as your cloud computing platform, and whether your tenant was supplied by a third-party distributor, or you opted to configure the service yourself, you might assume that the default configuration of the platform would be sufficiently secure. Unfortunately, this is not the case, and many of the default settings leave your tenants and resources at risk. 


Common Misconfigurations 


Inadequate Access Controls 


The most common issue with fresh Azure tenants is the lack of stringent access controls. Any user can, for instance, create new tenants or security groups, have access to the administration panel, or share files externally that do not belong to them. 


Multifactor Authentication 


Multifactor authentication is critically important for enhancing the security of any IT environment, making it far more difficult for malicious users to compromise devices or online accounts. There are several ways to implement MFA within Azure, so it can be difficult to know which method is best. Per-User MFA and Conditional Access policies are two such methods. You may be tempted to enable both, but when used together in Azure these methods can lead to a less effective security configuration. Auditing two different MFA methods can be confusing, and the administrative overhead of maintaining two implementations may also lead to errors or oversights.


Lack of Monitoring and Logging 


Event-based alerts are not configured by default within Azure. Actions like creating new billable resources or changing administrator passwords could go unnoticed. Azure Activity Logs also only retain information for 90 days, after which the logs are automatically erased. In the event of a breach, it is imperative that appropriate logs have been retained to track illegitimate activity.




 

Preventing Misconfigurations 

Both Microsoft and the Center for Internet Security (CIS) offer recommendations on how to secure your Azure resources in line with security best practice; however, it can be time-consuming to review the settings yourself. A Cloud Configuration Review performed by a Security Consultant can be a valuable way to understand the weaknesses in your Azure platform and identify areas that need attention and changes.

Contact us at Fortis Cyber® if this is a service your organisation would benefit from. 


Author: Mackenzie Pearce 

 
 
 

We introduced our Information Security Officer as a service (ISOaaS) offering to provide greater flexibility which is economically sound for clients. This service provides an experienced Information Security Officer to manage an organisation's information security and risk management operations on a fractional basis, ensuring all systems and data are secure and compliant with regulatory requirements.


The multiple benefits include:


  • Easy access to specialist advice and industry experience

  • A central point of contact for all information security matters

  • A cost-effective alternative to employing in-house specialists

  • Seamless integration within your existing team

  • Flexible and scalable service

  • Assurance in your information security programme

  • Access to other cyber security professionals via the ISOaaS conduit



The Information Security Officer service is a convenient and cost-effective way for businesses to access industry-leading cyber security knowledge in a flexible and agile manner. A professionally certified and experienced security consultant allows an organisation to benefit from years of security expertise and delivers clarity, confidence, and certainty for its digital, cyber security and network journey.





Our Information Security Officers hold a number of professional qualifications, which include NCSC Certified Cyber Professional, Certified Information Systems Security Professional, Certified Information Security Manager, and ISO/IEC 27001 auditor/implementer.


Fortis delivers expert guidance and best practice advice via our team of highly experienced and qualified security professionals who support clients to accelerate, shape and deliver a coordinated information security programme and manage business security risk.


"We have been delighted with the exceptional service provided through Fortis’ Information Security Officer as a Service (ISOaaS). The firm’s wealth of knowledge, security assessment capabilities, and customer-centric approach have been invaluable."


Mike Powell, CEO, Rapid Addition.

