Security strategies to avoid phishing and ransomware attacks, including multifactor authentication
As of the end of 2021, a staggering 4,000 ransomware attacks take place per day. Most people are likely aware of the importance of security measures to protect against all sorts of cyberattacks; last year one such attack cost a US-based insurance company a whopping $40 million ransom. We could talk about best practices for avoiding ransomware attacks for days, and it is a strong idea for every organization to invest in learning about and enacting preventative measures against phishing and ransomware attacks.
Multifactor authentication (MFA) is one way – one of the best and easiest – to protect your organization from these threats. Available in Dynamics 365 and Office 365 applications, modern authentication and, by extension, MFA are considered standard and common today. You’ve no doubt encountered MFA before, even if you don’t know it now.
Top security strategies – best practices from a software vendor (NOT a compliance regulator)
Before delving into MFA, let’s cover some best practices you can implement to avoid phishing and ransomware attacks.
Here we want to clarify that Syvantis is a software vendor, not a compliance regulator. We’re drawing from our experience to provide a brief, but not comprehensive, list of best practices you want to consider for your own org, if you haven’t yet implemented these things already. You should always check in with your compliance officer, IT team, or technology vendor before implementing a new security policy.
Best Practice 1: Provide regular training for your staff on how to identify and avoid common phishing emails. One common tactic that sinister senders use is language that pressures the recipient to act quickly. Sometimes they even feel vaguely threatening, with email subjects like “Immediate action needed.” This is done specifically to alarm your staff and cause them to act hastily, making it more likely that they will click on something they otherwise may not.
Training your staff on the common red flags of phishing emails will help your organization identify them and avoid them. But it is incredibly human to make a mistake now and then and, even with training, fall for a phishing email.
Training can help reduce how often your staff fall for phishing emails, but it will still happen, which is why MFA is still important.
Best Practice 2: Report all suspicious emails to your IT team immediately for investigation so that they can report to Microsoft.
Best Practice 3: Work with your IT provider to ensure that your DNS records are set up properly. DNS (Domain Name System) records map domain names to IP addresses and tell other servers how to handle requests regarding that domain. Specifically, you want to ensure that these email authentication records (each published as DNS records for your domain) are set up:
SPF (Sender Policy Framework)
DMARC (Domain-based Message Authentication Reporting and Conformance)
DKIM (DomainKeys Identified Mail)
When they are, spammers have a much harder time spoofing your email addresses. An email spoof is when a spammer will send an email that appears as though it is from someone you think you know—this can be anyone, often someone higher up in your organization to create a commanding presence and a sense of urgency, like the CEO. These emails usually ask the recipient to immediately pay a vendor invoice or something of that nature. Again, this is meant to cause the recipient to feel stressed or like they will be in trouble if they do not comply. The email coming from an email address that appears as though it is within the organization makes phishing attempts stronger and easier to fall for.
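As an added example (not Syvantis code), the following script checks the three records above for the weak settings that let spoofs through, with a weak set of constructed records beside a corrected set. In practice you would pull the records from DNS for your own domain; the DKIM key value is a placeholder.

```python
"""Check SPF, DMARC and DKIM TXT records for settings that let spoofers through.
Added example, not Syvantis code. Records below are constructed samples; DMARC is
published at _dmarc.<domain> and DKIM at <selector>._domainkey.<domain>."""

def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record: str) -> list:
    if not record.lower().startswith("v=spf1"):
        return ["SPF: record does not start with v=spf1"]
    mechanisms = record.split()[1:]
    last = mechanisms[-1].lower() if mechanisms else ""
    if last in ("+all", "all", "?all"):          # anyone may send as your domain
        return [f"SPF: ends in '{last}', so any server may send as your domain"]
    if last not in ("-all", "~all"):             # unlisted senders are not rejected
        return ["SPF: no terminal -all/~all, unlisted senders are not rejected"]
    return []

def check_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing or malformed (expected v=DMARC1)"]
    findings = []
    if tags.get("p") == "none":                  # spoofs are reported, never blocked
        findings.append("DMARC: p=none only monitors; use p=quarantine or p=reject")
    elif tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or unknown policy '{tags.get('p')}'")
    if "rua" not in tags:                        # no aggregate reports to learn from
        findings.append("DMARC: no rua= address, so you get no aggregate reports")
    return findings

def check_dkim(record: str) -> list:
    # An empty p= tag means the key was revoked; no p= at all means no key at all.
    return [] if parse_tags(record).get("p") else ["DKIM: selector has no public key (p=)"]

def audit(records: dict) -> list:
    """Run all three checks over a {'spf': ..., 'dmarc': ..., 'dkim': ...} dict."""
    return (check_spf(records["spf"]) + check_dmarc(records["dmarc"])
            + check_dkim(records["dkim"]))

WEAK = {"spf": "v=spf1 include:spf.protection.outlook.com +all",
        "dmarc": "v=DMARC1; p=none",
        "dkim": "v=DKIM1; k=rsa; p="}                      # constructed, revoked key
FIXED = {"spf": "v=spf1 include:spf.protection.outlook.com -all",
         "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
         "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"}  # placeholder
```

Running `audit(WEAK)` reports four findings and `audit(FIXED)` none; `spf.protection.outlook.com` is the include Microsoft 365 tenants normally publish.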
Best Practice 4: Allow a maximum of 2 global administrator accounts for your tenant. Some of your users may require administrative privileges and that’s fine, but it’s best to only give administrators the level that they require without giving full global privileges.
All administrators, global and otherwise, should be using multifactor authentication because they do have that higher level of control over the system.
Best Practice 5: Create company-wide security policies and make everyone stick to them. These policies include anti-spam, anti-malware, and anti-phishing policies. When creating these policies, you can consider Malwarebytes subscriptions that include ransomware mitigation (and if you choose to go in this direction, Syvantis can help with this—just get in touch with us).
Best Practice 6: Set up managed devices for your PCs and mobile devices. This will allow you to set up certain types of monitoring and reporting to identify devices that may be vulnerable or compromised.
Best Practice 7: Create a security maintenance and operations plan. As employees come and go, have policies in place to ensure their accounts are activated and deactivated appropriately and that they only ever have just enough rights to do their jobs. Remember, it’s not about trust in your employees, it’s about mitigating your risk from outside attacks.
Best Practice 8: Use a secure, enterprise-level encrypted password vault. This way your employees aren’t reusing passwords. A password vault lets them instead generate secure, random, complex passwords. Experts have found that most of us have very insecure passwords and when we come up on that dreaded 90-day password reset requirement that our IT sets, we just add an extra character at the end because it’s easier for our fallible human brains to remember. If a password ever becomes compromised, all a hacker has to do is guess which character you’ve changed or added to the end of the existing password and boom, they’re in.
Best Practice 9: Use multifactor authentication! Let’s get to the meat of this blog: Multifactor Authentication (or MFA).
What is MFA?
Multifactor authentication is also sometimes called 2-factor authentication, or MFA for short. Most people have probably used some version of MFA for various personal apps. MFA utilizes additional pieces of security information on top of a password, adding a second layer of security to prevent unwanted or unauthorized login attempts. Commonly, the app will send the user a text message with a PIN or code to enter at a prompt on their screen to verify their identity.
In practice, multifactor protects against phishing like this:
Someone on your team gets an email asking them to click on a link. They’re rushing, just trying to get their work done, and they click on it.
It takes them to a fake Office 365 login page, and they enter in their username and password.
Nothing happens. They put it in again. Still, nothing happens.
A user will now do 1 of 2 things: 1) panic when they realize this was not a legitimate email or 2) rush to their prior engagement and forget about this altogether. In the latter scenario, the spammer will take those credentials, log into this person’s Office 365 account, and begin sending emails as your teammate. They will almost certainly set up rules in the victim’s Outlook account to automatically delete any emails that are replies to the nefarious email, as well as rules to hide the outgoing emails from the “sent” messages. This allows the spammer to fly under the radar longer.
By the time someone in your organization realizes that something has gone wrong, this person’s account has likely sent out hundreds or thousands of phishing emails. If you’re lucky, all they were looking for were additional usernames/passwords. If you aren’t, they may have used you to send out ransomware or to ask your clients to change the payment method they have on file for your organization and pay invoices to the spammer’s account instead of to you.
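The inbox rules described in the scenario above are something you can hunt for after the fact. As an added example (not Syvantis code), this script scans an exported list of a mailbox’s rules for the delete-the-replies and hide-in-an-unread-folder patterns; RULES is a constructed sample whose field names follow Exchange Online’s Get-InboxRule output, which is an assumption to adapt to whatever export you actually have.

```python
"""Scan exported inbox rules for the hide-the-replies pattern an intruder plants.
Added example, not Syvantis code. RULES is a constructed sample; its keys follow
Exchange Online's Get-InboxRule output (an assumption, adapt to your export)."""
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items"}       # rarely opened by users
REPLY_MARKERS = ("re:", "fw:", "fwd:", "undeliverable")  # replies and bounces

def rule_findings(rule: dict) -> list:
    """Return the reasons one rule looks like it was planted by an intruder."""
    reasons = []
    words = [w.lower() for w in (rule.get("SubjectOrBodyContainsWords") or [])
             + (rule.get("SubjectContainsWords") or [])]
    # MoveToFolder is exported as a path; only the last component matters.
    folder = (rule.get("MoveToFolder") or "").split("\\")[-1].lower()
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail outright")
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    if rule.get("MarkAsRead") and (folder or rule.get("DeleteMessage")):
        reasons.append("marks mail as read so the user never notices it")
    if any(w.startswith(REPLY_MARKERS) for w in words):
        reasons.append("targets replies or bounces to a sent message")
    if rule.get("ForwardTo"):
        reasons.append("forwards mail to " + ", ".join(rule["ForwardTo"]))
    if len((rule.get("Name") or "").strip()) <= 1:
        reasons.append("rule name is empty or a single character")
    return reasons

def scan_rules(rules: list) -> dict:
    """Map rule name to its findings for every enabled rule that has any."""
    out = {}
    for rule in rules:
        reasons = rule_findings(rule) if rule.get("Enabled", True) else []
        if reasons:
            out[rule.get("Name") or "<unnamed>"] = reasons
    return out

RULES = [  # constructed sample resembling a compromised mailbox
    {"Name": ".", "Enabled": True, "DeleteMessage": True,
     "SubjectOrBodyContainsWords": ["RE: Invoice", "Undeliverable"]},
    {"Name": "Archive old", "Enabled": True, "MoveToFolder": "Mailbox\\RSS Feeds",
     "MarkAsRead": True, "FromAddressContainsWords": ["@example.com"]},
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Mailbox\\Newsletters",
     "SubjectContainsWords": ["weekly digest"]},
]

if __name__ == "__main__":
    for name, why in scan_rules(RULES).items():
        print(f"{name!r}: " + "; ".join(why))
```

The first two constructed rules are flagged (three and two reasons respectively) while the legitimate newsletter rule is not.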
How does multifactor authentication (MFA) work?
But, how does multifactor authentication prevent all these issues? Your team member may still receive that phishing email and they may still click it and add their credentials. But when the spammer in question goes to use those credentials to log into Office 365, they’ll be prompted to enter a code or approve a prompt from an app before giving them access to the system. Your team member will receive the prompt, hopefully realize they’ve been compromised, and can change their password to prevent future issues. It’s a simple solution, but it’s very effective.
There are a few different authentication options through Office 365 MFA:
A text message sent to a phone, requiring the user to type a verification code.
A phone call.
The Microsoft Authenticator smart phone app.
You can use apps like Google Authenticator as well, but the nice thing about using the Microsoft Authenticator app for Office 365 MFA specifically is it will actually send a push notification to your phone so instead of having to enter a security code into the browser after sign-in, you just have to click “Accept” or “Decline” on the prompt on your phone and you’re all set. It is a slick process. Though which option to go with is up to you, the Microsoft Authenticator App is recommended.
Users aren’t going to need to do this every single time they log in. They only need to do this the first time they sign into a new app or device, or the first time after changing the password. After that, a user just needs the “primary” factor, which is usually the password. MFA is mostly extra security when someone comes from an unknown source – they are going to need that second factor to gain access to the account.
Setting up MFA in Dynamics 365 and Office 365 apps
With all of that context, how do you get started with MFA in Dynamics 365 and Office 365 apps?
A couple of pre-requisites:
First, you need to be a Global Admin to manage MFA. Otherwise, your partner can set this up for you. If we’re your partner, shoot us an email and we’ll open a case to configure it. It doesn’t take long to get things configured and we can send you and your users documentation as well.
If you had multifactor authentication turned on in the past when it used the so-called “per user model,” you’ll have to turn that off first.
If you’re still using Office 2013 for some reason, you’ll need to turn on a special “Modern Authentication” protocol for those devices. If you can update to a newer version, definitely do so. If you’re stuck with Office 2013 for some reason – maybe you’ve got a third-party software that isn’t compatible with newer versions or something – then you’re going to have to do this.
If you use Active Directory Federation Services (ADFS) or Hybrid Active Directory, meaning you have a third-party or local server that is utilizing single sign-on with Office 365, you have some special requirements you’re going to need to fulfill. Hit me up and I’ll help you out with that.
If you have GDPR compliance requirements, check in with your compliance officer on whether you need to do anything for consent from your employees.
Now, let’s talk about how to do it. Despite all the context above, setting up modern authentication is actually a tiny process:
Go to the Microsoft 365 admin center.
On the left nav, go to “Org Settings.”
Under the Services tab, choose “Modern Authentication.”
Under the Modern Authentication pane, make sure that “Enable modern authentication” is selected.
Then, save your changes.
That’s it. If you recently purchased Office 365 or Microsoft 365, this may already be enabled by default. Any Dynamics 365 app that uses Office 365 as an authentication method or for email capabilities will now be protected via MFA, if it is set up for it.
After you’ve enabled modern authentication, your users will be prompted to set up an additional authentication method. The next time they sign in, they’ll be prompted for more information. The prompt will say “More information required. Your organization needs more information to keep your account secure.” They’ll click Next.
By default, Microsoft is going to ask them to use the Microsoft Authenticator App. Again, this is recommended. But, let’s say a colleague doesn’t have a smart phone—they can use one of the other options instead by selecting “I want to set up a different method.” Microsoft will ask them for their mobile number and then send them an SMS or give them a call. Either way, Microsoft 365 is going to walk them through the prompts to get everything configured and congratulate them when it’s all set!
MFA is the simplest thing you can do to make sure your organization is protected from phishing attacks. There are a slew of other options for monitoring and tracking potential security vulnerabilities, and it is recommended that every organization learns about them as well. But, if nothing else, get multifactor turned on. It’s well worth the effort—a lot less effort than dealing with the fallout of a hack.
Syvantis can help you put together a plan on how to implement some of these recommendations. Shoot your client service manager a message or reach out to me directly for more info. Obviously, we are a software vendor and not a compliance regulator, so always check in with your compliance officer or vendor before implementing a new security policy.